<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>Authenticator: Setting up the Authenticator (Access
Point)</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="802.1X Port-Based Authentication HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Supplicant: Setting up Xsupplicant"
HREF="xsupplicant.html"><LINK
REL="NEXT"
TITLE="Testbed"
HREF="testbed.html"></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>802.1X Port-Based Authentication HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="xsupplicant.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="testbed.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="authenticator"
></A
>5. Authenticator: Setting up the Authenticator (Access
Point)</H1
><P
> During the authentication process, the Authenticator simply relays all
messages between the Supplicant and the Authentication Server
(RADIUS). EAPOL is used between the Supplicant and the Authenticator,
and UDP is used between the Authenticator and the Authentication
Server.
</P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AP"
></A
>5.1. Access Point</H2
><P
> Many access points support 802.1X (and RADIUS)
authentication. The access point must first be configured to use
802.1X authentication.
</P
><DIV
CLASS="note"
><P
></P
><TABLE
CLASS="note"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/note.gif"
HSPACE="5"
ALT="Note"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
> <EM
>Configuring and setting up 802.1X on the AP may differ
between vendors.</EM
> Listed below are the required settings to
make a Cisco AP350 work. Other settings, such as TKIP and CCMP, may
also be configured.
</P
></TD
></TR
></TABLE
></DIV
><P
> The AP must set the ESSID to <SPAN
CLASS="QUOTE"
>"testnet"</SPAN
> and must
activate:
</P
><DIV
CLASS="mediaobject"
><P
><IMG
SRC="images/8021X-CiscoAP.png"
ALIGN="center"
WIDTH="599"><DIV
CLASS="caption"
><P
>Figure AP350: The RADIUS configuration screen for a Cisco
AP-350</P
></DIV
></P
></DIV
><P
></P
><UL
><LI
><P
> <EM
>802.1X-2001:</EM
> Make sure the 802.1X Protocol
version is set to <SPAN
CLASS="QUOTE"
>"802.1X-2001"</SPAN
>. Some older Access
Points support only the draft version of the 802.1X standard (and
may therefore not work).
</P
></LI
><LI
><P
> <EM
>RADIUS Server:</EM
> the name/IP address of the
RADIUS server and the shared secret between the RADIUS server and
the Access Point (which in this document is "SharedSecret99"). See
figure <A
HREF="authenticator.html#ciscoAP"
>AP350</A
>.
</P
></LI
><LI
><P
> <EM
>EAP Authentication:</EM
> The RADIUS server should be
used for EAP authentication.
</P
></LI
></UL
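><P
> The relay described at the start of this section, together with the
shared secret entered under RADIUS Server above, as an added example (not
part of the original HOWTO and not Cisco or Xsupplicant code): the
Authenticator lifts the EAP message out of an EAPOL frame, carries it in a
RADIUS Access-Request, and protects it with the RFC 3579
Message-Authenticator attribute, which the server can verify only with the
same secret. The identity "testuser", the RADIUS identifier and all
function names are constructed for illustration.
</P
><PRE
>
```python
import hashlib
import hmac
import os
import struct

SECRET = b"SharedSecret99"      # the shared secret this HOWTO configures on the AP
EAPOL_VERSION_2001 = 1          # EAPOL protocol version defined by 802.1X-2001
EAPOL_EAP_PACKET = 0            # EAPOL packet type that carries an EAP message
ACCESS_REQUEST = 1              # RADIUS packet code
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80   # RADIUS attribute types

def eap_identity_response(ident, name):
    """EAP-Response/Identity as a Supplicant sends it (constructed sample)."""
    body = bytes([1]) + name                          # EAP type 1 = Identity
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body   # code 2 = Response

def eapol_wrap(eap):
    return struct.pack("!BBH", EAPOL_VERSION_2001, EAPOL_EAP_PACKET, len(eap)) + eap

def eapol_unwrap(frame):
    """Authenticator side: accept only a well-formed EAPOL EAP-Packet."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET or length != len(frame) - 4:
        raise ValueError("not a well-formed EAPOL EAP-Packet")
    return frame[4:]

def attr(atype, value):         # one RADIUS attribute; value is at most 253 bytes
    return bytes([atype, 2 + len(value)]) + value

def relay_to_radius(frame, radius_id, secret):
    """Move the EAP message unchanged from EAPOL into a RADIUS Access-Request."""
    eap = eapol_unwrap(frame)
    attrs = (attr(USER_NAME, eap[5:])                 # identity follows the 5 header bytes
             + attr(EAP_MESSAGE, eap)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed while the HMAC is computed
    head = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs))
    packet = head + os.urandom(16) + attrs            # 16-byte Request Authenticator
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac

def server_accepts(packet, secret):
    """RADIUS server side: recompute the HMAC-MD5 with its own copy of the secret."""
    zeroed = packet[:-16] + bytes(16)                 # Message-Authenticator is last here
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[-16:])

if __name__ == "__main__":
    request = relay_to_radius(eapol_wrap(eap_identity_response(7, b"testuser")), 42, SECRET)
    print(server_accepts(request, SECRET), server_accepts(request, b"WrongSecret"))
```
</PRE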
><DIV
CLASS="mediaobject"
><P
><IMG
SRC="images/8021X-CiscoAP2.png"
ALIGN="center"
WIDTH="604"><DIV
CLASS="caption"
><P
>Figure AP350-2: The Encryption configuration screen for a
Cisco AP-350</P
></DIV
></P
></DIV
><P
></P
><UL
><LI
><P
> <EM
>Full Encryption</EM
> to allow only encrypted
traffic. Note that 802.1X may be used without using encryption,
which is nice for test purposes.
</P
></LI
><LI
><P
> <EM
>Open Authentication</EM
> to make the Supplicant
associate with the Access Point before encryption keys are
available. Once the association is done, the Supplicant may start EAP
authentication.
</P
></LI
><LI
><P
> <EM
>Require EAP</EM
> for the <SPAN
CLASS="QUOTE"
>"Open
Authentication"</SPAN
>. That will ensure that only authenticated
users are allowed into the network.
</P
></LI
></UL
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="LinuxAP"
></A
>5.2. Linux Authenticator</H2
><P
> An ordinary Linux node can be set up to function as a wireless Access
Point and Authenticator. How to set up and use Linux as an AP is
beyond the scope of this document. Simon Anderson's <A
HREF="http://oob.freeshell.org/nzwireless/LWAP-HOWTO.html"
TARGET="_top"
>Linux
Wireless Access Point HOWTO</A
> may serve as a guide.
</P
></DIV
></DIV
></BODY
></HTML
>