802.1X Port-Based Authentication HOWTO - Lars Strand

rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Success
rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 8
modcall: group authenticate returns ok for request 8
Login OK: [testuser/] (from client testnet port 37 cli 0002a56fa08a)
Sending Access-Accept of id 8 to 192.168.2.1:1032                        (3)
        MS-MPPE-Recv-Key = 0xf21757b96f52ddaefe084c343778d0082c2c8e12ce18ae10a79c550ae61a5206    (4)
        MS-MPPE-Send-Key = 0x5e1321e06a45f7ac9f78fb9d398cab5556bff6c9d003cdf8161683bfb7e7af18
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "testuser"

(1) TLS session startup. Doing TLS-handshake.

(2) The TLS session (PEAP-encrypted tunnel) is up.

(3) The Supplicant has been authenticated successfully by the RADIUS server. An "Access-Accept" message is sent.

(4) The MS-MPPE-Recv-Key [[http://www.ietf.org/rfc/rfc2548.txt] RFC2548 section 2.4.3] contains the Pairwise Master Key (PMK) destined to the Authenticator (access point), encrypted with the MPPE Protocol [[http://www.ietf.org/rfc/rfc3078.txt] RFC3078], using the shared secret between the Authenticator and Authentication Server as key. The Supplicant derives the same PMK from MK, as described in Key Management.
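The key wrapping in note (4), as an added worked example (not code from the HOWTO or from FreeRADIUS): the RFC2548 section 2.4.2/2.4.3 MS-MPPE key encryption, with a round trip that shows why a shared-secret mismatch between access point and RADIUS server leaves the EAP exchange looking successful while the access point receives an unusable PMK. The PMK, shared secret, salt and Request-Authenticator below are constructed values, not the ones from the log above.

```python
import hashlib
import os

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mppe_encrypt_key(key: bytes, secret: bytes, req_auth: bytes, salt: bytes = b"") -> bytes:
    """Wrap a key as the value of MS-MPPE-Send/Recv-Key (RFC 2548 sections 2.4.2-2.4.3):
    [len][key][zero pad to 16n]; block 1 XOR MD5(secret+Request-Authenticator+salt),
    block i XOR MD5(secret+ciphertext block i-1). The salt must be unique per packet."""
    if len(req_auth) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    salt = salt or bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit of the first byte set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    cipher, mask = b"", hashlib.md5(secret + req_auth + salt).digest()
    for i in range(0, len(plain), 16):
        block = _xor(plain[i:i + 16], mask)
        cipher += block
        mask = hashlib.md5(secret + block).digest()
    return salt + cipher

def mppe_decrypt_key(value: bytes, secret: bytes, req_auth: bytes):
    """Unwrap an MS-MPPE key value. Returns None when the recovered length byte is
    implausible, the usual symptom of a shared-secret mismatch between Authenticator
    and RADIUS server (EAP succeeds, but the access point ends up with a garbage PMK)."""
    salt, cipher = value[:2], value[2:]
    if not cipher or len(cipher) % 16:
        return None
    plain, mask = b"", hashlib.md5(secret + req_auth + salt).digest()
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += _xor(block, mask)
        mask = hashlib.md5(secret + block).digest()
    key_len = plain[0]
    if key_len > len(plain) - 1:
        return None
    return plain[1:1 + key_len]

PMK = bytes(range(32))            # constructed 32-byte PMK (not from the HOWTO's log)
SECRET = b"testing123"            # constructed RADIUS shared secret
REQ_AUTH = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed

def round_trip() -> bool:
    # Fixed salt so the wrapped value is reproducible; a real server picks a fresh one.
    wrapped = mppe_encrypt_key(PMK, SECRET, REQ_AUTH, salt=b"\x80\x01")
    return mppe_decrypt_key(wrapped, SECRET, REQ_AUTH) == PMK
```

A 32-byte PMK wraps to 2 bytes of salt plus 48 bytes of ciphertext, so the on-the-wire attribute value is 50 bytes.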

The Authenticator (access point) may also show something like this in its log:

00:02:16 (Info): Station 0002a56fa08a Associated
00:02:17 (Info): Station=0002a56fa08a User="testuser" EAP-Authenticated

That's it! The Supplicant is now authenticated to use the Access Point!

Note about driver support and Xsupplicant

As described in Key Management, one of the big advantages of using Dynamic WEP/802.11i with 802.1X is the support for session keys. A new encryption key is generated for each session.

Xsupplicant only supports "Dynamic WEP" as of this writing. Support for WPA and RSN/WPA2 (802.11i) is being worked on, and is estimated to be supported at the end of the year/early next year (2004/2005), according to Chris Hessing (one of the Xsupplicant developers).

Not all wireless drivers support dynamic WEP, nor WPA. To use RSN (WPA2), new support in hardware may even be required. Many older drivers assume only one WEP key will be used on the network at any time. The card is reset whenever the key is changed to let the new key take effect. This triggers a new authentication, which changes the key again, resulting in a never-ending loop.

At the time of writing, most of the wireless drivers in the base Linux kernel require patching to make dynamic WEP/WPA work. They will, in time, be upgraded to support these new features. Many drivers developed outside the kernel, however, do support dynamic WEP; HostAP, madwifi, Orinoco, and atmel should work without problems.

Instead of using Xsupplicant, [http://hostap.epitest.fi/wpa_supplicant/] wpa_supplicant may be used. It has support for both WPA and RSN (WPA2), and a wide range of EAP authentication methods.

FAQ

Do not forget to check out the FAQ section of both the [http://www.freeradius.org/faq/] FreeRADIUS (highly recommended!) and [http://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236#ch7] Xsupplicant Web sites!

8.1. Is it possible to allow user-specific Xsupplicant configuration, to avoid having a global configuration file?

8.2. I don't want to use PEAP; can I use EAP-TTLS or EAP-TLS instead?

8.3. Can I use a Windows Supplicant (client) instead of GNU/Linux?

8.4. Can I use an Active Directory to authenticate users?

8.5. Are there any Windows Supplicant clients available?

8.1. Is it possible to allow user-specific Xsupplicant configuration, to avoid having a global configuration file?

No, not at the moment.

8.2. I don't want to use PEAP; can I use EAP-TTLS or EAP-TLS instead?

Yes. To use EAP-TTLS, only small changes to the configuration used in this document are required. To use EAP-TLS, client certificates must be used as well.

8.3. Can I use a Windows Supplicant (client) instead of GNU/Linux?

Yes. Windows XP SP1 and Windows 2000 SP3 have support for PEAP MSCHAPv2 (used in this document). A Windows HOWTO can be found here: FreeRADIUS/WinXP Authentication Setup

8.4. Can I use an Active Directory to authenticate users?

Yes. FreeRADIUS can authenticate users from AD by using "ntlm_auth".

8.5. Are there any Windows Supplicant clients available?

Yes. As of Windows XP SP1 or Windows 2000 SP3, WPA (PEAP/MS-CHAPv2) is supported. Other clients include (not tested) [http://www.securew2.com] Secure W2 (free for non-commercial use) and [http://wire.cs.nthu.edu.tw/wire1x/] WIRE1X. [http://www.funk.com] Funk Software also has a commercial client available.

Useful Resources

Only IEEE standards older than 12 months are generally available to the public (through the "Get IEEE 802 Program"). So the new 802.11i and 802.1X-2004 standards documents are not available. You must be an IEEE participant to get hold of any drafts/work-in-progress papers (which actually isn't that hard - just join a mailing list and say you are interested).

FreeRADIUS Server Project: http://www.freeradius.org/

Open1x: Open Source implementation of IEEE 802.1X (Xsupplicant): http://www.open1x.org/

The Open1x User's Guide: http://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236

Port-Based Network Access Control (802.1X-2001): http://standards.ieee.org/getieee802/download/802.1X-2001.pdf

RFC2246: The TLS Protocol Version 1.0: http://www.ietf.org/rfc/rfc2246.txt

RFC2459: Internet X.509 Public Key Infrastructure - Certificate and CRL Profile: http://www.ietf.org/rfc/rfc2459.txt

RFC2548: Microsoft Vendor-specific RADIUS Attributes: http://www.ietf.org/rfc/rfc2548.txt

RFC2716: PPP EAP TLS Authentication Protocol: http://www.ietf.org/rfc/rfc2716.txt

RFC2865: Remote Authentication Dial-In User Service (RADIUS): http://www.ietf.org/rfc/rfc2865.txt

RFC3079: Deriving Keys for use with Microsoft Point-to-Point Encryption (MPPE): http://www.ietf.org/rfc/rfc3079.txt

RFC3579: RADIUS Support For EAP: http://www.ietf.org/rfc/rfc3579.txt

RFC3580: IEEE 802.1X RADIUS Usage Guidelines: http://www.ietf.org/rfc/rfc3580.txt

RFC3588: Diameter Base Protocol: http://www.ietf.org/rfc/rfc3588.txt

RFC3610: Counter with CBC-MAC (CCM): http://www.ietf.org/rfc/rfc3610.txt

RFC3748: Extensible Authentication Protocol (EAP): http://www.ietf.org/rfc/rfc3748.txt

Linux Wireless Access Point HOWTO: http://oob.freeshell.org/nzwireless/LWAP-HOWTO.html

SSL Certificates HOWTO: http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/

OpenSSL: x509(1): http://www.openssl.org/docs/apps/x509.html

Copyright, acknowledgments and miscellaneous

10.1. Copyright and License

Copyright (c) 2004 Lars Strand.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

10.2. How this document was produced

This document was written in DocBook XML using Emacs.

10.3. Feedback

Suggestions, corrections, additions wanted. Contributors wanted and acknowledged. Flames not wanted.

I can always be reached at

Homepage: http://www.gnist.org/~lars/

10.4. Acknowledgments

Thanks to Andreas Hafslund and Thales Communication for initial support.

Also thanks to Artur Hecker, Chris Hessing <chris hessing at utah edu>, Jouni Malinen and Terry Simons for valuable feedback!

Thanks to Rick Moen for doing a language review!

A. GNU Free Documentation License

Version 1.2, November 2002

Copyright (C) 2000,2001,2002 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

A.1. PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

A.2. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of
