802.1X Port-Based Authentication HOWTO, Lars Strand [early reader chapter books txt] 📗

Authenticator: Setting up the Authenticator (Access Point)

During the authentication process, the Authenticator just relays all

messages between the Supplicant and the Authentication Server (RADIUS). EAPOL

is used between the Supplicant and the Authenticator; and, between the

Authenticator and the Authentication Server, UDP is used.

5.1. Access Point

Many access point have support for 802.1X (and RADIUS) authentication. It

must first be configured to use 802.1X authentication.

Note Configuring and setting up 802.1X on the AP may differ between vendors.

Listed below are the required settings to make a Cisco AP350 work. Other settings to TIKP, CCMP etc. may also be configured.

The AP must set the ESSID to "testnet" and must activate:

[8021X-CiscoAP]

Figure AP350: The RADIUS configuration screen for a Cisco AP-350

��*� 802.1X-2001: Make sure the 802.1X Protocol version is set to

"802.1X-2001". Some older Access Points support only the draft version of the 802.1X standard (and may therefore not work).

��*� RADIUS Server: the name/IP address of the RADIUS server and the shared

secret between the RADIUS server and the Access Point (which in this document is "SharedSecret99"). See figure AP350.

��*� EAP Authentication: The RADIUS server should be used for EAP

authentication.

[8021X-CiscoAP2]

Figure AP350-2: The Encryption configuration screen for a Cisco AP-350

��*� Full Encryption to allow only encrypted traffic. Note that 802.1X may

be used without using encryption, which is nice for test purposes.

��*� Open Authentication to make the Supplicant associate with the Access

Point before encryption keys are available. Once the association is done, the Supplicant may start EAP authentication.

��*� Require EAP for the "Open Authentication". That will ensure that only

authenticated users are allowed into the network.

5.2. Linux Authenticator

An ordinary Linux node can be set up to function as a wireless Access Point

and Authenticator. How to set up and use Linux as an AP is beyond the scope

of this document. Simon Anderson's Linux Wireless Access Point HOWTO may be

of guidance.

Testbed

6.1. Testcase

[8021X-Testbed]

figure testbed: A wireless node request authentication.

Our testbed consists of two nodes and one Access Point (AP). One node

functions as the Supplicant (WN), the other as the back-end Authentication

Server running RADIUS (AS). The Access Point is the Authenticator. See figure

testbed for explanation.

Important It is crucial that the Access Point be able to reach (ping) the

Authentication Server, and vice versa!

6.2. Running some tests

Running some tests

The RADIUS server is started in debug mode. This produces a lot of

debug information. The important snippets are below:

# radiusd -X

Starting - reading configuration files ...

reread_config: reading radiusd.conf

Config: including file: /usr/local/etc/raddb/proxy.conf

Config: including file: /usr/local/etc/raddb/clients.conf

Config: including file: /usr/local/etc/raddb/snmp.conf

Config: including file: /usr/local/etc/raddb/eap.conf

Config: including file: /usr/local/etc/raddb/sql.conf

......

Module: Loaded MS-CHAP

mschap: use_mppe = yes

mschap: require_encryption = no

mschap: require_strong = no

mschap: with_ntdomain_hack = no

mschap: passwd = "(null)"

mschap: authtype = "MS-CHAP"

mschap: ntlm_auth = "(null)"

Module: Instantiated mschap (mschap)

......

Module: Loaded eap

eap: default_eap_type = "peap" (1)

eap: timer_expire = 60

eap: ignore_unknown_eap_types = no

eap: cisco_accounting_username_bug = no

rlm_eap: Loaded and initialized type md5

tls: rsa_key_exchange = no (2)

tls: dh_key_exchange = yes

tls: rsa_key_length = 512

tls: dh_key_length = 512

tls: verify_depth = 0

tls: CA_path = "(null)"

tls: pem_file_type = yes

tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"

tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"

tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"

tls: private_key_password = "SecretKeyPass77"

tls: dh_file = "/usr/local/etc/raddb/certs/dh"

tls: random_file = "/usr/local/etc/raddb/certs/random"

tls: fragment_size = 1024