<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>802.1X Port-Based Authentication HOWTO</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
><BODY
CLASS="article"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="ARTICLE"
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="title"
><A
NAME="AEN2"
></A
>802.1X Port-Based Authentication HOWTO</H1
><H3
CLASS="author"
><A
NAME="AEN5"
>Lars Strand</A
></H3
><DIV
CLASS="affiliation"
><DIV
CLASS="address"
><P
CLASS="address"
><TT
CLASS="email"
>&#60;<A
HREF="mailto:lars strand (at) gnist org"
>lars strand (at) gnist org</A
>&#62;</TT
></P
></DIV
></DIV
><P
CLASS="pubdate"
>2004-08-18<BR></P
><DIV
CLASS="revhistory"
><TABLE
WIDTH="100%"
BORDER="0"
><TR
><TH
ALIGN="LEFT"
VALIGN="TOP"
COLSPAN="3"
><B
>Revision History</B
></TH
></TR
><TR
><TD
ALIGN="LEFT"
>Revision 1.0</TD
><TD
ALIGN="LEFT"
>2004-10-18</TD
><TD
ALIGN="LEFT"
>Revised by: LKS</TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
>Initial Release, reviewed by TLDP.</TD
></TR
><TR
><TD
ALIGN="LEFT"
>Revision 0.2b</TD
><TD
ALIGN="LEFT"
>2004-10-13</TD
><TD
ALIGN="LEFT"
>Revised by: LKS</TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
>Various updates. Thanks to Rick Moen &#60;rick
(at) linuxmafia com&#62; for language review.</TD
></TR
><TR
><TD
ALIGN="LEFT"
>Revision 0.0</TD
><TD
ALIGN="LEFT"
>2004-07-23</TD
><TD
ALIGN="LEFT"
>Revised by: LKS</TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
>Initial draft.</TD
></TR
></TABLE
></DIV
><DIV
><DIV
CLASS="abstract"
><A
NAME="AEN32"
></A
><P
></P
><P
>&#13; This document describes the software and procedures to set up
and use <A
HREF="http://standards.ieee.org/getieee802/download/802.1X-2001.pdf"
TARGET="_top"
>IEEE
802.1X Port-Based Network Access Control</A
> using <A
HREF="http://www.open1x.org"
TARGET="_top"
><SPAN
CLASS="application"
>Xsupplicant</SPAN
></A
>
as Supplicant with <A
HREF="http://www.freeradius.org"
TARGET="_top"
><SPAN
CLASS="application"
>FreeRADIUS</SPAN
></A
>
as a back-end Authentication Server.
</P
><P
></P
></DIV
></DIV
><HR></DIV
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
>1. <A
HREF="#intro"
>Introduction</A
></DT
><DD
><DL
><DT
>1.1. <A
HREF="#what8021x"
>What is 802.1X?</A
></DT
><DT
>1.2. <A
HREF="#what80211i"
>What is 802.11i?</A
></DT
><DT
>1.3. <A
HREF="#EAP"
>What is EAP?</A
></DT
><DT
>1.4. <A
HREF="#auth"
>EAP authentication methods</A
></DT
><DT
>1.5. <A
HREF="#AAA"
>What is RADIUS?</A
></DT
></DL
></DD
><DT
>2. <A
HREF="#cert"
>Obtaining Certificates</A
></DT
><DT
>3. <A
HREF="#FreeRADIUS"
>Authentication Server: Setting up FreeRADIUS</A
></DT
><DD
><DL
><DT
>3.1. <A
HREF="#instradius"
>Installing FreeRADIUS</A
></DT
><DT
>3.2. <A
HREF="#confradius"
>Configuring FreeRADIUS</A
></DT
></DL
></DD
><DT
>4. <A
HREF="#xsupplicant"
>Supplicant: Setting up Xsupplicant</A
></DT
><DD
><DL
><DT
>4.1. <A
HREF="#instxsup"
>Installing Xsupplicant</A
></DT
><DT
>4.2. <A
HREF="#confxsup"
>Configuring Xsupplicant</A
></DT
></DL
></DD
><DT
>5. <A
HREF="#authenticator"
>Authenticator: Setting up the Authenticator (Access
Point)</A
></DT
><DD
><DL
><DT
>5.1. <A
HREF="#AP"
>Access Point</A
></DT
><DT
>5.2. <A
HREF="#LinuxAP"
>Linux Authenticator</A
></DT
></DL
></DD
><DT
>6. <A
HREF="#testbed"
>Testbed</A
></DT
><DD
><DL
><DT
>6.1. <A
HREF="#testcase"
>Testcase</A
></DT
><DT
>6.2. <A
HREF="#startrad"
>Running some tests</A
></DT
></DL
></DD
><DT
>7. <A
HREF="#dynWEP"
>Note about driver support and Xsupplicant</A
></DT
><DT
>8. <A
HREF="#faq"
>FAQ</A
></DT
><DT
>9. <A
HREF="#resources"
>Useful Resources</A
></DT
><DT
>10. <A
HREF="#copyack"
>Copyright, acknowledgments and miscellaneous</A
></DT
><DD
><DL
><DT
>10.1. <A
HREF="#copyright"
>Copyright and License</A
></DT
><DT
>10.2. <A
HREF="#produced"
>How this document was produced</A
></DT
><DT
>10.3. <A
HREF="#feedback"
>Feedback</A
></DT
><DT
>10.4. <A
HREF="#ack"
>Acknowledgments</A
></DT
></DL
></DD
><DT
>A. <A
HREF="#gfdl"
>GNU Free Documentation License</A
></DT
><DD
><DL
><DT
>A.1. <A
HREF="#gfdl-0"
>PREAMBLE</A
></DT
><DT
>A.2. <A
HREF="#gfdl-1"
>APPLICABILITY AND DEFINITIONS</A
></DT
><DT
>A.3. <A
HREF="#gfdl-2"
>VERBATIM COPYING</A
></DT
><DT
>A.4. <A
HREF="#gfdl-3"
>COPYING IN QUANTITY</A
></DT
><DT
>A.5. <A
HREF="#gfdl-4"
>MODIFICATIONS</A
></DT
><DT
>A.6. <A
HREF="#gfdl-5"
>COMBINING DOCUMENTS</A
></DT
><DT
>A.7. <A
HREF="#gfdl-6"
>COLLECTIONS OF DOCUMENTS</A
></DT
><DT
>A.8. <A
HREF="#gfdl-7"
>AGGREGATION WITH INDEPENDENT WORKS</A
></DT
><DT
>A.9. <A
HREF="#gfdl-8"
>TRANSLATION</A
></DT
><DT
>A.10. <A
HREF="#gfdl-9"
>TERMINATION</A
></DT
><DT
>A.11. <A
HREF="#gfdl-10"
>FUTURE REVISIONS OF THIS LICENSE</A
></DT
><DT
>A.12. <A
HREF="#gfdl-addendum"
>ADDENDUM: How to use this License for
your documents</A
></DT
></DL
></DD
></DL
></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="intro"
></A
>1. Introduction</H1
><P
>&#13; This document describes the software and procedures to set up and use <A
HREF="http://standards.ieee.org/getieee802/download/802.1X-2001.pdf"
TARGET="_top"
>802.1X:
Port-Based Network Access Control</A
> using <A
HREF="http://www.open1x.org"
TARGET="_top"
><SPAN
CLASS="application"
>Xsupplicant</SPAN
></A
>
with PEAP (PEAP/MS-CHAPv2) as authentication method and <A
HREF="http://www.freeradius.org/"
TARGET="_top"
><SPAN
CLASS="application"
>FreeRADIUS</SPAN
></A
>
as back-end authentication server.
</P
><P
>&#13; If an authentication mechanism other than PEAP is preferred, e.g.,
EAP-TLS or EAP-TTLS, only a small number of configuration options
need to be changed. PEAP/MS-CHAPv2 is also supported by Windows XP
SP1/Windows 2000 SP3.
</P
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="what8021x"
></A
>1.1. What is 802.1X?</H2
><P
>The 802.1X-2001 standard states:</P
><P
>&#13; <SPAN
CLASS="QUOTE"
>"Port-based network access control makes use of the physical
access characteristics of IEEE 802 LAN infrastructures in order to
provide a means of <EM
>authenticating</EM
> and
<EM
>authorizing</EM
> devices attached
to a LAN port that has point-to-point connection characteristics,
and of <EM
>preventing access</EM
> to that port in cases
which the authentication and authorization fails. A port in this
context is a single point of attachment to the LAN
infrastructure."</SPAN
> --- 802.1X-2001, page 1.
</P
><DIV
CLASS="mediaobject"
><P
><IMG
SRC="images/8021X-Overview.png"
ALIGN="center"
WIDTH="550"><DIV
CLASS="caption"
><P
>Figure 802.1X: A wireless node must be authenticated before it
can gain access to other LAN resources.</P
></DIV
></P
></DIV
><P
></P
><OL
TYPE="1"
><LI
><P
>&#13; When a new wireless node (WN) requests access to a LAN resource,
the access point (AP) asks for the WN's identity. <EM
>No
other traffic than EAP is allowed before the WN is authenticated
(the <SPAN
CLASS="QUOTE"
>"port"</SPAN
> is closed).</EM
>
</P
><P
>&#13; The wireless node that requests authentication is often called
<EM
>Supplicant</EM
>, although it is more correct to
say that the wireless node <EM
>contains</EM
> a
Supplicant. The Supplicant is responsible for responding to
Authenticator data that will establish its credentials. The same
goes for the access point; the
<EM
>Authenticator is</EM
> not the access point. Rather,
the access point contains an Authenticator. The Authenticator does
not even need to be in the access point; it can be an external
component.
</P
><P
>&#13; EAP, which is the protocol used for authentication, was originally
used for dial-up PPP. The identity was the username, and either
PAP or CHAP authentication [<A
HREF="http://www.ietf.org/rfc/rfc1994.txt"
TARGET="_top"
>RFC1994</A
>] was
used to check the user's password. Since the identity is sent in
clear (not encrypted), a malicious sniffer may learn the user's
identity. <SPAN
CLASS="QUOTE"
>"Identity hiding"</SPAN
> is therefore used; the
real identity is not sent before the encrypted TLS tunnel is up.
</P
></LI
><LI
><P
>&#13; After the identity has been sent, the authentication process
begins. The protocol used between the Supplicant and the
Authenticator is EAP, or, more correctly, EAP encapsulation over
LAN (EAPOL). The Authenticator re-encapsulates the EAP messages to
RADIUS format, and passes them to the Authentication Server.
</P
><P
>&#13; During authentication, the Authenticator just relays packets
between the Supplicant and the Authentication Server. When the
authentication process finishes, the Authentication Server sends a
success message (or failure, if the authentication
failed).<EM
> The Authenticator then opens the
<SPAN
CLASS="QUOTE"
>"port"</SPAN
> for the Supplicant.</EM
>
</P
></LI
><LI
><P
>&#13; After a successful authentication, the Supplicant is granted
access to other LAN resources/Internet.
</P
></LI
></OL
><P
>&#13; See figure <A
HREF="#p8021x"
>802.1X</A
> for explanation.
</P
><P
>&#13; Why is it called <SPAN
CLASS="QUOTE"
>"port"</SPAN
>-based authentication? The
Authenticator deals with <EM
>controlled</EM
> and
<EM
>uncontrolled</EM
> ports. Both the controlled and the
uncontrolled port are logical entities (virtual ports), but use the
same physical connection to the LAN (same point of attachment).
</P
><DIV
CLASS="mediaobject"
><P
><IMG
SRC="images/8021X-Ports.png"
ALIGN="center"
WIDTH="550"><DIV
CLASS="caption"
><P
>Figure port: The authorization state of the controlled
port.</P
></DIV
></P
></DIV
><P
>&#13; Before authentication, only the uncontrolled port is
<SPAN
CLASS="QUOTE"
>"open"</SPAN
>. The only traffic allowed is EAPOL; see
Authenticator System 1 on figure <A
HREF="#port"
>port</A
>. After the Supplicant has been
authenticated, the controlled port is opened, and access to other LAN
resources is granted; see Authenticator System 2 on figure <A
HREF="#port"
>port</A
>.
</P
><P
>&#13; 802.1X plays a major role in the new IEEE wireless standard 802.11i.
</P
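><P
>As an added example (not code from the HOWTO, Xsupplicant or FreeRADIUS), the Python below models the Authenticator's uncontrolled and controlled ports over one point of attachment and replays the three steps above: EAPOL is parsed and relayed while all other traffic is dropped, EAP-Success from the Authentication Server opens the controlled port, and EAPOL-Logoff closes it again. The MAC addresses and the outer identity "anonymous" are constructed; the EAPOL and EAP constants are those of IEEE 802.1X-2001 and RFC 3748.
</P
><PRE
CLASS="programlisting"
>
```python
"""802.1X port model: EAPOL parsing on the uncontrolled port, and a
controlled port that opens only on EAP-Success from the AS.

Added example, not code from the HOWTO, Xsupplicant or FreeRADIUS.
MAC addresses and the outer identity are constructed; constants come
from IEEE 802.1X-2001 (EAPOL) and RFC 3748 (EAP).
"""
import struct

ETHERTYPE_EAPOL = 0x888E                         # EtherType of EAPOL frames
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

WN_MAC = bytes.fromhex("020000000001")           # constructed Supplicant MAC
AP_MAC = bytes.fromhex("020000000002")           # constructed Authenticator MAC
PAE_GROUP = bytes.fromhex("0180c2000003")        # 802.1X PAE group address


def eap_packet(code, identifier, eap_type=None, data=b""):
    """EAP header: code(1) id(1) length(2); Request/Response add type(1)."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def eapol_frame(src, dst, packet_type, body=b""):
    """Ethernet header, then EAPOL header version(1) type(1) length(2) + body."""
    eapol = struct.pack("!BBH", 1, packet_type, len(body)) + body
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_eapol(payload):
    """Return (packet_type, body); reject a truncated frame instead of
    trusting the declared length."""
    try:
        _version, packet_type, length = struct.unpack_from("!BBH", payload)
    except struct.error:
        raise ValueError("EAPOL header truncated")
    body = payload[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body shorter than declared length")
    return packet_type, body


class AuthenticatorPort:
    """One point of attachment. The uncontrolled port passes EAPOL only;
    the controlled port stays closed until the AS answers EAP-Success."""

    def __init__(self):
        self.authorized = False

    def from_supplicant(self, frame):
        """Decide what happens to a frame arriving from the Supplicant."""
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETHERTYPE_EAPOL:
            return self._uncontrolled_port(frame[14:])
        # Anything that is not EAPOL goes through the controlled port.
        return "forward" if self.authorized else "drop"

    def _uncontrolled_port(self, payload):
        try:
            packet_type, body = parse_eapol(payload)
        except ValueError:
            return "drop"
        if packet_type == EAPOL_START:
            return "eap-request-identity"        # AP asks for the WN's identity
        if packet_type == EAPOL_LOGOFF:
            self.authorized = False              # controlled port closes again
            return "logoff"
        if packet_type == EAPOL_EAP_PACKET and body and body[0] == EAP_RESPONSE:
            return "relay-to-as"                 # re-encapsulated into RADIUS
        return "drop"

    def from_auth_server(self, eap):
        """Apply the AS verdict that the AP relays back to the Supplicant."""
        if eap[0] == EAP_SUCCESS:
            self.authorized = True
        elif eap[0] == EAP_FAILURE:
            self.authorized = False
        return self.authorized


def run_exchange():
    """Walk the three steps above and record the Authenticator's decisions."""
    port = AuthenticatorPort()
    ip_frame = AP_MAC + WN_MAC + struct.pack("!H", 0x0800) + bytes(20)
    # The outer identity is deliberately vague ("identity hiding"); the
    # real username only travels inside the TLS tunnel PEAP sets up later.
    identity = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"anonymous")
    decisions = [
        port.from_supplicant(ip_frame),                           # closed: drop
        port.from_supplicant(eapol_frame(WN_MAC, PAE_GROUP, EAPOL_START)),
        port.from_supplicant(eapol_frame(WN_MAC, PAE_GROUP, EAPOL_EAP_PACKET, identity)),
    ]
    port.from_auth_server(eap_packet(EAP_SUCCESS, 2))             # port opens
    decisions.append(port.from_supplicant(ip_frame))              # forward
    decisions.append(port.from_supplicant(eapol_frame(WN_MAC, PAE_GROUP, EAPOL_LOGOFF)))
    decisions.append(port.from_supplicant(ip_frame))              # closed again
    return decisions


if __name__ == "__main__":
    print(run_exchange())
```
</PRE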
></DIV
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="what80211i"
></A
>1.2. What is 802.11i?</H2
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="WEP"
></A
>1.2.1. WEP</H3
><P
>&#13; Wired Equivalent Privacy (WEP), which is part of the original
802.11 standard, should provide confidentiality. Unfortunately WEP
is poorly designed and easily cracked. There is no authentication
mechanism, only a weak form of access control (must have the
shared key to communicate). Read more <A
HREF="http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html"
TARGET="_top"
>here</A
>.
</P
><P
>&#13; In response to WEP's broken security, IEEE has come up with
a new wireless security standard named 802.11i. 802.1X plays a
major role in this new standard.
</P
></DIV
><DIV
CLASS="sect3"
><HR><H3
CLASS="sect3"
><A
NAME="RSN"
></A
>1.2.2. 802.11i</H3
><P
>&#13; The new security standard, 802.11i, which was ratified in June
2004, fixes all WEP weaknesses. It is divided into three main
categories:
</P
><P
></P
><OL
TYPE="1"
><LI
><P
>&#13; <EM
>Temporary Key Integrity Protocol (TKIP)</EM
> is
a short-term solution that fixes all WEP weaknesses. TKIP can be
used with old 802.11 equipment (after a driver/firmware upgrade)
and provides integrity and confidentiality.
</P
></LI
><LI
><P
>&#13; <EM
>Counter Mode with CBC-MAC Protocol (CCMP) [<A
HREF="http://www.ietf.org/rfc/rfc3610.txt"
TARGET="_top"
>RFC3610</A
>]</EM
>
is a new protocol, designed from ground up. It uses AES [<A
HREF="http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf"
TARGET="_top"
>FIPS
197</A
>] as its cryptographic algorithm, and, since this is
more CPU intensive than RC4 (used in WEP and TKIP), new 802.11
hardware may be required. Some drivers can implement CCMP in
software. CCMP provides integrity and confidentiality.
</P
></LI
><LI
><P
>&#13; <EM
>802.1X Port-Based Network Access Control:</EM
>
Either when using TKIP or CCMP, 802.1X is used for
authentication.
</P
></LI
></OL
><P
>&#13; In addition, an optional encryption method called <SPAN
CLASS="QUOTE"
>"Wireless
Robust Authentication Protocol"</SPAN
> (WRAP) may be used instead
of CCMP. WRAP was the original AES-based proposal for 802.11i, but
was replaced by CCMP after it became plagued by intellectual-property
encumbrances. Support for WRAP is optional, but CCMP support is
mandatory in 802.11i.
</P
><P
>&#13; 802.11i also has an extended key derivation/management,
described next.
</P
></DIV
><DIV
CLASS="sect3"
><HR><H3
CLASS="sect3"
><A
NAME="Key"
></A
>1.2.3. Key Management</H3
><DIV
CLASS="sect4"
><H4
CLASS="sect4"
><A
NAME="DynKey"
></A
>1.2.3.1. Dynamic key exchange and management</H4
><P
>&#13; To enforce a security policy using encryption and integrity
algorithms, keys must be obtained. Fortunately, 802.11i implements
a key derivation/management regime. See figure <A
HREF="#keyman"
>KM</A
>.
</P
><DIV
CLASS="mediaobject"
><P
><IMG
SRC="images/8021X-KeyManagement.png"
ALIGN="center"
WIDTH="550"><DIV
CLASS="caption"
><P
>Figure KM: Key management and distribution in 802.11i.</P
></DIV
></P
></DIV
><P
></P
><OL
TYPE="1"
><LI
><P
>&#13; When the Supplicant (WN) and Authentication Server (AS)
authenticate, one of the last messages sent from AS, given that
authentication was successful, is a <EM
>Master Key
(MK)</EM
>. After it has been sent, the MK is known only to the
WN and the AS. The MK is bound to this session between the WN and
the AS.
</P
></LI
><LI
><P
>&#13; Both the WN and the AS derive a new key, called the
<EM
>Pairwise Master Key (PMK)</EM
>, from the Master
Key.
</P
></LI
><LI
><P
>&#13; The PMK is then moved from the AS to the Authenticator (AP). Only
the WN and the AS can derive the PMK, else the AP could
make access-control decisions instead of the AS. The PMK is a fresh
symmetric key bound to this session between the WN and the AP.
</P
></LI
><LI
><P
>&#13; PMK and a 4-way handshake are used between the WN and the AP to
derive, bind, and verify a <EM
>Pairwise Transient Key
(PTK)</EM
>. The PTK is a collection of operational keys:
<P
></P
><UL
><LI
><P
>&#13; <EM
>Key Confirmation Key (KCK)</EM
>, as the name
implies, is used to prove the possession of the PMK and to bind
the PMK to the AP.
</P
></LI
><LI
><P
>&#13; <EM
>Key Encryption Key (KEK)</EM
> is used to
distribute the Group Transient Key (GTK), described below.
</P
></LI
><LI
><P
>&#13; <EM
>Temporal Key 1 &#38; 2 (TK1/TK2)</EM
> are used
for encryption. Usage of TK1 and TK2 is ciphersuite-specific.
</P
></LI
></UL
>
</P
><P
>&#13; See figure <A
HREF="#pkh"
>PKH</A
> for an overview of the
Pairwise Key Hierarchy.
</P
></LI
><LI
><P
>&#13; The KEK and a 4-way group handshake are then used to send the
<EM
>Group Transient Key (GTK)</EM
> from the AP to the
WN. The GTK is a shared key among all Supplicants connected to the
same Authenticator, and is used to secure multicast/broadcast
traffic.
</P
></LI
></OL
><DIV
CLASS="mediaobject"
><P
><IMG
SRC="images/8021X-KeyHierarchy.png"
ALIGN="center"
WIDTH="550"><DIV
CLASS="caption"
><P
>Figure PKH: Pairwise Key Hierarchy</P
></DIV
></P
></DIV
></DIV
><DIV
CLASS="sect4"
><HR><H4
CLASS="sect4"
><A
NAME="PSK"
></A
>1.2.3.2. Pre-shared Key</H4
><P
>&#13; For small office / home office (SOHO), ad-hoc networks or home
usage, a pre-shared key (PSK) may be used. When using PSK, the whole
802.1X authentication process is elided. This has also been called
<SPAN
CLASS="QUOTE"
>"WPA Personal"</SPAN
> (WPA-PSK), whereas WPA using EAP (and
RADIUS) is <SPAN
CLASS="QUOTE"
>"WPA Enterprise"</SPAN
> or just
<SPAN
CLASS="QUOTE"
>"WPA"</SPAN
>.
</P
><P
>&#13; The 256-bit PSK is generated from a given password using PBKDF2
from [<A
HREF="http://www.ietf.org/rfc/rfc2898.txt"
TARGET="_top"
>RFC2898</A
>], and is
used as the Master Key (MK) described in the key management regime
above. It can be one single PSK for the whole network (insecure), or
one PSK per Supplicant (more secure).
</P
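><P
>The following is an added example, not code from the HOWTO: it carries the key hierarchy of the previous section and the PSK derivation above through in Python, turning a passphrase into the PSK/PMK with PBKDF2, expanding it into KCK, KEK and temporal keys, and using the KCK as the 4-way handshake's proof of PMK possession. The SSID-as-salt and 4096-iteration parameters, the PRF and its label are from 802.11i; MAC addresses, nonces and the message body are constructed.
</P
><PRE
CLASS="programlisting"
>
```python
"""802.11i key hierarchy: passphrase -> PSK (used as the PMK) -> PTK,
and the KCK proving possession of the PMK in the 4-way handshake.

Added example, not code from the HOWTO. PBKDF2 parameters (SSID as salt,
4096 iterations, 256 bits), the PRF and its "Pairwise key expansion"
label are from IEEE 802.11i; MAC addresses, nonces and the message
body are constructed.
"""
import hashlib
import hmac


def psk_from_passphrase(passphrase, ssid):
    """WPA-PSK: PBKDF2 (RFC 2898) with HMAC-SHA1 over the passphrase, the
    SSID as salt, 4096 iterations, 32-byte output. In PSK mode this value
    is the PMK directly; with 802.1X the PMK would come from the AS."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: HMAC-SHA1(key, label | 0x00 | data | i) for
    i = 0, 1, ... concatenated and cut to nbytes."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Pairwise Transient Key from the 4-way handshake inputs. Sorting the
    two MACs and the two nonces makes both sides compute the same bytes.
    512 bits is the TKIP size; CCMP uses only the first 384."""
    data = (min(aa, spa) + max(aa, spa)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {
        "KCK": ptk[0:16],       # Key Confirmation Key: MIC on handshake messages
        "KEK": ptk[16:32],      # Key Encryption Key: wraps the GTK in message 3
        "TK": ptk[32:48],       # Temporal Key for unicast data
        "TK_MIC": ptk[48:64],   # TKIP only: Michael MIC keys (TK1/TK2 split)
    }


def handshake_mic(kck, eapol_key_message):
    """Key MIC of an EAPOL-Key message under WPA2/CCMP: HMAC-SHA1 truncated
    to 128 bits (WPA/TKIP uses HMAC-MD5 in the same place)."""
    return hmac.new(kck, eapol_key_message, hashlib.sha1).digest()[:16]


def handshake_succeeds(wn_passphrase, ap_passphrase, ssid):
    """Both ends derive a PTK from their own PMK; the AP accepts message 2
    of the handshake only if the Supplicant's MIC verifies under the AP's
    KCK. Returns True exactly when the two sides share the PMK."""
    aa = bytes.fromhex("020000000002")                    # constructed AP MAC
    spa = bytes.fromhex("020000000001")                   # constructed WN MAC
    anonce = hashlib.sha256(b"demo-anonce").digest()      # stand-ins for the
    snonce = hashlib.sha256(b"demo-snonce").digest()      # random 32-byte nonces
    message2 = b"EAPOL-Key message 2, SNonce=" + snonce   # simplified body
    wn = derive_ptk(psk_from_passphrase(wn_passphrase, ssid), aa, spa, anonce, snonce)
    # The AP passes the same values in the other order; derive_ptk sorts them.
    ap = derive_ptk(psk_from_passphrase(ap_passphrase, ssid), spa, aa, snonce, anonce)
    mic_from_wn = handshake_mic(wn["KCK"], message2)
    return hmac.compare_digest(mic_from_wn, handshake_mic(ap["KCK"], message2))


if __name__ == "__main__":
    print(psk_from_passphrase("password", "IEEE").hex())
    print(handshake_succeeds("correct passphrase", "correct passphrase", "testnet"))
    print(handshake_succeeds("correct passphrase", "guessed passphrase", "testnet"))
```
</PRE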
></DIV
></DIV
><DIV
CLASS="sect3"
><HR><H3
CLASS="sect3"
><A
NAME="WPA"
></A
>1.2.4. TSN (WPA) / RSN (WPA2)</H3
><P
>&#13; The industry didn't have time to wait until the 802.11i standard
was completed. They wanted the WEP issues fixed now! <A
HREF="http://www.wi-fi.org/"
TARGET="_top"
>Wi-Fi Alliance</A
> felt the
pressure, took a <SPAN
CLASS="QUOTE"
>"snapshot"</SPAN
> of the standard
(based on draft 3), and called it <EM
>Wi-Fi Protected Access
(WPA)</EM
>. One requirement was that existing 802.11
equipment could be used with WPA, so WPA is basically TKIP +
802.1X.
</P
><P
>&#13; WPA is not the long term solution. To get a <EM
>Robust
Secure Network (RSN)</EM
>, the hardware must support and use
CCMP. RSN is basically CCMP + 802.1X.
</P
><P
>&#13; An RSN that uses TKIP instead of CCMP is also called a Transition
Security Network (TSN). RSN may also be called WPA2, so that the
market doesn't get confused.
</P
><P
>&#13; Confused?
</P
><P
>&#13; Basically:
<P
></P
><UL
><LI
><P
>TSN = TKIP + 802.1X = WPA(1)</P
></LI
><LI
><P
>RSN = CCMP + 802.1X = WPA2</P
></LI
></UL
>
In addition comes key management, as described in the previous
section.
</P
></DIV
></DIV
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="EAP"
></A
>1.3. What is EAP?</H2
><P
>&#13; Extensible Authentication Protocol (EAP) [<A
HREF="http://www.ietf.org/rfc/rfc3748.txt"
TARGET="_top"
>RFC 3748</A
>] is just
the transport protocol optimized for authentication, not the
authentication method itself:
</P
><P
>&#13; <SPAN
CLASS="QUOTE"
>"
[EAP is] an authentication framework which supports multiple
authentication methods. EAP typically runs directly over data link
layers such as Point-to-Point Protocol (PPP) or IEEE 802, without
requiring IP. EAP provides its own support for duplicate
elimination and retransmission, but is reliant on lower layer
ordering guarantees. Fragmentation is not supported within EAP
itself; however, individual EAP methods may support this."</SPAN
>
--- RFC 3748, page 3
</P
></DIV
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="auth"
></A
>1.4. EAP authentication methods</H2
><P
>&#13; Since 802.1X uses EAP, many different authentication
schemes may be added, including smart cards, Kerberos, public key,
one time passwords, and others.
</P
><P
>&#13; Some of the most-used EAP authentication mechanisms are listed
below. A full list of registered EAP authentication types is
available at IANA: <A
HREF="http://www.iana.org/assignments/eap-numbers"
TARGET="_top"
>http://www.iana.org/assignments/eap-numbers</A
>.
</P
><DIV
CLASS="warning"
><P
></P
><TABLE
CLASS="warning"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/warning.gif"
HSPACE="5"
ALT="Warning"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>&#13; Not all authentication mechanisms are considered secure!
</P
></TD
></TR
></TABLE
></DIV
><P
></P
><UL
><LI
><P
>&#13; <EM
>EAP-MD5:</EM
> MD5-Challenge requires
username/password, and is equivalent to the PPP CHAP protocol
[<A
HREF="http://www.ietf.org/rfc/rfc1994.txt"
TARGET="_top"
>RFC1994</A
>]. This
method does not provide dictionary attack resistance, mutual
authentication, or key derivation, and has therefore little use in a
wireless authentication environment.
</P
></LI
><LI
><P
>&#13; <EM
>Lightweight EAP (LEAP):</EM
> A username/password
combination is sent to an Authentication Server (RADIUS) for
authentication. LEAP is a proprietary protocol developed by
Cisco, and is not considered secure. Cisco is phasing out LEAP in
favor of PEAP. The closest thing to a published standard can be
found <A
HREF="http://lists.cistron.nl/pipermail/cistron-radius/2001-September/002042.html"
TARGET="_top"
>here</A
>.
</P
></LI
><LI
><P
>&#13; <EM
>EAP-TLS:</EM
> Creates a TLS session within EAP,
between the Supplicant and the Authentication Server. Both the
server and the client(s) need a valid (X.509) certificate, and
therefore a PKI. This method provides authentication both
ways. EAP-TLS is described in [<A
HREF="http://www.ietf.org/rfc/rfc2716.txt"
TARGET="_top"
>RFC2716</A
>].
</P
></LI
><LI
><P
>&#13; <EM
>EAP-TTLS:</EM
> Sets up an encrypted TLS tunnel for
safe transport of authentication data. Within the TLS tunnel,
(any) other authentication methods may be used. Developed by Funk
Software and Meetinghouse, and is currently an IETF draft.
</P
></LI
><LI
><P
>&#13; <EM
>Protected EAP (PEAP):</EM
> Uses, as EAP-TTLS, an
encrypted TLS-tunnel. Supplicant certificates for both EAP-TTLS
and EAP-PEAP are optional, but server (AS) certificates are
required. Developed by Microsoft, Cisco, and RSA Security, and is
currently an IETF draft.
</P
></LI
><LI
><P
>&#13; <EM
>EAP-MSCHAPv2:</EM
> Requires username/password, and
is basically an EAP encapsulation of MS-CHAP-v2 [<A
HREF="http://www.ietf.org/rfc/rfc2759.txt"
TARGET="_top"
>RFC2759</A
>].
Usually used inside of a PEAP-encrypted tunnel. Developed by
Microsoft, and is currently an IETF draft.
</P
></LI
></UL
></DIV
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="AAA"
></A
>1.5. What is RADIUS?</H2
><P
>&#13; Remote Authentication Dial-In User Service (RADIUS) is defined in
[<A
HREF="http://www.ietf.org/rfc/rfc2865.txt"
TARGET="_top"
>RFC2865</A
>]
(with friends), and was primarily used by ISPs who authenticated
username and password before the user got authorized to use the
ISP's network.
</P
><P
>&#13; 802.1X does not specify what kind of back-end authentication
server must be present, but RADIUS is the "de-facto" back-end
authentication server used in 802.1X.
</P
><P
>&#13; There are not many AAA protocols available, but both RADIUS and
DIAMETER [<A
HREF="http://www.ietf.org/rfc/rfc3588.txt"
TARGET="_top"
>RFC3588</A
>]
(including their extensions) provide full AAA support. AAA
stands for Authentication, Authorization, and Accounting (<A
HREF="http://www.ietf.org/html.charters/aaa-charter.html"
TARGET="_top"
>IETF's
AAA Working Group</A
>).
</P
></DIV
></DIV
><DIV
CLASS="sect1"
><HR><H1
CLASS="sect1"
><A
NAME="cert"
></A
>2. Obtaining Certificates</H1
><DIV
CLASS="note"
><P
></P
><TABLE
CLASS="note"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/note.gif"
HSPACE="5"
ALT="Note"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>OpenSSL must be installed to use either EAP-TLS,
EAP-TTLS, or PEAP!</P
></TD
></TR
></TABLE
></DIV
><P
>&#13; When using EAP-TLS, both the Authentication Server and all the
Supplicants (clients) need certificates [<A
HREF="http://www.ietf.org/rfc/rfc2459.txt"
TARGET="_top"
>RFC2459</A
>]. Using
EAP-TTLS or PEAP, only the Authentication Server requires
certificates; Supplicant certificates are optional.
</P
><P
>&#13; You get certificates from the local certificate authority (CA). If
there is no local CA available, <SPAN
CLASS="application"
>OpenSSL</SPAN
>
may be used to generate self-signed certificates.
</P
><P
>&#13; Included with the <SPAN
CLASS="application"
>FreeRADIUS</SPAN
> source are
some helper scripts to generate self-signed certificates. The scripts
are located under the <TT
CLASS="filename"
>scripts/</TT
> folder included
with the <SPAN
CLASS="application"
>FreeRADIUS</SPAN
> source:
</P
><P
>&#13; <TT
CLASS="filename"
>CA.all</TT
> is a shell script that generates
certificates based on some questions it
asks. <TT
CLASS="filename"
>CA.certs</TT
> generates certificates
non-interactively based on pre-defined information at the start of
the script.
</P
><DIV
CLASS="note"
><P
></P
><TABLE
CLASS="note"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/note.gif"
HSPACE="5"
ALT="Note"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>&#13; The scripts use a Perl script called <TT
CLASS="filename"
>CA.pl</TT
>,
included with OpenSSL. The path to this Perl script
in <TT
CLASS="filename"
>CA.all</TT
> and <TT
CLASS="filename"
>CA.certs</TT
> may
need to be changed to make it work.
</P
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="tip"
><P
></P
><TABLE
CLASS="tip"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/tip.gif"
HSPACE="5"
ALT="Tip"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>&#13; More information on how to generate your own certificates can be
found in the <A
HREF="http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/"
TARGET="_top"
>SSL
certificates HOWTO</A
>.
</P
></TD
></TR
></TABLE
></DIV
></DIV
><DIV
CLASS="sect1"
><HR><H1
CLASS="sect1"
><A
NAME="FreeRADIUS"
></A
>3. Authentication Server: Setting up FreeRADIUS</H1
><P
>&#13; <SPAN
CLASS="application"
>FreeRADIUS</SPAN
> is a fully GPLed RADIUS server
implementation. It supports a wide range of authentication mechanisms,
but PEAP is used for the example in this document.
</P
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="instradius"
></A
>3.1. Installing FreeRADIUS</H2
><DIV
CLASS="procedure"
><P
><B
>Installing FreeRADIUS</B
></P
><OL
TYPE="1"
><LI
><P
>&#13; Head over to the <SPAN
CLASS="application"
>FreeRADIUS</SPAN
> site, <A
HREF="http://www.freeradius.org/"
TARGET="_top"
>http://www.freeradius.org/</A
>,
and download the latest release.
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13; <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>cd </B
>/usr/local/src</B
></TT
>
<TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>wget </B
>ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.0.tar.gz</B
></TT
>
<TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>tar </B
>zxfv freeradius-1.0.0.tar.gz</B
></TT
>
<TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>cd </B
>freeradius-1.0.0</B
></TT
>
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13; Configure, make and install:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13; <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>./configure</B
></B
></TT
>
<TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>make</B
></B
></TT
>
<TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>make install</B
></B
></TT
>
</PRE
></FONT
></TD
></TR
></TABLE
><P
>&#13; <EM
>You can pass options to
<B
CLASS="command"
>configure</B
>. Use <B
CLASS="command"
>./configure
--help</B
> or read the README file, for more
information.</EM
>
</P
></LI
></OL
></DIV
><P
>&#13; The binaries are installed in <TT
CLASS="filename"
>/usr/local/bin</TT
> and
<TT
CLASS="filename"
>/usr/local/sbin</TT
>. The configuration files are found
under <TT
CLASS="filename"
>/usr/local/etc/raddb</TT
>.
</P
><P
>&#13; If something went wrong, check the <TT
CLASS="filename"
>INSTALL</TT
> and
<TT
CLASS="filename"
>README</TT
> included with the source. The <A
HREF="http://www.freeradius.org/faq/"
TARGET="_top"
>RADIUS FAQ</A
> also contains
valuable information.
</P
></DIV
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="confradius"
></A
>3.2. Configuring FreeRADIUS</H2
><P
>&#13; <SPAN
CLASS="application"
>FreeRADIUS</SPAN
> has a big and mighty
configuration file. It's so big, it has been split into several
smaller files that are just <SPAN
CLASS="QUOTE"
>"included"</SPAN
> into the main
<TT
CLASS="filename"
>radiusd.conf</TT
> file.
</P
><P
>&#13; There are numerous ways of using and setting up FreeRADIUS to do
what you want: i.e., fetch user information from LDAP, SQL, PDC,
Kerberos, etc. In this document, user information from a plain text
file, <TT
CLASS="filename"
>users</TT
>, is used.
</P
><DIV
CLASS="tip"
><P
></P
><TABLE
CLASS="tip"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/tip.gif"
HSPACE="5"
ALT="Tip"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>&#13; The configuration files are thoroughly commented, and, if that is not
enough, the <TT
CLASS="filename"
>doc/</TT
> folder that comes with the source
contains additional information.
</P
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="procedure"
><P
><B
>Configuring FreeRADIUS</B
></P
><OL
TYPE="1"
><LI
><P
>&#13; The configuration files can be found under <TT
CLASS="filename"
>/usr/local/etc/raddb/</TT
>.
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13; <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>cd </B
>/usr/local/etc/raddb/</B
></TT
>
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13; Open the main configuration file <TT
CLASS="filename"
>radiusd.conf</TT
>,
<EM
>and read the comments!</EM
> Inside the encrypted
PEAP tunnel, an MS-CHAPv2 authentication mechanism is used.
</P
><OL
CLASS="SUBSTEPS"
TYPE="a"
><LI
><P
>&#13; MPPE [<A
HREF="http://www.ietf.org/rfc/rfc3078.txt"
TARGET="_top"
>RFC3078</A
>] is
responsible for sending the PMK to the AP. Make sure the following
settings are set:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13; # under MODULES, make sure mschap is uncommented!
mschap {
        # authtype value, if present, will be used
        # to overwrite (or add) Auth-Type during
        # authorization. Normally, should be MS-CHAP
        authtype = MS-CHAP
        # if use_mppe is not set to no, mschap will
        # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
        # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
        #
        use_mppe = yes
        # if mppe is enabled, require_encryption makes
        # encryption moderate
        #
        require_encryption = yes
        # require_strong always requires 128 bit key
        # encryption
        #
        require_strong = yes
        # The module can perform authentication itself, OR
        # use a Windows Domain Controller. See the radiusd.conf file
        # for how to do this.
}
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13; Also make sure the <SPAN
CLASS="QUOTE"
>"authorize"</SPAN
> and
<SPAN
CLASS="QUOTE"
>"authenticate"</SPAN
> sections contain:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13; authorize {
        preprocess
        mschap
        suffix
        eap
        files
}
authenticate {
        #
        # MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }
        #
        # Allow EAP authentication.
        eap
}
</PRE
></FONT
></TD
></TR
></TABLE
></LI
></OL
></LI
><LI
><P
>&#13; Then, change the <TT
CLASS="filename"
>clients.conf</TT
> file to specify
what network it's serving:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13; # Here, we specify which network we're serving
client 192.168.0.0/16 {
        # This is the shared secret between the Authenticator (the
        # access point) and the Authentication Server (RADIUS).
        secret = SharedSecret99
        shortname = testnet
}
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13; The <TT
CLASS="filename"
>eap.conf</TT
> file should also be pretty
straightforward.
</P
><OL
CLASS="SUBSTEPS"
TYPE="a"
><LI
><P
>&#13; Set <SPAN
CLASS="QUOTE"
>"default_eap_type"</SPAN
> to <SPAN
CLASS="QUOTE"
>"peap"</SPAN
>:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13; default_eap_type = peap
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13; Since PEAP uses TLS, the TLS section must contain:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13; tls {
        # The private key password
        private_key_password = SecretKeyPass77
        # The private key
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        # Trusted Root CA list
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = /dev/urandom
}
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13; Find the <SPAN
CLASS="QUOTE"
>"peap"</SPAN
> section, and make sure it contains
the following:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13; peap {
        # The tunneled EAP session needs a default
        # EAP type, which is separate from the one for
        # the non-tunneled EAP module. Inside of the
        # PEAP tunnel, we recommend using MS-CHAPv2,
        # as that is the default type supported by
        # Windows clients.
        default_eap_type = mschapv2
}
</PRE
></FONT
></TD
></TR
></TABLE
></LI
></OL
></LI
><LI
><P
>&#13; The user information is stored in a plain text file
<TT
CLASS="filename"
>users</TT
>. A more sophisticated solution to store
user information may be preferred (SQL, LDAP, PDC, etc.).
</P
><P
>&#13; Make sure the <TT
CLASS="filename"
>users</TT
> file contains the
following entry:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13; "testuser" User-Password == "Secret149"
</PRE
></FONT
></TD
></TR
></TABLE
></LI
></OL
></DIV
></DIV
></DIV
><DIV
CLASS="sect1"
><HR><H1
CLASS="sect1"
><A
NAME="xsupplicant"
></A
>4. Supplicant: Setting up Xsupplicant</H1
><P
>&#13; The Supplicant is usually a laptop or other (wireless) device that
requires authentication. <SPAN
CLASS="application"
>Xsupplicant</SPAN
>
does the bidding of being the <SPAN
CLASS="QUOTE"
>"Supplicant"</SPAN
> part of the
IEEE 802.1X-2001 standard.
</P
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="instxsup"
></A
>4.1. Installing Xsupplicant</H2
><DIV
CLASS="procedure"
><P
><B
>Installing Xsupplicant</B
></P
><OL
TYPE="1"
><LI
><P
>&#13; Download the latest source from <A
HREF="http://www.open1x.org/"
TARGET="_top"
>http://www.open1x.org/</A
>
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13; <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>cd </B
>/usr/local/src</B
></TT
>
<TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>wget </B
>http://belnet.dl.sourceforge.net/sourceforge/open1x/xsupplicant-1.0.tar.gz</B
></TT
>
<TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>tar </B
>zxfv xsupplicant-1.0.tar.gz</B
></TT
>
<TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>cd </B
>xsupplicant</B
></TT
>
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13; Configure, make, and install:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13; <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>./configure</B
></B
></TT
>
<TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>make</B
></B
></TT
>
<TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>make install</B
></B
></TT
>
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13; If the configuration file wasn't installed (copied) into the "etc"
folder, do it manually:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13; <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>mkdir </B
>-p /usr/local/etc/1x</B
></TT
>
<TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>cp </B
>etc/tls-example.conf /usr/local/etc/1x</B
></TT
>
</PRE
></FONT
></TD
></TR
></TABLE
></LI
></OL
></DIV
><P
>&#13; If installation fails, check the <TT
CLASS="filename"
>README</TT
> and
<TT
CLASS="filename"
>INSTALL</TT
> files included with the source. You may
also check out the <A
HREF="http://sourceforge.net/docman/display_doc.php?docid=23371&#38;group_id=60236"
TARGET="_top"
>official
documentation</A
>.
</P
></DIV
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="confxsup"
></A
>4.2. Configuring Xsupplicant</H2
><DIV
CLASS="procedure"
><P
><B
>Configuring Xsupplicant</B
></P
><OL
TYPE="1"
><LI
><P
>&#13; The Supplicant must have access to the root certificate.
</P
><P
>&#13; If the Supplicant needs to authenticate against the Authentication
Server (authentication both ways), the Supplicant must have
certificates as well.
</P
><P
>&#13; Create a certificate folder, and move the certificates into it:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13; <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>mkdir</B
> -p /usr/local/etc/1x/certs</B
></TT
>
<TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>cp</B
> root.pem /usr/local/etc/1x/certs/</B
></TT
>
<TT
CLASS="prompt"
># </TT
>(copy optional client certificate(s) into the same folder)
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13; Open and edit the configuration file:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13; # startup_command: the command to run when Xsupplicant is first started.
# This command can do things such as configure the card to associate with
# the network properly.
startup_command = &#60;BEGIN_COMMAND&#62;/usr/local/etc/1x/startup.sh&#60;END_COMMAND&#62;
</PRE
></FONT
></TD
></TR
></TABLE
><P
>&#13; The <TT
CLASS="filename"
>startup.sh</TT
> will be created shortly.
</P
></LI
><LI
><P
>&#13; Once the client is authenticated, it either sends a DHCP request or
sets an IP address manually. Here, the Supplicant sets its IP address
manually in <TT
CLASS="filename"
>startup2.sh</TT
>:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13; # first_auth_command: the command to run when Xsupplicant authenticates to
# a wireless network for the first time. This will usually be used to
# start a DHCP client process.
#first_auth_command = &#60;BEGIN_COMMAND&#62;dhclient %i&#60;END_COMMAND&#62;
first_auth_command = &#60;BEGIN_COMMAND&#62;/usr/local/etc/1x/startup2.sh&#60;END_COMMAND&#62;
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13; Since <SPAN
CLASS="QUOTE"
>"-i"</SPAN
> is just for debugging purposes (and may
go away according to the developers),
<SPAN
CLASS="QUOTE"
>"allow_interfaces"</SPAN
> must be set:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13; allow_interfaces = eth0
deny_interfaces = eth1
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13; Next, under the <SPAN
CLASS="QUOTE"
>"NETWORK SECTION"</SPAN
>, we'll configure
PEAP:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13; # We'll be using PEAP
allow_types = eap_peap
# Don't want any eavesdropper to learn the username during the
# first phase (which is unencrypted), so 'identity hiding' is
# used (using a bogus username).
identity = &#60;BEGIN_ID&#62;anonymous&#60;END_ID&#62;
eap-peap {
# As in tls, define either a root certificate or a directory
# containing root certificates.
root_cert = /usr/local/etc/1x/certs/root.pem
#root_dir = /path/to/root/certificate/dir
#crl_dir = /path/to/dir/with/crl
chunk_size = 1398
random_file = /dev/urandom
#cncheck = myradius.radius.com # Verify that the server certificate
# has this value in its CN field.
#cnexact = yes # Should it be an exact match?
session_resume = yes
# Currently 'all' is just mschapv2.
# If no allow_types is defined, all is assumed.
#allow_types = all # where all = MSCHAPv2, MD5, OTP, GTC, SIM
allow_types = eap_mschapv2
# Right now, you can do any of these methods in PEAP:
eap-mschapv2 {
username = &#60;BEGIN_UNAME&#62;testuser&#60;END_UNAME&#62;
password = &#60;BEGIN_PASS&#62;Secret149&#60;END_PASS&#62;
}
}
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13; The Supplicant must first associate with the access point. The
script <TT
CLASS="filename"
>startup.sh</TT
> does that job. It is also
the first command <SPAN
CLASS="application"
>Xsupplicant</SPAN
> executes.
</P
><DIV
CLASS="note"
><P
></P
><TABLE
CLASS="note"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/note.gif"
HSPACE="5"
ALT="Note"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>&#13; Notice the bogus key we give to iwconfig (<EM
>enc
000000000</EM
>)! This key is used to tell the driver
to run in encrypted mode. The key gets replaced after successful
authentication. This can be set to <EM
>enc
off</EM
> only if encryption is disabled in the AP (for
testing purposes).
</P
></TD
></TR
></TABLE
></DIV
><P
>&#13; Both <TT
CLASS="filename"
>startup.sh</TT
> and
<TT
CLASS="filename"
>startup2.sh</TT
> must be saved under
<TT
CLASS="filename"
>/usr/local/etc/1x/</TT
>.
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13; #!/bin/bash
echo "Starting startup.sh"
# Take down interface (if it's up)
/sbin/ifconfig eth0 down
# To make sure the routes are flushed
sleep 1
# Configuring the interface with a bogus key
/sbin/iwconfig eth0 mode managed essid testnet enc 000000000
# Bring the interface up and make sure it listens to multicast packets
/sbin/ifconfig eth0 allmulti up
echo "Finished startup.sh"
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13; This next file is used to set the IP address statically. This can
be omitted if a DHCP server is present (as it typically is, in many
access points).
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13; #!/bin/bash
echo "Starting startup2.sh"
# Assigning an IP address
/sbin/ifconfig eth0 192.168.1.5 netmask 255.255.255.0
echo "Finished startup2.sh"
</PRE
></FONT
></TD
></TR
></TABLE
></LI
></OL
></DIV
></DIV
></DIV
><DIV
CLASS="sect1"
><HR><H1
CLASS="sect1"
><A
NAME="authenticator"
></A
>5. Authenticator: Setting up the Authenticator (Access
Point)</H1
><P
>&#13; During the authentication process, the Authenticator just relays all
messages between the Supplicant and the Authentication Server
(RADIUS). EAPOL is used between the Supplicant and the Authenticator;
between the Authenticator and the Authentication Server, RADIUS over UDP is
used.
</P
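><P
>Both transports carry the same EAP packets in different envelopes. To make
the framing concrete, here is a small parser for EAPOL PDUs and the EAP packets
inside them, written in Python as an added example for this HOWTO; it is not
part of Xsupplicant or FreeRADIUS. The EAPOL-Start and EAP-Response/Identity
frames it parses are constructed here, while the four-octet EAP-Success packet
is the EAP-Message value that radiusd prints in the Access-Accept in the Testbed
section. It looks only at the EAPOL and EAP headers, not at the RADIUS
encapsulation used on the Authenticator-to-Authentication Server leg.</P
><PRE
CLASS="programlisting"
>
```python
import struct

# EAPOL packet types (IEEE 802.1X-2001, Table 7-3).
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
# EAP codes (RFC 3748, section 4).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method type numbers that appear in this HOWTO (IANA EAP registry).
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap(data):
    """Parse one EAP packet (RFC 3748 section 4): code, id, length, type, type-data."""
    header = data[:4]
    if len(header) != 4:
        raise ValueError("EAP header is 4 octets")
    code, ident, length = struct.unpack("!BBH", header)
    if code not in EAP_CODES:
        raise ValueError("unknown EAP code %d" % code)
    # The Length field covers the whole packet and may not exceed what we hold.
    if length not in range(4, len(data) + 1):
        raise ValueError("EAP length %d does not fit the buffer" % length)
    packet = {"code": EAP_CODES[code], "id": ident, "length": length}
    if code in (1, 2):
        # Request and Response carry a Type octet followed by Type-Data.
        if length == 4:
            raise ValueError("EAP Request/Response is missing the Type octet")
        eap_type = data[4]
        packet["type"] = EAP_TYPES.get(eap_type, "type %d" % eap_type)
        packet["type_data"] = bytes(data[5:length])
    return packet


def parse_eapol(pdu):
    """Parse an EAPOL PDU (the payload after the Ethernet header, EtherType 0x888E)."""
    header = pdu[:4]
    if len(header) != 4:
        raise ValueError("EAPOL header is 4 octets")
    version, ptype, length = struct.unpack("!BBH", header)
    if ptype not in EAPOL_TYPES:
        raise ValueError("unknown EAPOL packet type %d" % ptype)
    body = pdu[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    result = {"version": version, "type": EAPOL_TYPES[ptype], "length": length}
    if ptype == 0:
        result["eap"] = parse_eap(body)  # only EAP-Packet carries an EAP packet
    return result


def build_identity_response(identity, eap_id=1):
    """Construct the EAPOL frame a Supplicant sends as EAP-Response/Identity."""
    eap = struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity
    return struct.pack("!BBH", 1, 0, len(eap)) + eap


# Constructed sample frames (not captured from the testbed).
EAPOL_START = bytes([1, 1, 0, 0])
IDENTITY_RESPONSE = build_identity_response(b"anonymous")
# The EAP-Message value from the RADIUS Access-Accept shown in the Testbed section.
EAP_SUCCESS_FROM_LOG = bytes.fromhex("030a0004")

if __name__ == "__main__":
    print(parse_eapol(EAPOL_START))
    print(parse_eapol(IDENTITY_RESPONSE))
    print(parse_eap(EAP_SUCCESS_FROM_LOG))
```
</PRE
><P
>Running the block prints the three parsed frames. The outer
EAP-Response/Identity travels unencrypted between Supplicant and Authenticator,
which is why the Xsupplicant configuration above sends an anonymous outer
identity; a parser like this one is the building block of a monitor that
records what identities actually cross the air in the clear.</P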
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="AP"
></A
>5.1. Access Point</H2
><P
>&#13; Many access points have support for 802.1X (and RADIUS)
authentication. The access point must first be configured to use 802.1X
authentication.
</P
><DIV
CLASS="note"
><P
></P
><TABLE
CLASS="note"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/note.gif"
HSPACE="5"
ALT="Note"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>&#13; <EM
>Configuring and setting up 802.1X on the AP may differ
between vendors.</EM
> Listed below are the required settings to
make a Cisco AP350 work. Other settings, such as TKIP and CCMP, may also
be configured.
</P
></TD
></TR
></TABLE
></DIV
><P
>&#13; The AP must set the ESSID to <SPAN
CLASS="QUOTE"
>"testnet"</SPAN
> and must
activate:
</P
><DIV
CLASS="mediaobject"
><P
><IMG
SRC="images/8021X-CiscoAP.png"
ALIGN="center"
WIDTH="599"><DIV
CLASS="caption"
><P
>Figure AP350: The RADIUS configuration screen for a Cisco
AP-350</P
></DIV
></P
></DIV
><P
></P
><UL
><LI
><P
>&#13; <EM
>802.1X-2001:</EM
> Make sure the 802.1X Protocol
version is set to <SPAN
CLASS="QUOTE"
>"802.1X-2001"</SPAN
>. Some older Access
Points support only the draft version of the 802.1X standard (and
may therefore not work).
</P
></LI
><LI
><P
>&#13; <EM
>RADIUS Server:</EM
> the name/IP address of the
RADIUS server and the shared secret between the RADIUS server and
the Access Point (which in this document is "SharedSecret99"). See
figure <A
HREF="#ciscoAP"
>AP350</A
>.
</P
></LI
><LI
><P
>&#13; <EM
>EAP Authentication:</EM
> The RADIUS server should be
used for EAP authentication.
</P
></LI
></UL
><DIV
CLASS="mediaobject"
><P
><IMG
SRC="images/8021X-CiscoAP2.png"
ALIGN="center"
WIDTH="604"><DIV
CLASS="caption"
><P
>Figure AP350-2: The Encryption configuration screen for a
Cisco AP-350</P
></DIV
></P
></DIV
><P
></P
><UL
><LI
><P
>&#13; <EM
>Full Encryption</EM
> to allow only encrypted
traffic. Note that 802.1X may be used without encryption,
which is convenient for testing.
</P
></LI
><LI
><P
>&#13; <EM
>Open Authentication</EM
> to make the Supplicant
associate with the Access Point before encryption keys are
available. Once the association is done, the Supplicant may start EAP
authentication.
</P
></LI
><LI
><P
>&#13; <EM
>Require EAP</EM
> for the <SPAN
CLASS="QUOTE"
>"Open
Authentication"</SPAN
>. That will ensure that only authenticated
users are allowed into the network.
</P
></LI
></UL
></DIV
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="LinuxAP"
></A
>5.2. Linux Authenticator</H2
><P
>&#13; An ordinary Linux node can be set up to function as a wireless Access
Point and Authenticator. How to set up and use Linux as an AP is
beyond the scope of this document. Simon Anderson's <A
HREF="http://oob.freeshell.org/nzwireless/LWAP-HOWTO.html"
TARGET="_top"
>Linux
Wireless Access Point HOWTO</A
> may be of guidance.
</P
></DIV
></DIV
><DIV
CLASS="sect1"
><HR><H1
CLASS="sect1"
><A
NAME="testbed"
></A
>6. Testbed</H1
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="testcase"
></A
>6.1. Testcase</H2
><DIV
CLASS="mediaobject"
><P
><IMG
SRC="images/8021X-Testbed.png"
ALIGN="center"
WIDTH="500"><DIV
CLASS="caption"
><P
>Figure testbed: A wireless node requests authentication.</P
></DIV
></P
></DIV
><P
>&#13; Our testbed consists of two nodes and one Access Point (AP). One
node functions as the Supplicant (WN), the other as the back-end
Authentication Server running RADIUS (AS). The Access Point is the
Authenticator. See figure <A
HREF="#testbedimg"
>testbed</A
>
for explanation.
</P
><DIV
CLASS="important"
><P
></P
><TABLE
CLASS="important"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/important.gif"
HSPACE="5"
ALT="Important"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>&#13; It is crucial that the Access Point be able to reach (ping) the
Authentication Server, and vice versa!
</P
></TD
></TR
></TABLE
></DIV
></DIV
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="startrad"
></A
>6.2. Running some tests</H2
><DIV
CLASS="procedure"
><P
><B
>Running some tests</B
></P
><OL
TYPE="1"
><LI
><P
>&#13; The RADIUS server is started in debug mode. This produces
<EM
>a lot</EM
> of debug information. The important
snippets are below:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13; <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>radiusd</B
> -X</B
></TT
>
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
......
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
......
Module: Loaded eap
eap: default_eap_type = "peap" <A
NAME="rad_peap"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
>
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
tls: rsa_key_exchange = no <A
NAME="rad_tls"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
>
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "SecretKeyPass77"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2" <A
NAME="rad_mschapv2"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
>
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
......
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users" <A
NAME="rad_users"
><IMG
SRC="../images/callouts/4.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(4)"></A
>
......
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests. <A
NAME="rad_finished"
><IMG
SRC="../images/callouts/5.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(5)"></A
>
</PRE
></FONT
></TD
></TR
></TABLE
><DIV
CLASS="calloutlist"
><DL
COMPACT="COMPACT"
><DT
><A
HREF="#rad_peap"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
></DT
><DD
>&#13; Default EAP type is set to PEAP.
</DD
><DT
><A
HREF="#rad_tls"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
></DT
><DD
>&#13; The RADIUS server's TLS settings are initialized here. The certificate type,
location, and private key password are listed here.
</DD
><DT
><A
HREF="#rad_mschapv2"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
></DT
><DD
>&#13; Inside the PEAP tunnel, MS-CHAPv2 is used.
</DD
><DT
><A
HREF="#rad_users"
><IMG
SRC="../images/callouts/4.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(4)"></A
></DT
><DD
>&#13; The username/password information is found in the
<TT
CLASS="filename"
>users</TT
> file.
</DD
><DT
><A
HREF="#rad_finished"
><IMG
SRC="../images/callouts/5.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(5)"></A
></DT
><DD
>&#13; RADIUS server started successfully. Waiting for incoming requests.
</DD
></DL
></DIV
><P
>The RADIUS server is now ready to process requests!</P
><P
>&#13; The most interesting output is included above. If you get any
error message instead of the last line, go over the configuration
(above) carefully.
</P
></LI
><LI
><P
>&#13; Now the Supplicant is ready to get authenticated. Start
<SPAN
CLASS="application"
>Xsupplicant</SPAN
> in debug mode. Note that
we'll see output produced by the two startup scripts:
<TT
CLASS="filename"
>startup.sh</TT
> and
<TT
CLASS="filename"
>startup2.sh</TT
>.
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13; <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>xsupplicant</B
> -c /usr/local/etc/1x/1x.conf -i eth0 -d 6</B
></TT
>
Starting /etc/1x/startup.sh
Finished /etc/1x/startup.sh
Starting /etc/1x/startup2.sh
Finished /etc/1x/startup2.sh
</PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13; At the same time, the RADIUS server is producing a lot of
output. Key snippets are shown below:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13; ......
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS <A
NAME="rpro_tls"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
>
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK <A
NAME="rpro_peap"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
>
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Success
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 8
modcall: group authenticate returns ok for request 8
Login OK: [testuser/&#60;no User-Password attribute&#62;] (from client testnet port 37 cli 0002a56fa08a)
Sending Access-Accept of id 8 to 192.168.2.1:1032 <A
NAME="rpro_accept"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
>
MS-MPPE-Recv-Key = 0xf21757b96f52ddaefe084c343778d0082c2c8e12ce18ae10a79c550ae61a5206 <A
NAME="rpro_reckey"
><IMG
SRC="../images/callouts/4.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(4)"></A
>
MS-MPPE-Send-Key = 0x5e1321e06a45f7ac9f78fb9d398cab5556bff6c9d003cdf8161683bfb7e7af18
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testuser"
</PRE
></FONT
></TD
></TR
></TABLE
><DIV
CLASS="calloutlist"
><DL
COMPACT="COMPACT"
><DT
><A
HREF="#rpro_tls"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
></DT
><DD
>&#13; TLS session startup. Doing TLS-handshake.
</DD
><DT
><A
HREF="#rpro_peap"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
></DT
><DD
>&#13; The TLS session (PEAP-encrypted tunnel) is up.
</DD
><DT
><A
HREF="#rpro_accept"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
></DT
><DD
>&#13; The Supplicant has been authenticated successfully by the
RADIUS server. An <SPAN
CLASS="QUOTE"
>"Access-Accept"</SPAN
> message is
sent.
</DD
><DT
><A
HREF="#rpro_reckey"
><IMG
SRC="../images/callouts/4.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(4)"></A
></DT
><DD
>&#13; The <EM
>MS-MPPE-Recv-Key</EM
> [<A
HREF="http://www.ietf.org/rfc/rfc2548.txt"
TARGET="_top"
>RFC2548</A
>
section 2.4.3] contains the Pairwise Master Key (PMK) destined
to the Authenticator (access point), encrypted with the MPPE
Protocol [<A
HREF="http://www.ietf.org/rfc/rfc3078.txt"
TARGET="_top"
>RFC3078</A
>],
using the shared secret between the Authenticator and
Authentication Server as key. The Supplicant derives the same
PMK from MK, as described in <A
HREF="#Key"
>Key
Management</A
>.
</DD
></DL
></DIV
></LI
><LI
><P
>&#13; The Authenticator (access point) may also show something like this
in its log:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13; 00:02:16 (Info): Station 0002a56fa08a Associated
00:02:17 (Info): Station=0002a56fa08a User="testuser" EAP-Authenticated
</PRE
></FONT
></TD
></TR
></TABLE
></LI
></OL
></DIV
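><P
>Callout (4) above describes how the PMK travels inside MS-MPPE-Recv-Key. The
following Python block, added here as an illustration and not taken from
FreeRADIUS or Xsupplicant, implements the key wrapping of RFC 2548 section
2.4.2 so that the dependence on the shared secret is visible: it wraps the
32-octet PMK printed in the debug output above under the SharedSecret99 value
from clients.conf, unwraps it again, and shows that a wrong secret does not
yield the key. The Request-Authenticator and Salt are constructed values; on
the wire the Request-Authenticator is the random 16-octet field of the matching
Access-Request.</P
><PRE
CLASS="programlisting"
>
```python
import hashlib


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_key_encrypt(plain_key, secret, request_authenticator, salt):
    """Wrap a key for MS-MPPE-Send-Key / MS-MPPE-Recv-Key (RFC 2548 section 2.4.2).

    Plaintext is one Key-Length octet, the key, then zero padding to a multiple
    of 16 octets.  Each 16-octet block is XORed with an MD5 digest keyed by the
    RADIUS shared secret and chained through the previous ciphertext block.
    The 2-octet Salt (most significant bit set) is prepended to the result.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request-Authenticator is 16 octets")
    if len(salt) != 2 or salt[0] in range(128):
        raise ValueError("Salt is 2 octets with the most significant bit set")
    plain = bytes([len(plain_key)]) + plain_key
    plain += bytes(-len(plain) % 16)  # zero padding to a block boundary
    out = bytearray()
    prev = None
    for i in range(0, len(plain), 16):
        if prev is None:
            b = hashlib.md5(secret + request_authenticator + salt).digest()
        else:
            b = hashlib.md5(secret + prev).digest()
        prev = _xor(plain[i:i + 16], b)
        out += prev
    return salt + bytes(out)


def mppe_key_decrypt(attribute, secret, request_authenticator):
    """Recover the key from an MS-MPPE-*-Key attribute value (Salt + ciphertext)."""
    salt, cipher = attribute[:2], attribute[2:]
    if len(cipher) == 0 or len(cipher) % 16 != 0:
        raise ValueError("ciphertext must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = None
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        if prev is None:
            b = hashlib.md5(secret + request_authenticator + salt).digest()
        else:
            b = hashlib.md5(secret + prev).digest()
        plain += _xor(block, b)
        prev = block
    key_len = plain[0]
    # A wrong shared secret yields garbage; the Key-Length octet is the only sanity check.
    if key_len not in range(len(plain)):
        raise ValueError("Key-Length octet is inconsistent: wrong shared secret?")
    return bytes(plain[1:1 + key_len])


def try_decrypt(attribute, secret, request_authenticator):
    """Return the key, or None when the attribute does not unwrap cleanly."""
    try:
        return mppe_key_decrypt(attribute, secret, request_authenticator)
    except ValueError:
        return None


# The 32-octet PMK printed by radiusd -X in the Testbed section of this HOWTO.
PMK_FROM_LOG = bytes.fromhex(
    "f21757b96f52ddaefe084c343778d0082c2c8e12ce18ae10a79c550ae61a5206")
SHARED_SECRET = b"SharedSecret99"  # the secret from clients.conf above
# Constructed values: a real Request-Authenticator is random per Access-Request.
REQUEST_AUTHENTICATOR = bytes(range(16))
SALT = bytes([0x80, 0x01])

if __name__ == "__main__":
    wire = mppe_key_encrypt(PMK_FROM_LOG, SHARED_SECRET, REQUEST_AUTHENTICATOR, SALT)
    print("MS-MPPE-Recv-Key on the wire:", wire.hex())
    print("recovered:", mppe_key_decrypt(wire, SHARED_SECRET, REQUEST_AUTHENTICATOR).hex())
    print("with wrong secret:", try_decrypt(wire, b"guess", REQUEST_AUTHENTICATOR))
```
</PRE
><P
>The wrapping gives the receiver no integrity check beyond the Key-Length
octet, so a wrong secret is noticed by luck rather than by design; the
Message-Authenticator attribute in the same Access-Accept is what
authenticates the packet (RFC 3579). Since MD5 keyed with the shared secret is
the only protection of the PMK on the path between Access Point and RADIUS
server, the strength of that secret and the isolation of that network segment
decide how well the per-session keys are protected.</P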
><P
>&#13; That's it! The Supplicant is now authenticated to use the Access
Point!
</P
></DIV
></DIV
><DIV
CLASS="sect1"
><HR><H1
CLASS="sect1"
><A
NAME="dynWEP"
></A
>7. Note about driver support and Xsupplicant</H1
><P
>&#13; As described in <A
HREF="#Key"
>Key Management</A
>, one of
the big advantages of using Dynamic WEP/802.11i with 802.1X is the
support for session keys. A new encryption key is generated for each
session.
</P
><P
>&#13; <SPAN
CLASS="application"
>Xsupplicant</SPAN
> only supports <SPAN
CLASS="QUOTE"
>"Dynamic
WEP"</SPAN
> as of this writing. Support for WPA and RSN/WPA2
(802.11i) is being worked on, and is estimated to be supported at
the end of the year/early next year (2004/2005), according to Chris
Hessing (one of the <SPAN
CLASS="application"
>Xsupplicant</SPAN
>
developers).
</P
><P
>&#13; Not all wireless drivers support dynamic WEP or WPA. To use RSN
(WPA2), new support in hardware may even be required. Many older
drivers assume only one WEP key will be used on the network at any
time. The card is reset whenever the key is changed to let the new
key take effect. This triggers a new authentication, and the result is a
never-ending loop.
</P
><P
>&#13; At the time of writing, most of the wireless drivers in the base
Linux kernel require patching to make dynamic WEP/WPA work. They
will, in time, be upgraded to support these new features. Many drivers
developed outside the kernel, however, do support dynamic WEP;
HostAP, madwifi, Orinoco, and atmel should work without problems.
</P
><P
>&#13; Instead of using Xsupplicant, <A
HREF="http://hostap.epitest.fi/wpa_supplicant/"
TARGET="_top"
>wpa_supplicant</A
>
may be used. It has support for both WPA and RSN (WPA2), and a wide
range of EAP authentication methods.
</P
></DIV
><DIV
CLASS="sect1"
><HR><H1
CLASS="sect1"
><A
NAME="faq"
></A
>8. FAQ</H1
><P
>&#13; Do not forget to check out the FAQ section of both the <A
HREF="http://www.freeradius.org/faq/"
TARGET="_top"
>FreeRADIUS</A
> (highly
recommended!) and <A
HREF="http://sourceforge.net/docman/display_doc.php?docid=23371&#38;group_id=60236#ch7"
TARGET="_top"
>&#13; Xsupplicant</A
> Web sites!
</P
><DIV
CLASS="qandaset"
><DL
><DT
>8.1. <A
HREF="#AEN626"
>&#13; Is it possible to allow user-specific
<SPAN
CLASS="application"
>Xsupplicant</SPAN
> configuration, to avoid
having a global configuration file?
</A
></DT
><DT
>8.2. <A
HREF="#AEN632"
>I don't want to use PEAP; can I use EAP-TTLS or EAP-TLS instead?</A
></DT
><DT
>8.3. <A
HREF="#AEN637"
>&#13; Can I use a Windows Supplicant (client) instead of GNU/Linux?
</A
></DT
><DT
>8.4. <A
HREF="#AEN643"
>&#13; Can I use Active Directory to authenticate users?
</A
></DT
><DT
>8.5. <A
HREF="#AEN649"
>&#13; Are there any Windows Supplicant clients available?
</A
></DT
></DL
><DIV
CLASS="qandaentry"
><DIV
CLASS="question"
><P
><A
NAME="AEN626"
></A
><B
>8.1. </B
>
Is it possible to allow user-specific
<SPAN
CLASS="application"
>Xsupplicant</SPAN
> configuration, to avoid
having a global configuration file?
</P
></DIV
><DIV
CLASS="answer"
><P
><B
> </B
>
No, not at the moment.
</P
></DIV
></DIV
><DIV
CLASS="qandaentry"
><DIV
CLASS="question"
><P
><A
NAME="AEN632"
></A
><B
>8.2. </B
>I don't want to use PEAP; can I use EAP-TTLS or EAP-TLS instead?</P
></DIV
><DIV
CLASS="answer"
><P
><B
> </B
>
Yes. To use EAP-TTLS, only small changes to the configuration used
in this document are required. To use EAP-TLS, client certificates
must be used as well.
</P
></DIV
></DIV
><DIV
CLASS="qandaentry"
><DIV
CLASS="question"
><P
><A
NAME="AEN637"
></A
><B
>8.3. </B
>
Can I use a Windows Supplicant (client) instead of GNU/Linux?
</P
></DIV
><DIV
CLASS="answer"
><P
><B
> </B
>
Yes. Windows XP SP1 and Windows 2000 SP3 have support for PEAP/MS-CHAPv2
(used in this document). A Windows HOWTO can be found here: <A
HREF="http://text.dslreports.com/forum/remark,9286052~mode=flat"
TARGET="_top"
>FreeRADIUS/WinXP
Authentication Setup</A
>
</P
></DIV
></DIV
><DIV
CLASS="qandaentry"
><DIV
CLASS="question"
><P
><A
NAME="AEN643"
></A
><B
>8.4. </B
>
Can I use Active Directory to authenticate users?
</P
></DIV
><DIV
CLASS="answer"
><P
><B
> </B
>
Yes. FreeRADIUS can authenticate users from AD by using
<SPAN
CLASS="QUOTE"
>"ntlm_auth"</SPAN
>.
</P
></DIV
></DIV
><DIV
CLASS="qandaentry"
><DIV
CLASS="question"
><P
><A
NAME="AEN649"
></A
><B
>8.5. </B
>
Are there any Windows Supplicant clients available?
</P
></DIV
><DIV
CLASS="answer"
><P
><B
> </B
>
Yes. As of Windows XP SP1 and Windows 2000 SP3, WPA (PEAP/MS-CHAPv2)
is supported. Other clients include (not tested)
<A
HREF="http://www.securew2.com"
TARGET="_top"
>Secure W2</A
> (free for
non-commercial use) and <A
HREF="http://wire.cs.nthu.edu.tw/wire1x/"
TARGET="_top"
>WIRE1X</A
>. <A
HREF="http://www.funk.com"
TARGET="_top"
>Funk Software</A
> also has a
commercial client available.
</P
></DIV
></DIV
></DIV
></DIV
><DIV
CLASS="sect1"
><HR><H1
CLASS="sect1"
><A
NAME="resources"
></A
>9. Useful Resources</H1
><P
>&#13; Only IEEE standards older than 12 months are available to
the public in general (through the <A
HREF="http://standards.ieee.org/getieee802/"
TARGET="_top"
><SPAN
CLASS="QUOTE"
>"Get IEEE 802
Program"</SPAN
></A
>). So the new <EM
>802.11i</EM
> and
<EM
>802.1X-2004</EM
> standards documents are not
available. You must be an IEEE participant to get hold of any
drafts/work-in-progress papers (which actually isn't that hard:
just join a mailing list and say you are interested).
</P
><P
>&#13; <P
></P
><OL
TYPE="1"
><LI
><P
>FreeRADIUS Server Project<A
HREF="http://www.freeradius.org/"
TARGET="_top"
>&#13; http://www.freeradius.org/</A
>
</P
></LI
><LI
><P
>Open1x: Open Source implementation of IEEE 802.1X (Xsupplicant)<A
HREF="http://www.open1x.org/"
TARGET="_top"
>&#13; http://www.open1x.org/</A
>
</P
></LI
><LI
><P
>The Open1x User's Guide<A
HREF="http://sourceforge.net/docman/display_doc.php?docid=23371&#38;group_id=60236"
TARGET="_top"
>
http://sourceforge.net/docman/display_doc.php?docid=23371&#38;group_id=60236</A
>
</P
></LI
><LI
><P
>Port-Based Network Access Control (802.1X-2001)<A
HREF="http://standards.ieee.org/getieee802/download/802.1X-2001.pdf"
TARGET="_top"
>&#13; http://standards.ieee.org/getieee802/download/802.1X-2001.pdf</A
>
</P
></LI
><LI
><P
>RFC2246: The TLS Protocol Version 1.0<A
HREF="http://www.ietf.org/rfc/rfc2246.txt"
TARGET="_top"
>
http://www.ietf.org/rfc/rfc2246.txt</A
>
</P
></LI
><LI
><P
>RFC2459: Internet X.509 Public Key Infrastructure -
Certificate and CRL Profile<A
HREF="http://www.ietf.org/rfc/rfc2459.txt"
TARGET="_top"
>
http://www.ietf.org/rfc/rfc2459.txt</A
>
</P
></LI
><LI
><P
>RFC2548: Microsoft Vendor-specific RADIUS Attributes<A
HREF="http://www.ietf.org/rfc/rfc2548.txt"
TARGET="_top"
>
http://www.ietf.org/rfc/rfc2548.txt</A
>
</P
></LI
><LI
><P
>RFC2716: PPP EAP TLS Authentication Protocol<A
HREF="http://www.ietf.org/rfc/rfc2716.txt"
TARGET="_top"
>
http://www.ietf.org/rfc/rfc2716.txt</A
>
</P
></LI
><LI
><P
>RFC2865: Remote Authentication Dial-In User Service (RADIUS)<A
HREF="http://www.ietf.org/rfc/rfc2865.txt"
TARGET="_top"
>&#13; http://www.ietf.org/rfc/rfc2865.txt</A
>
</P
></LI
><LI
><P
>RFC3079: Deriving Keys for use with Microsoft Point-to-Point Encryption (MPPE)<A
HREF="http://www.ietf.org/rfc/rfc3079.txt"
TARGET="_top"
>&#13; http://www.ietf.org/rfc/rfc3079.txt</A
>
</P
></LI
><LI
><P
>RFC3579: RADIUS Support For EAP<A
HREF="http://www.ietf.org/rfc/rfc3579.txt"
TARGET="_top"
>&#13; http://www.ietf.org/rfc/rfc3579.txt</A
>
</P
></LI
><LI
><P
>RFC3580: IEEE 802.1X RADIUS Usage Guidelines<A
HREF="http://www.ietf.org/rfc/rfc3580.txt"
TARGET="_top"
>&#13; http://www.ietf.org/rfc/rfc3580.txt</A
>
</P
></LI
><LI
><P
>RFC3588: Diameter Base Protocol<A
HREF="http://www.ietf.org/rfc/rfc3588.txt"
TARGET="_top"
>&#13; http://www.ietf.org/rfc/rfc3588.txt</A
>
</P
></LI
><LI
><P
>RFC3610: Counter with CBC-MAC (CCM)<A
HREF="http://www.ietf.org/rfc/rfc3610.txt"
TARGET="_top"
>&#13; http://www.ietf.org/rfc/rfc3610.txt</A
>
</P
></LI
><LI
><P
>RFC3748: Extensible Authentication Protocol (EAP)<A
HREF="http://www.ietf.org/rfc/rfc3748.txt"
TARGET="_top"
>&#13; http://www.ietf.org/rfc/rfc3748.txt</A
>
</P
></LI
><LI
><P
>Linux Wireless Access Point HOWTO <A
HREF="http://oob.freeshell.org/nzwireless/LWAP-HOWTO.html"
TARGET="_top"
>&#13; http://oob.freeshell.org/nzwireless/LWAP-HOWTO.html</A
>
</P
></LI
><LI
><P
>SSL Certificates HOWTO<A
HREF="http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/"
TARGET="_top"
>
http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/</A
>
</P
></LI
><LI
><P
>OpenSSL: x509(1)<A
HREF="http://www.openssl.org/docs/apps/x509.html"
TARGET="_top"
>
http://www.openssl.org/docs/apps/x509.html</A
>
</P
></LI
></OL
>
</P
></DIV
><DIV
CLASS="sect1"
><HR><H1
CLASS="sect1"
><A
NAME="copyack"
></A
>10. Copyright, acknowledgments and miscellaneous</H1
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="copyright"
></A
>10.1. Copyright and License</H2
><P
> Copyright (c) 2004 Lars Strand.</P
><P
>&#13; Permission is granted to copy, distribute and/or modify this
document under the terms of the <A
HREF="http://www.gnu.org/licenses/fdl.html"
TARGET="_top"
>GNU Free
Documentation License</A
>, Version 1.2 or any later version
published by the Free Software Foundation; with no Invariant
Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy
of the license is included in the section entitled "GNU Free
Documentation License".
</P
></DIV
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="produced"
></A
>10.2. How this document was produced</H2
><P
>This document was written in DocBook XML using Emacs.</P
></DIV
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="feedback"
></A
>10.3. Feedback</H2
><P
>&#13; Suggestions, corrections, additions wanted. Contributors wanted
and acknowledged. Flames not wanted.
</P
><P
>&#13; I can always be reached at <TT
CLASS="email"
>&#60;<A
HREF="mailto:lars strand at gnist org"
>lars strand at gnist org</A
>&#62;</TT
>
</P
><P
>&#13; Homepage: <A
HREF="http://www.gnist.org/~lars/"
TARGET="_top"
>http://www.gnist.org/~lars/</A
>
</P
></DIV
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="ack"
></A
>10.4. Acknowledgments</H2
><P
>&#13; Thanks to Andreas Hafslund <TT
CLASS="email"
>&#60;<A
HREF="mailto:andreha at unik no"
>andreha at unik no</A
>&#62;</TT
> and Thales
Communication for initial support.
</P
><P
>&#13; Also thanks to Artur Hecker <TT
CLASS="email"
>&#60;<A
HREF="mailto:hecker at enst fr"
>hecker at enst fr</A
>&#62;</TT
>,
Chris Hessing <TT
CLASS="email"
>&#60;<A
HREF="mailto:chris hessing at utah edu"
>chris hessing at utah edu</A
>&#62;</TT
>, Jouni
Malinen <TT
CLASS="email"
>&#60;<A
HREF="mailto:jkmaline at cc hut fi"
>jkmaline at cc hut fi</A
>&#62;</TT
> and Terry
Simons <TT
CLASS="email"
>&#60;<A
HREF="mailto:galimore at mac com"
>galimore at mac com</A
>&#62;</TT
> for valuable feedback!
</P
><P
>&#13; Thanks to Rick Moen <TT
CLASS="email"
>&#60;<A
HREF="mailto:rick at linuxmafia com"
>rick at linuxmafia com</A
>&#62;</TT
> for
doing a language review!
</P
></DIV
></DIV
><DIV
CLASS="appendix"
><HR><H1
CLASS="appendix"
><A
NAME="gfdl"
></A
>A. GNU Free Documentation License</H1
><FONT
COLOR="RED"
>Version 1.2, November 2002</FONT
><A
NAME="fsf-copyright"
></A
><BLOCKQUOTE
CLASS="BLOCKQUOTE"
><P
>Copyright (C) 2000,2001,2002 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.</P
></BLOCKQUOTE
><DIV
CLASS="section"
><HR><H1
CLASS="section"
><A
NAME="gfdl-0"
></A
>A.1. PREAMBLE</H1
><P
>The purpose of this License is to make a manual, textbook, or
other functional and useful document "free" in the sense of freedom: to
assure everyone the effective freedom to copy and redistribute it, with
or without modifying it, either commercially or noncommercially.
Secondarily, this License preserves for the author and publisher a way
to get credit for their work, while not being considered responsible for
modifications made by others.</P
><P
>This License is a kind of "copyleft", which means that derivative
works of the document must themselves be free in the same sense. It
complements the GNU General Public License, which is a copyleft license
designed for free software.</P
><P
>We have designed this License in order to use it for manuals for
free software, because free software needs free documentation: a free
program should come with manuals providing the same freedoms that the
software does. But this License is not limited to software manuals; it
can be used for any textual work, regardless of subject matter or
whether it is published as a printed book. We recommend this License
principally for works whose purpose is instruction or reference.</P
></DIV
><DIV
CLASS="section"
><HR><H1
CLASS="section"
><A
NAME="gfdl-1"
></A
>A.2. APPLICABILITY AND DEFINITIONS</H1
><P
>This License applies to any manual or other work, in
any medium, that contains a notice placed by the copyright holder saying
it can be distributed under the terms of this License. Such a notice
grants a world-wide, royalty-free license, unlimited in duration, to use
that work under the conditions stated herein. The "Document", below,
refers to any such manual or work. Any member of the public is a
licensee, and is addressed as "you". You accept the license if you
copy, modify or distribute the work in a way requiring permission under
copyright law.</P
><P
>A "Modified Version" of the Document means any
work containing the Document or a portion of it, either copied verbatim,
or with modifications and/or translated into another language.</P
><P
>A "Secondary Section" is a named appendix or
a front-matter section of the Document that deals exclusively with the
relationship of the publishers or authors of the Document to the
Document's overall subject (or to related matters) and contains nothing
that could fall directly within that overall subject. (Thus, if the
Document is in part a textbook of mathematics, a Secondary Section may
not explain any mathematics.) The relationship could be a matter of
historical connection with the subject or with related matters, or of
legal, commercial, philosophical, ethical or political position
regarding them.</P
><P
>The "Invariant Sections" are certain Secondary
Sections whose titles are designated, as being those of Invariant
Sections, in the notice that says that the Document is released under
this License. If a section does not fit the above definition of
Secondary then it is not allowed to be designated as Invariant. The
Document may contain zero Invariant Sections. If the Document does not
identify any Invariant Sections then there are none.</P
><P
>The "Cover Texts" are certain short passages of
text that are listed, as Front-Cover Texts or Back-Cover Texts, in the
notice that says that the Document is released under this License. A
Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at
most 25 words.</P
><P
>A "Transparent" copy of the Document means a
machine-readable copy, represented in a format whose specification is
available to the general public, that is suitable for revising the
document straightforwardly with generic text editors or (for images
composed of pixels) generic paint programs or (for drawings) some widely
available drawing editor, and that is suitable for input to text
formatters or for automatic translation to a variety of formats suitable
for input to text formatters. A copy made in an otherwise Transparent
file format whose markup, or absence of markup, has been arranged to
thwart or discourage subsequent modification by readers is not
Transparent. An image format is not Transparent if used for any
substantial amount of text. A copy that is not "Transparent" is called
"Opaque".</P
><P
>Examples of suitable formats for Transparent copies include plain
ASCII without markup, Texinfo input format, LaTeX input format, SGML or
XML using a publicly available DTD, and standard-conforming simple HTML,
PostScript or PDF designed for human modification. Examples of
transparent image formats include PNG, XCF and JPG. Opaque formats
include proprietary formats that can be read and edited only by
proprietary word processors, SGML or XML for which the DTD and/or
processing tools are not generally available, and the machine-generated
HTML, PostScript or PDF produced by some word processors for output
purposes only.</P
><P
>The "Title Page" means, for a printed book,
the title page itself, plus such following pages as are needed to hold,
legibly, the material this License requires to appear in the title page.
For works in formats which do not have any title page as such, "Title
Page" means the text near the most prominent appearance of the work's
title, preceding the beginning of the body of the text.</P
><P
>A section "Entitled XYZ" means a named subunit
of the Document whose title either is precisely XYZ or contains XYZ in
parentheses following text that translates XYZ in another language.
(Here XYZ stands for a specific section name mentioned below, such as
"Acknowledgements", "Dedications", "Endorsements", or "History".) To
"Preserve the Title" of such a section when you modify the Document
means that it remains a section "Entitled XYZ" according to this
definition.</P
><P
>The Document may include Warranty Disclaimers next to the notice
which states that this License applies to the Document. These Warranty
Disclaimers are considered to be included by reference in this License,
but only as regards disclaiming warranties: any other implication that
these Warranty Disclaimers may have is void and has no effect on the
meaning of this License.</P
></DIV
><DIV
CLASS="section"
><HR><H1
CLASS="section"
><A
NAME="gfdl-2"
></A
>A.3. VERBATIM COPYING</H1
><P
>You may copy and distribute the Document in any medium, either
commercially or noncommercially, provided that this License, the
copyright notices, and the license notice saying this License applies to
the Document are reproduced in all copies, and that you add no other
conditions whatsoever to those of this License. You may not use
technical measures to obstruct or control the reading or further copying
of the copies you make or distribute. However, you may accept
compensation in exchange for copies. If you distribute a large enough
number of copies you must also follow the conditions in section 3.
</P
><P
>You may also lend copies, under the same conditions stated above,
and you may publicly display copies.</P
></DIV
><DIV
CLASS="section"
><HR><H1
CLASS="section"
><A
NAME="gfdl-3"
></A
>A.4. COPYING IN QUANTITY</H1
><P
>If you publish printed copies (or copies in media that commonly
have printed covers) of the Document, numbering more than 100, and the
Document's license notice requires Cover Texts, you must enclose the
copies in covers that carry, clearly and legibly, all these Cover Texts:
Front-Cover Texts on the front cover, and Back-Cover Texts on the back
cover. Both covers must also clearly and legibly identify you as the
publisher of these copies. The front cover must present the full title
with all words of the title equally prominent and visible. You may add
other material on the covers in addition. Copying with changes limited
to the covers, as long as they preserve the title of the Document and
satisfy these conditions, can be treated as verbatim copying in other
respects.</P
><P
>If the required texts for either cover are too voluminous to fit
legibly, you should put the first ones listed (as many as fit
reasonably) on the actual cover, and continue the rest onto adjacent
pages.</P
><P
>If you publish or distribute Opaque copies of the Document
numbering more than 100, you must either include a machine-readable
Transparent copy along with each Opaque copy, or state in or with each
Opaque copy a computer-network location from which the general
network-using public has access to download using public-standard
network protocols a complete Transparent copy of the Document, free of
added material. If you use the latter option, you must take reasonably
prudent steps, when you begin distribution of Opaque copies in quantity,
to ensure that this Transparent copy will remain thus accessible at the
stated location until at least one year after the last time you
distribute an Opaque copy (directly or through your agents or retailers)
of that edition to the public.</P
><P
>It is requested, but not required, that you contact the authors of
the Document well before redistributing any large number of copies, to
give them a chance to provide you with an updated version of the
Document.</P
></DIV
><DIV
CLASS="section"
><HR><H1
CLASS="section"
><A
NAME="gfdl-4"
></A
>A.5. MODIFICATIONS</H1
><P
>You may copy and distribute a Modified Version of the Document
under the conditions of sections 2 and 3 above, provided that you
release the Modified Version under precisely this License, with the
Modified Version filling the role of the Document, thus licensing
distribution and modification of the Modified Version to whoever
possesses a copy of it. In addition, you must do these things in the
Modified Version:</P
><P
></P
><OL
TYPE="A"
><LI
><P
>Use in the Title Page (and on the covers, if any) a
title distinct from that of the Document, and from those of previous
versions (which should, if there were any, be listed in the History
section of the Document). You may use the same title as a previous
version if the original publisher of that version gives permission.
</P
></LI
><LI
><P
>List on the Title Page, as authors, one or more
persons or entities responsible for authorship of the modifications in
the Modified Version, together with at least five of the principal
authors of the Document (all of its principal authors, if it has fewer
than five), unless they release you from this requirement.
</P
></LI
><LI
><P
>State on the Title page the name of the publisher of
the Modified Version, as the publisher.</P
></LI
><LI
><P
>Preserve all the copyright notices of the Document.
</P
></LI
><LI
><P
>Add an appropriate copyright notice for your
modifications adjacent to the other copyright notices.
</P
></LI
><LI
><P
>Include, immediately after the copyright notices, a
license notice giving the public permission to use the Modified
Version under the terms of this License, in the form shown in the
<A
HREF="#gfdl-addendum"
>Addendum</A
> below.
</P
></LI
><LI
><P
>Preserve in that license notice the full lists of
Invariant Sections and required Cover Texts given in the Document's
license notice.</P
></LI
><LI
><P
>Include an unaltered copy of this License.
</P
></LI
><LI
><P
>Preserve the section Entitled "History", Preserve its
Title, and add to it an item stating at least the title, year, new
authors, and publisher of the Modified Version as given on the Title
Page. If there is no section Entitled "History" in the Document,
create one stating the title, year, authors, and publisher of the
Document as given on its Title Page, then add an item describing the
Modified Version as stated in the previous sentence.
</P
></LI
><LI
><P
>Preserve the network location, if any, given in the
Document for public access to a Transparent copy of the Document, and
likewise the network locations given in the Document for previous
versions it was based on. These may be placed in the "History"
section. You may omit a network location for a work that was
published at least four years before the Document itself, or if the
original publisher of the version it refers to gives permission.
</P
></LI
><LI
><P
>For any section Entitled "Acknowledgements" or
"Dedications", Preserve the Title of the section, and preserve in the
section all the substance and tone of each of the contributor
acknowledgements and/or dedications given therein.
</P
></LI
><LI
><P
>Preserve all the Invariant Sections of the Document,
unaltered in their text and in their titles. Section numbers or the
equivalent are not considered part of the section titles.
</P
></LI
><LI
><P
>Delete any section Entitled "Endorsements".
Such a section may not be included in the Modified Version.
</P
></LI
><LI
><P
>Do not retitle any existing section to be Entitled
"Endorsements" or to conflict in title with any Invariant Section.
</P
></LI
><LI
><P
>Preserve any Warranty Disclaimers.
</P
></LI
></OL
><P
>If the Modified Version includes new front-matter sections or
appendices that qualify as Secondary Sections and contain no material
copied from the Document, you may at your option designate some or all
of these sections as invariant. To do this, add their titles to the
list of Invariant Sections in the Modified Version's license notice.
These titles must be distinct from any other section titles.</P
><P
>You may add a section Entitled "Endorsements", provided it
contains nothing but endorsements of your Modified Version by various
parties--for example, statements of peer review or that the text has
been approved by an organization as the authoritative definition of a
standard.</P
><P
>You may add a passage of up to five words as a Front-Cover Text,
and a passage of up to 25 words as a Back-Cover Text, to the end of the
list of Cover Texts in the Modified Version. Only one passage of
Front-Cover Text and one of Back-Cover Text may be added by (or through
arrangements made by) any one entity. If the Document already includes
a cover text for the same cover, previously added by you or by
arrangement made by the same entity you are acting on behalf of, you may
not add another; but you may replace the old one, on explicit permission
from the previous publisher that added the old one.</P
><P
>The author(s) and publisher(s) of the Document do not by this
License give permission to use their names for publicity for or to
assert or imply endorsement of any Modified Version.</P
></DIV
><DIV
CLASS="section"
><HR><H1
CLASS="section"
><A
NAME="gfdl-5"
></A
>A.6. COMBINING DOCUMENTS</H1
><P
>You may combine the Document with other documents released under
this License, under the terms defined in <A
HREF="#gfdl-4"
>section
4</A
> above for modified versions, provided that you include in the
combination all of the Invariant Sections of all of the original
documents, unmodified, and list them all as Invariant Sections of your
combined work in its license notice, and that you preserve all their
Warranty Disclaimers.</P
><P
>The combined work need only contain one copy of this License, and
multiple identical Invariant Sections may be replaced with a single
copy. If there are multiple Invariant Sections with the same name but
different contents, make the title of each such section unique by adding
at the end of it, in parentheses, the name of the original author or
publisher of that section if known, or else a unique number. Make the
same adjustment to the section titles in the list of Invariant Sections
in the license notice of the combined work.</P
><P
>In the combination, you must combine any sections Entitled
"History" in the various original documents, forming one section
Entitled "History"; likewise combine any sections Entitled
"Acknowledgements", and any sections Entitled "Dedications". You must
delete all sections Entitled "Endorsements".</P
></DIV
><DIV
CLASS="section"
><HR><H1
CLASS="section"
><A
NAME="gfdl-6"
></A
>A.7. COLLECTIONS OF DOCUMENTS</H1
><P
>You may make a collection consisting of the Document and other
documents released under this License, and replace the individual copies
of this License in the various documents with a single copy that is
included in the collection, provided that you follow the rules of this
License for verbatim copying of each of the documents in all other
respects.</P
><P
>You may extract a single document from such a collection, and
distribute it individually under this License, provided you insert a
copy of this License into the extracted document, and follow this
License in all other respects regarding verbatim copying of that
document.</P
></DIV
><DIV
CLASS="section"
><HR><H1
CLASS="section"
><A
NAME="gfdl-7"
></A
>A.8. AGGREGATION WITH INDEPENDENT WORKS</H1
><P
>A compilation of the Document or its derivatives with other
separate and independent documents or works, in or on a volume of a
storage or distribution medium, is called an "aggregate" if the
copyright resulting from the compilation is not used to limit the legal
rights of the compilation's users beyond what the individual works
permit. When the Document is included in an aggregate, this License does
not apply to the other works in the aggregate which are not themselves
derivative works of the Document.</P
><P
>If the Cover Text requirement of section 3 is applicable to these
copies of the Document, then if the Document is less than one half of
the entire aggregate, the Document's Cover Texts may be placed on covers
that bracket the Document within the aggregate, or the electronic
equivalent of covers if the Document is in electronic form. Otherwise
they must appear on printed covers that bracket the whole
aggregate.</P
></DIV
><DIV
CLASS="section"
><HR><H1
CLASS="section"
><A
NAME="gfdl-8"
></A
>A.9. TRANSLATION</H1
><P
>Translation is considered a kind of modification, so you may
distribute translations of the Document under the terms of section 4.
Replacing Invariant Sections with translations requires special
permission from their copyright holders, but you may include
translations of some or all Invariant Sections in addition to the
original versions of these Invariant Sections. You may include a
translation of this License, and all the license notices in the
Document, and any Warranty Disclaimers, provided that you also include
the original English version of this License and the original versions
of those notices and disclaimers. In case of a disagreement between the
translation and the original version of this License or a notice or
disclaimer, the original version will prevail.</P
><P
>If a section in the Document is Entitled "Acknowledgements",
"Dedications", or "History", the requirement (section 4) to Preserve its
Title (section 1) will typically require changing the actual
title.</P
></DIV
><DIV
CLASS="section"
><HR><H1
CLASS="section"
><A
NAME="gfdl-9"
></A
>A.10. TERMINATION</H1
><P
>You may not copy, modify, sublicense, or distribute the Document
except as expressly provided for under this License. Any other attempt
to copy, modify, sublicense or distribute the Document is void, and will
automatically terminate your rights under this License. However,
parties who have received copies, or rights, from you under this License
will not have their licenses terminated so long as such parties remain
in full compliance.</P
></DIV
><DIV
CLASS="section"
><HR><H1
CLASS="section"
><A
NAME="gfdl-10"
></A
>A.11. FUTURE REVISIONS OF THIS LICENSE</H1
><P
>The Free Software Foundation may publish new, revised versions of
the GNU Free Documentation License from time to time. Such new versions
will be similar in spirit to the present version, but may differ in
detail to address new problems or concerns. See
http://www.gnu.org/copyleft/.</P
><P
>Each version of the License is given a distinguishing version
number. If the Document specifies that a particular numbered version of
this License "or any later version" applies to it, you have the option
of following the terms and conditions either of that specified version
or of any later version that has been published (not as a draft) by the
Free Software Foundation. If the Document does not specify a version
number of this License, you may choose any version ever published (not
as a draft) by the Free Software Foundation.</P
></DIV
><DIV
CLASS="section"
><HR><H1
CLASS="section"
><A
NAME="gfdl-addendum"
></A
>A.12. ADDENDUM: How to use this License for
your documents</H1
><P
>To use this License in a document you have written, include a copy
of the License in the document and put the following copyright and
license notices just after the title page:</P
><A
NAME="copyright-sample"
></A
><BLOCKQUOTE
CLASS="BLOCKQUOTE"
><P
>&#13; Copyright (c) YEAR YOUR NAME.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU
Free Documentation License".
</P
></BLOCKQUOTE
><P
>If you have Invariant Sections, Front-Cover Texts and Back-Cover
Texts, replace the "with...Texts." line with this:</P
><A
NAME="inv-cover-sample"
></A
><BLOCKQUOTE
CLASS="BLOCKQUOTE"
><P
>&#13; with the Invariant Sections being LIST THEIR TITLES, with the
Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
</P
></BLOCKQUOTE
><P
>If you have Invariant Sections without Cover Texts, or some other
combination of the three, merge those two alternatives to suit the
situation.</P
><P
>If your document contains nontrivial examples of program code, we
recommend releasing these examples in parallel under your choice of free
software license, such as the GNU General Public License, to permit
their use in free software.</P
></DIV
></DIV
></DIV
></BODY
></HTML
>