mirror of https://github.com/tLDP/LDP
2465 lines
82 KiB
XML
2465 lines
82 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
|
|
|
|
<!-- ID cannot begin with a number -->
|
|
<article id="article-8021X-HOWTO">
|
|
<articleinfo>
|
|
|
|
<!-- Article Title -->
|
|
<title>802.1X Port-Based Authentication HOWTO</title>
|
|
<titleabbrev>802.1X</titleabbrev>
|
|
|
|
<author>
|
|
<firstname>Lars</firstname>
|
|
<surname>Strand</surname>
|
|
<affiliation>
|
|
<!-- Valid email -->
|
|
<address><email>lars strand (at) gnist org</email></address>
|
|
</affiliation>
|
|
</author>
|
|
|
|
<editor>
|
|
<firstname>Rick</firstname>
|
|
<surname>Moen</surname>
|
|
<contrib>Language review of draft 0.0</contrib>
|
|
</editor>
|
|
|
|
<!-- All dates specified in ISO "YYYY-MM-DD" format -->
|
|
<pubdate>2004-08-18</pubdate>
|
|
|
|
<!-- Most-recent revision goes at the top; list in descending order -->
|
|
<revhistory id="revhistory">
|
|
<revision>
|
|
<revnumber>1.0</revnumber>
|
|
<date>2004-10-18</date>
|
|
<authorinitials>LKS</authorinitials>
|
|
<revremark>Initial Release, reviewed by TLDP.</revremark>
|
|
</revision>
|
|
<revision>
|
|
<revnumber>0.2b</revnumber>
|
|
<date>2004-10-13</date>
|
|
<authorinitials>LKS</authorinitials>
|
|
<revremark>Various updates. Thanks to Rick Moen <rick
|
|
(at) linuxmafia com> for language review. </revremark>
|
|
</revision>
|
|
<revision>
|
|
<revnumber>0.0</revnumber>
|
|
<date>2004-07-23</date>
|
|
<authorinitials>LKS</authorinitials>
|
|
<revremark>Initial draft.</revremark>
|
|
</revision>
|
|
</revhistory>
|
|
|
|
<!-- Provide a good abstract; a couple of sentences is sufficient -->
|
|
<abstract>
|
|
<para>
|
|
This document describes the software and procedures to set up
|
|
and use <ulink
|
|
url="http://standards.ieee.org/getieee802/download/802.1X-2001.pdf">IEEE
|
|
802.1X Port-Based Network Access Control</ulink> using <ulink
|
|
url="http://www.open1x.org"><application>Xsupplicant</application></ulink>
|
|
as Supplicant with <ulink
|
|
url="http://www.freeradius.org"><application>FreeRADIUS</application></ulink>
|
|
as a back-end Authentication Server.
|
|
</para>
|
|
</abstract>
|
|
|
|
</articleinfo>
|
|
|
|
<!-- ##################################################### -->
|
|
|
|
<sect1 id="intro">
|
|
<title>Introduction</title>
|
|
|
|
<para>
|
|
This document describes the software and procedures to set up and use <ulink
|
|
url="http://standards.ieee.org/getieee802/download/802.1X-2001.pdf">802.1X:
|
|
Port-Based Network Access Control</ulink> using <ulink
|
|
url="http://www.open1x.org"><application>Xsupplicant</application></ulink>
|
|
with PEAP (PEAP/MS-CHAPv2) as authentication method and <ulink
|
|
url="http://www.freeradius.org/"><application>FreeRADIUS</application></ulink>
|
|
as back-end authentication server.
|
|
</para>
|
|
|
|
<para>
|
|
If another authentication mechanism than PEAP is preferred, e.g.,
|
|
EAP-TLS or EAP-TTLS, only a small number of configuration options
|
|
needs to be changed. PEAP/MS-CHAPv2 are also supported by Windows XP
|
|
SP1/Windows 2000 SP3.
|
|
</para>
|
|
|
|
<!-- ################## -->
|
|
|
|
<sect2 id="what8021x">
|
|
<title>What is 802.1X?</title>
|
|
|
|
<para>The 802.1X-2001 standard states:</para>
|
|
|
|
<para>
|
|
<quote>Port-based network access control makes use of the physical
|
|
access characteristics of IEEE 802 LAN infrastructures in order to
|
|
provide a means of <emphasis>authenticating</emphasis> and
|
|
<emphasis>authorizing</emphasis> devices attached
|
|
to a LAN port that has point-to-point connection characteristics,
|
|
and of <emphasis>preventing access</emphasis> to that port in cases
|
|
which the authentication and authorization fails. A port in this
|
|
context is a single point of attachment to the LAN
|
|
infrastructure.</quote> --- 802.1X-2001, page 1.
|
|
</para>
|
|
|
|
<mediaobject id="p8021x">
|
|
<imageobject>
|
|
<imagedata fileref="images/8021X-Overview.png" format="PNG"
|
|
width="550" align="center" scalefit="1"/>
|
|
</imageobject>
|
|
<textobject>
|
|
<phrase>802.1X</phrase>
|
|
</textobject>
|
|
<caption>
|
|
<para>Figure 802.1X: A wireless node must be authenticated before it
|
|
can gain access to other LAN resources.</para>
|
|
</caption>
|
|
</mediaobject>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>
|
|
When a new wireless node (WN) requests access to a LAN resource,
|
|
the access point (AP) asks for the WN's identity. <emphasis>No
|
|
other traffic than EAP is allowed before the WN is authenticated
|
|
(the <quote>port</quote> is closed).</emphasis>
|
|
</para>
|
|
|
|
<para>
|
|
The wireless node that requests authentication is often called
|
|
<emphasis>Supplicant</emphasis>, although it is more correct to
|
|
say that the wireless node <emphasis>contains</emphasis> a
|
|
Supplicant. The Supplicant is responsible for responding to
|
|
Authenticator data that will establish its credentials. The same
|
|
goes for the access point; the
|
|
<emphasis>Authenticator is</emphasis> not the access point. Rather,
|
|
the access point contains an Authenticator. The Authenticator does
|
|
not even need to be in the access point; it can be an external
|
|
component.
|
|
</para>
|
|
|
|
<para>
|
|
EAP, which is the protocol used for authentication, was originally
|
|
used for dial-up PPP. The identity was the username, and either
|
|
PAP or CHAP authentication [<ulink
|
|
url="http://www.ietf.org/rfc/rfc1994.txt">RFC1994</ulink>] was
|
|
used to check the user's password. Since the identity is sent in
|
|
clear (not encrypted), a malicious sniffer may learn the user's
|
|
identity. <quote>Identity hiding</quote> is therefore used; the
|
|
real identity is not sent before the encrypted TLS tunnel is up.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
After the identity has been sent, the authentication process
|
|
begins. The protocol used between the Supplicant and the
|
|
Authenticator is EAP, or, more correctly, EAP encapsulation over
|
|
LAN (EAPOL). The Authenticator re-encapsulates the EAP messages to
|
|
RADIUS format, and passes them to the Authentication Server.
|
|
</para>
|
|
<para>
|
|
During authentication, the Authenticator just relays packets
|
|
between the Supplicant and the Authentication Server. When the
|
|
authentication process finishes, the Authentication Server sends a
|
|
success message (or failure, if the authentication
|
|
failed).<emphasis> The Authenticator then opens the
|
|
<quote>port</quote> for the Supplicant.</emphasis>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
After a successful authentication, the Supplicant is granted
|
|
access to other LAN resources/Internet.
|
|
</para>
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
|
|
<para>
|
|
See figure <link linkend="p8021x">802.1X</link> for explanation.
|
|
</para>
|
|
|
|
<para>
|
|
Why is it called <quote>port</quote>-based authentication? The
|
|
Authenticator deals with <emphasis>controlled</emphasis> and
|
|
<emphasis>uncontrolled</emphasis> ports. Both the controlled and the
|
|
uncontrolled port are logical entities (virtual ports), but use the
|
|
same physical connection to the LAN (same point of attachment).
|
|
</para>
|
|
|
|
<mediaobject id="port">
|
|
<imageobject>
|
|
<imagedata fileref="images/8021X-Ports.png" format="PNG"
|
|
width="550" align="center" scalefit="1"/>
|
|
</imageobject>
|
|
<textobject>
|
|
<phrase>802.1X (un)controlled port</phrase>
|
|
</textobject>
|
|
<caption>
|
|
<para>Figure port: The authorization state of the controlled
|
|
port.</para>
|
|
</caption>
|
|
</mediaobject>
|
|
|
|
<para>
|
|
Before authentication, only the uncontrolled port is
|
|
<quote>open</quote>. The only traffic allowed is EAPOL; see
|
|
Authenticator System 1 on figure <link
|
|
linkend="port">port</link>. After the Supplicant has been
|
|
authenticated, the controlled port is opened, and access to other LAN
|
|
resources are granted; see Authenticator System 2 on figure <link
|
|
linkend="port">port</link>.
|
|
</para>
|
|
|
|
<para>
|
|
802.1X plays a major role in the new IEEE wireless standard 802.11i.
|
|
</para>
|
|
|
|
</sect2>
|
|
<!-- ################## -->
|
|
|
|
<sect2 id="what80211i">
|
|
<title>What is 802.11i?</title>
|
|
|
|
<!-- ########### -->
|
|
|
|
<sect3 id="WEP">
|
|
<title>WEP</title>
|
|
|
|
<para>
|
|
Wired Equivalent Privacy (WEP), which is part of the original
|
|
802.11 standard, should provide confidentiality. Unfortunately WEP
|
|
is poorly designed and easily cracked. There is no authentication
|
|
mechanism, only a weak form of access control (must have the
|
|
shared key to communicate). Read more <ulink
|
|
url="http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html">here</ulink>.
|
|
</para>
|
|
|
|
<para>
|
|
As a response to WEP broken security, IEEE has come up with
|
|
a new wireless security standard named 802.11i. 802.1X plays a
|
|
major role in this new standard.
|
|
</para>
|
|
|
|
</sect3>
|
|
|
|
<!-- ########### -->
|
|
<sect3 id="RSN">
|
|
<title>802.11i</title>
|
|
|
|
<para>
|
|
The new security standard, 802.11i, which was ratified in June
|
|
2004, fixes all WEP weaknesses. It is divided into three main
|
|
categories:
|
|
</para>
|
|
|
|
<orderedlist>
|
|
|
|
<listitem>
|
|
<para>
|
|
<emphasis>Temporary Key Integrity Protocol (TKIP)</emphasis> is
|
|
a short-term solution that fixes all WEP weaknesses. TKIP can be
|
|
used with old 802.11 equipment (after a driver/firmware upgrade)
|
|
and provides integrity and confidentiality.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
<emphasis>Counter Mode with CBC-MAC Protocol (CCMP) [<ulink
|
|
url="http://www.ietf.org/rfc/rfc3610.txt">RFC2610</ulink>]</emphasis>
|
|
is a new protocol, designed from ground up. It uses AES [<ulink
|
|
url="http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf">FIPS
|
|
197</ulink>] as its cryptographic algorithm, and, since this is
|
|
more CPU intensive than RC4 (used in WEP and TKIP), new 802.11
|
|
hardware may be required. Some drivers can implement CCMP in
|
|
software. CCMP provides integrity and confidentiality.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
<emphasis>802.1X Port-Based Network Access Control:</emphasis>
|
|
Either when using TKIP or CCMP, 802.1X is used for
|
|
authentication.
|
|
</para>
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
|
|
<para>
|
|
In addition, an optional encryption method called <quote>Wireless
|
|
Robust Authentication Protocol</quote> (WRAP) may be used instead
|
|
of CCMP. WRAP was the original AES-based proposal for 802.11i, but
|
|
was replaced by CCMP since it became plagued by property
|
|
encumbrances. Support for WRAP is optional, but CCMP support is
|
|
mandatory in 802.11i.
|
|
</para>
|
|
|
|
<para>
|
|
802.11i also has an extended key derivation/management,
|
|
described next.
|
|
</para>
|
|
|
|
</sect3>
|
|
|
|
<!-- ########### -->
|
|
<sect3 id="Key">
|
|
<title>Key Management</title>
|
|
|
|
<!-- #### -->
|
|
<sect4 id="DynKey">
|
|
<title>Dynamic key exchange and management</title>
|
|
|
|
<para>
|
|
To enforce a security policy using encryption and integrity
|
|
algorithms, keys must be obtained. Fortunately, 802.11i implements
|
|
a key derivation/management regime. See figure <link
|
|
linkend="keyman">KM</link>.
|
|
</para>
|
|
|
|
<mediaobject id="keyman">
|
|
<imageobject>
|
|
<imagedata fileref="images/8021X-KeyManagement.png" format="PNG"
|
|
width="550" align="center" scalefit="1"/>
|
|
</imageobject>
|
|
<textobject>
|
|
<phrase>802.1X Key Management</phrase>
|
|
</textobject>
|
|
<caption>
|
|
<para>Figure KM: Key management and distribution in 802.11i.</para>
|
|
</caption>
|
|
</mediaobject>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>
|
|
When the Supplicant (WN) and Authentication Server (AS)
|
|
authenticate, one of the last messages sent from AS, given that
|
|
authentication was successful, is a <emphasis>Master Key
|
|
(MK)</emphasis>. After it has been sent, the MK is known only to the
|
|
WN and the AS. The MK is bound to this session between the WN and
|
|
the AS.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
Both the WN and the AS derive a new key, called the
|
|
<emphasis>Pairwise Master Key (PMK)</emphasis>, from the Master
|
|
Key.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
The PMK is then moved from the AS to the Authenticator (AP). Only
|
|
the WN and the AS can derive the PMK, else the AP could
|
|
make access-control decisions instead of the AS. The PMK is a fresh
|
|
symmetric key bound to this session between the WN and the AP.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
PMK and a 4-way handshake are used between the WN and the AP to
|
|
derive, bind, and verify a <emphasis>Pairwise Transient Key
|
|
(PTK)</emphasis>. The PTK is a collection of operational keys:
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<emphasis>Key Confirmation Key (KCK)</emphasis>, as the name
|
|
implies, is used to prove the posession of the PMK and to bind
|
|
the PMK to the AP.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
<emphasis>Key Encryption Key (KEK)</emphasis> is used to
|
|
distributed the Group Transient Key (GTK). Described below.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
<emphasis>Temporal Key 1 & 2 (TK1/TK2)</emphasis> are used
|
|
for encryption. Usage of TK1 and TK2 is ciphersuite-specific.
|
|
</para>
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
</para>
|
|
|
|
<para>
|
|
See figure <link linkend="pkh">PKH</link> for a overview of the
|
|
Pairwise Key Hierarchy.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
The KEK and a 4-way group handshake are then used to send the
|
|
<emphasis>Group Transient Key (GTK)</emphasis> from the AP to the
|
|
WN. The GTK is a shared key among all Supplicants connected to the
|
|
same Authenticator, and is used to secure multicast/broadcast
|
|
traffic.
|
|
</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<mediaobject id="pkh">
|
|
<imageobject>
|
|
<imagedata fileref="images/8021X-KeyHierarchy.png" format="PNG"
|
|
width="550" align="center" scalefit="1"/>
|
|
</imageobject>
|
|
<textobject>
|
|
<phrase>Pairwise Key Hierarchy</phrase>
|
|
</textobject>
|
|
<caption>
|
|
<para>Figure PKH: Pairwise Key Hierarchy</para>
|
|
</caption>
|
|
</mediaobject>
|
|
|
|
</sect4>
|
|
|
|
<!-- #### -->
|
|
<sect4 id="PSK">
|
|
<title>Pre-shared Key</title>
|
|
|
|
<para>
|
|
For small office / home office (SOHO), ad-hoc networks or home
|
|
usage, a pre-shared key (PSK) may be used. When using PSK, the whole
|
|
802.1X authentication process is elided. This has also been called
|
|
<quote>WPA Personal</quote> (WPA-PSK), whereas WPA using EAP (and
|
|
RADIUS) is <quote>WPA Enterprise</quote> or just
|
|
<quote>WPA</quote>.
|
|
</para>
|
|
|
|
<para>
|
|
The 256-bit PSK is generated from a given password using PBKDFv2
|
|
from [<ulink
|
|
url="http://www.ietf.org/rfc/rfc2898.txt">RFC2898</ulink>], and is
|
|
used as the Master Key (MK) described in the key management regime
|
|
above. It can be one single PSK for the whole network (insecure), or
|
|
one PSK per Supplicant (more secure).
|
|
</para>
|
|
|
|
</sect4>
|
|
|
|
</sect3>
|
|
|
|
|
|
<!-- ########### -->
|
|
<sect3 id="WPA">
|
|
<title>TSN (WPA) / RSN (WPA2)</title>
|
|
|
|
<para>
|
|
The industry didn't have time to wait until the 802.11i standard
|
|
was completed. They wanted the WEP issues fixed now! <ulink
|
|
url="http://www.wi-fi.org/">Wi-Fi Alliance</ulink> felt the
|
|
pressure, took a <quote>snapshot</quote> of the standard
|
|
(based on draft 3), and called it <emphasis>Wi-Fi Protected Access
|
|
(WPA)</emphasis>. One requirement was that existing 802.11
|
|
equipment could be used with WPA, so WPA is basically TKIP +
|
|
802.1X.
|
|
</para>
|
|
|
|
<para>
|
|
WPA is not the long term solution. To get a <emphasis>Robust
|
|
Secure Network (RSN)</emphasis>, the hardware must support and use
|
|
CCMP. RSN is basically CCMP + 802.1X.
|
|
</para>
|
|
|
|
<para>
|
|
RSN, which uses TKIP instead of CCMP, is also called Transition
|
|
Security Network (TSN). RSN may also be called WPA2, so that the
|
|
market don't get confused.
|
|
</para>
|
|
|
|
<para>
|
|
Confused?
|
|
</para>
|
|
|
|
<para>
|
|
Basically:
|
|
|
|
<itemizedlist>
|
|
<listitem><para>TSN = TKIP + 802.1X = WPA(1)</para></listitem>
|
|
<listitem><para>RSN = CCMP + 802.1X = WPA2</para></listitem>
|
|
</itemizedlist>
|
|
|
|
In addition comes key management, as described in the previous
|
|
section.
|
|
</para>
|
|
|
|
</sect3>
|
|
</sect2>
|
|
|
|
<!-- ################## -->
|
|
|
|
<sect2 id="EAP">
|
|
<title>What is EAP?</title>
|
|
|
|
<para>
|
|
Extensible Authentication Protocol (EAP) [<ulink
|
|
url="http://www.ietf.org/rfc/rfc3748.txt">RFC 3748</ulink>] is just
|
|
the transport protocol optimized for authentication, not the
|
|
authentication method itself:
|
|
</para>
|
|
|
|
<para>
|
|
<quote>
|
|
[EAP is] an authentication framework which supports multiple
|
|
authentication methods. EAP typically runs directly over data link
|
|
layers such as Point-to-Point Protocol (PPP) or IEEE 802, without
|
|
requiring IP. EAP provides its own support for duplicate
|
|
elimination and retransmission, but is reliant on lower layer
|
|
ordering guarantees. Fragmentation is not supported within EAP
|
|
itself; however, individual EAP methods may support this.</quote>
|
|
--- RFC 3748, page 3
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<!-- ################## -->
|
|
<sect2 id="auth">
|
|
<title>EAP authentication methods</title>
|
|
|
|
<para>
|
|
Since 802.1X is using EAP, multiple different authentication
|
|
schemes may be added, including smart cards, Kerberos, public key,
|
|
one time passwords, and others.
|
|
</para>
|
|
|
|
<para>
|
|
Some of the most-used EAP authentication mechanism are listed
|
|
below. A full list of registered EAP authentication types is
|
|
available at IANA: <ulink
|
|
url="http://www.iana.org/assignments/eap-numbers">http://www.iana.org/assignments/eap-numbers</ulink>.
|
|
</para>
|
|
|
|
<warning>
|
|
<para>
|
|
Not all authentication mechanisms are considered secure!
|
|
</para>
|
|
</warning>
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
<para>
|
|
<emphasis>EAP-MD5:</emphasis> MD5-Challenge requires
|
|
username/password, and is equivalent to the PPP CHAP protocol
|
|
[<ulink
|
|
url="http://www.ietf.org/rfc/rfc1994.txt">RFC1994</ulink>]. This
|
|
method does not provide dictionary attack resistance, mutual
|
|
authentication, or key derivation, and has therefore little use in a
|
|
wireless authentication enviroment.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
<emphasis>Lightweight EAP (LEAP):</emphasis> A username/password
|
|
combination is sent to a Authentication Server (RADIUS) for
|
|
authentication. Leap is a proprietary protocol developed by
|
|
Cisco, and is not considered secure. Cisco is phasing out LEAP in
|
|
favor of PEAP. The closest thing to a published standard can be
|
|
found <ulink
|
|
url="http://lists.cistron.nl/pipermail/cistron-radius/2001-September/002042.html">here</ulink>.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
<emphasis>EAP-TLS:</emphasis> Creates a TLS session within EAP,
|
|
between the Supplicant and the Authentication Server. Both the
|
|
server and the client(s) need a valid (x509) certificate, and
|
|
therefore a PKI. This method provides authentication both
|
|
ways. EAP-TLS is described in [<ulink
|
|
url="http://www.ietf.org/rfc/rfc2716.txt">RFC2716</ulink>].
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
<emphasis>EAP-TTLS:</emphasis> Sets up a encrypted TLS-tunnel for
|
|
safe transport of authentication data. Within the TLS tunnel,
|
|
(any) other authentication methods may be used. Developed by Funk
|
|
Software and Meetinghouse, and is currently an IETF draft.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
<emphasis>Protected EAP (PEAP):</emphasis> Uses, as EAP-TTLS, an
|
|
encrypted TLS-tunnel. Supplicant certificates for both EAP-TTLS
|
|
and EAP-PEAP are optional, but server (AS) certificates are
|
|
required. Developed by Microsoft, Cisco, and RSA Security, and is
|
|
currently an IETF draft.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
<emphasis>EAP-MSCHAPv2:</emphasis> Requires username/password, and
|
|
is basically an EAP encapsulation of MS-CHAP-v2 [<ulink
|
|
url="http://www.ietf.org/rfc/rfc2759.txt">RFC2759</ulink>].
|
|
Usually used inside of a PEAP-encrypted tunnel. Developed by
|
|
Microsoft, and is currently an IETF draft.
|
|
</para>
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
</sect2>
|
|
|
|
<!-- ################## -->
|
|
|
|
<sect2 id="AAA">
|
|
<title>What is RADIUS?</title>
|
|
|
|
<para>
|
|
Remote Authentication Dial-In User Service (RADIUS) is defined in
|
|
[<ulink url="http://www.ietf.org/rfc/rfc2865.txt">RFC2865</ulink>]
|
|
(with friends), and was primarily used by ISPs who authenticated
|
|
username and password before the user got authorized to use the
|
|
ISP's network.
|
|
</para>
|
|
|
|
<para>
|
|
802.1X does not specify what kind of back-end authentication
|
|
server must be present, but RADIUS is the "de-facto" back-end
|
|
authentication server used in 802.1X.
|
|
</para>
|
|
|
|
<para>
|
|
There are not many AAA protocols available, but both RADIUS and
|
|
DIAMETER [<ulink
|
|
url="http://www.ietf.org/rfc/rfc3588.txt">RFC3588</ulink>]
|
|
(including their extensions) conform to full AAA support. AAA
|
|
stands for Authentication, Authorization, and Accounting (<ulink
|
|
url="http://www.ietf.org/html.charters/aaa-charter.html">IETF's
|
|
AAA Working Group</ulink>).
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|
|
|
|
<!-- ####################################################### -->
|
|
<sect1 id="cert">
|
|
<title>Obtaining Certificates</title>
|
|
|
|
<note><para>OpenSSL must be installed to use either EAP-TLS,
|
|
EAP-TTLS, or PEAP!</para></note>
|
|
|
|
<para>
|
|
When using EAP-TLS, both the Authentication Server and all the
|
|
Supplicants (clients) need certificates [<ulink
|
|
url="http://www.ietf.org/rfc/rfc2459.txt">RFC2459</ulink>] . Using
|
|
EAP-TTLS or PEAP, only the Authentication Server requires
|
|
certificates; Supplicant certificates are optional.
|
|
</para>
|
|
|
|
<para>
|
|
You get certificates from the local certificate authority (CA). If
|
|
there is no local CA available, <application>OpenSSL</application>
|
|
may be used to generate self-signed certificates.
|
|
</para>
|
|
|
|
<para>
|
|
Included with the <application>FreeRADIUS</application> source are
|
|
some helper scripts to generate self-signed certificates. The scripts
|
|
are located under the <filename>scripts/</filename> folder included
|
|
with the <application>FreeRADIUS</application> source:
|
|
</para>
|
|
|
|
<para>
|
|
<filename>CA.all</filename> is a shell script that generates
|
|
certificates based on some questions it
|
|
ask. <filename>CA.certs</filename> generates certificates
|
|
non-interactively based on pre-defined information at the start of
|
|
the script.
|
|
</para>
|
|
|
|
<note>
|
|
<para>
|
|
The scripts uses a Perl script called <filename>CA.pl</filename>,
|
|
included with OpenSSL. The path to this Perl script
|
|
in <filename>CA.all</filename> and <filename>CA.certs</filename> may
|
|
need to be changed to make it work.
|
|
</para>
|
|
</note>
|
|
|
|
<tip>
|
|
<para>
|
|
More information on how to generate your own certificates can be
|
|
found in the <ulink
|
|
url="http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/">SSL
|
|
certificates HOWTO</ulink>.
|
|
</para>
|
|
</tip>
|
|
|
|
</sect1>
|
|
|
|
<!-- ####################################################### -->
|
|
|
|
<sect1 id="FreeRADIUS">
|
|
<title>Authentication Server: Setting up FreeRADIUS</title>
|
|
|
|
<para>
|
|
<application>FreeRADIUS</application> is a fully GPLed RADIUS server
|
|
implementation. It supports a wide range of authentication mechanisms,
|
|
but PEAP is used for the example in this document.
|
|
</para>
|
|
|
|
<!-- ################## -->
|
|
<sect2 id="instradius">
|
|
<title>Installing FreeRADIUS</title>
|
|
|
|
<procedure>
|
|
<title>Installing FreeRADIUS</title>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
Head over to the <application>FreeRADIUS</application> site, <ulink
|
|
url="http://www.freeradius.org/">http://www.freeradius.org/</ulink>,
|
|
and download the latest release.
|
|
</para>
|
|
|
|
<screen>
|
|
<prompt># </prompt><userinput><command>cd </command>/usr/local/src</userinput>
|
|
<prompt># </prompt><userinput><command>wget </command>ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.0.tar.gz</userinput>
|
|
<prompt># </prompt><userinput><command>tar </command>zxfv freeradius-1.0.0.tar.gz</userinput>
|
|
<prompt># </prompt><userinput><command>cd </command>freeradius-1.0.0</userinput>
|
|
</screen>
|
|
</step>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
Configure, make and install:
|
|
</para>
|
|
|
|
<screen>
|
|
<prompt># </prompt><userinput><command>./configure</command></userinput>
|
|
<prompt># </prompt><userinput><command>make</command></userinput>
|
|
<prompt># </prompt><userinput><command>make install</command></userinput>
|
|
</screen>
|
|
|
|
<para>
|
|
<emphasis>You can pass options to
|
|
<command>configure</command>. Use <command>./configure
|
|
--help</command> or read the README file, for more
|
|
information.</emphasis>
|
|
</para>
|
|
</step>
|
|
</procedure>
|
|
|
|
<para>
|
|
The binaries are installed in <filename>/usr/local/bin</filename> and
|
|
<filename>/usr/local/sbin</filename>. The configuration files are found
|
|
under <filename>/usr/local/etc/raddb</filename>.
|
|
</para>
|
|
|
|
<para>
|
|
If something went wrong, check the <filename>INSTALL</filename> and
|
|
<filename>README</filename> included with the source. The <ulink
|
|
url="http://www.freeradius.org/faq/">RADIUS FAQ</ulink> also contains
|
|
valuable information.
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<!-- ################## -->
|
|
<sect2 id="confradius">
|
|
<title>Configuring FreeRADIUS</title>
|
|
|
|
<para>
|
|
<application>FreeRADIUS</application> has a big and mighty
|
|
configuration file. It's so big, it has been split into several
|
|
smaller files that are just <quote>included</quote> into the main
|
|
<filename>radius.conf</filename> file.
|
|
</para>
|
|
|
|
<para>
|
|
There is numerous ways of using and setting up FreeRADIUS to do
|
|
what you want: i.e., fetch user information from LDAP, SQL, PDC,
|
|
Kerberos, etc. In this document, user information from a plain text
|
|
file, <filename>users</filename>, is used.
|
|
</para>
|
|
|
|
<tip>
|
|
<para>
|
|
The configuration files are thoroughly commented, and, if that is not
|
|
enough, the <filename>doc/</filename> folder that comes with the source
|
|
contains additional information.
|
|
</para>
|
|
</tip>
|
|
|
|
<procedure>
|
|
<title>Configuring FreeRADIUS</title>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
The configuration files can be found under <filename>/usr/local/etc/raddb/</filename>
|
|
</para>
|
|
<screen>
|
|
<prompt># </prompt><userinput><command>cd </command>/usr/local/etc/raddb/</userinput>
|
|
</screen>
|
|
</step>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
Open the main configuration file <filename>radiusd.conf</filename>,
|
|
<emphasis>and read the comments!</emphasis> Inside the encrypted
|
|
PEAP tunnel, an MS-CHAPv2 authentication mechanism is used.
|
|
</para>
|
|
|
|
<substeps>
|
|
<step performance="required">
|
|
<para>
|
|
MPPE [<ulink
|
|
url="http://www.ietf.org/rfc/rfc3078.txt">RFC3078</ulink>] is
|
|
responsible for sending the PMK to the AP. Make sure the following
|
|
settings are set:
|
|
</para>
|
|
|
|
<programlisting>
|
|
# under MODULES, make sure mschap is uncommented!
|
|
mschap {
|
|
# authtype value, if present, will be used
|
|
# to overwrite (or add) Auth-Type during
|
|
# authorization. Normally, should be MS-CHAP
|
|
authtype = MS-CHAP
|
|
|
|
# if use_mppe is not set to no, mschap will
|
|
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
|
|
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
|
|
#
|
|
use_mppe = yes
|
|
|
|
# if mppe is enabled, require_encryption makes
|
|
# encryption moderate
|
|
#
|
|
require_encryption = yes
|
|
|
|
# require_strong always requires 128 bit key
|
|
# encryption
|
|
#
|
|
require_strong = yes
|
|
|
|
authtype = MS-CHAP
|
|
# The module can perform authentication itself, OR
|
|
# use a Windows Domain Controller. See the radius.conf file
|
|
# for how to do this.
|
|
}
|
|
</programlisting>
|
|
</step>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
Also make sure the <quote>authorize</quote> and
|
|
<quote>authenticate</quote> contains:
|
|
</para>
|
|
|
|
<programlisting>
|
|
authorize {
|
|
preprocess
|
|
mschap
|
|
suffix
|
|
eap
|
|
files
|
|
}
|
|
|
|
authenticate {
|
|
|
|
#
|
|
# MSCHAP authentication.
|
|
Auth-Type MS-CHAP {
|
|
mschap
|
|
}
|
|
|
|
#
|
|
# Allow EAP authentication.
|
|
eap
|
|
}
|
|
</programlisting>
|
|
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
Then, change the <filename>clients.conf</filename> file to specify
|
|
what network it's serving:
|
|
</para>
|
|
|
|
<programlisting>
|
|
# Here, we specify which network we're serving
|
|
client 192.168.0.0/16 {
|
|
# This is the shared secret between the Authenticator (the
|
|
# access point) and the Authentication Server (RADIUS).
|
|
secret = SharedSecret99
|
|
shortname = testnet
|
|
}
|
|
</programlisting>
|
|
</step>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
The <filename>eap.conf</filename> should also be pretty
|
|
straightforward.
|
|
</para>
|
|
|
|
<substeps>
|
|
<step performance="required">
|
|
<para>
|
|
Set <quote>default_eap_type</quote> to <quote>peap</quote>:
|
|
</para>
|
|
|
|
<programlisting>
|
|
default_eap_type = peap
|
|
</programlisting>
|
|
</step>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
Since PEAP is using TLS, the TLS section must contain:
|
|
</para>
|
|
<programlisting>
|
|
tls {
|
|
# The private key password
|
|
private_key_password = SecretKeyPass77
|
|
# The private key
|
|
private_key_file = ${raddbdir}/certs/cert-srv.pem
|
|
# Trusted Root CA list
|
|
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
|
|
dh_file = ${raddbdir}/certs/dh
|
|
random_file = /dev/urandom
|
|
}
|
|
</programlisting>
|
|
</step>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
Find the <quote>peap</quote> section, and make sure it contain
|
|
the following:
|
|
</para>
|
|
|
|
<programlisting>
|
|
peap {
|
|
# The tunneled EAP session needs a default
|
|
# EAP type, which is separate from the one for
|
|
# the non-tunneled EAP module. Inside of the
|
|
# PEAP tunnel, we recommend using MS-CHAPv2,
|
|
# as that is the default type supported by
|
|
# Windows clients.
|
|
default_eap_type = mschapv2
|
|
}
|
|
</programlisting>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
|
|
<step>
|
|
<para>
|
|
The user information is stored in a plain text file
|
|
<filename>users</filename>. A more sophisticated solution to store
|
|
user information may be preferred (SQL, LDAP, PDC, etc.).
|
|
</para>
|
|
|
|
<para>
|
|
Make sure the <filename>users</filename> file contains the
|
|
following entry:
|
|
</para>
|
|
|
|
<screen>
|
|
"testuser" User-Password == "Secret149"
|
|
</screen>
|
|
</step>
|
|
|
|
</procedure>
|
|
|
|
</sect2>
|
|
</sect1>
|
|
|
|
<!-- ####################################################### -->
|
|
<sect1 id="xsupplicant">
|
|
<title>Supplicant: Setting up Xsupplicant</title>
|
|
|
|
<para>
|
|
The Supplicant is usually a laptop or other (wireless) device that
|
|
requires authentication. <application>Xsupplicant</application>
|
|
does the bidding of being the <quote>Supplicant</quote> part of the
|
|
IEEE 802.1X-2001 standard.
|
|
</para>
|
|
|
|
<!-- ################## -->
|
|
<sect2 id="instxsup">
|
|
<title>Installing Xsupplicant</title>
|
|
|
|
<procedure>
|
|
<title>Installing Xsupplicant</title>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
Download the latest source from <ulink
|
|
url="http://www.open1x.org/">http://www.open1x.org/</ulink>
|
|
</para>
|
|
|
|
<screen>
|
|
<prompt># </prompt><userinput><command>cd </command>/usr/local/src</userinput>
|
|
<prompt># </prompt><userinput><command>wget </command>http://belnet.dl.sourceforge.net/sourceforge/open1x/xsupplicant-1.0.tar.gz</userinput>
|
|
<prompt># </prompt><userinput><command>tar </command>zxfv xsupplicant-1.0.tar.gz</userinput>
|
|
<prompt># </prompt><userinput><command>cd </command>xsupplicant</userinput>
|
|
</screen>
|
|
</step>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
Configure, make, and install:
|
|
</para>
|
|
|
|
<screen>
|
|
<prompt># </prompt><userinput><command>./configure</command></userinput>
|
|
<prompt># </prompt><userinput><command>make</command></userinput>
|
|
<prompt># </prompt><userinput><command>make install</command></userinput>
|
|
</screen>
|
|
|
|
</step>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
If the configuration file wasn't installed (copied) into the "etc"
|
|
folder, do it manually:
|
|
</para>
|
|
|
|
<screen>
|
|
<prompt># </prompt><userinput><command>mkdir </command>-p /usr/local/etc/1x</userinput>
|
|
<prompt># </prompt><userinput><command>cp </command>etc/tls-example.conf /usr/local/etc/1x</userinput>
|
|
</screen>
|
|
</step>
|
|
|
|
</procedure>
|
|
|
|
<para>
|
|
If installation fails, check the <filename>README</filename> and
|
|
<filename>INSTALL</filename> files included with the source. You may
|
|
also check out the <ulink
|
|
url="http://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236">official
|
|
documentation</ulink>.
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<!-- ################## -->
|
|
<sect2 id="confxsup">
|
|
<title>Configuring Xsupplicant</title>
|
|
|
|
<procedure>
|
|
<title>Configuring Xsupplicant</title>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
The Supplicant must have access to the root certificate.
|
|
</para>
|
|
|
|
<para>
|
|
If the Supplicant needs to authenticate against the Authentication
|
|
Server (authentication both ways), the Supplicant must have
|
|
certificates as well.
|
|
</para>
|
|
|
|
<para>
|
|
Create a certificate folder, and move the certificates into it:
|
|
</para>
|
|
|
|
<screen>
|
|
<prompt># </prompt><userinput><command>mkdir</command> -p /usr/local/etc/1x/certs</userinput>
|
|
<prompt># </prompt><userinput><command>cp</command> root.pem /usr/local/etc/1x/certs/</userinput>
|
|
<prompt># </prompt>(copy optional client certificate(s) into the same folder)
|
|
</screen>
|
|
</step>
|
|
|
|
<step performance="required">
|
|
|
|
<para>
|
|
Open and edit the configuration file:
|
|
</para>
|
|
|
|
<programlisting>
|
|
# startup_command: the command to run when Xsupplicant is first started.
|
|
# This command can do things such as configure the card to associate with
|
|
# the network properly.
|
|
startup_command = <BEGIN_COMMAND>/usr/local/etc/1x/startup.sh<END_COMMAND>
|
|
</programlisting>
|
|
|
|
<para>
|
|
The <filename>startup.sh</filename> will be created shortly.
|
|
</para>
|
|
|
|
</step>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
When the client is authenticated, it will transmit a DHCP request or
|
|
manually set an IP address. Here, the Supplicant sets its IP address
|
|
manually in <filename>startup2.sh</filename>:
|
|
</para>
|
|
|
|
<programlisting>
|
|
# first_auth_command: the command to run when Xsupplicant authenticates to
|
|
# a wireless network for the first time. This will usually be used to
|
|
# start a DHCP client process.
|
|
#first_auth_command = <BEGIN_COMMAND>dhclient %i<END_COMMAND>
|
|
first_auth_command = <BEGIN_COMMAND>/usr/local/etc/1x/startup2.sh<END_COMMAND>
|
|
</programlisting>
|
|
</step>
|
|
|
|
<step performance="optional">
|
|
<para>
|
|
Since <quote>-i</quote> is just for debugging purpose (and may
|
|
go away according to the developers),
|
|
<quote>allow_interfaces</quote> must be set:
|
|
</para>
|
|
<programlisting>
|
|
allow_interfaces = eth0
|
|
deny_interfaces = eth1
|
|
</programlisting>
|
|
</step>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
Next, under the <quote>NETWORK SECTION</quote>, we'll configure
|
|
PEAP:
|
|
</para>
|
|
|
|
<programlisting>
|
|
# We'll be using PEAP
|
|
allow_types = eap_peap
|
|
|
|
# Don't want any eavesdropper to learn the username during the
|
|
# first phase (which is unencrypted), so 'identity hiding' is
|
|
# used (using a bogus username).
|
|
identity = <BEGIN_ID>anonymous<END_ID>
|
|
|
|
eap-peap {
|
|
# As in tls, define either a root certificate or a directory
|
|
# containing root certificates.
|
|
root_cert = /usr/local/etc/1x/certs/root.pem
|
|
#root_dir = /path/to/root/certificate/dir
|
|
#crl_dir = /path/to/dir/with/crl
|
|
chunk_size = 1398
|
|
random_file = /dev/urandom
|
|
#cncheck = myradius.radius.com # Verify that the server certificate
|
|
# has this value in its CN field.
|
|
#cnexact = yes # Should it be an exact match?
|
|
session_resume = yes
|
|
|
|
# Currently 'all' is just mschapv2.
|
|
# If no allow_types is defined, all is assumed.
|
|
#allow_types = all # where all = MSCHAPv2, MD5, OTP, GTC, SIM
|
|
allow_types = eap_mschapv2
|
|
|
|
# Right now, you can do any of these methods in PEAP:
|
|
eap-mschapv2 {
|
|
username = <BEGIN_UNAME>testuser<END_UNAME>
|
|
password = <BEGIN_PASS>Secret149<END_PASS>
|
|
}
|
|
}
|
|
</programlisting>
|
|
</step>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
The Supplicant must first associate with the access point. The
|
|
script <filename>startup.sh</filename> does that job. It is also
|
|
the first command <application>Xsupplicant</application> executes.
|
|
</para>
|
|
|
|
<note>
|
|
<para>
|
|
Notice the bogus key we give to iwconfig (<emphasis>enc
|
|
000000000</emphasis>)! This key is used to tell the driver
|
|
to run in encrypted mode. The key gets replaced after successful
|
|
authentication. This can be set to <emphasis>enc
|
|
off</emphasis> only if encryption is disabled in the AP (for
|
|
testing purposes).
|
|
</para>
|
|
</note>
|
|
|
|
<para>
|
|
Both <filename>startup.sh</filename> and
|
|
<filename>startup2.sh</filename> must be saved under
|
|
<filename>/usr/local/etc/1x/</filename>.
|
|
</para>
|
|
|
|
<programlisting>
|
|
#!/bin/bash
|
|
echo "Starting startup.sh"
|
|
# Take down interface (if it's up)
|
|
/sbin/ifconfig eth0 down
|
|
# To make sure the routes are flushed
|
|
sleep 1
|
|
# Configuring the interface with a bogus key
|
|
/sbin/iwconfig eth0 mode managed essid testnet enc 000000000
|
|
# Bring the interface up and make sure it listens to multicast packets
|
|
/sbin/ifconfig eth0 allmulti up
|
|
echo "Finished startup.sh"
|
|
</programlisting>
|
|
</step>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
This next file is used to set the IP address statically. This can
|
|
be omitted if a DHCP server is present (as it typically is, in many
|
|
access points).
|
|
</para>
|
|
|
|
<programlisting>
|
|
#!/bin/bash
|
|
echo "Starting startup2.sh"
|
|
# Assigning an IP address
|
|
/sbin/ifconfig eth0 192.168.1.5 netmask 255.255.255.0
|
|
echo "Finished startup2.sh"
|
|
</programlisting>
|
|
</step>
|
|
|
|
</procedure>
|
|
|
|
</sect2>
|
|
</sect1>
|
|
|
|
<!-- ##################################################### -->
|
|
<sect1 id="authenticator">
|
|
<title>Authenticator: Setting up the Authenticator (Access
|
|
Point)</title>
|
|
|
|
<para>
|
|
During the authentication process, the Authenticator just relays all
|
|
messages between the Supplicant and the Authentication Server
|
|
(RADIUS). EAPOL is used between the Supplicant and the Authenticator;
|
|
and, between the Authenticator and the Authentication Server, UDP is
|
|
used.
|
|
</para>
|
|
|
|
<!-- ################## -->
|
|
<sect2 id="AP">
|
|
<title>Access Point</title>
|
|
|
|
<para>
|
|
Many access point have support for 802.1X (and RADIUS)
|
|
authentication. It must first be configured to use 802.1X
|
|
authentication.
|
|
</para>
|
|
|
|
<note>
|
|
<para>
|
|
<emphasis>Configuring and setting up 802.1X on the AP may differ
|
|
between vendors.</emphasis> Listed below are the required settings to
|
|
make a Cisco AP350 work. Other settings to TIKP, CCMP etc. may also
|
|
be configured.
|
|
</para>
|
|
</note>
|
|
|
|
<para>
|
|
The AP must set the ESSID to <quote>testnet</quote> and must
|
|
activate:
|
|
</para>
|
|
|
|
<screenshot>
|
|
<screeninfo>Cisco AP350 RADIUS configuration screen</screeninfo>
|
|
<mediaobject id="ciscoAP">
|
|
<imageobject>
|
|
<imagedata fileref="images/8021X-CiscoAP.png" format="PNG" width="599"
|
|
align="center" scalefit="1"/>
|
|
</imageobject>
|
|
<textobject>
|
|
<phrase>The Cisco AP-350 RADIUS configuration</phrase>
|
|
</textobject>
|
|
<caption>
|
|
<para>Figure AP350: The RADIUS configuration screen for a Cisco
|
|
AP-350</para>
|
|
</caption>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
<para>
|
|
<emphasis>802.1X-2001:</emphasis> Make sure the 802.1X Protocol
|
|
version is set to <quote>802.1X-2001</quote>. Some older Access
|
|
Points support only the draft version of the 802.1X standard (and
|
|
may therefore not work).
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
<emphasis>RADIUS Server:</emphasis> the name/IP address of the
|
|
RADIUS server and the shared secret between the RADIUS server and
|
|
the Access Point (which in this document is "SharedSecret99"). See
|
|
figure <link linkend="ciscoAP">AP350</link>.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
<emphasis>EAP Authentication:</emphasis> The RADIUS server should be
|
|
used for EAP authentication.
|
|
</para>
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
<screenshot>
|
|
<screeninfo>Cisco AP350 Encryption configuration screen</screeninfo>
|
|
<mediaobject id="ciscoAP2">
|
|
<imageobject>
|
|
<imagedata fileref="images/8021X-CiscoAP2.png" format="PNG" width="604"
|
|
align="center" scalefit="1"/>
|
|
</imageobject>
|
|
<textobject>
|
|
<phrase>The Cisco AP-350 Encryption configuration</phrase>
|
|
</textobject>
|
|
<caption>
|
|
<para>Figure AP350-2: The Encryption configuration screen for a
|
|
Cisco AP-350</para>
|
|
</caption>
|
|
</mediaobject>
|
|
</screenshot>
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
<para>
|
|
<emphasis>Full Encryption</emphasis> to allow only encrypted
|
|
traffic. Note that 802.1X may be used without using encryption,
|
|
which is nice for test purposes.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
<emphasis>Open Authentication</emphasis> to make the Supplicant
|
|
associate with the Access Point before encryption keys are
|
|
available. Once the association is done, the Supplicant may start EAP
|
|
authentication.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
<emphasis>Require EAP</emphasis> for the <quote>Open
|
|
Authentication</quote>. That will ensure that only authenticated
|
|
users are allowed into the network.
|
|
</para>
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
</sect2>
|
|
|
|
<!-- ################## -->
|
|
<sect2 id="LinuxAP">
|
|
<title>Linux Authenticator</title>
|
|
<para>
|
|
An ordinary Linux node can be set up to function as a wireless Access
|
|
Point and Authenticator. How to set up and use Linux as an AP is
|
|
beyond the scope of this document. Simon Anderson's <ulink
|
|
url="http://oob.freeshell.org/nzwireless/LWAP-HOWTO.html">Linux
|
|
Wireless Access Point HOWTO</ulink> may be of guidance.
|
|
</para>
|
|
</sect2>
|
|
|
|
</sect1>
|
|
|
|
<!-- ##################################################### -->
|
|
<sect1 id="testbed">
|
|
<title>Testbed</title>
|
|
|
|
<!-- ################## -->
|
|
<sect2 id="testcase">
|
|
<title>Testcase</title>
|
|
|
|
<mediaobject id="testbedimg">
|
|
<imageobject>
|
|
<imagedata fileref="images/8021X-Testbed.png" format="PNG"
|
|
width="500" align="center" scalefit="1"/>
|
|
</imageobject>
|
|
<textobject>
|
|
<phrase>Testbed</phrase>
|
|
</textobject>
|
|
<caption>
|
|
<para>figure testbed: A wireless node request authentication.</para>
|
|
</caption>
|
|
</mediaobject>
|
|
|
|
<para>
|
|
Our testbed consists of two nodes and one Access Point (AP). One
|
|
node functions as the Supplicant (WN), the other as the back-end
|
|
Authentication Server running RADIUS (AS). The Access Point is the
|
|
Authenticator. See figure <link linkend="testbedimg">testbed</link>
|
|
for explanation.
|
|
</para>
|
|
|
|
<important>
|
|
<para>
|
|
It is crucial that the Access Point be able to reach (ping) the
|
|
Authentication Server, and vice versa!
|
|
</para>
|
|
</important>
|
|
|
|
</sect2>
|
|
|
|
<!-- ################## -->
|
|
<sect2 id="startrad">
|
|
<title>Running some tests</title>
|
|
|
|
<procedure>
|
|
<title>Running some tests</title>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
The RADIUS server is started in debug mode. This produces
|
|
<emphasis>a lot</emphasis> of debug information. The important
|
|
snippets are below:
|
|
</para>
|
|
|
|
<screen>
|
|
<prompt># </prompt><userinput><command>radiusd</command> -X</userinput>
|
|
Starting - reading configuration files ...
|
|
reread_config: reading radiusd.conf
|
|
Config: including file: /usr/local/etc/raddb/proxy.conf
|
|
Config: including file: /usr/local/etc/raddb/clients.conf
|
|
Config: including file: /usr/local/etc/raddb/snmp.conf
|
|
Config: including file: /usr/local/etc/raddb/eap.conf
|
|
Config: including file: /usr/local/etc/raddb/sql.conf
|
|
......
|
|
Module: Loaded MS-CHAP
|
|
mschap: use_mppe = yes
|
|
mschap: require_encryption = no
|
|
mschap: require_strong = no
|
|
mschap: with_ntdomain_hack = no
|
|
mschap: passwd = "(null)"
|
|
mschap: authtype = "MS-CHAP"
|
|
mschap: ntlm_auth = "(null)"
|
|
Module: Instantiated mschap (mschap)
|
|
......
|
|
Module: Loaded eap
|
|
eap: default_eap_type = "peap" <co id="rad_peap"/>
|
|
eap: timer_expire = 60
|
|
eap: ignore_unknown_eap_types = no
|
|
eap: cisco_accounting_username_bug = no
|
|
rlm_eap: Loaded and initialized type md5
|
|
tls: rsa_key_exchange = no <co id="rad_tls"/>
|
|
tls: dh_key_exchange = yes
|
|
tls: rsa_key_length = 512
|
|
tls: dh_key_length = 512
|
|
tls: verify_depth = 0
|
|
tls: CA_path = "(null)"
|
|
tls: pem_file_type = yes
|
|
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
|
|
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
|
|
tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
|
|
tls: private_key_password = "SecretKeyPass77"
|
|
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
|
|
tls: random_file = "/usr/local/etc/raddb/certs/random"
|
|
tls: fragment_size = 1024
|
|
tls: include_length = yes
|
|
tls: check_crl = no
|
|
tls: check_cert_cn = "(null)"
|
|
rlm_eap: Loaded and initialized type tls
|
|
peap: default_eap_type = "mschapv2" <co id="rad_mschapv2"/>
|
|
peap: copy_request_to_tunnel = no
|
|
peap: use_tunneled_reply = no
|
|
peap: proxy_tunneled_request_as_eap = yes
|
|
rlm_eap: Loaded and initialized type peap
|
|
mschapv2: with_ntdomain_hack = no
|
|
rlm_eap: Loaded and initialized type mschapv2
|
|
Module: Instantiated eap (eap)
|
|
......
|
|
Module: Loaded files
|
|
files: usersfile = "/usr/local/etc/raddb/users" <co id="rad_users"/>
|
|
......
|
|
Module: Instantiated radutmp (radutmp)
|
|
Listening on authentication *:1812
|
|
Listening on accounting *:1813
|
|
Ready to process requests. <co id="rad_finished"/>
|
|
</screen>
|
|
|
|
<calloutlist>
|
|
<callout arearefs="rad_peap">
|
|
<para>
|
|
Default EAP type is set to PEAP.
|
|
</para>
|
|
</callout>
|
|
<callout arearefs="rad_tls">
|
|
<para>
|
|
RADIUS's TLS settings are initiated here. The certificate type,
|
|
location, and password are listet here.
|
|
</para>
|
|
</callout>
|
|
<callout arearefs="rad_mschapv2">
|
|
<para>
|
|
Inside the PEAP tunnel, MS-CHAPv2 is used.
|
|
</para>
|
|
</callout>
|
|
<callout arearefs="rad_users">
|
|
<para>
|
|
The username/password information is found in the
|
|
<filename>users</filename> file.
|
|
</para>
|
|
</callout>
|
|
<callout arearefs="rad_finished">
|
|
<para>
|
|
RADIUS server started successfully. Waiting for incoming requests.
|
|
</para>
|
|
</callout>
|
|
</calloutlist>
|
|
|
|
<para>The radius server is now ready to process requests!</para>
|
|
|
|
<para>
|
|
The most interesting output is included above. If you get any
|
|
error message instead of the last line, go over the configuration
|
|
(above) carefully.
|
|
</para>
|
|
</step>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
Now the Supplicant is ready to get authenticated. Start
|
|
<application>Xsupplicant</application> in debug mode. Note that
|
|
we'll see output produced by the two startup scripts:
|
|
<filename>startup.sh</filename> and
|
|
<filename>startup2.sh</filename>.
|
|
</para>
|
|
|
|
<screen>
|
|
<prompt># </prompt><userinput><command>xsupplicant</command> -c /usr/local/etc/1x/1x.conf -i eth0 -d 6</userinput>
|
|
Starting /etc/1x/startup.sh
|
|
Finished /etc/1x/startup.sh
|
|
Starting /etc/1x/startup2.sh
|
|
Finished /etc/1x/startup2.sh
|
|
</screen>
|
|
</step>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
At the same time, the RADIUS server is producing a lot of
|
|
output. Key snippets are shown below:
|
|
</para>
|
|
|
|
<screen>
|
|
......
|
|
rlm_eap: Request found, released from the list
|
|
rlm_eap: EAP/peap
|
|
rlm_eap: processing type peap
|
|
rlm_eap_peap: Authenticate
|
|
rlm_eap_tls: processing TLS <co id="rpro_tls"/>
|
|
eaptls_verify returned 7
|
|
rlm_eap_tls: Done initial handshake
|
|
eaptls_process returned 7
|
|
rlm_eap_peap: EAPTLS_OK <co id="rpro_peap"/>
|
|
rlm_eap_peap: Session established. Decoding tunneled attributes.
|
|
rlm_eap_peap: Received EAP-TLV response.
|
|
rlm_eap_peap: Tunneled data is valid.
|
|
rlm_eap_peap: Success
|
|
rlm_eap: Freeing handler
|
|
modcall[authenticate]: module "eap" returns ok for request 8
|
|
modcall: group authenticate returns ok for request 8
|
|
Login OK: [testuser/<no User-Password attribute>] (from client testnet port 37 cli 0002a56fa08a)
|
|
Sending Access-Accept of id 8 to 192.168.2.1:1032 <co id="rpro_accept"/>
|
|
MS-MPPE-Recv-Key = 0xf21757b96f52ddaefe084c343778d0082c2c8e12ce18ae10a79c550ae61a5206 <co id="rpro_reckey"/>
|
|
MS-MPPE-Send-Key = 0x5e1321e06a45f7ac9f78fb9d398cab5556bff6c9d003cdf8161683bfb7e7af18
|
|
EAP-Message = 0x030a0004
|
|
Message-Authenticator = 0x00000000000000000000000000000000
|
|
User-Name = "testuser"
|
|
</screen>
|
|
|
|
<calloutlist>
|
|
<callout arearefs="rpro_tls">
|
|
<para>
|
|
TLS session startup. Doing TLS-handshake.
|
|
</para>
|
|
</callout>
|
|
<callout arearefs="rpro_peap">
|
|
<para>
|
|
The TLS session (PEAP-encrypted tunnel) is up.
|
|
</para>
|
|
</callout>
|
|
<callout arearefs="rpro_accept">
|
|
<para>
|
|
The Supplicant has been authenticated successfully by the
|
|
RADIUS server. An <quote>Access-Accept</quote> message is
|
|
sent.
|
|
</para>
|
|
</callout>
|
|
<callout arearefs="rpro_reckey">
|
|
<para>
|
|
The <emphasis>MS-MPPE-Recv-Key</emphasis> [<ulink
|
|
url="http://www.ietf.org/rfc/rfc2548.txt">RFC2548</ulink>
|
|
section 2.4.3] contains the Pairwise Master Key (PMK) destined
|
|
to the Authenticator (access point), encrypted with the MPPE
|
|
Protocol [<ulink
|
|
url="http://www.ietf.org/rfc/rfc3078.txt">RFC3078</ulink>],
|
|
using the shared secret between the Authenticator and
|
|
Authentication Server as key. The Supplicant derives the same
|
|
PMK from MK, as described in <link linkend="Key">Key
|
|
Management</link>.
|
|
</para>
|
|
</callout>
|
|
|
|
</calloutlist>
|
|
|
|
</step>
|
|
|
|
<step performance="required">
|
|
<para>
|
|
The Authenticator (access point) may also show something like this
|
|
in its log:
|
|
</para>
|
|
|
|
<screen>
|
|
00:02:16 (Info): Station 0002a56fa08a Associated
|
|
00:02:17 (Info): Station=0002a56fa08a User="testuser" EAP-Authenticated
|
|
</screen>
|
|
</step>
|
|
</procedure>
|
|
|
|
<para>
|
|
That's it! The Supplicant is now authenticated to use the Access
|
|
Point!
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|
|
|
|
<!-- ##################################################### -->
|
|
<sect1 id="dynWEP">
|
|
<title>Note about driver support and Xsupplicant</title>
|
|
|
|
<para>
|
|
As described in <link linkend="Key">Key Management</link>, one of
|
|
the big advantages of using Dynamic WEP/802.11i with 802.1X is the
|
|
support for session keys. A new encryption key is generated for each
|
|
session.
|
|
</para>
|
|
|
|
<para>
|
|
<application>Xsupplicant</application> only supports <quote>Dynamic
|
|
WEP</quote> as of this writing. Support for WPA and RSN/WPA2
|
|
(802.11i) is being worked on, and is estimated to be supported at
|
|
the end of the year/early next year (2004/2005), according to Chris
|
|
Hessing (one of the <application>Xsupplicants</application>
|
|
developers).
|
|
</para>
|
|
|
|
<para>
|
|
Not all wireless drives support dynamic WEP, nor WPA. To use RSN
|
|
(WPA2), new support in hardware may even be required. Many older
|
|
drivers assume only one WEP key will be used on the network at any
|
|
time. The card is reset whenever the key is changed to let the new
|
|
key take effect. This triggers a new authentication, and there is a
|
|
never-ending loop.
|
|
</para>
|
|
|
|
<para>
|
|
At the time of writing, most of the wireless drivers in the base
|
|
Linux kernel require patching to make dynamic WEP/WPA work. They
|
|
will, in time, be upgraded to support these new features. Many drivers
|
|
developed outside the kernel, however, support for dynamic WEP;
|
|
HostAP, madwifi, Orinoco, and atmel should work without problems.
|
|
</para>
|
|
|
|
<para>
|
|
Instead of using Xsupplicant, <ulink
|
|
url="http://hostap.epitest.fi/wpa_supplicant/">wpa_supplicant</ulink>
|
|
may be used. It has support for both WPA and RSN (WPA2), and a wide
|
|
range of EAP authentication methods.
|
|
</para>
|
|
|
|
|
|
</sect1>
|
|
|
|
<!-- ##################################################### -->
|
|
<sect1 id="faq">
|
|
<title>FAQ</title>
|
|
|
|
<para>
|
|
Do not forget to check out the FAQ section of both the <ulink
|
|
url="http://www.freeradius.org/faq/">FreeRADIUS</ulink> (highly
|
|
recommended!) and <ulink
|
|
url="http://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236#ch7">
|
|
Xsupplicant</ulink> Web sites!
|
|
</para>
|
|
|
|
<qandaset>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
<para>
|
|
Is it possible to allow user-specific
|
|
<application>Xsupplicant</application> configuration, to avoid
|
|
having a global configuration file?
|
|
</para>
|
|
</question>
|
|
|
|
<answer>
|
|
<para>
|
|
No, not at the moment.
|
|
</para>
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
<para>I don't want to use PEAP; can I use EAP-TTLS or EAP-TLS instead?</para>
|
|
</question>
|
|
|
|
<answer>
|
|
<para>
|
|
Yes. To use EAP-TTLS, only small changes to the configuration used
|
|
in this document are required. To use EAP-TLS, client certificates
|
|
must be used as well.
|
|
</para>
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
<para>
|
|
Can I use a Windows Supplicant (client) instead of GNU/Linux?
|
|
</para>
|
|
</question>
|
|
|
|
<answer>
|
|
<para>
|
|
Yes. Windows XP SP1/Windows 2000 SP3 has support for PEAP MSCHAPv2
|
|
(used in this document). A Windows HOWTO can be found here: <ulink
|
|
url="http://text.dslreports.com/forum/remark,9286052~mode=flat">FreeRADIUS/WinXP
|
|
Authentication Setup</ulink>
|
|
</para>
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
<para>
|
|
Can I use a Active Directory to authenticate users?
|
|
</para>
|
|
</question>
|
|
|
|
<answer>
|
|
<para>
|
|
Yes. FreeRADIUS can authenticate users from AD by using
|
|
<quote>ntlm_auth</quote>.
|
|
</para>
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
<para>
|
|
Is there any Windows Supplicant clients available?
|
|
</para>
|
|
</question>
|
|
|
|
<answer>
|
|
<para>
|
|
Yes. As of Windows XP SP1 or Windows 2000 SP3, support for WPA
|
|
(PEAP/MS-CHAPv2) is supported. Other clients include (not tested)
|
|
<ulink url="http://www.securew2.com">Secure W2</ulink> (free for
|
|
non-commercial) and <ulink
|
|
url="http://wire.cs.nthu.edu.tw/wire1x/">WIRE1X</ulink>. <ulink
|
|
url="http://www.funk.com">Funk Software</ulink> also has a
|
|
commercial client available.
|
|
</para>
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
</qandaset>
|
|
|
|
</sect1>
|
|
|
|
<!-- ##################################################### -->
|
|
<sect1 id="resources">
|
|
<title>Useful Resources</title>
|
|
|
|
<para>
|
|
Only IEEE standards older than 12 months are available to
|
|
the public in general (through the <ulink
|
|
url="http://standards.ieee.org/getieee802/"><quote>Get IEEE 802
|
|
Program</quote></ulink>). So the new <emphasis>802.11i</emphasis> and
|
|
<emphasis>802.1X-2004</emphasis> standards documents are not
|
|
available. You must be a IEEE participant to get hold of any
|
|
drafts/work in progress papers (which actually isn't that hard -
|
|
just join a mailing list and say you are interested).
|
|
</para>
|
|
|
|
<para>
|
|
<orderedlist>
|
|
|
|
<listitem>
|
|
<para>FreeRADIUS Server Project<ulink
|
|
url="http://www.freeradius.org/">
|
|
http://www.freeradius.org/</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Open1x: Open Source implementation of IEEE 802.1X (Xsupplicant)<ulink
|
|
url="http://www.open1x.org/">
|
|
http://www.open1x.org/</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The Open1x User's Guide<ulink
|
|
url="http://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236">
|
|
http://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Port-Based Network Access Control (802.1X-2001)<ulink
|
|
url="http://standards.ieee.org/getieee802/download/802.1X-2001.pdf">
|
|
http://standards.ieee.org/getieee802/download/802.1X-2001.pdf</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>RFC2246: The TLS Protocol Version 1.0<ulink
|
|
url="http://www.ietf.org/rfc/rfc2246.txt">
|
|
http://www.ietf.org/rfc/rfc2246.txt</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>RFC2459: Internet X.509 Public Key Infrastructure -
|
|
Certificate and CRL Profile<ulink
|
|
url="http://www.ietf.org/rfc/rfc2459.txt">
|
|
http://www.ietf.org/rfc/rfc2459.txt</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>RFC2548: Microsoft Vendor-specific RADIUS Attributes<ulink
|
|
url="http://www.ietf.org/rfc/rfc2548.txt">
|
|
http://www.ietf.org/rfc/rfc2548.txt</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>RFC2716: PPP EAP TLS Authentication Protocol<ulink
|
|
url="http://www.ietf.org/rfc/rfc2716.txt">
|
|
http://www.ietf.org/rfc/rfc2716.txt</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>RFC2865: Remote Authentication Dial-In User Service (RADIUS)<ulink
|
|
url="http://www.ietf.org/rfc/rfc2865.txt">
|
|
http://www.ietf.org/rfc/rfc2865.txt</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>RFC3079: Deriving Keys for use with Microsoft Point-to-Point Encryption (MPPE)<ulink
|
|
url="http://www.ietf.org/rfc/rfc3079.txt">
|
|
http://www.ietf.org/rfc/rfc3079.txt</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>RFC3579: RADIUS Support For EAP<ulink
|
|
url="http://www.ietf.org/rfc/rfc3579.txt">
|
|
http://www.ietf.org/rfc/rfc3579.txt</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>RFC3580: IEEE 802.1X RADIUS Usage Guidelines<ulink
|
|
url="http://www.ietf.org/rfc/rfc3580.txt">
|
|
http://www.ietf.org/rfc/rfc3580.txt</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>RFC3588: Diameter Base Protocol<ulink
|
|
url="http://www.ietf.org/rfc/rfc3588.txt">
|
|
http://www.ietf.org/rfc/rfc3588.txt</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>RFC3610: Counter with CBC-MAC (CCM)<ulink
|
|
url="http://www.ietf.org/rfc/rfc3610.txt">
|
|
http://www.ietf.org/rfc/rfc3610.txt</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>RFC3748: Extensible Authentication Protocol (EAP)<ulink
|
|
url="http://www.ietf.org/rfc/rfc3748.txt">
|
|
http://www.ietf.org/rfc/rfc3748.txt</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Linux Wireless Access Point HOWTO <ulink
|
|
url="http://oob.freeshell.org/nzwireless/LWAP-HOWTO.html">
|
|
http://oob.freeshell.org/nzwireless/LWAP-HOWTO.html</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>SSL Certificates HOWTO<ulink
|
|
url="http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/">
|
|
http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>OpenSSL: x509(1)<ulink
|
|
url="http://www.openssl.org/docs/apps/x509.html">
|
|
http://www.openssl.org/docs/apps/x509.html</ulink>
|
|
</para>
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
</para>
|
|
</sect1>
|
|
|
|
<!-- ##################################################### -->
|
|
|
|
<sect1 id="copyack">
|
|
<title>Copyright, acknowledgments and miscellaneous</title>
|
|
|
|
<!-- ################## -->
|
|
|
|
<sect2 id="copyright">
|
|
<title>Copyright and License</title>
|
|
<para> Copyright (c) 2004 Lars Strand.</para>
|
|
<para>
|
|
Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the <ulink
|
|
url="http://www.gnu.org/licenses/fdl.html">GNU Free
|
|
Documentation License</ulink>, Version 1.2 or any later version
|
|
published by the Free Software Foundation; with no Invariant
|
|
Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy
|
|
of the license is included in the section entitled "GNU Free
|
|
Documentation License".
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<!-- ################## -->
|
|
|
|
<sect2 id="produced">
|
|
|
|
<title>How this document was produced</title>
|
|
|
|
<para>This document was written in DocBook XML using Emacs.</para>
|
|
|
|
</sect2>
|
|
|
|
<!-- ################## -->
|
|
|
|
<sect2 id="feedback">
|
|
|
|
<title>Feedback</title>
|
|
|
|
<para>
|
|
Suggestions, corrections, additions wanted. Contributors wanted
|
|
and acknowledged. Flames not wanted.
|
|
</para>
|
|
|
|
<para>
|
|
I can always be reached at <email>lars strand at gnist org</email>
|
|
</para>
|
|
|
|
<para>
|
|
Homepage: <ulink
|
|
url="http://www.gnist.org/~lars/">http://www.gnist.org/~lars/</ulink>
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<!-- ################## -->
|
|
|
|
<sect2 id="ack">
|
|
|
|
<title>Acknowledgments</title>
|
|
|
|
<para>
|
|
Thanks to Andreas Hafslund <email>andreha at unik no</email> and Thales
|
|
Communication for initial support.
|
|
</para>
|
|
|
|
<para>
|
|
Also thanks to Artur Hecker <email>hecker at enst fr</email>,
|
|
Chris Hessing <email>chris hessing at utah edu</email>, Jouni
|
|
Malinen <email>jkmaline at cc hut fi</email> and Terry
|
|
Simons <email>galimore at mac com</email> for valuable feedback!
|
|
</para>
|
|
|
|
<para>
|
|
Thanks to Rick Moen <email>rick at linuxmafia com</email> for
|
|
doing a language review!
|
|
</para>
|
|
</sect2>
|
|
|
|
</sect1>
|
|
|
|
<!-- ################## -->
|
|
|
|
<appendix id="gfdl">
|
|
<title>GNU Free Documentation License</title>
|
|
<subtitle>Version 1.2, November 2002</subtitle>
|
|
|
|
<blockquote id="fsf-copyright">
|
|
<para>Copyright (C) 2000,2001,2002 Free Software Foundation, Inc.
|
|
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
Everyone is permitted to copy and distribute verbatim copies
|
|
of this license document, but changing it is not allowed.</para>
|
|
</blockquote>
|
|
|
|
<section id="gfdl-0"><title>PREAMBLE</title>
|
|
|
|
<para>The purpose of this License is to make a manual, textbook, or
|
|
other functional and useful document "free" in the sense of freedom: to
|
|
assure everyone the effective freedom to copy and redistribute it, with
|
|
or without modifying it, either commercially or noncommercially.
|
|
Secondarily, this License preserves for the author and publisher a way
|
|
to get credit for their work, while not being considered responsible for
|
|
modifications made by others.</para>
|
|
|
|
<para>This License is a kind of "copyleft", which means that derivative
|
|
works of the document must themselves be free in the same sense. It
|
|
complements the GNU General Public License, which is a copyleft license
|
|
designed for free software.</para>
|
|
|
|
<para>We have designed this License in order to use it for manuals for
|
|
free software, because free software needs free documentation: a free
|
|
program should come with manuals providing the same freedoms that the
|
|
software does. But this License is not limited to software manuals; it
|
|
can be used for any textual work, regardless of subject matter or
|
|
whether it is published as a printed book. We recommend this License
|
|
principally for works whose purpose is instruction or reference.</para>
|
|
</section>
|
|
|
|
<section id="gfdl-1"><title>APPLICABILITY AND DEFINITIONS</title>
|
|
|
|
<para id="gfdl-doc">This License applies to any manual or other work, in
|
|
any medium, that contains a notice placed by the copyright holder saying
|
|
it can be distributed under the terms of this License. Such a notice
|
|
grants a world-wide, royalty-free license, unlimited in duration, to use
|
|
that work under the conditions stated herein. The "Document", below,
|
|
refers to any such manual or work. Any member of the public is a
|
|
licensee, and is addressed as "you". You accept the license if you
|
|
copy, modify or distribute the work in a way requiring permission under
|
|
copyright law.</para>
|
|
|
|
<para id="gfdl-mod-ver">A "Modified Version" of the Document means any
|
|
work containing the Document or a portion of it, either copied verbatim,
|
|
or with modifications and/or translated into another language.</para>
|
|
|
|
<para id="gfdl-secnd-sect">A "Secondary Section" is a named appendix or
|
|
a front-matter section of the Document that deals exclusively with the
|
|
relationship of the publishers or authors of the Document to the
|
|
Document's overall subject (or to related matters) and contains nothing
|
|
that could fall directly within that overall subject. (Thus, if the
|
|
Document is in part a textbook of mathematics, a Secondary Section may
|
|
not explain any mathematics.) The relationship could be a matter of
|
|
historical connection with the subject or with related matters, or of
|
|
legal, commercial, philosophical, ethical or political position
|
|
regarding them.</para>
|
|
|
|
<para id="gfdl-inv-sect">The "Invariant Sections" are certain Secondary
|
|
Sections whose titles are designated, as being those of Invariant
|
|
Sections, in the notice that says that the Document is released under
|
|
this License. If a section does not fit the above definition of
|
|
Secondary then it is not allowed to be designated as Invariant. The
|
|
Document may contain zero Invariant Sections. If the Document does not
|
|
identify any Invariant Sections then there are none.</para>
|
|
|
|
<para id="gfdl-cov-text">The "Cover Texts" are certain short passages of
|
|
text that are listed, as Front-Cover Texts or Back-Cover Texts, in the
|
|
notice that says that the Document is released under this License. A
|
|
Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at
|
|
most 25 words.</para>
|
|
|
|
<para id="gfdl-transparent">A "Transparent" copy of the Document means a
|
|
machine-readable copy, represented in a format whose specification is
|
|
available to the general public, that is suitable for revising the
|
|
document straightforwardly with generic text editors or (for images
|
|
composed of pixels) generic paint programs or (for drawings) some widely
|
|
available drawing editor, and that is suitable for input to text
|
|
formatters or for automatic translation to a variety of formats suitable
|
|
for input to text formatters. A copy made in an otherwise Transparent
|
|
file format whose markup, or absence of markup, has been arranged to
|
|
thwart or discourage subsequent modification by readers is not
|
|
Transparent. An image format is not Transparent if used for any
|
|
substantial amount of text. A copy that is not "Transparent" is called
|
|
"Opaque".</para>
|
|
|
|
<para>Examples of suitable formats for Transparent copies include plain
|
|
ASCII without markup, Texinfo input format, LaTeX input format, SGML or
|
|
XML using a publicly available DTD, and standard-conforming simple HTML,
|
|
PostScript or PDF designed for human modification. Examples of
|
|
transparent image formats include PNG, XCF and JPG. Opaque formats
|
|
include proprietary formats that can be read and edited only by
|
|
proprietary word processors, SGML or XML for which the DTD and/or
|
|
processing tools are not generally available, and the machine-generated
|
|
HTML, PostScript or PDF produced by some word processors for output
|
|
purposes only.</para>
|
|
|
|
<para id="gfdl-title-page">The "Title Page" means, for a printed book,
|
|
the title page itself, plus such following pages as are needed to hold,
|
|
legibly, the material this License requires to appear in the title page.
|
|
For works in formats which do not have any title page as such, "Title
|
|
Page" means the text near the most prominent appearance of the work's
|
|
title, preceding the beginning of the body of the text.</para>
|
|
|
|
<para id="gfdl-entitled">A section "Entitled XYZ" means a named subunit
|
|
of the Document whose title either is precisely XYZ or contains XYZ in
|
|
parentheses following text that translates XYZ in another language.
|
|
(Here XYZ stands for a specific section name mentioned below, such as
|
|
"Acknowledgements", "Dedications", "Endorsements", or "History".) To
|
|
"Preserve the Title" of such a section when you modify the Document
|
|
means that it remains a section "Entitled XYZ" according to this
|
|
definition.</para>
|
|
|
|
<para>The Document may include Warranty Disclaimers next to the notice
|
|
which states that this License applies to the Document. These Warranty
|
|
Disclaimers are considered to be included by reference in this License,
|
|
but only as regards disclaiming warranties: any other implication that
|
|
these Warranty Disclaimers may have is void and has no effect on the
|
|
meaning of this License.</para>
|
|
</section>
|
|
|
|
<section id="gfdl-2"><title>VERBATIM COPYING</title>
|
|
|
|
<para>You may copy and distribute the Document in any medium, either
|
|
commercially or noncommercially, provided that this License, the
|
|
copyright notices, and the license notice saying this License applies to
|
|
the Document are reproduced in all copies, and that you add no other
|
|
conditions whatsoever to those of this License. You may not use
|
|
technical measures to obstruct or control the reading or further copying
|
|
of the copies you make or distribute. However, you may accept
|
|
compensation in exchange for copies. If you distribute a large enough
|
|
number of copies you must also follow the conditions in section 3.
|
|
</para>
|
|
|
|
<para>You may also lend copies, under the same conditions stated above,
|
|
and you may publicly display copies.</para>
|
|
</section>
|
|
|
|
<section id="gfdl-3"><title>COPYING IN QUANTITY</title>
|
|
|
|
<para>If you publish printed copies (or copies in media that commonly
|
|
have printed covers) of the Document, numbering more than 100, and the
|
|
Document's license notice requires Cover Texts, you must enclose the
|
|
copies in covers that carry, clearly and legibly, all these Cover Texts:
|
|
Front-Cover Texts on the front cover, and Back-Cover Texts on the back
|
|
cover. Both covers must also clearly and legibly identify you as the
|
|
publisher of these copies. The front cover must present the full title
|
|
with all words of the title equally prominent and visible. You may add
|
|
other material on the covers in addition. Copying with changes limited
|
|
to the covers, as long as they preserve the title of the Document and
|
|
satisfy these conditions, can be treated as verbatim copying in other
|
|
respects.</para>
|
|
|
|
<para>If the required texts for either cover are too voluminous to fit
|
|
legibly, you should put the first ones listed (as many as fit
|
|
reasonably) on the actual cover, and continue the rest onto adjacent
|
|
pages.</para>
|
|
|
|
<para>If you publish or distribute Opaque copies of the Document
|
|
numbering more than 100, you must either include a machine-readable
|
|
Transparent copy along with each Opaque copy, or state in or with each
|
|
Opaque copy a computer-network location from which the general
|
|
network-using public has access to download using public-standard
|
|
network protocols a complete Transparent copy of the Document, free of
|
|
added material. If you use the latter option, you must take reasonably
|
|
prudent steps, when you begin distribution of Opaque copies in quantity,
|
|
to ensure that this Transparent copy will remain thus accessible at the
|
|
stated location until at least one year after the last time you
|
|
distribute an Opaque copy (directly or through your agents or retailers)
|
|
of that edition to the public.</para>
|
|
|
|
<para>It is requested, but not required, that you contact the authors of
|
|
the Document well before redistributing any large number of copies, to
|
|
give them a chance to provide you with an updated version of the
|
|
Document.</para>
|
|
</section>
|
|
|
|
<section id="gfdl-4"><title>MODIFICATIONS</title>
|
|
|
|
<para>You may copy and distribute a Modified Version of the Document
|
|
under the conditions of sections 2 and 3 above, provided that you
|
|
release the Modified Version under precisely this License, with the
|
|
Modified Version filling the role of the Document, thus licensing
|
|
distribution and modification of the Modified Version to whoever
|
|
possesses a copy of it. In addition, you must do these things in the
|
|
Modified Version:</para>
|
|
|
|
<orderedlist id="gfdl-modif-cond" numeration="upperalpha">
|
|
<listitem><simpara>Use in the Title Page (and on the covers, if any) a
|
|
title distinct from that of the Document, and from those of previous
|
|
versions (which should, if there were any, be listed in the History
|
|
section of the Document). You may use the same title as a previous
|
|
version if the original publisher of that version gives permission.
|
|
</simpara></listitem>
|
|
<listitem><simpara>List on the Title Page, as authors, one or more
|
|
persons or entities responsible for authorship of the modifications in
|
|
the Modified Version, together with at least five of the principal
|
|
authors of the Document (all of its principal authors, if it has fewer
|
|
than five), unless they release you from this requirement.
|
|
</simpara></listitem>
|
|
<listitem><simpara>State on the Title page the name of the publisher of
|
|
the Modified Version, as the publisher.</simpara></listitem>
|
|
<listitem><simpara>Preserve all the copyright notices of the Document.
|
|
</simpara></listitem>
|
|
<listitem><simpara>Add an appropriate copyright notice for your
|
|
modifications adjacent to the other copyright notices.
|
|
</simpara></listitem>
|
|
<listitem><simpara>Include, immediately after the copyright notices, a
|
|
license notice giving the public permission to use the Modified
|
|
Version under the terms of this License, in the form shown in the
|
|
<link linkend="gfdl-addendum">Addendum</link> below.
|
|
</simpara></listitem>
|
|
<listitem><simpara>Preserve in that license notice the full lists of
|
|
Invariant Sections and required Cover Texts given in the Document's
|
|
license notice.</simpara></listitem>
|
|
<listitem><simpara>Include an unaltered copy of this License.
|
|
</simpara></listitem>
|
|
<listitem><simpara>Preserve the section Entitled "History", Preserve its
|
|
Title, and add to it an item stating at least the title, year, new
|
|
authors, and publisher of the Modified Version as given on the Title
|
|
Page. If there is no section Entitled "History" in the Document,
|
|
create one stating the title, year, authors, and publisher of the
|
|
Document as given on its Title Page, then add an item describing the
|
|
Modified Version as stated in the previous sentence.
|
|
</simpara></listitem>
|
|
<listitem><simpara>Preserve the network location, if any, given in the
|
|
Document for public access to a Transparent copy of the Document, and
|
|
likewise the network locations given in the Document for previous
|
|
versions it was based on. These may be placed in the "History"
|
|
section. You may omit a network location for a work that was
|
|
published at least four years before the Document itself, or if the
|
|
original publisher of the version it refers to gives permission.
|
|
</simpara></listitem>
|
|
<listitem><simpara>For any section Entitled "Acknowledgements" or
|
|
"Dedications", Preserve the Title of the section, and preserve in the
|
|
section all the substance and tone of each of the contributor
|
|
acknowledgements and/or dedications given therein.
|
|
</simpara></listitem>
|
|
<listitem><simpara>Preserve all the Invariant Sections of the Document,
|
|
unaltered in their text and in their titles. Section numbers or the
|
|
equivalent are not considered part of the section titles.
|
|
</simpara></listitem>
|
|
<listitem><simpara>Delete any section Entitled "Endorsements".
|
|
Such a section may not be included in the Modified Version.
|
|
</simpara></listitem>
|
|
<listitem><simpara>Do not retitle any existing section to be Entitled
|
|
"Endorsements" or to conflict in title with any Invariant Section.
|
|
</simpara></listitem>
|
|
<listitem><simpara>Preserve any Warranty Disclaimers.
|
|
</simpara></listitem>
|
|
</orderedlist>
|
|
|
|
<para>If the Modified Version includes new front-matter sections or
|
|
appendices that qualify as Secondary Sections and contain no material
|
|
copied from the Document, you may at your option designate some or all
|
|
of these sections as invariant. To do this, add their titles to the
|
|
list of Invariant Sections in the Modified Version's license notice.
|
|
These titles must be distinct from any other section titles.</para>
|
|
|
|
<para>You may add a section Entitled "Endorsements", provided it
|
|
contains nothing but endorsements of your Modified Version by various
|
|
parties--for example, statements of peer review or that the text has
|
|
been approved by an organization as the authoritative definition of a
|
|
standard.</para>
|
|
|
|
<para>You may add a passage of up to five words as a Front-Cover Text,
|
|
and a passage of up to 25 words as a Back-Cover Text, to the end of the
|
|
list of Cover Texts in the Modified Version. Only one passage of
|
|
Front-Cover Text and one of Back-Cover Text may be added by (or through
|
|
arrangements made by) any one entity. If the Document already includes
|
|
a cover text for the same cover, previously added by you or by
|
|
arrangement made by the same entity you are acting on behalf of, you may
|
|
not add another; but you may replace the old one, on explicit permission
|
|
from the previous publisher that added the old one.</para>
|
|
|
|
<para>The author(s) and publisher(s) of the Document do not by this
|
|
License give permission to use their names for publicity for or to
|
|
assert or imply endorsement of any Modified Version.</para>
|
|
</section>
|
|
|
|
<section id="gfdl-5"><title>COMBINING DOCUMENTS</title>
|
|
|
|
<para>You may combine the Document with other documents released under
|
|
this License, under the terms defined in <link linkend="gfdl-4">section
|
|
4</link> above for modified versions, provided that you include in the
|
|
combination all of the Invariant Sections of all of the original
|
|
documents, unmodified, and list them all as Invariant Sections of your
|
|
combined work in its license notice, and that you preserve all their
|
|
Warranty Disclaimers.</para>
|
|
|
|
<para>The combined work need only contain one copy of this License, and
|
|
multiple identical Invariant Sections may be replaced with a single
|
|
copy. If there are multiple Invariant Sections with the same name but
|
|
different contents, make the title of each such section unique by adding
|
|
at the end of it, in parentheses, the name of the original author or
|
|
publisher of that section if known, or else a unique number. Make the
|
|
same adjustment to the section titles in the list of Invariant Sections
|
|
in the license notice of the combined work.</para>
|
|
|
|
<para>In the combination, you must combine any sections Entitled
|
|
"History" in the various original documents, forming one section
|
|
Entitled "History"; likewise combine any sections Entitled
|
|
"Acknowledgements", and any sections Entitled "Dedications". You must
|
|
delete all sections Entitled "Endorsements".</para>
|
|
</section>
|
|
|
|
<section id="gfdl-6"><title>COLLECTIONS OF DOCUMENTS</title>
|
|
|
|
<para>You may make a collection consisting of the Document and other
|
|
documents released under this License, and replace the individual copies
|
|
of this License in the various documents with a single copy that is
|
|
included in the collection, provided that you follow the rules of this
|
|
License for verbatim copying of each of the documents in all other
|
|
respects.</para>
|
|
|
|
<para>You may extract a single document from such a collection, and
|
|
distribute it individually under this License, provided you insert a
|
|
copy of this License into the extracted document, and follow this
|
|
License in all other respects regarding verbatim copying of that
|
|
document.</para>
|
|
</section>
|
|
|
|
<section id="gfdl-7"><title>AGGREGATION WITH INDEPENDENT WORKS</title>
|
|
|
|
<para>A compilation of the Document or its derivatives with other
|
|
separate and independent documents or works, in or on a volume of a
|
|
storage or distribution medium, is called an "aggregate" if the
|
|
copyright resulting from the compilation is not used to limit the legal
|
|
rights of the compilation's users beyond what the individual works
|
|
permit. When the Document is included in an aggregate, this License does
|
|
not apply to the other works in the aggregate which are not themselves
|
|
derivative works of the Document.</para>
|
|
|
|
<para>If the Cover Text requirement of section 3 is applicable to these
|
|
copies of the Document, then if the Document is less than one half of
|
|
the entire aggregate, the Document's Cover Texts may be placed on covers
|
|
that bracket the Document within the aggregate, or the electronic
|
|
equivalent of covers if the Document is in electronic form. Otherwise
|
|
they must appear on printed covers that bracket the whole
|
|
aggregate.</para>
|
|
</section>
|
|
|
|
<section id="gfdl-8"><title>TRANSLATION</title>
|
|
|
|
<para>Translation is considered a kind of modification, so you may
|
|
distribute translations of the Document under the terms of section 4.
|
|
Replacing Invariant Sections with translations requires special
|
|
permission from their copyright holders, but you may include
|
|
translations of some or all Invariant Sections in addition to the
|
|
original versions of these Invariant Sections. You may include a
|
|
translation of this License, and all the license notices in the
|
|
Document, and any Warranty Disclaimers, provided that you also include
|
|
the original English version of this License and the original versions
|
|
of those notices and disclaimers. In case of a disagreement between the
|
|
translation and the original version of this License or a notice or
|
|
disclaimer, the original version will prevail.</para>
|
|
|
|
<para>If a section in the Document is Entitled "Acknowledgements",
|
|
"Dedications", or "History", the requirement (section 4) to Preserve its
|
|
Title (section 1) will typically require changing the actual
|
|
title.</para>
|
|
</section>
|
|
|
|
<section id="gfdl-9"><title>TERMINATION</title>
|
|
|
|
<para>You may not copy, modify, sublicense, or distribute the Document
|
|
except as expressly provided for under this License. Any other attempt
|
|
to copy, modify, sublicense or distribute the Document is void, and will
|
|
automatically terminate your rights under this License. However,
|
|
parties who have received copies, or rights, from you under this License
|
|
will not have their licenses terminated so long as such parties remain
|
|
in full compliance.</para>
|
|
</section>
|
|
|
|
<section id="gfdl-10"><title>FUTURE REVISIONS OF THIS LICENSE</title>
|
|
|
|
<para>The Free Software Foundation may publish new, revised versions of
|
|
the GNU Free Documentation License from time to time. Such new versions
|
|
will be similar in spirit to the present version, but may differ in
|
|
detail to address new problems or concerns. See
|
|
http://www.gnu.org/copyleft/.</para>
|
|
|
|
<para>Each version of the License is given a distinguishing version
|
|
number. If the Document specifies that a particular numbered version of
|
|
this License "or any later version" applies to it, you have the option
|
|
of following the terms and conditions either of that specified version
|
|
or of any later version that has been published (not as a draft) by the
|
|
Free Software Foundation. If the Document does not specify a version
|
|
number of this License, you may choose any version ever published (not
|
|
as a draft) by the Free Software Foundation.</para>
|
|
</section>
|
|
|
|
<section id="gfdl-addendum"><title>ADDENDUM: How to use this License for
|
|
your documents</title>
|
|
|
|
<para>To use this License in a document you have written, include a copy
|
|
of the License in the document and put the following copyright and
|
|
license notices just after the title page:</para>
|
|
|
|
<blockquote id="copyright-sample"><para>
|
|
Copyright (c) YEAR YOUR NAME.
|
|
Permission is granted to copy, distribute and/or modify this document
|
|
under the terms of the GNU Free Documentation License, Version 1.2
|
|
or any later version published by the Free Software Foundation;
|
|
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
|
|
A copy of the license is included in the section entitled "GNU
|
|
Free Documentation License".
|
|
</para></blockquote>
|
|
|
|
<para>If you have Invariant Sections, Front-Cover Texts and Back-Cover
|
|
Texts, replace the "with...Texts." line with this:</para>
|
|
|
|
<blockquote id="inv-cover-sample"><para>
|
|
with the Invariant Sections being LIST THEIR TITLES, with the
|
|
Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
|
|
</para></blockquote>
|
|
|
|
<para>If you have Invariant Sections without Cover Texts, or some other
|
|
combination of the three, merge those two alternatives to suit the
|
|
situation.</para>
|
|
|
|
<para>If your document contains nontrivial examples of program code, we
|
|
recommend releasing these examples in parallel under your choice of free
|
|
software license, such as the GNU General Public License, to permit
|
|
their use in free software.</para>
|
|
</section>
|
|
</appendix>
|
|
|
|
</article>
|