LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/8021X-HOWTO/testbed.html

671 lines
12 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>Testbed</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="802.1X Port-Based Authentication HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Authenticator: Setting up the Authenticator (Access
Point)"
HREF="authenticator.html"><LINK
REL="NEXT"
TITLE="Note about driver support and Xsupplicant"
HREF="dynwep.html"></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>802.1X Port-Based Authentication HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="authenticator.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="dynwep.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="testbed"
></A
>6. Testbed</H1
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="testcase"
></A
>6.1. Testcase</H2
><DIV
CLASS="mediaobject"
><P
><IMG
SRC="images/8021X-Testbed.png"
ALIGN="center"
WIDTH="500"><DIV
CLASS="caption"
><P
>figure testbed: A wireless node request authentication.</P
></DIV
></P
></DIV
><P
>&#13; Our testbed consists of two nodes and one Access Point (AP). One
node functions as the Supplicant (WN), the other as the back-end
Authentication Server running RADIUS (AS). The Access Point is the
Authenticator. See figure <A
HREF="testbed.html#testbedimg"
>testbed</A
>
for explanation.
</P
><DIV
CLASS="important"
><P
></P
><TABLE
CLASS="important"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/important.gif"
HSPACE="5"
ALT="Important"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>&#13; It is crucial that the Access Point be able to reach (ping) the
Authentication Server, and vice versa!
</P
></TD
></TR
></TABLE
></DIV
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="startrad"
></A
>6.2. Running some tests</H2
><DIV
CLASS="procedure"
><P
><B
>Running some tests</B
></P
><OL
TYPE="1"
><LI
><P
>&#13; The RADIUS server is started in debug mode. This produces
<EM
>a lot</EM
> of debug information. The important
snippets are below:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13; <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>radiusd</B
> -X</B
></TT
>
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
......
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
......
Module: Loaded eap
eap: default_eap_type = "peap" <A
NAME="rad_peap"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
>
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
tls: rsa_key_exchange = no <A
NAME="rad_tls"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
>
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "SecretKeyPass77"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2" <A
NAME="rad_mschapv2"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
>
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
......
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users" <A
NAME="rad_users"
><IMG
SRC="../images/callouts/4.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(4)"></A
>
......
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests. <A
NAME="rad_finished"
><IMG
SRC="../images/callouts/5.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(5)"></A
>
</PRE
></FONT
></TD
></TR
></TABLE
><DIV
CLASS="calloutlist"
><DL
COMPACT="COMPACT"
><DT
><A
HREF="testbed.html#rad_peap"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
></DT
><DD
>&#13; Default EAP type is set to PEAP.
</DD
><DT
><A
HREF="testbed.html#rad_tls"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
></DT
><DD
>&#13; RADIUS's TLS settings are initiated here. The certificate type,
location, and password are listet here.
</DD
><DT
><A
HREF="testbed.html#rad_mschapv2"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
></DT
><DD
>&#13; Inside the PEAP tunnel, MS-CHAPv2 is used.
</DD
><DT
><A
HREF="testbed.html#rad_users"
><IMG
SRC="../images/callouts/4.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(4)"></A
></DT
><DD
>&#13; The username/password information is found in the
<TT
CLASS="filename"
>users</TT
> file.
</DD
><DT
><A
HREF="testbed.html#rad_finished"
><IMG
SRC="../images/callouts/5.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(5)"></A
></DT
><DD
>&#13; RADIUS server started successfully. Waiting for incoming requests.
</DD
></DL
></DIV
><P
>The radius server is now ready to process requests!</P
><P
>&#13; The most interesting output is included above. If you get any
error message instead of the last line, go over the configuration
(above) carefully.
</P
></LI
><LI
><P
>&#13; Now the Supplicant is ready to get authenticated. Start
<SPAN
CLASS="application"
>Xsupplicant</SPAN
> in debug mode. Note that
we'll see output produced by the two startup scripts:
<TT
CLASS="filename"
>startup.sh</TT
> and
<TT
CLASS="filename"
>startup2.sh</TT
>.
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13; <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>xsupplicant</B
> -c /usr/local/etc/1x/1x.conf -i eth0 -d 6</B
></TT
>
Starting /etc/1x/startup.sh
Finished /etc/1x/startup.sh
Starting /etc/1x/startup2.sh
Finished /etc/1x/startup2.sh
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13; At the same time, the RADIUS server is producing a lot of
output. Key snippets are shown below:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13; ......
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS <A
NAME="rpro_tls"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
>
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK <A
NAME="rpro_peap"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
>
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Success
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 8
modcall: group authenticate returns ok for request 8
Login OK: [testuser/&#60;no User-Password attribute&#62;] (from client testnet port 37 cli 0002a56fa08a)
Sending Access-Accept of id 8 to 192.168.2.1:1032 <A
NAME="rpro_accept"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
>
MS-MPPE-Recv-Key = 0xf21757b96f52ddaefe084c343778d0082c2c8e12ce18ae10a79c550ae61a5206 <A
NAME="rpro_reckey"
><IMG
SRC="../images/callouts/4.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(4)"></A
>
MS-MPPE-Send-Key = 0x5e1321e06a45f7ac9f78fb9d398cab5556bff6c9d003cdf8161683bfb7e7af18
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testuser"
</PRE
></FONT
></TD
></TR
></TABLE
><DIV
CLASS="calloutlist"
><DL
COMPACT="COMPACT"
><DT
><A
HREF="testbed.html#rpro_tls"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
></DT
><DD
>&#13; TLS session startup. Doing TLS-handshake.
</DD
><DT
><A
HREF="testbed.html#rpro_peap"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
></DT
><DD
>&#13; The TLS session (PEAP-encrypted tunnel) is up.
</DD
><DT
><A
HREF="testbed.html#rpro_accept"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
></DT
><DD
>&#13; The Supplicant has been authenticated successfully by the
RADIUS server. An <SPAN
CLASS="QUOTE"
>"Access-Accept"</SPAN
> message is
sent.
</DD
><DT
><A
HREF="testbed.html#rpro_reckey"
><IMG
SRC="../images/callouts/4.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(4)"></A
></DT
><DD
>&#13; The <EM
>MS-MPPE-Recv-Key</EM
> [<A
HREF="http://www.ietf.org/rfc/rfc2548.txt"
TARGET="_top"
>RFC2548</A
>
section 2.4.3] contains the Pairwise Master Key (PMK) destined
to the Authenticator (access point), encrypted with the MPPE
Protocol [<A
HREF="http://www.ietf.org/rfc/rfc3078.txt"
TARGET="_top"
>RFC3078</A
>],
using the shared secret between the Authenticator and
Authentication Server as key. The Supplicant derives the same
PMK from MK, as described in <A
HREF="intro.html#Key"
>Key
Management</A
>.
</DD
></DL
></DIV
></LI
><LI
><P
>&#13; The Authenticator (access point) may also show something like this
in its log:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13; 00:02:16 (Info): Station 0002a56fa08a Associated
00:02:17 (Info): Station=0002a56fa08a User="testuser" EAP-Authenticated
</PRE
></FONT
></TD
></TR
></TABLE
></LI
></OL
></DIV
><P
>&#13; That's it! The Supplicant is now authenticated to use the Access
Point!
</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="authenticator.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="dynwep.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Authenticator: Setting up the Authenticator (Access
Point)</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Note about driver support and Xsupplicant</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue View Git Blame Copy Permalink