802.1X Port-Based Authentication HOWTO - Lars Strand
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Success
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 8
modcall: group authenticate returns ok for request 8
Login OK: [testuser/] (from client testnet port 37 cli 0002a56fa08a)
Sending Access-Accept of id 8 to 192.168.2.1:1032 (3)
MS-MPPE-Recv-Key = 0xf21757b96f52ddaefe084c343778d0082c2c8e12ce18ae10a79c550ae61a5206 (4)
MS-MPPE-Send-Key = 0x5e1321e06a45f7ac9f78fb9d398cab5556bff6c9d003cdf8161683bfb7e7af18
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testuser"
(1) TLS session startup. Doing TLS-handshake.
(2) The TLS session (PEAP-encrypted tunnel) is up.
(3) The Supplicant has been authenticated successfully by the RADIUS
server. An "Access-Accept" message is sent.
(4) The MS-MPPE-Recv-Key ([http://www.ietf.org/rfc/rfc2548.txt] RFC2548
section 2.4.3) contains the Pairwise Master Key (PMK) destined to the
Authenticator (access point), encrypted with the MPPE Protocol
([http://www.ietf.org/rfc/rfc3078.txt] RFC3078), using the shared secret
between the Authenticator and Authentication Server as key. The Supplicant
derives the same PMK from MK, as described in Key Management.
The Authenticator (access point) may also show something like this in
its log:
00:02:16 (Info): Station 0002a56fa08a Associated
00:02:17 (Info): Station=0002a56fa08a User="testuser" EAP-Authenticated
That's it! The Supplicant is now authenticated to use the Access Point!
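The key wrapping described in note (4) above, written out as an added example (code written for this page, not part of the original HOWTO and not FreeRADIUS or Xsupplicant code): it implements the MS-MPPE-Recv-Key/MS-MPPE-Send-Key encryption from RFC 2548 sections 2.4.2 and 2.4.3, places the result in the Vendor-Specific attribute that carries it in the Access-Accept, and unwraps it again the way the Authenticator would. The shared secret, Request Authenticator, salt and 32-byte PMK are constructed values. What a defender should take from it: on a plain RADIUS/UDP path the only protection for the PMK is an MD5 keystream derived from the shared secret and the Request Authenticator, so the shared secret must be long and random, and the RADIUS traffic should not cross networks you do not trust.

```python
import hashlib
import struct

# RADIUS / RFC 2548 constants
RADIUS_VENDOR_SPECIFIC = 26   # RADIUS attribute type "Vendor-Specific"
MICROSOFT_VENDOR_ID = 311     # Vendor-Id used by the Microsoft VSAs (RFC 2548)
MS_MPPE_RECV_KEY = 16         # Vendor-Type, RFC 2548 section 2.4.3
MS_MPPE_SEND_KEY = 17         # Vendor-Type, RFC 2548 section 2.4.2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_encrypt(key: bytes, secret: bytes, request_authenticator: bytes, salt: bytes) -> bytes:
    """Wrap `key` as RFC 2548 sections 2.4.2/2.4.3 describe; returns Salt || C.

    P    = Key-Length (1 octet) || Key || zero padding to a multiple of 16
    b(1) = MD5(S + R + A)    c(1) = p(1) xor b(1)
    b(i) = MD5(S + c(i-1))   c(i) = p(i) xor b(i)
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(salt) != 2 or (salt[0] & 0x80) == 0:
        raise ValueError("Salt must be 2 octets with the most significant bit set")
    if len(key) > 255:
        raise ValueError("Key-Length is a single octet")
    plaintext = bytes([len(key)]) + key
    plaintext += b"\x00" * (-len(plaintext) % 16)
    ciphertext = b""
    prev = None
    for i in range(0, len(plaintext), 16):
        if prev is None:
            b = hashlib.md5(secret + request_authenticator + salt).digest()
        else:
            b = hashlib.md5(secret + prev).digest()
        prev = _xor(plaintext[i:i + 16], b)
        ciphertext += prev
    return salt + ciphertext


def mppe_decrypt(wrapped: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of mppe_encrypt: takes Salt || C and returns the Key sub-field."""
    if len(wrapped) < 2 + 16 or (len(wrapped) - 2) % 16:
        raise ValueError("String must be a 2-octet Salt plus whole 16-octet blocks")
    salt, ciphertext = wrapped[:2], wrapped[2:]
    plaintext = b""
    prev = None
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        if prev is None:
            b = hashlib.md5(secret + request_authenticator + salt).digest()
        else:
            b = hashlib.md5(secret + prev).digest()
        plaintext += _xor(block, b)
        prev = block
    key_length = plaintext[0]
    if key_length > len(plaintext) - 1:
        raise ValueError("Key-Length exceeds the decrypted data: wrong shared secret or corrupt attribute")
    return plaintext[1:1 + key_length]


def build_mppe_vsa(vendor_type: int, wrapped: bytes) -> bytes:
    """Encode the attribute as it travels in the Access-Accept:
    Type=26 | Length | Vendor-Id=311 | Vendor-Type | Vendor-Length | Salt || C."""
    vendor_payload = struct.pack("!BB", vendor_type, 2 + len(wrapped)) + wrapped
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(vendor_payload),
                       MICROSOFT_VENDOR_ID) + vendor_payload


def parse_mppe_vsa(attr: bytes):
    """Return (Vendor-Type, Salt || C) from a Microsoft VSA, checking both length fields."""
    attr_type, attr_len, vendor_id = struct.unpack("!BBI", attr[:6])
    if attr_type != RADIUS_VENDOR_SPECIFIC or vendor_id != MICROSOFT_VENDOR_ID or attr_len != len(attr):
        raise ValueError("not a well-formed Microsoft Vendor-Specific attribute")
    vendor_type, vendor_len = attr[6], attr[7]
    if vendor_len != len(attr) - 6:
        raise ValueError("Vendor-Length does not match the attribute length")
    return vendor_type, attr[8:]


def demo() -> dict:
    """Round-trip a constructed 32-octet PMK through the wire encoding.
    All values below are constructed for this example, not taken from a real exchange."""
    secret = b"example-shared-secret"                   # constructed NAS <-> RADIUS shared secret
    request_authenticator = bytes(range(16))            # constructed; real ones are random per Access-Request
    pmk = hashlib.sha256(b"constructed PMK").digest()   # 32 octets, the same size as the key in the log
    salt = b"\x80\x01"                                  # most significant bit set, as RFC 2548 requires
    attr = build_mppe_vsa(MS_MPPE_RECV_KEY, mppe_encrypt(pmk, secret, request_authenticator, salt))
    vendor_type, wrapped = parse_mppe_vsa(attr)
    recovered = mppe_decrypt(wrapped, secret, request_authenticator)
    # Anyone holding the shared secret and the matching Access-Request recovers the PMK;
    # without the secret the Key-Length octet is garbage and decryption fails or yields junk.
    try:
        wrong = mppe_decrypt(wrapped, b"wrong-secret", request_authenticator)
    except ValueError:
        wrong = None
    return {"vendor_type": vendor_type, "wire_len": len(attr), "pmk": pmk,
            "recovered": recovered, "wrong_secret_recovers_key": wrong == pmk}


if __name__ == "__main__":
    r = demo()
    print("round trip ok:", r["recovered"] == r["pmk"], "attribute length:", r["wire_len"])
```

The 32-octet key becomes a 33-octet plaintext (Key-Length plus Key), padded to 48 octets, so the attribute on the wire is 58 octets: 6 octets of RADIUS/vendor header, 2 of Vendor-Type/Vendor-Length, 2 of Salt and 48 of ciphertext. The chaining of each block on the previous ciphertext block is why the second and later blocks are checked separately in the test.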
Note about driver support and Xsupplicant
As described in Key Management, one of the big advantages of using Dynamic
WEP/802.11i with 802.1X is the support for session keys. A new encryption key
is generated for each session.
Xsupplicant only supports "Dynamic WEP" as of this writing. Support for WPA
and RSN/WPA2 (802.11i) is being worked on, and is estimated to be available
at the end of the year/early next year (2004/2005), according to Chris
Hessing (one of the Xsupplicant developers).
Not all wireless drivers support dynamic WEP, nor WPA. To use RSN (WPA2),
new hardware support may even be required. Many older drivers assume only
one WEP key will be used on the network at any time. The card is reset
whenever the key is changed to let the new key take effect. This triggers a
new authentication, which produces a new key, and the result is a
never-ending loop.
At the time of writing, most of the wireless drivers in the base Linux
kernel require patching to make dynamic WEP/WPA work. They will, in time, be
upgraded to support these new features. Many drivers developed outside the
kernel, however, do support dynamic WEP; HostAP, madwifi, Orinoco, and atmel
should work without problems.
Instead of using Xsupplicant, [http://hostap.epitest.fi/wpa_supplicant/]
wpa_supplicant may be used. It has support for both WPA and RSN (WPA2), and a
wide range of EAP authentication methods.
FAQ
Do not forget to check out the FAQ section of both the
[http://www.freeradius.org/faq/] FreeRADIUS (highly recommended!) and
[http://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236#ch7]
Xsupplicant Web sites!
8.1. Is it possible to allow user-specific Xsupplicant configuration, to
avoid having a global configuration file?
8.2. I don't want to use PEAP; can I use EAP-TTLS or EAP-TLS instead?
8.3. Can I use a Windows Supplicant (client) instead of GNU/Linux?
8.4. Can I use Active Directory to authenticate users?
8.5. Are there any Windows Supplicant clients available?
8.1. Is it possible to allow user-specific Xsupplicant configuration, to
avoid having a global configuration file?
No, not at the moment.
8.2. I don't want to use PEAP; can I use EAP-TTLS or EAP-TLS instead?
Yes. To use EAP-TTLS, only small changes to the configuration used in this
document are required. To use EAP-TLS, client certificates must be used as
well.
8.3. Can I use a Windows Supplicant (client) instead of GNU/Linux?
Yes. Windows XP SP1 and Windows 2000 SP3 have support for PEAP MSCHAPv2 (used
in this document). A Windows HOWTO can be found here: FreeRADIUS/WinXP
Authentication Setup
8.4. Can I use Active Directory to authenticate users?
Yes. FreeRADIUS can authenticate users from AD by using "ntlm_auth".
8.5. Are there any Windows Supplicant clients available?
Yes. Windows XP SP1 and Windows 2000 SP3 support WPA (PEAP/MS-CHAPv2). Other
clients include (not tested) [http://www.securew2.com] Secure W2 (free for
non-commercial use) and [http://wire.cs.nthu.edu.tw/wire1x/] WIRE1X.
[http://www.funk.com] Funk Software also has a commercial client available.
Useful Resources
Only IEEE standards older than 12 months are available to the public in
general (through the "Get IEEE 802 Program"). So the new 802.11i and
802.1X-2004 standards documents are not available. You must be an IEEE
participant to get hold of any drafts/work-in-progress papers (which actually
isn't that hard - just join a mailing list and say you are interested).
FreeRADIUS Server Project http://www.freeradius.org/
Open1x: Open Source implementation of IEEE 802.1X (Xsupplicant) http://www.open1x.org/
The Open1x User's Guide http://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236
Port-Based Network Access Control (802.1X-2001) http://standards.ieee.org/getieee802/download/802.1X-2001.pdf
RFC2246: The TLS Protocol Version 1.0 http://www.ietf.org/rfc/rfc2246.txt
RFC2459: Internet X.509 Public Key Infrastructure - Certificate and CRL Profile http://www.ietf.org/rfc/rfc2459.txt
RFC2548: Microsoft Vendor-specific RADIUS Attributes http://www.ietf.org/rfc/rfc2548.txt
RFC2716: PPP EAP TLS Authentication Protocol http://www.ietf.org/rfc/rfc2716.txt
RFC2865: Remote Authentication Dial-In User Service (RADIUS) http://www.ietf.org/rfc/rfc2865.txt
RFC3079: Deriving Keys for use with Microsoft Point-to-Point Encryption (MPPE) http://www.ietf.org/rfc/rfc3079.txt
RFC3579: RADIUS Support For EAP http://www.ietf.org/rfc/rfc3579.txt
RFC3580: IEEE 802.1X RADIUS Usage Guidelines http://www.ietf.org/rfc/rfc3580.txt
RFC3588: Diameter Base Protocol http://www.ietf.org/rfc/rfc3588.txt
RFC3610: Counter with CBC-MAC (CCM) http://www.ietf.org/rfc/rfc3610.txt
RFC3748: Extensible Authentication Protocol (EAP) http://www.ietf.org/rfc/rfc3748.txt
Linux Wireless Access Point HOWTO http://oob.freeshell.org/nzwireless/LWAP-HOWTO.html
SSL Certificates HOWTO http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/
OpenSSL: x509(1) http://www.openssl.org/docs/apps/x509.html
Copyright, acknowledgments and miscellaneous
10.1. Copyright and License
Copyright (c) 2004 Lars Strand.
Permission is granted to copy, distribute and/or modify this document under
the terms of the GNU Free Documentation License, Version 1.2 or any later
version published by the Free Software Foundation; with no Invariant
Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the
license is included in the section entitled "GNU Free Documentation License".
10.2. How this document was produced
This document was written in DocBook XML using Emacs.
10.3. Feedback
Suggestions, corrections, additions wanted. Contributors wanted and
acknowledged. Flames not wanted.
I can always be reached at
Homepage: [http://www.gnist.org/~lars/] http://www.gnist.org/~lars/
10.4. Acknowledgments
Thanks to Andreas Hafslund and Thales Communication
for initial support.
Also thanks to Artur Hecker, Chris Hessing <chris hessing at utah edu>,
Jouni Malinen and Terry Simons for valuable feedback!
Thanks to Rick Moen for doing a language review!
A. GNU Free Documentation License
Version 1.2, November 2002
Copyright (C) 2000,2001,2002 Free Software Foundation, Inc. 59 Temple Place,
Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies of this license
document, but changing it is not allowed.
A.1. PREAMBLE
The purpose of this License is to make a manual, textbook, or other
functional and useful document "free" in the sense of freedom: to assure
everyone the effective freedom to copy and redistribute it, with or without
modifying it, either commercially or noncommercially. Secondarily, this
License preserves for the author and publisher a way to get credit for their
work, while not being considered responsible for modifications made by
others.
This License is a kind of "copyleft", which means that derivative works of
the document must themselves be free in the same sense. It complements the
GNU General Public License, which is a copyleft license designed for free
software.
We have designed this License in order to use it for manuals for free
software, because free software needs free documentation: a free program
should come with manuals providing the same freedoms that the software does.
But this License is not limited to software manuals; it can be used for any
textual work, regardless of subject matter or whether it is published as a
printed book. We recommend this License principally for works whose purpose
is instruction or reference.
A.2. APPLICABILITY AND DEFINITIONS
This License applies to any manual or other work, in any medium, that
contains a notice placed by the copyright holder saying it can be distributed
under the terms of this License. Such a notice grants a world-wide,
royalty-free license, unlimited in duration, to use that work under the
conditions stated herein. The "Document", below, refers to any such manual or
work. Any member of the public is a licensee, and is addressed as "you". You
accept the license if you copy, modify or distribute the work in a way
requiring permission under copyright law.
A "Modified Version" of the Document means any work containing the Document
or a portion of it, either copied verbatim, or with modifications and/or
translated into another language.
A "Secondary Section" is a named appendix or a front-matter section of the
Document that deals exclusively with the relationship of the publishers or
authors of the Document to the Document's overall subject (or to related
matters) and contains nothing that could fall directly within that overall
subject. (Thus, if the Document is in part a textbook of mathematics, a
Secondary Section may not explain any mathematics.) The relationship could be
a matter of historical connection with the subject or with related matters,
or of