<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
|
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Supplicant: Setting up Xsupplicant</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="802.1X Port-Based Authentication HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Authentication Server: Setting up FreeRADIUS"
|
|
HREF="freeradius.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Authenticator: Setting up the Authenticator (Access
|
|
Point)"
|
|
HREF="authenticator.html"></HEAD
|
|
><BODY
|
|
CLASS="sect1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>802.1X Port-Based Authentication HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="freeradius.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
></TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="authenticator.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="xsupplicant"
|
|
></A
|
|
>4. Supplicant: Setting up Xsupplicant</H1
|
|
><P
|
|
> The Supplicant is usually a laptop or other (wireless) device that
requires authentication. <SPAN
CLASS="application"
>Xsupplicant</SPAN
>
implements the <SPAN
CLASS="QUOTE"
>"Supplicant"</SPAN
> role defined in the
IEEE 802.1X-2001 standard.
|
|
</P
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="instxsup"
|
|
></A
|
|
>4.1. Installing Xsupplicant</H2
|
|
><DIV
|
|
CLASS="procedure"
|
|
><P
|
|
><B
|
|
>Installing Xsupplicant</B
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
> Download the latest source from <A
HREF="http://www.open1x.org/"
TARGET="_top"
>http://www.open1x.org/</A
>. Verify the downloaded archive against the checksum or signature
published by the project before unpacking and building it.
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> <TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>cd </B
|
|
>/usr/local/src</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>wget </B
|
|
>http://belnet.dl.sourceforge.net/sourceforge/open1x/xsupplicant-1.0.tar.gz</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>tar </B
|
|
>zxfv xsupplicant-1.0.tar.gz</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>cd </B
|
|
>xsupplicant</B
|
|
></TT
|
|
>
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Configure, make, and install:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> <TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>./configure</B
|
|
></B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>make</B
|
|
></B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>make install</B
|
|
></B
|
|
></TT
|
|
>
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> If the configuration file wasn't installed (copied) into the "etc"
|
|
folder, do it manually:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> <TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>mkdir </B
|
|
>-p /usr/local/etc/1x</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>cp </B
|
|
>etc/tls-example.conf /usr/local/etc/1x</B
|
|
></TT
|
|
>
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
></OL
|
|
></DIV
|
|
><P
|
|
> If installation fails, check the <TT
|
|
CLASS="filename"
|
|
>README</TT
|
|
> and
|
|
<TT
|
|
CLASS="filename"
|
|
>INSTALL</TT
|
|
> files included with the source. You may
|
|
also check out the <A
|
|
HREF="http://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236"
|
|
TARGET="_top"
|
|
>official
|
|
documentation</A
|
|
>.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="confxsup"
|
|
></A
|
|
>4.2. Configuring Xsupplicant</H2
|
|
><DIV
|
|
CLASS="procedure"
|
|
><P
|
|
><B
|
|
>Configuring Xsupplicant</B
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
> The Supplicant must have access to the root certificate used to verify the Authentication Server's certificate.
|
|
</P
|
|
><P
|
|
> If the Authentication Server must also verify the Supplicant's identity
(mutual authentication), the Supplicant needs certificates of its own
as well.
|
|
</P
|
|
><P
|
|
> Create a certificate folder, and move the certificates into it:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> <TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>mkdir</B
|
|
> -p /usr/local/etc/1x/certs</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>cp</B
|
|
> root.pem /usr/local/etc/1x/certs/</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
>(copy optional client certificate(s) into the same folder)
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Open and edit the configuration file. Because it will hold the account password in clear text, make sure it is readable by root only:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> # startup_command: the command to run when Xsupplicant is first started.
|
|
# This command can do things such as configure the card to associate with
|
|
# the network properly.
|
|
startup_command = <BEGIN_COMMAND>/usr/local/etc/1x/startup.sh<END_COMMAND>
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> The <TT
|
|
CLASS="filename"
|
|
>startup.sh</TT
|
|
> will be created shortly.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Once the client is authenticated, it either sends a DHCP request or
sets an IP address manually. Here, the Supplicant sets its IP address
manually in <TT
CLASS="filename"
>startup2.sh</TT
>:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> # first_auth_command: the command to run when Xsupplicant authenticates to
|
|
# a wireless network for the first time. This will usually be used to
|
|
# start a DHCP client process.
|
|
#first_auth_command = <BEGIN_COMMAND>dhclient %i<END_COMMAND>
|
|
first_auth_command = <BEGIN_COMMAND>/usr/local/etc/1x/startup2.sh<END_COMMAND>
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Since <SPAN
CLASS="QUOTE"
>"-i"</SPAN
> is intended only for debugging purposes (and may
be removed by the developers),
<SPAN
CLASS="QUOTE"
>"allow_interfaces"</SPAN
> must be set:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> allow_interfaces = eth0
|
|
deny_interfaces = eth1
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Next, under the <SPAN
CLASS="QUOTE"
>"NETWORK SECTION"</SPAN
>, we'll configure
PEAP. Note that while <SPAN
CLASS="QUOTE"
>"cncheck"</SPAN
> stays commented out, any server certificate issued by the
trusted root is accepted; enabling it (together with <SPAN
CLASS="QUOTE"
>"cnexact"</SPAN
>) also pins the expected server name:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> # We'll be using PEAP
|
|
allow_types = eap_peap
|
|
|
|
# Don't want any eavesdropper to learn the username during the
|
|
# first phase (which is unencrypted), so 'identity hiding' is
|
|
# used (using a bogus username).
|
|
identity = <BEGIN_ID>anonymous<END_ID>
|
|
|
|
eap-peap {
|
|
# As in tls, define either a root certificate or a directory
|
|
# containing root certificates.
|
|
root_cert = /usr/local/etc/1x/certs/root.pem
|
|
#root_dir = /path/to/root/certificate/dir
|
|
#crl_dir = /path/to/dir/with/crl
|
|
chunk_size = 1398
|
|
random_file = /dev/urandom
|
|
#cncheck = myradius.radius.com # Verify that the server certificate
|
|
# has this value in its CN field.
|
|
#cnexact = yes # Should it be an exact match?
|
|
session_resume = yes
|
|
|
|
# Currently 'all' is just mschapv2.
|
|
# If no allow_types is defined, all is assumed.
|
|
#allow_types = all # where all = MSCHAPv2, MD5, OTP, GTC, SIM
|
|
allow_types = eap_mschapv2
|
|
|
|
# Right now, you can do any of these methods in PEAP:
|
|
eap-mschapv2 {
|
|
username = <BEGIN_UNAME>testuser<END_UNAME>
|
|
password = <BEGIN_PASS>Secret149<END_PASS>
|
|
}
|
|
}
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> The Supplicant must first associate with the access point. The
|
|
script <TT
|
|
CLASS="filename"
|
|
>startup.sh</TT
|
|
> does that job. It is also
|
|
the first command <SPAN
|
|
CLASS="application"
|
|
>Xsupplicant</SPAN
|
|
> executes.
|
|
</P
|
|
><DIV
|
|
CLASS="note"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="note"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/note.gif"
|
|
HSPACE="5"
|
|
ALT="Note"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
> Notice the bogus key we give to iwconfig (<EM
>enc
000000000</EM
>)! This key only tells the driver
to run in encrypted mode; it is replaced after successful
authentication. It can be set to <EM
>enc
off</EM
> only if encryption is disabled on the AP (i.e. for
testing purposes), in which case the traffic is sent unencrypted.
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><P
|
|
> Both <TT
|
|
CLASS="filename"
|
|
>startup.sh</TT
|
|
> and
|
|
<TT
|
|
CLASS="filename"
|
|
>startup2.sh</TT
|
|
> must be saved under
|
|
<TT
|
|
CLASS="filename"
|
|
>/usr/local/etc/1x/</TT
|
|
>.
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> #!/bin/bash
|
|
echo "Starting startup.sh"
|
|
# Take down interface (if it's up)
|
|
/sbin/ifconfig eth0 down
|
|
# To make sure the routes are flushed
|
|
sleep 1
|
|
# Configuring the interface with a bogus key
|
|
/sbin/iwconfig eth0 mode managed essid testnet enc 000000000
|
|
# Bring the interface up and make sure it listens to multicast packets
|
|
/sbin/ifconfig eth0 allmulti up
|
|
echo "Finished startup.sh"
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> This next file sets the IP address statically. It can be omitted if a
DHCP server is present (as is typically the case with many access
points).
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> #!/bin/bash
|
|
echo "Starting startup2.sh"
|
|
# Assigning an IP address
|
|
/sbin/ifconfig eth0 192.168.1.5 netmask 255.255.255.0
|
|
echo "Finished startup2.sh"
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
></OL
|
|
></DIV
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="freeradius.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="authenticator.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Authentication Server: Setting up FreeRADIUS</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
> </TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Authenticator: Setting up the Authenticator (Access
|
|
Point)</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
>