671 lines
12 KiB
HTML
671 lines
12 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
|
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Testbed</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="802.1X Port-Based Authentication HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Authenticator: Setting up the Authenticator (Access
|
|
Point)"
|
|
HREF="authenticator.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Note about driver support and Xsupplicant"
|
|
HREF="dynwep.html"></HEAD
|
|
><BODY
|
|
CLASS="sect1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>802.1X Port-Based Authentication HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="authenticator.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
></TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="dynwep.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="testbed"
|
|
></A
|
|
>6. Testbed</H1
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="testcase"
|
|
></A
|
|
>6.1. Testcase</H2
|
|
><DIV
|
|
CLASS="mediaobject"
|
|
><P
|
|
><IMG
|
|
SRC="images/8021X-Testbed.png"
|
|
ALIGN="center"
|
|
WIDTH="500"><DIV
|
|
CLASS="caption"
|
|
><P
|
|
>figure testbed: A wireless node request authentication.</P
|
|
></DIV
|
|
></P
|
|
></DIV
|
|
><P
|
|
> Our testbed consists of two nodes and one Access Point (AP). One
|
|
node functions as the Supplicant (WN), the other as the back-end
|
|
Authentication Server running RADIUS (AS). The Access Point is the
|
|
Authenticator. See figure <A
|
|
HREF="testbed.html#testbedimg"
|
|
>testbed</A
|
|
>
|
|
for explanation.
|
|
</P
|
|
><DIV
|
|
CLASS="important"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="important"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/important.gif"
|
|
HSPACE="5"
|
|
ALT="Important"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
> It is crucial that the Access Point be able to reach (ping) the
|
|
Authentication Server, and vice versa!
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="startrad"
|
|
></A
|
|
>6.2. Running some tests</H2
|
|
><DIV
|
|
CLASS="procedure"
|
|
><P
|
|
><B
|
|
>Running some tests</B
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
> The RADIUS server is started in debug mode. This produces
|
|
<EM
|
|
>a lot</EM
|
|
> of debug information. The important
|
|
snippets are below:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> <TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>radiusd</B
|
|
> -X</B
|
|
></TT
|
|
>
|
|
Starting - reading configuration files ...
|
|
reread_config: reading radiusd.conf
|
|
Config: including file: /usr/local/etc/raddb/proxy.conf
|
|
Config: including file: /usr/local/etc/raddb/clients.conf
|
|
Config: including file: /usr/local/etc/raddb/snmp.conf
|
|
Config: including file: /usr/local/etc/raddb/eap.conf
|
|
Config: including file: /usr/local/etc/raddb/sql.conf
|
|
......
|
|
Module: Loaded MS-CHAP
|
|
mschap: use_mppe = yes
|
|
mschap: require_encryption = no
|
|
mschap: require_strong = no
|
|
mschap: with_ntdomain_hack = no
|
|
mschap: passwd = "(null)"
|
|
mschap: authtype = "MS-CHAP"
|
|
mschap: ntlm_auth = "(null)"
|
|
Module: Instantiated mschap (mschap)
|
|
......
|
|
Module: Loaded eap
|
|
eap: default_eap_type = "peap" <A
|
|
NAME="rad_peap"
|
|
><IMG
|
|
SRC="../images/callouts/1.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(1)"></A
|
|
>
|
|
eap: timer_expire = 60
|
|
eap: ignore_unknown_eap_types = no
|
|
eap: cisco_accounting_username_bug = no
|
|
rlm_eap: Loaded and initialized type md5
|
|
tls: rsa_key_exchange = no <A
|
|
NAME="rad_tls"
|
|
><IMG
|
|
SRC="../images/callouts/2.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(2)"></A
|
|
>
|
|
tls: dh_key_exchange = yes
|
|
tls: rsa_key_length = 512
|
|
tls: dh_key_length = 512
|
|
tls: verify_depth = 0
|
|
tls: CA_path = "(null)"
|
|
tls: pem_file_type = yes
|
|
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
|
|
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
|
|
tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
|
|
tls: private_key_password = "SecretKeyPass77"
|
|
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
|
|
tls: random_file = "/usr/local/etc/raddb/certs/random"
|
|
tls: fragment_size = 1024
|
|
tls: include_length = yes
|
|
tls: check_crl = no
|
|
tls: check_cert_cn = "(null)"
|
|
rlm_eap: Loaded and initialized type tls
|
|
peap: default_eap_type = "mschapv2" <A
|
|
NAME="rad_mschapv2"
|
|
><IMG
|
|
SRC="../images/callouts/3.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(3)"></A
|
|
>
|
|
peap: copy_request_to_tunnel = no
|
|
peap: use_tunneled_reply = no
|
|
peap: proxy_tunneled_request_as_eap = yes
|
|
rlm_eap: Loaded and initialized type peap
|
|
mschapv2: with_ntdomain_hack = no
|
|
rlm_eap: Loaded and initialized type mschapv2
|
|
Module: Instantiated eap (eap)
|
|
......
|
|
Module: Loaded files
|
|
files: usersfile = "/usr/local/etc/raddb/users" <A
|
|
NAME="rad_users"
|
|
><IMG
|
|
SRC="../images/callouts/4.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(4)"></A
|
|
>
|
|
......
|
|
Module: Instantiated radutmp (radutmp)
|
|
Listening on authentication *:1812
|
|
Listening on accounting *:1813
|
|
Ready to process requests. <A
|
|
NAME="rad_finished"
|
|
><IMG
|
|
SRC="../images/callouts/5.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(5)"></A
|
|
>
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><DIV
|
|
CLASS="calloutlist"
|
|
><DL
|
|
COMPACT="COMPACT"
|
|
><DT
|
|
><A
|
|
HREF="testbed.html#rad_peap"
|
|
><IMG
|
|
SRC="../images/callouts/1.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(1)"></A
|
|
></DT
|
|
><DD
|
|
> Default EAP type is set to PEAP.
|
|
</DD
|
|
><DT
|
|
><A
|
|
HREF="testbed.html#rad_tls"
|
|
><IMG
|
|
SRC="../images/callouts/2.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(2)"></A
|
|
></DT
|
|
><DD
|
|
> RADIUS's TLS settings are initiated here. The certificate type,
|
|
location, and password are listet here.
|
|
</DD
|
|
><DT
|
|
><A
|
|
HREF="testbed.html#rad_mschapv2"
|
|
><IMG
|
|
SRC="../images/callouts/3.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(3)"></A
|
|
></DT
|
|
><DD
|
|
> Inside the PEAP tunnel, MS-CHAPv2 is used.
|
|
</DD
|
|
><DT
|
|
><A
|
|
HREF="testbed.html#rad_users"
|
|
><IMG
|
|
SRC="../images/callouts/4.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(4)"></A
|
|
></DT
|
|
><DD
|
|
> The username/password information is found in the
|
|
<TT
|
|
CLASS="filename"
|
|
>users</TT
|
|
> file.
|
|
</DD
|
|
><DT
|
|
><A
|
|
HREF="testbed.html#rad_finished"
|
|
><IMG
|
|
SRC="../images/callouts/5.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(5)"></A
|
|
></DT
|
|
><DD
|
|
> RADIUS server started successfully. Waiting for incoming requests.
|
|
</DD
|
|
></DL
|
|
></DIV
|
|
><P
|
|
>The radius server is now ready to process requests!</P
|
|
><P
|
|
> The most interesting output is included above. If you get any
|
|
error message instead of the last line, go over the configuration
|
|
(above) carefully.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Now the Supplicant is ready to get authenticated. Start
|
|
<SPAN
|
|
CLASS="application"
|
|
>Xsupplicant</SPAN
|
|
> in debug mode. Note that
|
|
we'll see output produced by the two startup scripts:
|
|
<TT
|
|
CLASS="filename"
|
|
>startup.sh</TT
|
|
> and
|
|
<TT
|
|
CLASS="filename"
|
|
>startup2.sh</TT
|
|
>.
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> <TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>xsupplicant</B
|
|
> -c /usr/local/etc/1x/1x.conf -i eth0 -d 6</B
|
|
></TT
|
|
>
|
|
Starting /etc/1x/startup.sh
|
|
Finished /etc/1x/startup.sh
|
|
Starting /etc/1x/startup2.sh
|
|
Finished /etc/1x/startup2.sh
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> At the same time, the RADIUS server is producing a lot of
|
|
output. Key snippets are shown below:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> ......
|
|
rlm_eap: Request found, released from the list
|
|
rlm_eap: EAP/peap
|
|
rlm_eap: processing type peap
|
|
rlm_eap_peap: Authenticate
|
|
rlm_eap_tls: processing TLS <A
|
|
NAME="rpro_tls"
|
|
><IMG
|
|
SRC="../images/callouts/1.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(1)"></A
|
|
>
|
|
eaptls_verify returned 7
|
|
rlm_eap_tls: Done initial handshake
|
|
eaptls_process returned 7
|
|
rlm_eap_peap: EAPTLS_OK <A
|
|
NAME="rpro_peap"
|
|
><IMG
|
|
SRC="../images/callouts/2.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(2)"></A
|
|
>
|
|
rlm_eap_peap: Session established. Decoding tunneled attributes.
|
|
rlm_eap_peap: Received EAP-TLV response.
|
|
rlm_eap_peap: Tunneled data is valid.
|
|
rlm_eap_peap: Success
|
|
rlm_eap: Freeing handler
|
|
modcall[authenticate]: module "eap" returns ok for request 8
|
|
modcall: group authenticate returns ok for request 8
|
|
Login OK: [testuser/<no User-Password attribute>] (from client testnet port 37 cli 0002a56fa08a)
|
|
Sending Access-Accept of id 8 to 192.168.2.1:1032 <A
|
|
NAME="rpro_accept"
|
|
><IMG
|
|
SRC="../images/callouts/3.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(3)"></A
|
|
>
|
|
MS-MPPE-Recv-Key = 0xf21757b96f52ddaefe084c343778d0082c2c8e12ce18ae10a79c550ae61a5206 <A
|
|
NAME="rpro_reckey"
|
|
><IMG
|
|
SRC="../images/callouts/4.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(4)"></A
|
|
>
|
|
MS-MPPE-Send-Key = 0x5e1321e06a45f7ac9f78fb9d398cab5556bff6c9d003cdf8161683bfb7e7af18
|
|
EAP-Message = 0x030a0004
|
|
Message-Authenticator = 0x00000000000000000000000000000000
|
|
User-Name = "testuser"
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><DIV
|
|
CLASS="calloutlist"
|
|
><DL
|
|
COMPACT="COMPACT"
|
|
><DT
|
|
><A
|
|
HREF="testbed.html#rpro_tls"
|
|
><IMG
|
|
SRC="../images/callouts/1.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(1)"></A
|
|
></DT
|
|
><DD
|
|
> TLS session startup. Doing TLS-handshake.
|
|
</DD
|
|
><DT
|
|
><A
|
|
HREF="testbed.html#rpro_peap"
|
|
><IMG
|
|
SRC="../images/callouts/2.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(2)"></A
|
|
></DT
|
|
><DD
|
|
> The TLS session (PEAP-encrypted tunnel) is up.
|
|
</DD
|
|
><DT
|
|
><A
|
|
HREF="testbed.html#rpro_accept"
|
|
><IMG
|
|
SRC="../images/callouts/3.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(3)"></A
|
|
></DT
|
|
><DD
|
|
> The Supplicant has been authenticated successfully by the
|
|
RADIUS server. An <SPAN
|
|
CLASS="QUOTE"
|
|
>"Access-Accept"</SPAN
|
|
> message is
|
|
sent.
|
|
</DD
|
|
><DT
|
|
><A
|
|
HREF="testbed.html#rpro_reckey"
|
|
><IMG
|
|
SRC="../images/callouts/4.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(4)"></A
|
|
></DT
|
|
><DD
|
|
> The <EM
|
|
>MS-MPPE-Recv-Key</EM
|
|
> [<A
|
|
HREF="http://www.ietf.org/rfc/rfc2548.txt"
|
|
TARGET="_top"
|
|
>RFC2548</A
|
|
>
|
|
section 2.4.3] contains the Pairwise Master Key (PMK) destined
|
|
to the Authenticator (access point), encrypted with the MPPE
|
|
Protocol [<A
|
|
HREF="http://www.ietf.org/rfc/rfc3078.txt"
|
|
TARGET="_top"
|
|
>RFC3078</A
|
|
>],
|
|
using the shared secret between the Authenticator and
|
|
Authentication Server as key. The Supplicant derives the same
|
|
PMK from MK, as described in <A
|
|
HREF="intro.html#Key"
|
|
>Key
|
|
Management</A
|
|
>.
|
|
</DD
|
|
></DL
|
|
></DIV
|
|
></LI
|
|
><LI
|
|
><P
|
|
> The Authenticator (access point) may also show something like this
|
|
in its log:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> 00:02:16 (Info): Station 0002a56fa08a Associated
|
|
00:02:17 (Info): Station=0002a56fa08a User="testuser" EAP-Authenticated
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
></OL
|
|
></DIV
|
|
><P
|
|
> That's it! The Supplicant is now authenticated to use the Access
|
|
Point!
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="authenticator.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="dynwep.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Authenticator: Setting up the Authenticator (Access
|
|
Point)</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
> </TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Note about driver support and Xsupplicant</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |