802.1X Port-Based Authentication HOWTO by Lars Strand
The binaries are installed in /usr/local/bin and /usr/local/sbin. The configuration files are found under /usr/local/etc/raddb.
If something went wrong, check the INSTALL and README included with the source. The [http://www.freeradius.org/faq/] RADIUS FAQ also contains valuable information.
-----
3.2. Configuring FreeRADIUS
FreeRADIUS has a big and mighty configuration file. It is so big that it has been split into several smaller files, which are simply "included" into the main radiusd.conf file.
There are numerous ways of using and setting up FreeRADIUS to do what you want, e.g. fetching user information from LDAP, SQL, a PDC, Kerberos, etc. In this document, user information from a plain text file, users, is used.
Tip The configuration
During the authentication process, the Authenticator just relays all
messages between the Supplicant and the Authentication Server (RADIUS). EAPOL
is used between the Supplicant and the Authenticator; and, between the
Authenticator and the Authentication Server, UDP is used.
5.1. Access Point
Many access points have support for 802.1X (and RADIUS) authentication. The
AP must first be configured to use 802.1X authentication.
Note Configuring and setting up 802.1X on the AP may differ between vendors.
Listed below are the required settings to make a Cisco AP350 work. Other settings such as TKIP, CCMP etc. may also be configured. The AP must set the ESSID to "testnet" and must activate:
[8021X-CiscoAP]
Figure AP350: The RADIUS configuration screen for a Cisco AP-350
* 802.1X-2001: Make sure the 802.1X Protocol version is set to
  "802.1X-2001". Some older Access Points support only the draft version
  of the 802.1X standard (and may therefore not work).
* RADIUS Server: the name/IP address of the RADIUS server and the shared
  secret between the RADIUS server and the Access Point (which in this
  document is "SharedSecret99"). See figure AP350.
* EAP Authentication: The RADIUS server should be used for EAP
  authentication.
[8021X-CiscoAP2]
Figure AP350-2: The Encryption configuration screen for a Cisco AP-350
* Full Encryption to allow only encrypted traffic. Note that 802.1X may
  be used without using encryption, which is nice for test purposes.
* Open Authentication to make the Supplicant associate with the Access
  Point before encryption keys are available. Once the association is
  done, the Supplicant may start EAP authentication.
* Require EAP for the "Open Authentication". That will ensure that only
  authenticated users are allowed into the network.
5.2. Linux Authenticator
An ordinary Linux node can be set up to function as a wireless Access Point
and Authenticator. How to set up and use Linux as an AP is beyond the scope
of this document. Simon Anderson's Linux Wireless Access Point HOWTO may be
of guidance.
6. Testbed
6.1. Testcase
[8021X-Testbed]
Figure testbed: A wireless node requests authentication.
Our testbed consists of two nodes and one Access Point (AP). One node
functions as the Supplicant (WN), the other as the back-end Authentication
Server running RADIUS (AS). The Access Point is the Authenticator. See figure
testbed for explanation.
Important It is crucial that the Access Point be able to reach (ping) the
Authentication Server, and vice versa!
6.2. Running some tests
The RADIUS server is started in debug mode. This produces a lot of
debug information, including configured secrets such as the private key
password in clear text, so keep the output private. The important
snippets are below:
# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
......
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
......
Module: Loaded eap
eap: default_eap_type = "peap" (1)
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
tls: rsa_key_exchange = no (2)
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "SecretKeyPass77"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
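As an added example (not part of the HOWTO), a small Python script that parses the "module: key = value" lines echoed by radiusd -X, like the output above, and flags the values a reviewer would question before putting the setup into production. The sample lines are constructed from the run shown here, and the 2048-bit minimum is the example's own assumption.

```python
import re

# Constructed sample of "radiusd -X" startup output: a subset of the lines
# the HOWTO's own run printed, with the same values.
SAMPLE_DEBUG = """\
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
Module: Loaded eap
eap: default_eap_type = "peap" (1)
tls: rsa_key_exchange = no (2)
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: CA_path = "(null)"
tls: private_key_password = "SecretKeyPass77"
tls: fragment_size = 1024
"""

# One "<module>: <key> = <value>" line; surrounding quotes and trailing
# callout markers like "(1)" are ignored.
LINE_RE = re.compile(r'^(\w+):\s+(\w+)\s*=\s*"?([^"\s]+)"?')

def parse_debug(text):
    """Return {(module, key): value} for every setting echoed by radiusd -X."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            module, key, value = m.groups()
            settings[(module, key)] = value
    return settings

# Threshold is this example's assumption, not something the HOWTO states.
MIN_KEY_BITS = 2048

def audit(settings):
    """Return human-readable findings about weak or sensitive settings."""
    findings = []
    for key in ("rsa_key_length", "dh_key_length"):
        bits = int(settings.get(("tls", key), "0"))
        if bits < MIN_KEY_BITS:
            findings.append(f"tls {key} = {bits}: below {MIN_KEY_BITS} bits")
    if ("tls", "private_key_password") in settings:
        findings.append("tls private_key_password is echoed in clear text: "
                        "treat the debug log as a secret")
    if settings.get(("mschap", "require_encryption")) == "no":
        findings.append("mschap require_encryption = no: MPPE encryption is optional")
    return findings
```

Run audit(parse_debug(...)) over a captured radiusd -X log; the same parser can be extended with further keys as the configuration grows.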