<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
|
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>802.1X Port-Based Authentication HOWTO</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
|
|
><BODY
|
|
CLASS="article"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="ARTICLE"
|
|
><DIV
|
|
CLASS="TITLEPAGE"
|
|
><H1
|
|
CLASS="title"
|
|
><A
|
|
NAME="AEN2"
|
|
></A
|
|
>802.1X Port-Based Authentication HOWTO</H1
|
|
><H3
|
|
CLASS="author"
|
|
><A
|
|
NAME="AEN5"
|
|
>Lars Strand</A
|
|
></H3
|
|
><DIV
|
|
CLASS="affiliation"
|
|
><DIV
|
|
CLASS="address"
|
|
><P
|
|
CLASS="address"
|
|
><TT
|
|
CLASS="email"
|
|
><<A
|
|
HREF="mailto:lars strand (at) gnist org"
|
|
>lars strand (at) gnist org</A
|
|
>></TT
|
|
></P
|
|
></DIV
|
|
></DIV
|
|
><P
|
|
CLASS="pubdate"
|
|
>2004-08-18<BR></P
|
|
><DIV
|
|
CLASS="revhistory"
|
|
><TABLE
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TH
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
COLSPAN="3"
|
|
><B
|
|
>Revision History</B
|
|
></TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
ALIGN="LEFT"
|
|
>Revision 1.0</TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
>2004-10-18</TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
>Revised by: LKS</TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
ALIGN="LEFT"
|
|
COLSPAN="3"
|
|
>Initial Release, reviewed by TLDP.</TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
ALIGN="LEFT"
|
|
>Revision 0.2b</TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
>2004-10-13</TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
>Revised by: LKS</TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
ALIGN="LEFT"
|
|
COLSPAN="3"
|
|
>Various updates. Thanks to Rick Moen <rick
|
|
(at) linuxmafia com> for language review.</TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
ALIGN="LEFT"
|
|
>Revision 0.0</TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
>2004-07-23</TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
>Revised by: LKS</TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
ALIGN="LEFT"
|
|
COLSPAN="3"
|
|
>Initial draft.</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><DIV
|
|
><DIV
|
|
CLASS="abstract"
|
|
><A
|
|
NAME="AEN32"
|
|
></A
|
|
><P
|
|
></P
|
|
><P
|
|
> This document describes the software and procedures to set up
|
|
and use <A
|
|
HREF="http://standards.ieee.org/getieee802/download/802.1X-2001.pdf"
|
|
TARGET="_top"
|
|
>IEEE
|
|
802.1X Port-Based Network Access Control</A
|
|
> using <A
|
|
HREF="http://www.open1x.org"
|
|
TARGET="_top"
|
|
><SPAN
|
|
CLASS="application"
|
|
>Xsupplicant</SPAN
|
|
></A
|
|
>
|
|
as Supplicant with <A
|
|
HREF="http://www.freeradius.org"
|
|
TARGET="_top"
|
|
><SPAN
|
|
CLASS="application"
|
|
>FreeRADIUS</SPAN
|
|
></A
|
|
>
|
|
as a back-end Authentication Server.
|
|
</P
|
|
><P
|
|
></P
|
|
></DIV
|
|
></DIV
|
|
><HR></DIV
|
|
><DIV
|
|
CLASS="TOC"
|
|
><DL
|
|
><DT
|
|
><B
|
|
>Table of Contents</B
|
|
></DT
|
|
><DT
|
|
>1. <A
|
|
HREF="#intro"
|
|
>Introduction</A
|
|
></DT
|
|
><DD
|
|
><DL
|
|
><DT
|
|
>1.1. <A
|
|
HREF="#what8021x"
|
|
>What is 802.1X?</A
|
|
></DT
|
|
><DT
|
|
>1.2. <A
|
|
HREF="#what80211i"
|
|
>What is 802.11i?</A
|
|
></DT
|
|
><DT
|
|
>1.3. <A
|
|
HREF="#EAP"
|
|
>What is EAP?</A
|
|
></DT
|
|
><DT
|
|
>1.4. <A
|
|
HREF="#auth"
|
|
>EAP authentication methods</A
|
|
></DT
|
|
><DT
|
|
>1.5. <A
|
|
HREF="#AAA"
|
|
>What is RADIUS?</A
|
|
></DT
|
|
></DL
|
|
></DD
|
|
><DT
|
|
>2. <A
|
|
HREF="#cert"
|
|
>Obtaining Certificates</A
|
|
></DT
|
|
><DT
|
|
>3. <A
|
|
HREF="#FreeRADIUS"
|
|
>Authentication Server: Setting up FreeRADIUS</A
|
|
></DT
|
|
><DD
|
|
><DL
|
|
><DT
|
|
>3.1. <A
|
|
HREF="#instradius"
|
|
>Installing FreeRADIUS</A
|
|
></DT
|
|
><DT
|
|
>3.2. <A
|
|
HREF="#confradius"
|
|
>Configuring FreeRADIUS</A
|
|
></DT
|
|
></DL
|
|
></DD
|
|
><DT
|
|
>4. <A
|
|
HREF="#xsupplicant"
|
|
>Supplicant: Setting up Xsupplicant</A
|
|
></DT
|
|
><DD
|
|
><DL
|
|
><DT
|
|
>4.1. <A
|
|
HREF="#instxsup"
|
|
>Installing Xsupplicant</A
|
|
></DT
|
|
><DT
|
|
>4.2. <A
|
|
HREF="#confxsup"
|
|
>Configuring Xsupplicant</A
|
|
></DT
|
|
></DL
|
|
></DD
|
|
><DT
|
|
>5. <A
|
|
HREF="#authenticator"
|
|
>Authenticator: Setting up the Authenticator (Access
|
|
Point)</A
|
|
></DT
|
|
><DD
|
|
><DL
|
|
><DT
|
|
>5.1. <A
|
|
HREF="#AP"
|
|
>Access Point</A
|
|
></DT
|
|
><DT
|
|
>5.2. <A
|
|
HREF="#LinuxAP"
|
|
>Linux Authenticator</A
|
|
></DT
|
|
></DL
|
|
></DD
|
|
><DT
|
|
>6. <A
|
|
HREF="#testbed"
|
|
>Testbed</A
|
|
></DT
|
|
><DD
|
|
><DL
|
|
><DT
|
|
>6.1. <A
|
|
HREF="#testcase"
|
|
>Testcase</A
|
|
></DT
|
|
><DT
|
|
>6.2. <A
|
|
HREF="#startrad"
|
|
>Running some tests</A
|
|
></DT
|
|
></DL
|
|
></DD
|
|
><DT
|
|
>7. <A
|
|
HREF="#dynWEP"
|
|
>Note about driver support and Xsupplicant</A
|
|
></DT
|
|
><DT
|
|
>8. <A
|
|
HREF="#faq"
|
|
>FAQ</A
|
|
></DT
|
|
><DT
|
|
>9. <A
|
|
HREF="#resources"
|
|
>Useful Resources</A
|
|
></DT
|
|
><DT
|
|
>10. <A
|
|
HREF="#copyack"
|
|
>Copyright, acknowledgments and miscellaneous</A
|
|
></DT
|
|
><DD
|
|
><DL
|
|
><DT
|
|
>10.1. <A
|
|
HREF="#copyright"
|
|
>Copyright and License</A
|
|
></DT
|
|
><DT
|
|
>10.2. <A
|
|
HREF="#produced"
|
|
>How this document was produced</A
|
|
></DT
|
|
><DT
|
|
>10.3. <A
|
|
HREF="#feedback"
|
|
>Feedback</A
|
|
></DT
|
|
><DT
|
|
>10.4. <A
|
|
HREF="#ack"
|
|
>Acknowledgments</A
|
|
></DT
|
|
></DL
|
|
></DD
|
|
><DT
|
|
>A. <A
|
|
HREF="#gfdl"
|
|
>GNU Free Documentation License</A
|
|
></DT
|
|
><DD
|
|
><DL
|
|
><DT
|
|
>A.1. <A
|
|
HREF="#gfdl-0"
|
|
>PREAMBLE</A
|
|
></DT
|
|
><DT
|
|
>A.2. <A
|
|
HREF="#gfdl-1"
|
|
>APPLICABILITY AND DEFINITIONS</A
|
|
></DT
|
|
><DT
|
|
>A.3. <A
|
|
HREF="#gfdl-2"
|
|
>VERBATIM COPYING</A
|
|
></DT
|
|
><DT
|
|
>A.4. <A
|
|
HREF="#gfdl-3"
|
|
>COPYING IN QUANTITY</A
|
|
></DT
|
|
><DT
|
|
>A.5. <A
|
|
HREF="#gfdl-4"
|
|
>MODIFICATIONS</A
|
|
></DT
|
|
><DT
|
|
>A.6. <A
|
|
HREF="#gfdl-5"
|
|
>COMBINING DOCUMENTS</A
|
|
></DT
|
|
><DT
|
|
>A.7. <A
|
|
HREF="#gfdl-6"
|
|
>COLLECTIONS OF DOCUMENTS</A
|
|
></DT
|
|
><DT
|
|
>A.8. <A
|
|
HREF="#gfdl-7"
|
|
>AGGREGATION WITH INDEPENDENT WORKS</A
|
|
></DT
|
|
><DT
|
|
>A.9. <A
|
|
HREF="#gfdl-8"
|
|
>TRANSLATION</A
|
|
></DT
|
|
><DT
|
|
>A.10. <A
|
|
HREF="#gfdl-9"
|
|
>TERMINATION</A
|
|
></DT
|
|
><DT
|
|
>A.11. <A
|
|
HREF="#gfdl-10"
|
|
>FUTURE REVISIONS OF THIS LICENSE</A
|
|
></DT
|
|
><DT
|
|
>A.12. <A
|
|
HREF="#gfdl-addendum"
|
|
>ADDENDUM: How to use this License for
|
|
your documents</A
|
|
></DT
|
|
></DL
|
|
></DD
|
|
></DL
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="intro"
|
|
></A
|
|
>1. Introduction</H1
|
|
><P
|
|
> This document describes the software and procedures to set up and use <A
|
|
HREF="http://standards.ieee.org/getieee802/download/802.1X-2001.pdf"
|
|
TARGET="_top"
|
|
>802.1X:
|
|
Port-Based Network Access Control</A
|
|
> using <A
|
|
HREF="http://www.open1x.org"
|
|
TARGET="_top"
|
|
><SPAN
|
|
CLASS="application"
|
|
>Xsupplicant</SPAN
|
|
></A
|
|
>
|
|
with PEAP (PEAP/MS-CHAPv2) as authentication method and <A
|
|
HREF="http://www.freeradius.org/"
|
|
TARGET="_top"
|
|
><SPAN
|
|
CLASS="application"
|
|
>FreeRADIUS</SPAN
|
|
></A
|
|
>
|
|
as back-end authentication server.
|
|
</P
|
|
><P
|
|
> If an authentication mechanism other than PEAP is preferred, e.g.,
|
|
EAP-TLS or EAP-TTLS, only a small number of configuration options
|
|
need to be changed. PEAP/MS-CHAPv2 is also supported by Windows XP
|
|
SP1/Windows 2000 SP3.
|
|
</P
|
|
><DIV
|
|
CLASS="sect2"
|
|
><HR><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="what8021x"
|
|
></A
|
|
>1.1. What is 802.1X?</H2
|
|
><P
|
|
>The 802.1X-2001 standard states:</P
|
|
><P
|
|
> <SPAN
|
|
CLASS="QUOTE"
|
|
>"Port-based network access control makes use of the physical
|
|
access characteristics of IEEE 802 LAN infrastructures in order to
|
|
provide a means of <EM
|
|
>authenticating</EM
|
|
> and
|
|
<EM
|
|
>authorizing</EM
|
|
> devices attached
|
|
to a LAN port that has point-to-point connection characteristics,
|
|
and of <EM
|
|
>preventing access</EM
|
|
> to that port in cases
|
|
which the authentication and authorization fails. A port in this
|
|
context is a single point of attachment to the LAN
|
|
infrastructure."</SPAN
|
|
> --- 802.1X-2001, page 1.
|
|
</P
|
|
><DIV
|
|
CLASS="mediaobject"
|
|
><P
|
|
><IMG
|
|
SRC="images/8021X-Overview.png"
|
|
ALIGN="center"
|
|
WIDTH="550"><DIV
|
|
CLASS="caption"
|
|
><P
|
|
>Figure 802.1X: A wireless node must be authenticated before it
|
|
can gain access to other LAN resources.</P
|
|
></DIV
|
|
></P
|
|
></DIV
|
|
><P
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
> When a new wireless node (WN) requests access to a LAN resource,
|
|
the access point (AP) asks for the WN's identity. <EM
|
|
>No
|
|
other traffic than EAP is allowed before the WN is authenticated
|
|
(the <SPAN
|
|
CLASS="QUOTE"
|
|
>"port"</SPAN
|
|
> is closed).</EM
|
|
>
|
|
</P
|
|
><P
|
|
> The wireless node that requests authentication is often called
|
|
<EM
|
|
>Supplicant</EM
|
|
>, although it is more correct to
|
|
say that the wireless node <EM
|
|
>contains</EM
|
|
> a
|
|
Supplicant. The Supplicant is responsible for responding to
|
|
Authenticator data that will establish its credentials. The same
|
|
goes for the access point; the
|
|
<EM
|
|
>Authenticator is</EM
|
|
> not the access point. Rather,
|
|
the access point contains an Authenticator. The Authenticator does
|
|
not even need to be in the access point; it can be an external
|
|
component.
|
|
</P
|
|
><P
|
|
> EAP, which is the protocol used for authentication, was originally
|
|
used for dial-up PPP. The identity was the username, and either
|
|
PAP or CHAP authentication [<A
|
|
HREF="http://www.ietf.org/rfc/rfc1994.txt"
|
|
TARGET="_top"
|
|
>RFC1994</A
|
|
>] was
|
|
used to check the user's password. Since the identity is sent in
|
|
the clear (not encrypted), a malicious sniffer may learn the user's
|
|
identity. <SPAN
|
|
CLASS="QUOTE"
|
|
>"Identity hiding"</SPAN
|
|
> is therefore used by the tunnelled methods; the
|
|
real identity is not sent until the encrypted TLS tunnel is up.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> After the identity has been sent, the authentication process
|
|
begins. The protocol used between the Supplicant and the
|
|
Authenticator is EAP, or, more correctly, EAP encapsulation over
|
|
LAN (EAPOL). The Authenticator re-encapsulates the EAP messages to
|
|
RADIUS format, and passes them to the Authentication Server.
|
|
</P
|
|
><P
|
|
> During authentication, the Authenticator just relays packets
|
|
between the Supplicant and the Authentication Server. When the
|
|
authentication process finishes, the Authentication Server sends a
|
|
success message (or failure, if the authentication
|
|
failed).<EM
|
|
> The Authenticator then opens the
|
|
<SPAN
|
|
CLASS="QUOTE"
|
|
>"port"</SPAN
|
|
> for the Supplicant.</EM
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> After a successful authentication, the Supplicant is granted
|
|
access to other LAN resources/Internet.
|
|
</P
|
|
></LI
|
|
></OL
|
|
><P
|
|
> See figure <A
|
|
HREF="#p8021x"
|
|
>802.1X</A
|
|
> for explanation.
|
|
</P
|
|
><P
|
|
> Why is it called <SPAN
|
|
CLASS="QUOTE"
|
|
>"port"</SPAN
|
|
>-based authentication? The
|
|
Authenticator deals with <EM
|
|
>controlled</EM
|
|
> and
|
|
<EM
|
|
>uncontrolled</EM
|
|
> ports. Both the controlled and the
|
|
uncontrolled port are logical entities (virtual ports), but use the
|
|
same physical connection to the LAN (same point of attachment).
|
|
</P
|
|
><DIV
|
|
CLASS="mediaobject"
|
|
><P
|
|
><IMG
|
|
SRC="images/8021X-Ports.png"
|
|
ALIGN="center"
|
|
WIDTH="550"><DIV
|
|
CLASS="caption"
|
|
><P
|
|
>Figure port: The authorization state of the controlled
|
|
port.</P
|
|
></DIV
|
|
></P
|
|
></DIV
|
|
><P
|
|
> Before authentication, only the uncontrolled port is
|
|
<SPAN
|
|
CLASS="QUOTE"
|
|
>"open"</SPAN
|
|
>. The only traffic allowed is EAPOL; see
|
|
Authenticator System 1 on figure <A
|
|
HREF="#port"
|
|
>port</A
|
|
>. After the Supplicant has been
|
|
authenticated, the controlled port is opened, and access to other LAN
|
|
resources are granted; see Authenticator System 2 on figure <A
|
|
HREF="#port"
|
|
>port</A
|
|
>.
|
|
</P
|
|
><P
|
|
> 802.1X plays a major role in the new IEEE wireless standard 802.11i.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><HR><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="what80211i"
|
|
></A
|
|
>1.2. What is 802.11i?</H2
|
|
><DIV
|
|
CLASS="sect3"
|
|
><H3
|
|
CLASS="sect3"
|
|
><A
|
|
NAME="WEP"
|
|
></A
|
|
>1.2.1. WEP</H3
|
|
><P
|
|
> Wired Equivalent Privacy (WEP), which is part of the original
|
|
802.11 standard, should provide confidentiality. Unfortunately WEP
|
|
is poorly designed and easily cracked. There is no authentication
|
|
mechanism, only a weak form of access control (must have the
|
|
shared key to communicate). Read more <A
|
|
HREF="http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html"
|
|
TARGET="_top"
|
|
>here</A
|
|
>.
|
|
</P
|
|
><P
|
|
> As a response to WEP's broken security, IEEE has come up with
|
|
a new wireless security standard named 802.11i. 802.1X plays a
|
|
major role in this new standard.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect3"
|
|
><HR><H3
|
|
CLASS="sect3"
|
|
><A
|
|
NAME="RSN"
|
|
></A
|
|
>1.2.2. 802.11i</H3
|
|
><P
|
|
> The new security standard, 802.11i, which was ratified in June
|
|
2004, fixes all WEP weaknesses. It is divided into three main
|
|
categories:
|
|
</P
|
|
><P
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>Temporal Key Integrity Protocol (TKIP)</EM
|
|
> is
|
|
a short-term solution that fixes all WEP weaknesses. TKIP can be
|
|
used with old 802.11 equipment (after a driver/firmware upgrade)
|
|
and provides integrity and confidentiality.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>Counter Mode with CBC-MAC Protocol (CCMP) [<A
|
|
HREF="http://www.ietf.org/rfc/rfc3610.txt"
|
|
TARGET="_top"
|
|
>RFC3610</A
|
|
>]</EM
|
|
>
|
|
is a new protocol, designed from ground up. It uses AES [<A
|
|
HREF="http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf"
|
|
TARGET="_top"
|
|
>FIPS
|
|
197</A
|
|
>] as its cryptographic algorithm, and, since this is
|
|
more CPU intensive than RC4 (used in WEP and TKIP), new 802.11
|
|
hardware may be required. Some drivers can implement CCMP in
|
|
software. CCMP provides integrity and confidentiality.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>802.1X Port-Based Network Access Control:</EM
|
|
>
|
|
Either when using TKIP or CCMP, 802.1X is used for
|
|
authentication.
|
|
</P
|
|
></LI
|
|
></OL
|
|
><P
|
|
> In addition, an optional encryption method called <SPAN
|
|
CLASS="QUOTE"
|
|
>"Wireless
|
|
Robust Authentication Protocol"</SPAN
|
|
> (WRAP) may be used instead
|
|
of CCMP. WRAP was the original AES-based proposal for 802.11i, but
|
|
was replaced by CCMP since it became plagued by property
|
|
encumbrances. Support for WRAP is optional, but CCMP support is
|
|
mandatory in 802.11i.
|
|
</P
|
|
><P
|
|
> 802.11i also has an extended key derivation/management,
|
|
described next.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect3"
|
|
><HR><H3
|
|
CLASS="sect3"
|
|
><A
|
|
NAME="Key"
|
|
></A
|
|
>1.2.3. Key Management</H3
|
|
><DIV
|
|
CLASS="sect4"
|
|
><H4
|
|
CLASS="sect4"
|
|
><A
|
|
NAME="DynKey"
|
|
></A
|
|
>1.2.3.1. Dynamic key exchange and management</H4
|
|
><P
|
|
> To enforce a security policy using encryption and integrity
|
|
algorithms, keys must be obtained. Fortunately, 802.11i implements
|
|
a key derivation/management regime. See figure <A
|
|
HREF="#keyman"
|
|
>KM</A
|
|
>.
|
|
</P
|
|
><DIV
|
|
CLASS="mediaobject"
|
|
><P
|
|
><IMG
|
|
SRC="images/8021X-KeyManagement.png"
|
|
ALIGN="center"
|
|
WIDTH="550"><DIV
|
|
CLASS="caption"
|
|
><P
|
|
>Figure KM: Key management and distribution in 802.11i.</P
|
|
></DIV
|
|
></P
|
|
></DIV
|
|
><P
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
> When the Supplicant (WN) and Authentication Server (AS)
|
|
authenticate, one of the last messages sent from AS, given that
|
|
authentication was successful, is a <EM
|
|
>Master Key
|
|
(MK)</EM
|
|
>. After it has been sent, the MK is known only to the
|
|
WN and the AS. The MK is bound to this session between the WN and
|
|
the AS.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Both the WN and the AS derive a new key, called the
|
|
<EM
|
|
>Pairwise Master Key (PMK)</EM
|
|
>, from the Master
|
|
Key.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> The PMK is then moved from the AS to the Authenticator (AP). Only
|
|
the WN and the AS can derive the PMK, else the AP could
|
|
make access-control decisions instead of the AS. The PMK is a fresh
|
|
symmetric key bound to this session between the WN and the AP.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> PMK and a 4-way handshake are used between the WN and the AP to
|
|
derive, bind, and verify a <EM
|
|
>Pairwise Transient Key
|
|
(PTK)</EM
|
|
>. The PTK is a collection of operational keys:
|
|
<P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>Key Confirmation Key (KCK)</EM
|
|
>, as the name
|
|
implies, is used to prove the possession of the PMK and to bind
|
|
the PMK to the AP.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>Key Encryption Key (KEK)</EM
|
|
> is used to
|
|
distribute the Group Transient Key (GTK), described below.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>Temporal Key 1 & 2 (TK1/TK2)</EM
|
|
> are used
|
|
for encryption. Usage of TK1 and TK2 is ciphersuite-specific.
|
|
</P
|
|
></LI
|
|
></UL
|
|
>
|
|
</P
|
|
><P
|
|
> See figure <A
|
|
HREF="#pkh"
|
|
>PKH</A
|
|
> for an overview of the
|
|
Pairwise Key Hierarchy.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> The KEK and a 4-way group handshake are then used to send the
|
|
<EM
|
|
>Group Transient Key (GTK)</EM
|
|
> from the AP to the
|
|
WN. The GTK is a shared key among all Supplicants connected to the
|
|
same Authenticator, and is used to secure multicast/broadcast
|
|
traffic.
|
|
</P
|
|
></LI
|
|
></OL
|
|
><DIV
|
|
CLASS="mediaobject"
|
|
><P
|
|
><IMG
|
|
SRC="images/8021X-KeyHierarchy.png"
|
|
ALIGN="center"
|
|
WIDTH="550"><DIV
|
|
CLASS="caption"
|
|
><P
|
|
>Figure PKH: Pairwise Key Hierarchy</P
|
|
></DIV
|
|
></P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect4"
|
|
><HR><H4
|
|
CLASS="sect4"
|
|
><A
|
|
NAME="PSK"
|
|
></A
|
|
>1.2.3.2. Pre-shared Key</H4
|
|
><P
|
|
> For small office / home office (SOHO), ad-hoc networks or home
|
|
usage, a pre-shared key (PSK) may be used. When using PSK, the whole
|
|
802.1X authentication process is elided. This has also been called
|
|
<SPAN
|
|
CLASS="QUOTE"
|
|
>"WPA Personal"</SPAN
|
|
> (WPA-PSK), whereas WPA using EAP (and
|
|
RADIUS) is <SPAN
|
|
CLASS="QUOTE"
|
|
>"WPA Enterprise"</SPAN
|
|
> or just
|
|
<SPAN
|
|
CLASS="QUOTE"
|
|
>"WPA"</SPAN
|
|
>.
|
|
</P
|
|
><P
|
|
> The 256-bit PSK is generated from a given password using PBKDF2
|
|
from [<A
|
|
HREF="http://www.ietf.org/rfc/rfc2898.txt"
|
|
TARGET="_top"
|
|
>RFC2898</A
|
|
>], and is
|
|
used as the Master Key (MK) described in the key management regime
|
|
above. It can be one single PSK for the whole network (insecure), or
|
|
one PSK per Supplicant (more secure).
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect3"
|
|
><HR><H3
|
|
CLASS="sect3"
|
|
><A
|
|
NAME="WPA"
|
|
></A
|
|
>1.2.4. TSN (WPA) / RSN (WPA2)</H3
|
|
><P
|
|
> The industry didn't have time to wait until the 802.11i standard
|
|
was completed. They wanted the WEP issues fixed now! <A
|
|
HREF="http://www.wi-fi.org/"
|
|
TARGET="_top"
|
|
>Wi-Fi Alliance</A
|
|
> felt the
|
|
pressure, took a <SPAN
|
|
CLASS="QUOTE"
|
|
>"snapshot"</SPAN
|
|
> of the standard
|
|
(based on draft 3), and called it <EM
|
|
>Wi-Fi Protected Access
|
|
(WPA)</EM
|
|
>. One requirement was that existing 802.11
|
|
equipment could be used with WPA, so WPA is basically TKIP +
|
|
802.1X.
|
|
</P
|
|
><P
|
|
> WPA is not the long term solution. To get a <EM
|
|
>Robust
|
|
Secure Network (RSN)</EM
|
|
>, the hardware must support and use
|
|
CCMP. RSN is basically CCMP + 802.1X.
|
|
</P
|
|
><P
|
|
> An RSN that uses TKIP instead of CCMP is also called a Transition
|
|
Security Network (TSN). RSN may also be called WPA2, so that the
|
|
market doesn't get confused.
|
|
</P
|
|
><P
|
|
> Confused?
|
|
</P
|
|
><P
|
|
> Basically:
|
|
|
|
<P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
>TSN = TKIP + 802.1X = WPA(1)</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>RSN = CCMP + 802.1X = WPA2</P
|
|
></LI
|
|
></UL
|
|
>
|
|
|
|
In addition comes key management, as described in the previous
|
|
section.
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><HR><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="EAP"
|
|
></A
|
|
>1.3. What is EAP?</H2
|
|
><P
|
|
> Extensible Authentication Protocol (EAP) [<A
|
|
HREF="http://www.ietf.org/rfc/rfc3748.txt"
|
|
TARGET="_top"
|
|
>RFC 3748</A
|
|
>] is just
|
|
the transport protocol optimized for authentication, not the
|
|
authentication method itself:
|
|
</P
|
|
><P
|
|
> <SPAN
|
|
CLASS="QUOTE"
|
|
>"
|
|
[EAP is] an authentication framework which supports multiple
|
|
authentication methods. EAP typically runs directly over data link
|
|
layers such as Point-to-Point Protocol (PPP) or IEEE 802, without
|
|
requiring IP. EAP provides its own support for duplicate
|
|
elimination and retransmission, but is reliant on lower layer
|
|
ordering guarantees. Fragmentation is not supported within EAP
|
|
itself; however, individual EAP methods may support this."</SPAN
|
|
>
|
|
--- RFC 3748, page 3
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><HR><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="auth"
|
|
></A
|
|
>1.4. EAP authentication methods</H2
|
|
><P
|
|
> Since 802.1X is using EAP, multiple different authentication
|
|
schemes may be added, including smart cards, Kerberos, public key,
|
|
one time passwords, and others.
|
|
</P
|
|
><P
|
|
> Some of the most-used EAP authentication mechanisms are listed
|
|
below. A full list of registered EAP authentication types is
|
|
available at IANA: <A
|
|
HREF="http://www.iana.org/assignments/eap-numbers"
|
|
TARGET="_top"
|
|
>http://www.iana.org/assignments/eap-numbers</A
|
|
>.
|
|
</P
|
|
><DIV
|
|
CLASS="warning"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="warning"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/warning.gif"
|
|
HSPACE="5"
|
|
ALT="Warning"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
> Not all authentication mechanisms are considered secure!
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>EAP-MD5:</EM
|
|
> MD5-Challenge requires
|
|
username/password, and is equivalent to the PPP CHAP protocol
|
|
[<A
|
|
HREF="http://www.ietf.org/rfc/rfc1994.txt"
|
|
TARGET="_top"
|
|
>RFC1994</A
|
|
>]. This
|
|
method does not provide dictionary attack resistance, mutual
|
|
authentication, or key derivation, and has therefore little use in a
|
|
wireless authentication environment.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>Lightweight EAP (LEAP):</EM
|
|
> A username/password
|
|
combination is sent to an Authentication Server (RADIUS) for
|
|
authentication. LEAP is a proprietary protocol developed by
|
|
Cisco, and is not considered secure. Cisco is phasing out LEAP in
|
|
favor of PEAP. The closest thing to a published standard can be
|
|
found <A
|
|
HREF="http://lists.cistron.nl/pipermail/cistron-radius/2001-September/002042.html"
|
|
TARGET="_top"
|
|
>here</A
|
|
>.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>EAP-TLS:</EM
|
|
> Creates a TLS session within EAP,
|
|
between the Supplicant and the Authentication Server. Both the
|
|
server and the client(s) need a valid (x509) certificate, and
|
|
therefore a PKI. This method provides authentication both
|
|
ways. EAP-TLS is described in [<A
|
|
HREF="http://www.ietf.org/rfc/rfc2716.txt"
|
|
TARGET="_top"
|
|
>RFC2716</A
|
|
>].
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>EAP-TTLS:</EM
|
|
> Sets up an encrypted TLS tunnel for
|
|
safe transport of authentication data. Within the TLS tunnel,
|
|
(any) other authentication methods may be used. Developed by Funk
|
|
Software and Meetinghouse, and is currently an IETF draft.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>Protected EAP (PEAP):</EM
|
|
> Uses, as EAP-TTLS, an
|
|
encrypted TLS-tunnel. Supplicant certificates for both EAP-TTLS
|
|
and EAP-PEAP are optional, but server (AS) certificates are
|
|
required, and the Supplicant must verify them: the tunnel only protects the inner credentials when the server it is built to has been authenticated. Developed by Microsoft, Cisco, and RSA Security, and is
|
|
currently an IETF draft.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>EAP-MSCHAPv2:</EM
|
|
> Requires username/password, and
|
|
is basically an EAP encapsulation of MS-CHAP-v2 [<A
|
|
HREF="http://www.ietf.org/rfc/rfc2759.txt"
|
|
TARGET="_top"
|
|
>RFC2759</A
|
|
>].
|
|
Usually used inside of a PEAP-encrypted tunnel. Developed by
|
|
Microsoft, and is currently an IETF draft.
|
|
</P
|
|
></LI
|
|
></UL
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><HR><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="AAA"
|
|
></A
|
|
>1.5. What is RADIUS?</H2
|
|
><P
|
|
> Remote Authentication Dial-In User Service (RADIUS) is defined in
|
|
[<A
|
|
HREF="http://www.ietf.org/rfc/rfc2865.txt"
|
|
TARGET="_top"
|
|
>RFC2865</A
|
|
>]
|
|
(with friends), and was primarily used by ISPs who authenticated
|
|
username and password before the user got authorized to use the
|
|
ISP's network.
|
|
</P
|
|
><P
|
|
> 802.1X does not specify what kind of back-end authentication
|
|
server must be present, but RADIUS is the "de-facto" back-end
|
|
authentication server used in 802.1X.
|
|
</P
|
|
><P
|
|
> There are not many AAA protocols available, but both RADIUS and
|
|
DIAMETER [<A
|
|
HREF="http://www.ietf.org/rfc/rfc3588.txt"
|
|
TARGET="_top"
|
|
>RFC3588</A
|
|
>]
|
|
(including their extensions) provide full AAA support. AAA
|
|
stands for Authentication, Authorization, and Accounting (<A
|
|
HREF="http://www.ietf.org/html.charters/aaa-charter.html"
|
|
TARGET="_top"
|
|
>IETF's
|
|
AAA Working Group</A
|
|
>).
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><HR><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="cert"
|
|
></A
|
|
>2. Obtaining Certificates</H1
|
|
><DIV
|
|
CLASS="note"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="note"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/note.gif"
|
|
HSPACE="5"
|
|
ALT="Note"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
>OpenSSL must be installed to use either EAP-TLS,
|
|
EAP-TTLS, or PEAP!</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><P
|
|
> When using EAP-TLS, both the Authentication Server and all the
|
|
Supplicants (clients) need certificates [<A
|
|
HREF="http://www.ietf.org/rfc/rfc2459.txt"
|
|
TARGET="_top"
|
|
>RFC2459</A
|
|
>]. Using
|
|
EAP-TTLS or PEAP, only the Authentication Server requires
|
|
certificates; Supplicant certificates are optional.
|
|
</P
|
|
><P
|
|
> You get certificates from the local certificate authority (CA). If
|
|
there is no local CA available, <SPAN
|
|
CLASS="application"
|
|
>OpenSSL</SPAN
|
|
>
|
|
may be used to generate self-signed certificates.
|
|
</P
|
|
><P
|
|
> Included with the <SPAN
|
|
CLASS="application"
|
|
>FreeRADIUS</SPAN
|
|
> source are
|
|
some helper scripts to generate self-signed certificates. The scripts
|
|
are located under the <TT
|
|
CLASS="filename"
|
|
>scripts/</TT
|
|
> folder included
|
|
with the <SPAN
|
|
CLASS="application"
|
|
>FreeRADIUS</SPAN
|
|
> source:
|
|
</P
|
|
><P
|
|
> <TT
|
|
CLASS="filename"
|
|
>CA.all</TT
|
|
> is a shell script that generates
|
|
certificates based on some questions it
|
|
asks. <TT
|
|
CLASS="filename"
|
|
>CA.certs</TT
|
|
> generates certificates
|
|
non-interactively based on pre-defined information at the start of
|
|
the script.
|
|
</P
|
|
><DIV
|
|
CLASS="note"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="note"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/note.gif"
|
|
HSPACE="5"
|
|
ALT="Note"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
> The scripts use a Perl script called <TT
|
|
CLASS="filename"
|
|
>CA.pl</TT
|
|
>,
|
|
included with OpenSSL. The path to this Perl script
|
|
in <TT
|
|
CLASS="filename"
|
|
>CA.all</TT
|
|
> and <TT
|
|
CLASS="filename"
|
|
>CA.certs</TT
|
|
> may
|
|
need to be changed to make it work.
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><DIV
|
|
CLASS="tip"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="tip"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/tip.gif"
|
|
HSPACE="5"
|
|
ALT="Tip"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
> More information on how to generate your own certificates can be
|
|
found in the <A
|
|
HREF="http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/"
|
|
TARGET="_top"
|
|
>SSL
|
|
certificates HOWTO</A
|
|
>.
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><HR><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="FreeRADIUS"
|
|
></A
|
|
>3. Authentication Server: Setting up FreeRADIUS</H1
|
|
><P
|
|
> <SPAN
|
|
CLASS="application"
|
|
>FreeRADIUS</SPAN
|
|
> is a fully GPLed RADIUS server
|
|
implementation. It supports a wide range of authentication mechanisms,
|
|
but PEAP is used for the example in this document.
|
|
</P
|
|
><DIV
|
|
CLASS="sect2"
|
|
><HR><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="instradius"
|
|
></A
|
|
>3.1. Installing FreeRADIUS</H2
|
|
><DIV
|
|
CLASS="procedure"
|
|
><P
|
|
><B
|
|
>Installing FreeRADIUS</B
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
> Head over to the <SPAN
|
|
CLASS="application"
|
|
>FreeRADIUS</SPAN
|
|
> site, <A
|
|
HREF="http://www.freeradius.org/"
|
|
TARGET="_top"
|
|
>http://www.freeradius.org/</A
|
|
>,
|
|
and download the latest release.
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> <TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>cd </B
|
|
>/usr/local/src</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>wget </B
|
|
>ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.0.tar.gz</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>tar </B
|
|
>zxfv freeradius-1.0.0.tar.gz</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>cd </B
|
|
>freeradius-1.0.0</B
|
|
></TT
|
|
>
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Configure, make and install:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> <TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>./configure</B
|
|
></B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>make</B
|
|
></B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>make install</B
|
|
></B
|
|
></TT
|
|
>
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> <EM
|
|
>You can pass options to
|
|
<B
|
|
CLASS="command"
|
|
>configure</B
|
|
>. Use <B
|
|
CLASS="command"
|
|
>./configure
|
|
--help</B
|
|
> or read the README file, for more
|
|
information.</EM
|
|
>
|
|
</P
|
|
></LI
|
|
></OL
|
|
></DIV
|
|
><P
|
|
> The binaries are installed in <TT
|
|
CLASS="filename"
|
|
>/usr/local/bin</TT
|
|
> and
|
|
<TT
|
|
CLASS="filename"
|
|
>/usr/local/sbin</TT
|
|
>. The configuration files are found
|
|
under <TT
|
|
CLASS="filename"
|
|
>/usr/local/etc/raddb</TT
|
|
>.
|
|
</P
|
|
><P
|
|
> If something went wrong, check the <TT
|
|
CLASS="filename"
|
|
>INSTALL</TT
|
|
> and
|
|
<TT
|
|
CLASS="filename"
|
|
>README</TT
|
|
> included with the source. The <A
|
|
HREF="http://www.freeradius.org/faq/"
|
|
TARGET="_top"
|
|
>RADIUS FAQ</A
|
|
> also contains
|
|
valuable information.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><HR><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="confradius"
|
|
></A
|
|
>3.2. Configuring FreeRADIUS</H2
|
|
><P
|
|
> <SPAN
|
|
CLASS="application"
|
|
>FreeRADIUS</SPAN
|
|
> has a big and mighty
|
|
configuration file. It's so big, it has been split into several
|
|
smaller files that are just <SPAN
|
|
CLASS="QUOTE"
|
|
>"included"</SPAN
|
|
> into the main
|
|
<TT
|
|
CLASS="filename"
|
|
>radiusd.conf</TT
|
|
> file.
|
|
</P
|
|
><P
|
|
> There are numerous ways of using and setting up FreeRADIUS to do
|
|
what you want, e.g., fetching user information from LDAP, SQL, PDC,
|
|
Kerberos, etc. In this document, user information from a plain text
|
|
file, <TT
|
|
CLASS="filename"
|
|
>users</TT
|
|
>, is used.
|
|
</P
|
|
><DIV
|
|
CLASS="tip"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="tip"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/tip.gif"
|
|
HSPACE="5"
|
|
ALT="Tip"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
> The configuration files are thoroughly commented, and, if that is not
|
|
enough, the <TT
|
|
CLASS="filename"
|
|
>doc/</TT
|
|
> folder that comes with the source
|
|
contains additional information.
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><DIV
|
|
CLASS="procedure"
|
|
><P
|
|
><B
|
|
>Configuring FreeRADIUS</B
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
> The configuration files can be found under <TT
|
|
CLASS="filename"
|
|
>/usr/local/etc/raddb/</TT
|
|
>
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> <TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>cd </B
|
|
>/usr/local/etc/raddb/</B
|
|
></TT
|
|
>
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Open the main configuration file <TT
|
|
CLASS="filename"
|
|
>radiusd.conf</TT
|
|
>,
|
|
<EM
|
|
>and read the comments!</EM
|
|
> Inside the encrypted
|
|
PEAP tunnel, an MS-CHAPv2 authentication mechanism is used.
|
|
</P
|
|
><OL
|
|
CLASS="SUBSTEPS"
|
|
TYPE="a"
|
|
><LI
|
|
><P
|
|
> MPPE [<A
|
|
HREF="http://www.ietf.org/rfc/rfc3078.txt"
|
|
TARGET="_top"
|
|
>RFC3078</A
|
|
>] is
|
|
responsible for sending the PMK to the AP. Make sure the following
|
|
settings are set:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> # under MODULES, make sure mschap is uncommented!
|
|
mschap {
|
|
# authtype value, if present, will be used
|
|
# to overwrite (or add) Auth-Type during
|
|
# authorization. Normally, should be MS-CHAP
|
|
authtype = MS-CHAP
|
|
|
|
# if use_mppe is not set to no, mschap will
|
|
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
|
|
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
|
|
#
|
|
use_mppe = yes
|
|
|
|
# if mppe is enabled, require_encryption makes
|
|
# encryption moderate
|
|
#
|
|
require_encryption = yes
|
|
|
|
# require_strong always requires 128 bit key
|
|
# encryption
|
|
#
|
|
require_strong = yes
|
|
|
|
authtype = MS-CHAP
|
|
# The module can perform authentication itself, OR
|
|
# use a Windows Domain Controller. See the radius.conf file
|
|
# for how to do this.
|
|
}
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Also make sure the <SPAN
|
|
CLASS="QUOTE"
|
|
>"authorize"</SPAN
|
|
> and
|
|
<SPAN
|
|
CLASS="QUOTE"
|
|
>"authenticate"</SPAN
|
|
> sections contain:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> authorize {
|
|
preprocess
|
|
mschap
|
|
suffix
|
|
eap
|
|
files
|
|
}
|
|
|
|
authenticate {
|
|
|
|
#
|
|
# MSCHAP authentication.
|
|
Auth-Type MS-CHAP {
|
|
mschap
|
|
}
|
|
|
|
#
|
|
# Allow EAP authentication.
|
|
eap
|
|
}
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
></OL
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Then, change the <TT
|
|
CLASS="filename"
|
|
>clients.conf</TT
|
|
> file to specify
|
|
what network it's serving. Keep this range as narrow as practical (ideally only the access point's own address): any host inside it that knows the shared secret is accepted as a RADIUS client:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> # Here, we specify which network we're serving
|
|
client 192.168.0.0/16 {
|
|
# This is the shared secret between the Authenticator (the
|
|
# access point) and the Authentication Server (RADIUS).
|
|
secret = SharedSecret99
|
|
shortname = testnet
|
|
}
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> The <TT
|
|
CLASS="filename"
|
|
>eap.conf</TT
|
|
> should also be pretty
|
|
straightforward.
|
|
</P
|
|
><OL
|
|
CLASS="SUBSTEPS"
|
|
TYPE="a"
|
|
><LI
|
|
><P
|
|
> Set <SPAN
|
|
CLASS="QUOTE"
|
|
>"default_eap_type"</SPAN
|
|
> to <SPAN
|
|
CLASS="QUOTE"
|
|
>"peap"</SPAN
|
|
>:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> default_eap_type = peap
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Since PEAP is using TLS, the TLS section must contain:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> tls {
|
|
# The private key password
|
|
private_key_password = SecretKeyPass77
|
|
# The private key
|
|
private_key_file = ${raddbdir}/certs/cert-srv.pem
|
|
# Trusted Root CA list
|
|
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
|
|
dh_file = ${raddbdir}/certs/dh
|
|
random_file = /dev/urandom
|
|
}
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Find the <SPAN
|
|
CLASS="QUOTE"
|
|
>"peap"</SPAN
|
|
> section, and make sure it contains
|
|
the following:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> peap {
|
|
# The tunneled EAP session needs a default
|
|
# EAP type, which is separate from the one for
|
|
# the non-tunneled EAP module. Inside of the
|
|
# PEAP tunnel, we recommend using MS-CHAPv2,
|
|
# as that is the default type supported by
|
|
# Windows clients.
|
|
default_eap_type = mschapv2
|
|
}
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
></OL
|
|
></LI
|
|
><LI
|
|
><P
|
|
> The user information is stored in a plain text file
|
|
<TT
|
|
CLASS="filename"
|
|
>users</TT
|
|
>. A more sophisticated solution to store
|
|
user information may be preferred (SQL, LDAP, PDC, etc.). Note that the password in this file is stored in clear text, so keep the file readable only by the user the RADIUS daemon runs as.
|
|
</P
|
|
><P
|
|
> Make sure the <TT
|
|
CLASS="filename"
|
|
>users</TT
|
|
> file contains the
|
|
following entry:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> "testuser" User-Password == "Secret149"
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
></OL
|
|
></DIV
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><HR><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="xsupplicant"
|
|
></A
|
|
>4. Supplicant: Setting up Xsupplicant</H1
|
|
><P
|
|
> The Supplicant is usually a laptop or other (wireless) device that
|
|
requires authentication. <SPAN
|
|
CLASS="application"
|
|
>Xsupplicant</SPAN
|
|
>
|
|
plays the role of the <SPAN
|
|
CLASS="QUOTE"
|
|
>"Supplicant"</SPAN
|
|
> part of the
|
|
IEEE 802.1X-2001 standard.
|
|
</P
|
|
><DIV
|
|
CLASS="sect2"
|
|
><HR><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="instxsup"
|
|
></A
|
|
>4.1. Installing Xsupplicant</H2
|
|
><DIV
|
|
CLASS="procedure"
|
|
><P
|
|
><B
|
|
>Installing Xsupplicant</B
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
> Download the latest source from <A
|
|
HREF="http://www.open1x.org/"
|
|
TARGET="_top"
|
|
>http://www.open1x.org/</A
|
|
>
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> <TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>cd </B
|
|
>/usr/local/src</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>wget </B
|
|
>http://belnet.dl.sourceforge.net/sourceforge/open1x/xsupplicant-1.0.tar.gz</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>tar </B
|
|
>zxfv xsupplicant-1.0.tar.gz</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>cd </B
|
|
>xsupplicant</B
|
|
></TT
|
|
>
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Configure, make, and install:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> <TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>./configure</B
|
|
></B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>make</B
|
|
></B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>make install</B
|
|
></B
|
|
></TT
|
|
>
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> If the configuration file wasn't installed (copied) into the "etc"
|
|
folder, do it manually:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> <TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>mkdir </B
|
|
>-p /usr/local/etc/1x</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>cp </B
|
|
>etc/tls-example.conf /usr/local/etc/1x</B
|
|
></TT
|
|
>
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
></OL
|
|
></DIV
|
|
><P
|
|
> If installation fails, check the <TT
|
|
CLASS="filename"
|
|
>README</TT
|
|
> and
|
|
<TT
|
|
CLASS="filename"
|
|
>INSTALL</TT
|
|
> files included with the source. You may
|
|
also check out the <A
|
|
HREF="http://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236"
|
|
TARGET="_top"
|
|
>official
|
|
documentation</A
|
|
>.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><HR><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="confxsup"
|
|
></A
|
|
>4.2. Configuring Xsupplicant</H2
|
|
><DIV
|
|
CLASS="procedure"
|
|
><P
|
|
><B
|
|
>Configuring Xsupplicant</B
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
> The Supplicant must have access to the root certificate, i.e. the CA certificate that issued the Authentication Server's certificate, so that it can verify the server during the TLS handshake.
|
|
</P
|
|
><P
|
|
> If the Supplicant also has to prove its identity to the Authentication
|
|
Server with a certificate (mutual authentication), the Supplicant must have
|
|
certificates as well.
|
|
</P
|
|
><P
|
|
> Create a certificate folder, and move the certificates into it:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> <TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>mkdir</B
|
|
> -p /usr/local/etc/1x/certs</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>cp</B
|
|
> root.pem /usr/local/etc/1x/certs/</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
>(copy optional client certificate(s) into the same folder)
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Open and edit the configuration file:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> # startup_command: the command to run when Xsupplicant is first started.
|
|
# This command can do things such as configure the card to associate with
|
|
# the network properly.
|
|
startup_command = <BEGIN_COMMAND>/usr/local/etc/1x/startup.sh<END_COMMAND>
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
> The <TT
|
|
CLASS="filename"
|
|
>startup.sh</TT
|
|
> will be created shortly.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> When the client is authenticated, it will transmit a DHCP request or
|
|
manually set an IP address. Here, the Supplicant sets its IP address
|
|
manually in <TT
|
|
CLASS="filename"
|
|
>startup2.sh</TT
|
|
>:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> # first_auth_command: the command to run when Xsupplicant authenticates to
|
|
# a wireless network for the first time. This will usually be used to
|
|
# start a DHCP client process.
|
|
#first_auth_command = <BEGIN_COMMAND>dhclient %i<END_COMMAND>
|
|
first_auth_command = <BEGIN_COMMAND>/usr/local/etc/1x/startup2.sh<END_COMMAND>
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Since <SPAN
|
|
CLASS="QUOTE"
|
|
>"-i"</SPAN
|
|
> is just for debugging purposes (and may
|
|
go away according to the developers),
|
|
<SPAN
|
|
CLASS="QUOTE"
|
|
>"allow_interfaces"</SPAN
|
|
> must be set:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> allow_interfaces = eth0
|
|
deny_interfaces = eth1
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Next, under the <SPAN
|
|
CLASS="QUOTE"
|
|
>"NETWORK SECTION"</SPAN
|
|
>, we'll configure
|
|
PEAP. Note that <SPAN CLASS="QUOTE">"cncheck"</SPAN> is left commented out in the listing below, so the server certificate is checked only against the root certificate and not against an expected server name; set it to the CN of your RADIUS server's certificate when moving beyond a test setup:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> # We'll be using PEAP
|
|
allow_types = eap_peap
|
|
|
|
# Don't want any eavesdropper to learn the username during the
|
|
# first phase (which is unencrypted), so 'identity hiding' is
|
|
# used (using a bogus username).
|
|
identity = <BEGIN_ID>anonymous<END_ID>
|
|
|
|
eap-peap {
|
|
# As in tls, define either a root certificate or a directory
|
|
# containing root certificates.
|
|
root_cert = /usr/local/etc/1x/certs/root.pem
|
|
#root_dir = /path/to/root/certificate/dir
|
|
#crl_dir = /path/to/dir/with/crl
|
|
chunk_size = 1398
|
|
random_file = /dev/urandom
|
|
#cncheck = myradius.radius.com # Verify that the server certificate
|
|
# has this value in its CN field.
|
|
#cnexact = yes # Should it be an exact match?
|
|
session_resume = yes
|
|
|
|
# Currently 'all' is just mschapv2.
|
|
# If no allow_types is defined, all is assumed.
|
|
#allow_types = all # where all = MSCHAPv2, MD5, OTP, GTC, SIM
|
|
allow_types = eap_mschapv2
|
|
|
|
# Right now, you can do any of these methods in PEAP:
|
|
eap-mschapv2 {
|
|
username = <BEGIN_UNAME>testuser<END_UNAME>
|
|
password = <BEGIN_PASS>Secret149<END_PASS>
|
|
}
|
|
}
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> The Supplicant must first associate with the access point. The
|
|
script <TT
|
|
CLASS="filename"
|
|
>startup.sh</TT
|
|
> does that job. It is also
|
|
the first command <SPAN
|
|
CLASS="application"
|
|
>Xsupplicant</SPAN
|
|
> executes.
|
|
</P
|
|
><DIV
|
|
CLASS="note"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="note"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/note.gif"
|
|
HSPACE="5"
|
|
ALT="Note"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
> Notice the bogus key we give to iwconfig (<EM
|
|
>enc
|
|
000000000</EM
|
|
>)! This key is used to tell the driver
|
|
to run in encrypted mode. The key gets replaced after successful
|
|
authentication. This can be set to <EM
|
|
>enc
|
|
off</EM
|
|
> only if encryption is disabled in the AP (for
|
|
testing purposes).
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><P
|
|
> Both <TT
|
|
CLASS="filename"
|
|
>startup.sh</TT
|
|
> and
|
|
<TT
|
|
CLASS="filename"
|
|
>startup2.sh</TT
|
|
> must be saved under
|
|
<TT
|
|
CLASS="filename"
|
|
>/usr/local/etc/1x/</TT
|
|
>.
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> #!/bin/bash
|
|
echo "Starting startup.sh"
|
|
# Take down interface (if it's up)
|
|
/sbin/ifconfig eth0 down
|
|
# To make sure the routes are flushed
|
|
sleep 1
|
|
# Configuring the interface with a bogus key.
# "enc 000000000" only tells the driver to run in encrypted mode; the
# real session key is installed after successful authentication. The
# interface (eth0) and ESSID (testnet) must match allow_interfaces in
# the Xsupplicant configuration and the ESSID set on the access point.
|
|
/sbin/iwconfig eth0 mode managed essid testnet enc 000000000
|
|
# Bring the interface up and make sure it listens to multicast packets
# (presumably needed to receive the EAPOL frames from the AP -- verify
# for your driver)
|
|
/sbin/ifconfig eth0 allmulti up
|
|
echo "Finished startup.sh"
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> This next file is used to set the IP address statically. This can
|
|
be omitted if a DHCP server is present (as it typically is, in many
|
|
access points).
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> #!/bin/bash
|
|
echo "Starting startup2.sh"
|
|
# Assigning a static IP address for the testbed. This script is only
# needed when no DHCP server is available; otherwise use the
# "dhclient %i" first_auth_command shown commented out in the
# Xsupplicant configuration instead.
|
|
/sbin/ifconfig eth0 192.168.1.5 netmask 255.255.255.0
|
|
echo "Finished startup2.sh"
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
></OL
|
|
></DIV
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><HR><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="authenticator"
|
|
></A
|
|
>5. Authenticator: Setting up the Authenticator (Access
|
|
Point)</H1
|
|
><P
|
|
> During the authentication process, the Authenticator just relays all
|
|
messages between the Supplicant and the Authentication Server
|
|
(RADIUS). EAPOL is used between the Supplicant and the Authenticator;
|
|
and, between the Authenticator and the Authentication Server, UDP is
|
|
used.
|
|
</P
|
|
><DIV
|
|
CLASS="sect2"
|
|
><HR><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="AP"
|
|
></A
|
|
>5.1. Access Point</H2
|
|
><P
|
|
> Many access points have support for 802.1X (and RADIUS)
|
|
authentication. The access point must first be configured to use 802.1X
|
|
authentication.
|
|
</P
|
|
><DIV
|
|
CLASS="note"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="note"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/note.gif"
|
|
HSPACE="5"
|
|
ALT="Note"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
> <EM
|
|
>Configuring and setting up 802.1X on the AP may differ
|
|
between vendors.</EM
|
|
> Listed below are the required settings to
|
|
make a Cisco AP350 work. Other settings, such as TKIP, CCMP, etc., may also
|
|
be configured.
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><P
|
|
> The AP must set the ESSID to <SPAN
|
|
CLASS="QUOTE"
|
|
>"testnet"</SPAN
|
|
> and must
|
|
activate:
|
|
</P
|
|
><DIV
|
|
CLASS="mediaobject"
|
|
><P
|
|
><IMG
|
|
SRC="images/8021X-CiscoAP.png"
|
|
ALIGN="center"
|
|
WIDTH="599"><DIV
|
|
CLASS="caption"
|
|
><P
|
|
>Figure AP350: The RADIUS configuration screen for a Cisco
|
|
AP-350</P
|
|
></DIV
|
|
></P
|
|
></DIV
|
|
><P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>802.1X-2001:</EM
|
|
> Make sure the 802.1X Protocol
|
|
version is set to <SPAN
|
|
CLASS="QUOTE"
|
|
>"802.1X-2001"</SPAN
|
|
>. Some older Access
|
|
Points support only the draft version of the 802.1X standard (and
|
|
may therefore not work).
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>RADIUS Server:</EM
|
|
> the name/IP address of the
|
|
RADIUS server and the shared secret between the RADIUS server and
|
|
the Access Point (which in this document is "SharedSecret99"). See
|
|
figure <A
|
|
HREF="#ciscoAP"
|
|
>AP350</A
|
|
>.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>EAP Authentication:</EM
|
|
> The RADIUS server should be
|
|
used for EAP authentication.
|
|
</P
|
|
></LI
|
|
></UL
|
|
><DIV
|
|
CLASS="mediaobject"
|
|
><P
|
|
><IMG
|
|
SRC="images/8021X-CiscoAP2.png"
|
|
ALIGN="center"
|
|
WIDTH="604"><DIV
|
|
CLASS="caption"
|
|
><P
|
|
>Figure AP350-2: The Encryption configuration screen for a
|
|
Cisco AP-350</P
|
|
></DIV
|
|
></P
|
|
></DIV
|
|
><P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>Full Encryption</EM
|
|
> to allow only encrypted
|
|
traffic. Note that 802.1X may be used without using encryption,
|
|
which is nice for test purposes.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>Open Authentication</EM
|
|
> to make the Supplicant
|
|
associate with the Access Point before encryption keys are
|
|
available. Once the association is done, the Supplicant may start EAP
|
|
authentication.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> <EM
|
|
>Require EAP</EM
|
|
> for the <SPAN
|
|
CLASS="QUOTE"
|
|
>"Open
|
|
Authentication"</SPAN
|
|
>. That will ensure that only authenticated
|
|
users are allowed into the network.
|
|
</P
|
|
></LI
|
|
></UL
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><HR><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="LinuxAP"
|
|
></A
|
|
>5.2. Linux Authenticator</H2
|
|
><P
|
|
> An ordinary Linux node can be set up to function as a wireless Access
|
|
Point and Authenticator. How to set up and use Linux as an AP is
|
|
beyond the scope of this document. Simon Anderson's <A
|
|
HREF="http://oob.freeshell.org/nzwireless/LWAP-HOWTO.html"
|
|
TARGET="_top"
|
|
>Linux
|
|
Wireless Access Point HOWTO</A
|
|
> may be of guidance.
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><HR><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="testbed"
|
|
></A
|
|
>6. Testbed</H1
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="testcase"
|
|
></A
|
|
>6.1. Testcase</H2
|
|
><DIV
|
|
CLASS="mediaobject"
|
|
><P
|
|
><IMG
|
|
SRC="images/8021X-Testbed.png"
|
|
ALIGN="center"
|
|
WIDTH="500"><DIV
|
|
CLASS="caption"
|
|
><P
|
|
>Figure testbed: A wireless node requests authentication.</P
|
|
></DIV
|
|
></P
|
|
></DIV
|
|
><P
|
|
> Our testbed consists of two nodes and one Access Point (AP). One
|
|
node functions as the Supplicant (WN), the other as the back-end
|
|
Authentication Server running RADIUS (AS). The Access Point is the
|
|
Authenticator. See figure <A
|
|
HREF="#testbedimg"
|
|
>testbed</A
|
|
>
|
|
for explanation.
|
|
</P
|
|
><DIV
|
|
CLASS="important"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="important"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/important.gif"
|
|
HSPACE="5"
|
|
ALT="Important"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
> It is crucial that the Access Point be able to reach (ping) the
|
|
Authentication Server, and vice versa!
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><HR><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="startrad"
|
|
></A
|
|
>6.2. Running some tests</H2
|
|
><DIV
|
|
CLASS="procedure"
|
|
><P
|
|
><B
|
|
>Running some tests</B
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
> The RADIUS server is started in debug mode. This produces
|
|
<EM
|
|
>a lot</EM
|
|
> of debug information. The important
|
|
snippets are below:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> <TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>radiusd</B
|
|
> -X</B
|
|
></TT
|
|
>
|
|
Starting - reading configuration files ...
|
|
reread_config: reading radiusd.conf
|
|
Config: including file: /usr/local/etc/raddb/proxy.conf
|
|
Config: including file: /usr/local/etc/raddb/clients.conf
|
|
Config: including file: /usr/local/etc/raddb/snmp.conf
|
|
Config: including file: /usr/local/etc/raddb/eap.conf
|
|
Config: including file: /usr/local/etc/raddb/sql.conf
|
|
......
|
|
Module: Loaded MS-CHAP
|
|
mschap: use_mppe = yes
|
|
mschap: require_encryption = no
|
|
mschap: require_strong = no
|
|
mschap: with_ntdomain_hack = no
|
|
mschap: passwd = "(null)"
|
|
mschap: authtype = "MS-CHAP"
|
|
mschap: ntlm_auth = "(null)"
|
|
Module: Instantiated mschap (mschap)
|
|
......
|
|
Module: Loaded eap
|
|
eap: default_eap_type = "peap" <A
|
|
NAME="rad_peap"
|
|
><IMG
|
|
SRC="../images/callouts/1.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(1)"></A
|
|
>
|
|
eap: timer_expire = 60
|
|
eap: ignore_unknown_eap_types = no
|
|
eap: cisco_accounting_username_bug = no
|
|
rlm_eap: Loaded and initialized type md5
|
|
tls: rsa_key_exchange = no <A
|
|
NAME="rad_tls"
|
|
><IMG
|
|
SRC="../images/callouts/2.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(2)"></A
|
|
>
|
|
tls: dh_key_exchange = yes
|
|
tls: rsa_key_length = 512
|
|
tls: dh_key_length = 512
|
|
tls: verify_depth = 0
|
|
tls: CA_path = "(null)"
|
|
tls: pem_file_type = yes
|
|
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
|
|
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
|
|
tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
|
|
tls: private_key_password = "SecretKeyPass77"
|
|
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
|
|
tls: random_file = "/usr/local/etc/raddb/certs/random"
|
|
tls: fragment_size = 1024
|
|
tls: include_length = yes
|
|
tls: check_crl = no
|
|
tls: check_cert_cn = "(null)"
|
|
rlm_eap: Loaded and initialized type tls
|
|
peap: default_eap_type = "mschapv2" <A
|
|
NAME="rad_mschapv2"
|
|
><IMG
|
|
SRC="../images/callouts/3.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(3)"></A
|
|
>
|
|
peap: copy_request_to_tunnel = no
|
|
peap: use_tunneled_reply = no
|
|
peap: proxy_tunneled_request_as_eap = yes
|
|
rlm_eap: Loaded and initialized type peap
|
|
mschapv2: with_ntdomain_hack = no
|
|
rlm_eap: Loaded and initialized type mschapv2
|
|
Module: Instantiated eap (eap)
|
|
......
|
|
Module: Loaded files
|
|
files: usersfile = "/usr/local/etc/raddb/users" <A
|
|
NAME="rad_users"
|
|
><IMG
|
|
SRC="../images/callouts/4.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(4)"></A
|
|
>
|
|
......
|
|
Module: Instantiated radutmp (radutmp)
|
|
Listening on authentication *:1812
|
|
Listening on accounting *:1813
|
|
Ready to process requests. <A
|
|
NAME="rad_finished"
|
|
><IMG
|
|
SRC="../images/callouts/5.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(5)"></A
|
|
>
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><DIV
|
|
CLASS="calloutlist"
|
|
><DL
|
|
COMPACT="COMPACT"
|
|
><DT
|
|
><A
|
|
HREF="#rad_peap"
|
|
><IMG
|
|
SRC="../images/callouts/1.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(1)"></A
|
|
></DT
|
|
><DD
|
|
> Default EAP type is set to PEAP.
|
|
</DD
|
|
><DT
|
|
><A
|
|
HREF="#rad_tls"
|
|
><IMG
|
|
SRC="../images/callouts/2.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(2)"></A
|
|
></DT
|
|
><DD
|
|
> RADIUS's TLS settings are initiated here. The certificate type,
|
|
location, and password are listed here. Note that the private key password is echoed in clear text in this debug output, so treat the output as sensitive.
|
|
</DD
|
|
><DT
|
|
><A
|
|
HREF="#rad_mschapv2"
|
|
><IMG
|
|
SRC="../images/callouts/3.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(3)"></A
|
|
></DT
|
|
><DD
|
|
> Inside the PEAP tunnel, MS-CHAPv2 is used.
|
|
</DD
|
|
><DT
|
|
><A
|
|
HREF="#rad_users"
|
|
><IMG
|
|
SRC="../images/callouts/4.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(4)"></A
|
|
></DT
|
|
><DD
|
|
> The username/password information is found in the
|
|
<TT
|
|
CLASS="filename"
|
|
>users</TT
|
|
> file.
|
|
</DD
|
|
><DT
|
|
><A
|
|
HREF="#rad_finished"
|
|
><IMG
|
|
SRC="../images/callouts/5.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(5)"></A
|
|
></DT
|
|
><DD
|
|
> RADIUS server started successfully. Waiting for incoming requests.
|
|
</DD
|
|
></DL
|
|
></DIV
|
|
><P
|
|
>The RADIUS server is now ready to process requests!</P
|
|
><P
|
|
> The most interesting output is included above. If you get any
|
|
error message instead of the last line, go over the configuration
|
|
(above) carefully. Also compare the echoed values with your configuration: the output above shows require_encryption = no, require_strong = no and a random_file under certs/, which differ from the settings given in the configuration steps, so make sure the files you edited are the ones actually being loaded.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Now the Supplicant is ready to get authenticated. Start
|
|
<SPAN
|
|
CLASS="application"
|
|
>Xsupplicant</SPAN
|
|
> in debug mode. Note that
|
|
we'll see output produced by the two startup scripts:
|
|
<TT
|
|
CLASS="filename"
|
|
>startup.sh</TT
|
|
> and
|
|
<TT
|
|
CLASS="filename"
|
|
>startup2.sh</TT
|
|
>.
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> <TT
|
|
CLASS="prompt"
|
|
># </TT
|
|
><TT
|
|
CLASS="userinput"
|
|
><B
|
|
><B
|
|
CLASS="command"
|
|
>xsupplicant</B
|
|
> -c /usr/local/etc/1x/1x.conf -i eth0 -d 6</B
|
|
></TT
|
|
>
|
|
Starting /etc/1x/startup.sh
|
|
Finished /etc/1x/startup.sh
|
|
Starting /etc/1x/startup2.sh
|
|
Finished /etc/1x/startup2.sh
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
><LI
|
|
><P
|
|
> At the same time, the RADIUS server is producing a lot of
|
|
output. Key snippets are shown below:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> ......
|
|
rlm_eap: Request found, released from the list
|
|
rlm_eap: EAP/peap
|
|
rlm_eap: processing type peap
|
|
rlm_eap_peap: Authenticate
|
|
rlm_eap_tls: processing TLS <A
|
|
NAME="rpro_tls"
|
|
><IMG
|
|
SRC="../images/callouts/1.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(1)"></A
|
|
>
|
|
eaptls_verify returned 7
|
|
rlm_eap_tls: Done initial handshake
|
|
eaptls_process returned 7
|
|
rlm_eap_peap: EAPTLS_OK <A
|
|
NAME="rpro_peap"
|
|
><IMG
|
|
SRC="../images/callouts/2.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(2)"></A
|
|
>
|
|
rlm_eap_peap: Session established. Decoding tunneled attributes.
|
|
rlm_eap_peap: Received EAP-TLV response.
|
|
rlm_eap_peap: Tunneled data is valid.
|
|
rlm_eap_peap: Success
|
|
rlm_eap: Freeing handler
|
|
modcall[authenticate]: module "eap" returns ok for request 8
|
|
modcall: group authenticate returns ok for request 8
|
|
Login OK: [testuser/<no User-Password attribute>] (from client testnet port 37 cli 0002a56fa08a)
|
|
Sending Access-Accept of id 8 to 192.168.2.1:1032 <A
|
|
NAME="rpro_accept"
|
|
><IMG
|
|
SRC="../images/callouts/3.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(3)"></A
|
|
>
|
|
MS-MPPE-Recv-Key = 0xf21757b96f52ddaefe084c343778d0082c2c8e12ce18ae10a79c550ae61a5206 <A
|
|
NAME="rpro_reckey"
|
|
><IMG
|
|
SRC="../images/callouts/4.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(4)"></A
|
|
>
|
|
MS-MPPE-Send-Key = 0x5e1321e06a45f7ac9f78fb9d398cab5556bff6c9d003cdf8161683bfb7e7af18
|
|
EAP-Message = 0x030a0004
|
|
Message-Authenticator = 0x00000000000000000000000000000000
|
|
User-Name = "testuser"
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><DIV
|
|
CLASS="calloutlist"
|
|
><DL
|
|
COMPACT="COMPACT"
|
|
><DT
|
|
><A
|
|
HREF="#rpro_tls"
|
|
><IMG
|
|
SRC="../images/callouts/1.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(1)"></A
|
|
></DT
|
|
><DD
|
|
> TLS session startup. Doing TLS-handshake.
|
|
</DD
|
|
><DT
|
|
><A
|
|
HREF="#rpro_peap"
|
|
><IMG
|
|
SRC="../images/callouts/2.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(2)"></A
|
|
></DT
|
|
><DD
|
|
> The TLS session (PEAP-encrypted tunnel) is up.
|
|
</DD
|
|
><DT
|
|
><A
|
|
HREF="#rpro_accept"
|
|
><IMG
|
|
SRC="../images/callouts/3.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(3)"></A
|
|
></DT
|
|
><DD
|
|
> The Supplicant has been authenticated successfully by the
|
|
RADIUS server. An <SPAN
|
|
CLASS="QUOTE"
|
|
>"Access-Accept"</SPAN
|
|
> message is
|
|
sent.
|
|
</DD
|
|
><DT
|
|
><A
|
|
HREF="#rpro_reckey"
|
|
><IMG
|
|
SRC="../images/callouts/4.gif"
|
|
HSPACE="0"
|
|
VSPACE="0"
|
|
BORDER="0"
|
|
ALT="(4)"></A
|
|
></DT
|
|
><DD
|
|
> The <EM
|
|
>MS-MPPE-Recv-Key</EM
|
|
> [<A
|
|
HREF="http://www.ietf.org/rfc/rfc2548.txt"
|
|
TARGET="_top"
|
|
>RFC2548</A
|
|
>
|
|
section 2.4.3] contains the Pairwise Master Key (PMK) destined
|
|
to the Authenticator (access point), encrypted with the MPPE
|
|
Protocol [<A
|
|
HREF="http://www.ietf.org/rfc/rfc3078.txt"
|
|
TARGET="_top"
|
|
>RFC3078</A
|
|
>],
|
|
using the shared secret between the Authenticator and
|
|
Authentication Server as the key. The Supplicant derives the same
|
|
PMK from MK, as described in <A
|
|
HREF="#Key"
|
|
>Key
|
|
Management</A
|
|
>. Because the confidentiality of the PMK in transit rests entirely on that shared secret, the secret should be strong; note also that this debug output exposes the key attributes, so such logs should not be shared or retained longer than needed.
|
|
</DD
|
|
></DL
|
|
></DIV
|
|
></LI
|
|
><LI
|
|
><P
|
|
> The Authenticator (access point) may also show something like this
|
|
in its log:
|
|
</P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> 00:02:16 (Info): Station 0002a56fa08a Associated
|
|
00:02:17 (Info): Station=0002a56fa08a User="testuser" EAP-Authenticated
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></LI
|
|
></OL
|
|
></DIV
|
|
><P
|
|
> That's it! The Supplicant is now authenticated to use the Access
|
|
Point!
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><HR><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="dynWEP"
|
|
></A
|
|
>7. Note about driver support and Xsupplicant</H1
|
|
><P
|
|
> As described in <A
|
|
HREF="#Key"
|
|
>Key Management</A
|
|
>, one of
|
|
the big advantages of using Dynamic WEP/802.11i with 802.1X is the
|
|
support for session keys. A new encryption key is generated for each
|
|
session.
|
|
</P
|
|
><P
|
|
> <SPAN
|
|
CLASS="application"
|
|
>Xsupplicant</SPAN
|
|
> only supports <SPAN
|
|
CLASS="QUOTE"
|
|
>"Dynamic
|
|
WEP"</SPAN
|
|
> as of this writing. Support for WPA and RSN/WPA2
|
|
(802.11i) is being worked on, and is estimated to be supported at
|
|
the end of the year/early next year (2004/2005), according to Chris
|
|
Hessing (one of the <SPAN
|
|
CLASS="application"
|
|
>Xsupplicant</SPAN
|
|
>
|
|
developers).
|
|
</P
|
|
><P
|
|
> Not all wireless drivers support dynamic WEP or WPA. To use RSN
|
|
(WPA2), new support in hardware may even be required. Many older
|
|
drivers assume only one WEP key will be used on the network at any
|
|
time. The card is reset whenever the key is changed to let the new
|
|
key take effect. This triggers a new authentication, which in turn
|
|
changes the key again, producing a never-ending loop.
|
|
</P
|
|
><P
|
|
> At the time of writing, most of the wireless drivers in the base
|
|
Linux kernel require patching to make dynamic WEP/WPA work. They
|
|
will, in time, be upgraded to support these new features. Many drivers
|
|
developed outside the kernel, however, do support dynamic WEP;
|
|
HostAP, madwifi, Orinoco, and atmel should work without problems.
|
|
</P
|
|
><P
|
|
> Instead of using Xsupplicant, <A
|
|
HREF="http://hostap.epitest.fi/wpa_supplicant/"
|
|
TARGET="_top"
|
|
>wpa_supplicant</A
|
|
>
|
|
may be used. It has support for both WPA and RSN (WPA2), and a wide
|
|
range of EAP authentication methods.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><HR><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="faq"
|
|
></A
|
|
>8. FAQ</H1
|
|
><P
|
|
> Do not forget to check out the FAQ section of both the <A
|
|
HREF="http://www.freeradius.org/faq/"
|
|
TARGET="_top"
|
|
>FreeRADIUS</A
|
|
> (highly
|
|
recommended!) and <A
|
|
HREF="http://sourceforge.net/docman/display_doc.php?docid=23371&amp;group_id=60236#ch7"
|
|
TARGET="_top"
|
|
> Xsupplicant</A
|
|
> Web sites!
|
|
</P
|
|
><DIV
|
|
CLASS="qandaset"
|
|
><DL
|
|
><DT
|
|
>8.1. <A
|
|
HREF="#AEN626"
|
|
> Is it possible to allow user-specific
|
|
<SPAN
|
|
CLASS="application"
|
|
>Xsupplicant</SPAN
|
|
> configuration, to avoid
|
|
having a global configuration file?
|
|
</A
|
|
></DT
|
|
><DT
|
|
>8.2. <A
|
|
HREF="#AEN632"
|
|
>I don't want to use PEAP; can I use EAP-TTLS or EAP-TLS instead?</A
|
|
></DT
|
|
><DT
|
|
>8.3. <A
|
|
HREF="#AEN637"
|
|
> Can I use a Windows Supplicant (client) instead of GNU/Linux?
|
|
</A
|
|
></DT
|
|
><DT
|
|
>8.4. <A
|
|
HREF="#AEN643"
|
|
> Can I use Active Directory to authenticate users?
|
|
</A
|
|
></DT
|
|
><DT
|
|
>8.5. <A
|
|
HREF="#AEN649"
|
|
> Are there any Windows Supplicant clients available?
|
|
</A
|
|
></DT
|
|
></DL
|
|
><DIV
|
|
CLASS="qandaentry"
|
|
><DIV
|
|
CLASS="question"
|
|
><P
|
|
><A
|
|
NAME="AEN626"
|
|
></A
|
|
><B
|
|
>8.1. </B
|
|
>
|
|
Is it possible to allow user-specific
|
|
<SPAN
|
|
CLASS="application"
|
|
>Xsupplicant</SPAN
|
|
> configuration, to avoid
|
|
having a global configuration file?
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="answer"
|
|
><P
|
|
><B
|
|
> </B
|
|
>
|
|
No, not at the moment.
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="qandaentry"
|
|
><DIV
|
|
CLASS="question"
|
|
><P
|
|
><A
|
|
NAME="AEN632"
|
|
></A
|
|
><B
|
|
>8.2. </B
|
|
>I don't want to use PEAP; can I use EAP-TTLS or EAP-TLS instead?</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="answer"
|
|
><P
|
|
><B
|
|
> </B
|
|
>
|
|
Yes. To use EAP-TTLS, only small changes to the configuration used
|
|
in this document are required. To use EAP-TLS, client certificates
|
|
must be used as well.
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="qandaentry"
|
|
><DIV
|
|
CLASS="question"
|
|
><P
|
|
><A
|
|
NAME="AEN637"
|
|
></A
|
|
><B
|
|
>8.3. </B
|
|
>
|
|
Can I use a Windows Supplicant (client) instead of GNU/Linux?
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="answer"
|
|
><P
|
|
><B
|
|
> </B
|
|
>
|
|
Yes. Windows XP SP1 and Windows 2000 SP3 have support for PEAP MSCHAPv2
|
|
(used in this document). A Windows HOWTO can be found here: <A
|
|
HREF="http://text.dslreports.com/forum/remark,9286052~mode=flat"
|
|
TARGET="_top"
|
|
>FreeRADIUS/WinXP
|
|
Authentication Setup</A
|
|
>
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="qandaentry"
|
|
><DIV
|
|
CLASS="question"
|
|
><P
|
|
><A
|
|
NAME="AEN643"
|
|
></A
|
|
><B
|
|
>8.4. </B
|
|
>
|
|
Can I use Active Directory to authenticate users?
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="answer"
|
|
><P
|
|
><B
|
|
> </B
|
|
>
|
|
Yes. FreeRADIUS can authenticate users from AD by using
|
|
<SPAN
|
|
CLASS="QUOTE"
|
|
>"ntlm_auth"</SPAN
|
|
>.
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="qandaentry"
|
|
><DIV
|
|
CLASS="question"
|
|
><P
|
|
><A
|
|
NAME="AEN649"
|
|
></A
|
|
><B
|
|
>8.5. </B
|
|
>
|
|
Are there any Windows Supplicant clients available?
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="answer"
|
|
><P
|
|
><B
|
|
> </B
|
|
>
|
|
Yes. As of Windows XP SP1 or Windows 2000 SP3, WPA
|
|
(PEAP/MS-CHAPv2) is supported. Other clients include (not tested)
|
|
<A
|
|
HREF="http://www.securew2.com"
|
|
TARGET="_top"
|
|
>Secure W2</A
|
|
> (free for
|
|
non-commercial) and <A
|
|
HREF="http://wire.cs.nthu.edu.tw/wire1x/"
|
|
TARGET="_top"
|
|
>WIRE1X</A
|
|
>. <A
|
|
HREF="http://www.funk.com"
|
|
TARGET="_top"
|
|
>Funk Software</A
|
|
> also has a
|
|
commercial client available.
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><HR><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="resources"
|
|
></A
|
|
>9. Useful Resources</H1
|
|
><P
|
|
> Only IEEE standards older than 12 months are available to
|
|
the public in general (through the <A
|
|
HREF="http://standards.ieee.org/getieee802/"
|
|
TARGET="_top"
|
|
><SPAN
|
|
CLASS="QUOTE"
|
|
>"Get IEEE 802
|
|
Program"</SPAN
|
|
></A
|
|
>). So the new <EM
|
|
>802.11i</EM
|
|
> and
|
|
<EM
|
|
>802.1X-2004</EM
|
|
> standards documents are not
|
|
available. You must be an IEEE participant to get hold of any
|
|
drafts/work in progress papers (which actually isn't that hard -
|
|
just join a mailing list and say you are interested).
|
|
</P
|
|
><P
|
|
> <P
|
|
></P
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
>FreeRADIUS Server Project<A
|
|
HREF="http://www.freeradius.org/"
|
|
TARGET="_top"
|
|
> http://www.freeradius.org/</A
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Open1x: Open Source implementation of IEEE 802.1X (Xsupplicant)<A
|
|
HREF="http://www.open1x.org/"
|
|
TARGET="_top"
|
|
> http://www.open1x.org/</A
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>The Open1x User's Guide<A
|
|
HREF="http://sourceforge.net/docman/display_doc.php?docid=23371&amp;group_id=60236"
|
|
TARGET="_top"
|
|
>
|
|
http://sourceforge.net/docman/display_doc.php?docid=23371&amp;group_id=60236</A
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Port-Based Network Access Control (802.1X-2001)<A
|
|
HREF="http://standards.ieee.org/getieee802/download/802.1X-2001.pdf"
|
|
TARGET="_top"
|
|
> http://standards.ieee.org/getieee802/download/802.1X-2001.pdf</A
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>RFC2246: The TLS Protocol Version 1.0<A
|
|
HREF="http://www.ietf.org/rfc/rfc2246.txt"
|
|
TARGET="_top"
|
|
>
|
|
http://www.ietf.org/rfc/rfc2246.txt</A
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>RFC2459: Internet X.509 Public Key Infrastructure -
|
|
Certificate and CRL Profile<A
|
|
HREF="http://www.ietf.org/rfc/rfc2459.txt"
|
|
TARGET="_top"
|
|
>
|
|
http://www.ietf.org/rfc/rfc2459.txt</A
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>RFC2548: Microsoft Vendor-specific RADIUS Attributes<A
|
|
HREF="http://www.ietf.org/rfc/rfc2548.txt"
|
|
TARGET="_top"
|
|
>
|
|
http://www.ietf.org/rfc/rfc2548.txt</A
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>RFC2716: PPP EAP TLS Authentication Protocol<A
|
|
HREF="http://www.ietf.org/rfc/rfc2716.txt"
|
|
TARGET="_top"
|
|
>
|
|
http://www.ietf.org/rfc/rfc2716.txt</A
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>RFC2865: Remote Authentication Dial-In User Service (RADIUS)<A
|
|
HREF="http://www.ietf.org/rfc/rfc2865.txt"
|
|
TARGET="_top"
|
|
> http://www.ietf.org/rfc/rfc2865.txt</A
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>RFC3079: Deriving Keys for use with Microsoft Point-to-Point Encryption (MPPE)<A
|
|
HREF="http://www.ietf.org/rfc/rfc3079.txt"
|
|
TARGET="_top"
|
|
> http://www.ietf.org/rfc/rfc3079.txt</A
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>RFC3579: RADIUS Support For EAP<A
|
|
HREF="http://www.ietf.org/rfc/rfc3579.txt"
|
|
TARGET="_top"
|
|
> http://www.ietf.org/rfc/rfc3579.txt</A
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>RFC3580: IEEE 802.1X RADIUS Usage Guidelines<A
|
|
HREF="http://www.ietf.org/rfc/rfc3580.txt"
|
|
TARGET="_top"
|
|
> http://www.ietf.org/rfc/rfc3580.txt</A
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>RFC3588: Diameter Base Protocol<A
|
|
HREF="http://www.ietf.org/rfc/rfc3588.txt"
|
|
TARGET="_top"
|
|
> http://www.ietf.org/rfc/rfc3588.txt</A
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>RFC3610: Counter with CBC-MAC (CCM)<A
|
|
HREF="http://www.ietf.org/rfc/rfc3610.txt"
|
|
TARGET="_top"
|
|
> http://www.ietf.org/rfc/rfc3610.txt</A
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>RFC3748: Extensible Authentication Protocol (EAP)<A
|
|
HREF="http://www.ietf.org/rfc/rfc3748.txt"
|
|
TARGET="_top"
|
|
> http://www.ietf.org/rfc/rfc3748.txt</A
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Linux Wireless Access Point HOWTO <A
|
|
HREF="http://oob.freeshell.org/nzwireless/LWAP-HOWTO.html"
|
|
TARGET="_top"
|
|
> http://oob.freeshell.org/nzwireless/LWAP-HOWTO.html</A
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>SSL Certificates HOWTO<A
|
|
HREF="http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/"
|
|
TARGET="_top"
|
|
>
|
|
http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/</A
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>OpenSSL: x509(1)<A
|
|
HREF="http://www.openssl.org/docs/apps/x509.html"
|
|
TARGET="_top"
|
|
>
|
|
http://www.openssl.org/docs/apps/x509.html</A
|
|
>
|
|
</P
|
|
></LI
|
|
></OL
|
|
>
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><HR><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="copyack"
|
|
></A
|
|
>10. Copyright, acknowledgments and miscellaneous</H1
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="copyright"
|
|
></A
|
|
>10.1. Copyright and License</H2
|
|
><P
|
|
> Copyright (c) 2004 Lars Strand.</P
|
|
><P
|
|
> Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the <A
|
|
HREF="http://www.gnu.org/licenses/fdl.html"
|
|
TARGET="_top"
|
|
>GNU Free
|
|
Documentation License</A
|
|
>, Version 1.2 or any later version
|
|
published by the Free Software Foundation; with no Invariant
|
|
Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy
|
|
of the license is included in the section entitled "GNU Free
|
|
Documentation License".
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><HR><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="produced"
|
|
></A
|
|
>10.2. How this document was produced</H2
|
|
><P
|
|
>This document was written in DocBook XML using Emacs.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><HR><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="feedback"
|
|
></A
|
|
>10.3. Feedback</H2
|
|
><P
|
|
> Suggestions, corrections, additions wanted. Contributors wanted
|
|
and acknowledged. Flames not wanted.
|
|
</P
|
|
><P
|
|
> I can always be reached at <TT
|
|
CLASS="email"
|
|
>&lt;<A
|
|
HREF="mailto:lars strand at gnist org"
|
|
>lars strand at gnist org</A
|
|
>></TT
|
|
>
|
|
</P
|
|
><P
|
|
> Homepage: <A
|
|
HREF="http://www.gnist.org/~lars/"
|
|
TARGET="_top"
|
|
>http://www.gnist.org/~lars/</A
|
|
>
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><HR><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="ack"
|
|
></A
|
|
>10.4. Acknowledgments</H2
|
|
><P
|
|
> Thanks to Andreas Hafslund <TT
|
|
CLASS="email"
|
|
>&lt;<A
|
|
HREF="mailto:andreha at unik no"
|
|
>andreha at unik no</A
|
|
>></TT
|
|
> and Thales
|
|
Communication for initial support.
|
|
</P
|
|
><P
|
|
> Also thanks to Artur Hecker <TT
|
|
CLASS="email"
|
|
>&lt;<A
|
|
HREF="mailto:hecker at enst fr"
|
|
>hecker at enst fr</A
|
|
>></TT
|
|
>,
|
|
Chris Hessing <TT
|
|
CLASS="email"
|
|
>&lt;<A
|
|
HREF="mailto:chris hessing at utah edu"
|
|
>chris hessing at utah edu</A
|
|
>></TT
|
|
>, Jouni
|
|
Malinen <TT
|
|
CLASS="email"
|
|
>&lt;<A
|
|
HREF="mailto:jkmaline at cc hut fi"
|
|
>jkmaline at cc hut fi</A
|
|
>></TT
|
|
> and Terry
|
|
Simons <TT
|
|
CLASS="email"
|
|
>&lt;<A
|
|
HREF="mailto:galimore at mac com"
|
|
>galimore at mac com</A
|
|
>></TT
|
|
> for valuable feedback!
|
|
</P
|
|
><P
|
|
> Thanks to Rick Moen <TT
|
|
CLASS="email"
|
|
>&lt;<A
|
|
HREF="mailto:rick at linuxmafia com"
|
|
>rick at linuxmafia com</A
|
|
>></TT
|
|
> for
|
|
doing a language review!
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="appendix"
|
|
><HR><H1
|
|
CLASS="appendix"
|
|
><A
|
|
NAME="gfdl"
|
|
></A
|
|
>A. GNU Free Documentation License</H1
|
|
><FONT
|
|
COLOR="RED"
|
|
>Version 1.2, November 2002</FONT
|
|
><A
|
|
NAME="fsf-copyright"
|
|
></A
|
|
><BLOCKQUOTE
|
|
CLASS="BLOCKQUOTE"
|
|
><P
|
|
>Copyright (C) 2000,2001,2002 Free Software Foundation, Inc.
|
|
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
Everyone is permitted to copy and distribute verbatim copies
|
|
of this license document, but changing it is not allowed.</P
|
|
></BLOCKQUOTE
|
|
><DIV
|
|
CLASS="section"
|
|
><HR><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="gfdl-0"
|
|
></A
|
|
>A.1. PREAMBLE</H1
|
|
><P
|
|
>The purpose of this License is to make a manual, textbook, or
|
|
other functional and useful document "free" in the sense of freedom: to
|
|
assure everyone the effective freedom to copy and redistribute it, with
|
|
or without modifying it, either commercially or noncommercially.
|
|
Secondarily, this License preserves for the author and publisher a way
|
|
to get credit for their work, while not being considered responsible for
|
|
modifications made by others.</P
|
|
><P
|
|
>This License is a kind of "copyleft", which means that derivative
|
|
works of the document must themselves be free in the same sense. It
|
|
complements the GNU General Public License, which is a copyleft license
|
|
designed for free software.</P
|
|
><P
|
|
>We have designed this License in order to use it for manuals for
|
|
free software, because free software needs free documentation: a free
|
|
program should come with manuals providing the same freedoms that the
|
|
software does. But this License is not limited to software manuals; it
|
|
can be used for any textual work, regardless of subject matter or
|
|
whether it is published as a printed book. We recommend this License
|
|
principally for works whose purpose is instruction or reference.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><HR><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="gfdl-1"
|
|
></A
|
|
>A.2. APPLICABILITY AND DEFINITIONS</H1
|
|
><P
|
|
>This License applies to any manual or other work, in
|
|
any medium, that contains a notice placed by the copyright holder saying
|
|
it can be distributed under the terms of this License. Such a notice
|
|
grants a world-wide, royalty-free license, unlimited in duration, to use
|
|
that work under the conditions stated herein. The "Document", below,
|
|
refers to any such manual or work. Any member of the public is a
|
|
licensee, and is addressed as "you". You accept the license if you
|
|
copy, modify or distribute the work in a way requiring permission under
|
|
copyright law.</P
|
|
><P
|
|
>A "Modified Version" of the Document means any
|
|
work containing the Document or a portion of it, either copied verbatim,
|
|
or with modifications and/or translated into another language.</P
|
|
><P
|
|
>A "Secondary Section" is a named appendix or
|
|
a front-matter section of the Document that deals exclusively with the
|
|
relationship of the publishers or authors of the Document to the
|
|
Document's overall subject (or to related matters) and contains nothing
|
|
that could fall directly within that overall subject. (Thus, if the
|
|
Document is in part a textbook of mathematics, a Secondary Section may
|
|
not explain any mathematics.) The relationship could be a matter of
|
|
historical connection with the subject or with related matters, or of
|
|
legal, commercial, philosophical, ethical or political position
|
|
regarding them.</P
|
|
><P
|
|
>The "Invariant Sections" are certain Secondary
|
|
Sections whose titles are designated, as being those of Invariant
|
|
Sections, in the notice that says that the Document is released under
|
|
this License. If a section does not fit the above definition of
|
|
Secondary then it is not allowed to be designated as Invariant. The
|
|
Document may contain zero Invariant Sections. If the Document does not
|
|
identify any Invariant Sections then there are none.</P
|
|
><P
|
|
>The "Cover Texts" are certain short passages of
|
|
text that are listed, as Front-Cover Texts or Back-Cover Texts, in the
|
|
notice that says that the Document is released under this License. A
|
|
Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at
|
|
most 25 words.</P
|
|
><P
|
|
>A "Transparent" copy of the Document means a
|
|
machine-readable copy, represented in a format whose specification is
|
|
available to the general public, that is suitable for revising the
|
|
document straightforwardly with generic text editors or (for images
|
|
composed of pixels) generic paint programs or (for drawings) some widely
|
|
available drawing editor, and that is suitable for input to text
|
|
formatters or for automatic translation to a variety of formats suitable
|
|
for input to text formatters. A copy made in an otherwise Transparent
|
|
file format whose markup, or absence of markup, has been arranged to
|
|
thwart or discourage subsequent modification by readers is not
|
|
Transparent. An image format is not Transparent if used for any
|
|
substantial amount of text. A copy that is not "Transparent" is called
|
|
"Opaque".</P
|
|
><P
|
|
>Examples of suitable formats for Transparent copies include plain
|
|
ASCII without markup, Texinfo input format, LaTeX input format, SGML or
|
|
XML using a publicly available DTD, and standard-conforming simple HTML,
|
|
PostScript or PDF designed for human modification. Examples of
|
|
transparent image formats include PNG, XCF and JPG. Opaque formats
|
|
include proprietary formats that can be read and edited only by
|
|
proprietary word processors, SGML or XML for which the DTD and/or
|
|
processing tools are not generally available, and the machine-generated
|
|
HTML, PostScript or PDF produced by some word processors for output
|
|
purposes only.</P
|
|
><P
|
|
>The "Title Page" means, for a printed book,
|
|
the title page itself, plus such following pages as are needed to hold,
|
|
legibly, the material this License requires to appear in the title page.
|
|
For works in formats which do not have any title page as such, "Title
|
|
Page" means the text near the most prominent appearance of the work's
|
|
title, preceding the beginning of the body of the text.</P
|
|
><P
|
|
>A section "Entitled XYZ" means a named subunit
|
|
of the Document whose title either is precisely XYZ or contains XYZ in
|
|
parentheses following text that translates XYZ in another language.
|
|
(Here XYZ stands for a specific section name mentioned below, such as
|
|
"Acknowledgements", "Dedications", "Endorsements", or "History".) To
|
|
"Preserve the Title" of such a section when you modify the Document
|
|
means that it remains a section "Entitled XYZ" according to this
|
|
definition.</P
|
|
><P
|
|
>The Document may include Warranty Disclaimers next to the notice
|
|
which states that this License applies to the Document. These Warranty
|
|
Disclaimers are considered to be included by reference in this License,
|
|
but only as regards disclaiming warranties: any other implication that
|
|
these Warranty Disclaimers may have is void and has no effect on the
|
|
meaning of this License.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><HR><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="gfdl-2"
|
|
></A
|
|
>A.3. VERBATIM COPYING</H1
|
|
><P
|
|
>You may copy and distribute the Document in any medium, either
|
|
commercially or noncommercially, provided that this License, the
|
|
copyright notices, and the license notice saying this License applies to
|
|
the Document are reproduced in all copies, and that you add no other
|
|
conditions whatsoever to those of this License. You may not use
|
|
technical measures to obstruct or control the reading or further copying
|
|
of the copies you make or distribute. However, you may accept
|
|
compensation in exchange for copies. If you distribute a large enough
|
|
number of copies you must also follow the conditions in section 3.
|
|
</P
|
|
><P
|
|
>You may also lend copies, under the same conditions stated above,
|
|
and you may publicly display copies.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><HR><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="gfdl-3"
|
|
></A
|
|
>A.4. COPYING IN QUANTITY</H1
|
|
><P
|
|
>If you publish printed copies (or copies in media that commonly
|
|
have printed covers) of the Document, numbering more than 100, and the
|
|
Document's license notice requires Cover Texts, you must enclose the
|
|
copies in covers that carry, clearly and legibly, all these Cover Texts:
|
|
Front-Cover Texts on the front cover, and Back-Cover Texts on the back
|
|
cover. Both covers must also clearly and legibly identify you as the
|
|
publisher of these copies. The front cover must present the full title
|
|
with all words of the title equally prominent and visible. You may add
|
|
other material on the covers in addition. Copying with changes limited
|
|
to the covers, as long as they preserve the title of the Document and
|
|
satisfy these conditions, can be treated as verbatim copying in other
|
|
respects.</P
|
|
><P
|
|
>If the required texts for either cover are too voluminous to fit
|
|
legibly, you should put the first ones listed (as many as fit
|
|
reasonably) on the actual cover, and continue the rest onto adjacent
|
|
pages.</P
|
|
><P
|
|
>If you publish or distribute Opaque copies of the Document
|
|
numbering more than 100, you must either include a machine-readable
|
|
Transparent copy along with each Opaque copy, or state in or with each
|
|
Opaque copy a computer-network location from which the general
|
|
network-using public has access to download using public-standard
|
|
network protocols a complete Transparent copy of the Document, free of
|
|
added material. If you use the latter option, you must take reasonably
|
|
prudent steps, when you begin distribution of Opaque copies in quantity,
|
|
to ensure that this Transparent copy will remain thus accessible at the
|
|
stated location until at least one year after the last time you
|
|
distribute an Opaque copy (directly or through your agents or retailers)
|
|
of that edition to the public.</P
|
|
><P
|
|
>It is requested, but not required, that you contact the authors of
|
|
the Document well before redistributing any large number of copies, to
|
|
give them a chance to provide you with an updated version of the
|
|
Document.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><HR><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="gfdl-4"
|
|
></A
|
|
>A.5. MODIFICATIONS</H1
|
|
><P
|
|
>You may copy and distribute a Modified Version of the Document
|
|
under the conditions of sections 2 and 3 above, provided that you
|
|
release the Modified Version under precisely this License, with the
|
|
Modified Version filling the role of the Document, thus licensing
|
|
distribution and modification of the Modified Version to whoever
|
|
possesses a copy of it. In addition, you must do these things in the
|
|
Modified Version:</P
|
|
><P
|
|
></P
|
|
><OL
|
|
TYPE="A"
|
|
><LI
|
|
><P
|
|
>Use in the Title Page (and on the covers, if any) a
|
|
title distinct from that of the Document, and from those of previous
|
|
versions (which should, if there were any, be listed in the History
|
|
section of the Document). You may use the same title as a previous
|
|
version if the original publisher of that version gives permission.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>List on the Title Page, as authors, one or more
|
|
persons or entities responsible for authorship of the modifications in
|
|
the Modified Version, together with at least five of the principal
|
|
authors of the Document (all of its principal authors, if it has fewer
|
|
than five), unless they release you from this requirement.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>State on the Title page the name of the publisher of
|
|
the Modified Version, as the publisher.</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Preserve all the copyright notices of the Document.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Add an appropriate copyright notice for your
|
|
modifications adjacent to the other copyright notices.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Include, immediately after the copyright notices, a
|
|
license notice giving the public permission to use the Modified
|
|
Version under the terms of this License, in the form shown in the
|
|
<A
|
|
HREF="#gfdl-addendum"
|
|
>Addendum</A
|
|
> below.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Preserve in that license notice the full lists of
|
|
Invariant Sections and required Cover Texts given in the Document's
|
|
license notice.</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Include an unaltered copy of this License.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Preserve the section Entitled "History", Preserve its
|
|
Title, and add to it an item stating at least the title, year, new
|
|
authors, and publisher of the Modified Version as given on the Title
|
|
Page. If there is no section Entitled "History" in the Document,
|
|
create one stating the title, year, authors, and publisher of the
|
|
Document as given on its Title Page, then add an item describing the
|
|
Modified Version as stated in the previous sentence.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Preserve the network location, if any, given in the
|
|
Document for public access to a Transparent copy of the Document, and
|
|
likewise the network locations given in the Document for previous
|
|
versions it was based on. These may be placed in the "History"
|
|
section. You may omit a network location for a work that was
|
|
published at least four years before the Document itself, or if the
|
|
original publisher of the version it refers to gives permission.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>For any section Entitled "Acknowledgements" or
|
|
"Dedications", Preserve the Title of the section, and preserve in the
|
|
section all the substance and tone of each of the contributor
|
|
acknowledgements and/or dedications given therein.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Preserve all the Invariant Sections of the Document,
|
|
unaltered in their text and in their titles. Section numbers or the
|
|
equivalent are not considered part of the section titles.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Delete any section Entitled "Endorsements".
|
|
Such a section may not be included in the Modified Version.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Do not retitle any existing section to be Entitled
|
|
"Endorsements" or to conflict in title with any Invariant Section.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Preserve any Warranty Disclaimers.
|
|
</P
|
|
></LI
|
|
></OL
|
|
><P
|
|
>If the Modified Version includes new front-matter sections or
|
|
appendices that qualify as Secondary Sections and contain no material
|
|
copied from the Document, you may at your option designate some or all
|
|
of these sections as invariant. To do this, add their titles to the
|
|
list of Invariant Sections in the Modified Version's license notice.
|
|
These titles must be distinct from any other section titles.</P
|
|
><P
|
|
>You may add a section Entitled "Endorsements", provided it
|
|
contains nothing but endorsements of your Modified Version by various
|
|
parties--for example, statements of peer review or that the text has
|
|
been approved by an organization as the authoritative definition of a
|
|
standard.</P
|
|
><P
|
|
>You may add a passage of up to five words as a Front-Cover Text,
|
|
and a passage of up to 25 words as a Back-Cover Text, to the end of the
|
|
list of Cover Texts in the Modified Version. Only one passage of
|
|
Front-Cover Text and one of Back-Cover Text may be added by (or through
|
|
arrangements made by) any one entity. If the Document already includes
|
|
a cover text for the same cover, previously added by you or by
|
|
arrangement made by the same entity you are acting on behalf of, you may
|
|
not add another; but you may replace the old one, on explicit permission
|
|
from the previous publisher that added the old one.</P
|
|
><P
|
|
>The author(s) and publisher(s) of the Document do not by this
|
|
License give permission to use their names for publicity for or to
|
|
assert or imply endorsement of any Modified Version.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><HR><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="gfdl-5"
|
|
></A
|
|
>A.6. COMBINING DOCUMENTS</H1
|
|
><P
|
|
>You may combine the Document with other documents released under
|
|
this License, under the terms defined in <A
|
|
HREF="#gfdl-4"
|
|
>section
|
|
4</A
|
|
> above for modified versions, provided that you include in the
|
|
combination all of the Invariant Sections of all of the original
|
|
documents, unmodified, and list them all as Invariant Sections of your
|
|
combined work in its license notice, and that you preserve all their
|
|
Warranty Disclaimers.</P
|
|
><P
|
|
>The combined work need only contain one copy of this License, and
|
|
multiple identical Invariant Sections may be replaced with a single
|
|
copy. If there are multiple Invariant Sections with the same name but
|
|
different contents, make the title of each such section unique by adding
|
|
at the end of it, in parentheses, the name of the original author or
|
|
publisher of that section if known, or else a unique number. Make the
|
|
same adjustment to the section titles in the list of Invariant Sections
|
|
in the license notice of the combined work.</P
|
|
><P
|
|
>In the combination, you must combine any sections Entitled
|
|
"History" in the various original documents, forming one section
|
|
Entitled "History"; likewise combine any sections Entitled
|
|
"Acknowledgements", and any sections Entitled "Dedications". You must
|
|
delete all sections Entitled "Endorsements".</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><HR><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="gfdl-6"
|
|
></A
|
|
>A.7. COLLECTIONS OF DOCUMENTS</H1
|
|
><P
|
|
>You may make a collection consisting of the Document and other
|
|
documents released under this License, and replace the individual copies
|
|
of this License in the various documents with a single copy that is
|
|
included in the collection, provided that you follow the rules of this
|
|
License for verbatim copying of each of the documents in all other
|
|
respects.</P
|
|
><P
|
|
>You may extract a single document from such a collection, and
|
|
distribute it individually under this License, provided you insert a
|
|
copy of this License into the extracted document, and follow this
|
|
License in all other respects regarding verbatim copying of that
|
|
document.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><HR><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="gfdl-7"
|
|
></A
|
|
>A.8. AGGREGATION WITH INDEPENDENT WORKS</H1
|
|
><P
|
|
>A compilation of the Document or its derivatives with other
|
|
separate and independent documents or works, in or on a volume of a
|
|
storage or distribution medium, is called an "aggregate" if the
|
|
copyright resulting from the compilation is not used to limit the legal
|
|
rights of the compilation's users beyond what the individual works
|
|
permit. When the Document is included in an aggregate, this License does
|
|
not apply to the other works in the aggregate which are not themselves
|
|
derivative works of the Document.</P
|
|
><P
|
|
>If the Cover Text requirement of section 3 is applicable to these
|
|
copies of the Document, then if the Document is less than one half of
|
|
the entire aggregate, the Document's Cover Texts may be placed on covers
|
|
that bracket the Document within the aggregate, or the electronic
|
|
equivalent of covers if the Document is in electronic form. Otherwise
|
|
they must appear on printed covers that bracket the whole
|
|
aggregate.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><HR><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="gfdl-8"
|
|
></A
|
|
>A.9. TRANSLATION</H1
|
|
><P
|
|
>Translation is considered a kind of modification, so you may
|
|
distribute translations of the Document under the terms of section 4.
|
|
Replacing Invariant Sections with translations requires special
|
|
permission from their copyright holders, but you may include
|
|
translations of some or all Invariant Sections in addition to the
|
|
original versions of these Invariant Sections. You may include a
|
|
translation of this License, and all the license notices in the
|
|
Document, and any Warranty Disclaimers, provided that you also include
|
|
the original English version of this License and the original versions
|
|
of those notices and disclaimers. In case of a disagreement between the
|
|
translation and the original version of this License or a notice or
|
|
disclaimer, the original version will prevail.</P
|
|
><P
|
|
>If a section in the Document is Entitled "Acknowledgements",
|
|
"Dedications", or "History", the requirement (section 4) to Preserve its
|
|
Title (section 1) will typically require changing the actual
|
|
title.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><HR><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="gfdl-9"
|
|
></A
|
|
>A.10. TERMINATION</H1
|
|
><P
|
|
>You may not copy, modify, sublicense, or distribute the Document
|
|
except as expressly provided for under this License. Any other attempt
|
|
to copy, modify, sublicense or distribute the Document is void, and will
|
|
automatically terminate your rights under this License. However,
|
|
parties who have received copies, or rights, from you under this License
|
|
will not have their licenses terminated so long as such parties remain
|
|
in full compliance.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><HR><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="gfdl-10"
|
|
></A
|
|
>A.11. FUTURE REVISIONS OF THIS LICENSE</H1
|
|
><P
|
|
>The Free Software Foundation may publish new, revised versions of
|
|
the GNU Free Documentation License from time to time. Such new versions
|
|
will be similar in spirit to the present version, but may differ in
|
|
detail to address new problems or concerns. See
|
|
http://www.gnu.org/copyleft/.</P
|
|
><P
|
|
>Each version of the License is given a distinguishing version
|
|
number. If the Document specifies that a particular numbered version of
|
|
this License "or any later version" applies to it, you have the option
|
|
of following the terms and conditions either of that specified version
|
|
or of any later version that has been published (not as a draft) by the
|
|
Free Software Foundation. If the Document does not specify a version
|
|
number of this License, you may choose any version ever published (not
|
|
as a draft) by the Free Software Foundation.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><HR><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="gfdl-addendum"
|
|
></A
|
|
>A.12. ADDENDUM: How to use this License for
|
|
your documents</H1
|
|
><P
|
|
>To use this License in a document you have written, include a copy
|
|
of the License in the document and put the following copyright and
|
|
license notices just after the title page:</P
|
|
><A
|
|
NAME="copyright-sample"
|
|
></A
|
|
><BLOCKQUOTE
|
|
CLASS="BLOCKQUOTE"
|
|
><P
|
|
> Copyright (c) YEAR YOUR NAME.
|
|
Permission is granted to copy, distribute and/or modify this document
|
|
under the terms of the GNU Free Documentation License, Version 1.2
|
|
or any later version published by the Free Software Foundation;
|
|
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
|
|
A copy of the license is included in the section entitled "GNU
|
|
Free Documentation License".
|
|
</P
|
|
></BLOCKQUOTE
|
|
><P
|
|
>If you have Invariant Sections, Front-Cover Texts and Back-Cover
|
|
Texts, replace the "with...Texts." line with this:</P
|
|
><A
|
|
NAME="inv-cover-sample"
|
|
></A
|
|
><BLOCKQUOTE
|
|
CLASS="BLOCKQUOTE"
|
|
><P
|
|
> with the Invariant Sections being LIST THEIR TITLES, with the
|
|
Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
|
|
</P
|
|
></BLOCKQUOTE
|
|
><P
|
|
>If you have Invariant Sections without Cover Texts, or some other
|
|
combination of the three, merge those two alternatives to suit the
|
|
situation.</P
|
|
><P
|
|
>If your document contains nontrivial examples of program code, we
|
|
recommend releasing these examples in parallel under your choice of free
|
|
software license, such as the GNU General Public License, to permit
|
|
their use in free software.</P
|
|
></DIV
|
|
></DIV
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |