HOWTO on using 802.1x in IPW hardware
--- EAP/TLS authentication between FreeRADIUS and XSupplicant

v 0.1  08/20/2004  Yan Nan               Initial version
v 0.5  08/26/2004  Xiong Crystal         Add detailed hardware/software configuration
                                         Add link to the tarball provided by Terry Simons
                                         Incorporate the comments from Terry Simons
v 1.0  07/28/2005  Xie Weiyi/Yan Yechun  Change some settings for the new versions of
                                         FreeRADIUS/Xsupplicant. Use new wireless card.

1. Introduction
----------------
802.1X is an IEEE standard (ratified in 2001) that provides port-based
authentication at layer 2 of the OSI model. 802.1X blocks network access
through a port until the client (the supplicant) has supplied credentials
that the authentication server accepts. If you need to authenticate to an
802.1X-enabled network with IPW hardware in Linux, this HOWTO is probably
for you. It describes how to use Xsupplicant v1.2pre and FreeRADIUS v1.0.2
to do EAP/TLS authentication.

Thanks to Terry Simons for providing the Xsupplicant config files and
certificates!

2. Hardware and Software Configuration
-----------------------------------
Basically, a working 802.1X environment needs three parts: a RADIUS
server (the authentication server), an 802.1X client (the supplicant)
and an AP that supports RADIUS mode (the authenticator). The following
is the sample configuration we used:

FreeRADIUS server:
    hardware -- Compaq X1000 with built-in 100 Mbps Ethernet (Laptop A)
    software -- Fedora Core 3, kernel 2.6.11
                FreeRADIUS v1.0.2
                OpenSSL openssl-0.9.7a-23

Authenticator (AP):
    # hardware -- Linksys WRT54G in RADIUS mode
    # The WRT54G may have a problem with 802.1X: it does not respond to
    # the 802.1X (EAPOL-Start) request.
    hardware -- ASUS WL-500g

802.1X client (Xsupplicant):
    hardware -- IBM R50 (Laptop B)
                Intel 2100 3B/2200BG/2915ABG Mini PCI Adapter
    software -- Fedora Core 3, kernel 2.6.11
                xsupplicant v1.2pre
                OpenSSL openssl-0.9.7a-23
                ipw2100 v1.1.2 / ipw2200 v1.0.6 / ieee80211-1.0.2

3. Installation & configuration
--------------------------------
Configure Laptop A as the FreeRADIUS server and Laptop B as the
Xsupplicant client, and configure the AP in RADIUS mode:

1) Get the certificates and Xsupplicant tarball from the following link:

   http://www.bughost.org/ipw/validation/tests/tarball/xsupplicant-tests-0.2.tar.gz

   The tarball includes:
   - TLS, TTLS, PEAP, and LEAP configuration files for Xsupplicant.
   - Radiator server configuration files and an example users file.
   - Radiator certificates for TLS, TTLS, PEAP. (Only root.pem and
     cert-srv.pem are needed for PEAP/TTLS; root.pem and cert-clt.pem
     are required for TLS on the client side.)

   [NOTE] We are using FreeRADIUS as the RADIUS server instead of
   Radiator, so we only use the certificates and Xsupplicant config files
   from this tarball. Thanks to Terry Simons for providing it!

   [NOTE] These are shared test certificates: the client certificate, its
   key, the key passphrase ("whatever") and the CA are all in a public
   download, so anyone holding the tarball can authenticate to a server
   that trusts root.pem. Use them only in a closed lab, and issue your own
   CA, server and client certificates for anything else.

2) Install and configure FreeRADIUS on laptop A:

   Download FreeRADIUS v1.0.2 from http://www.freeradius.org/

   tar zxvf freeradius-1.0.2.tar.gz
   cd freeradius-1.0.2
   ./configure
   make
   make install

   Then change several configuration files for your needs. In my case,
   suppose "whatever" is the password, $raddbdir is /usr/local/etc/raddb
   and ${raddbdir}/certs is where you store your certificates. (Lines
   marked "-" are the shipped defaults, lines marked "+" are what we
   changed them to.)

   In /usr/local/etc/raddb/eap.conf:
   ---------------------------------
   -   eap {
   -           default_eap_type = md5
   +   eap {
   +           default_eap_type = tls

   -           #tls {
   -           #       private_key_password = password
   -           #       private_key_file = /path/filename
   +           tls {
   +                   private_key_password = whatever
   +                   private_key_file = ${raddbdir}/certs/cert-srv.pem
                       # The directory above is where I store my certificates.
                       # Sometimes the private key and the certificate are
                       # located in the same file; then private_key_file and
                       # certificate_file must contain the same file name.
   -           #       certificate_file = /path/filename
   +                   certificate_file = ${raddbdir}/certs/cert-srv.pem

                       # Trusted Root CA list
   -           #       CA_file = /path/filename
   +                   CA_file = ${raddbdir}/certs/root.pem

   -           #       dh_file = /path/filename
   -           #       random_file = /path/filename
   +                   dh_file = ${raddbdir}/certs/dh
   +                   random_file = /dev/random

                       # This can never exceed MAX_RADIUS_LEN (4096);
                       # preferably half of MAX_RADIUS_LEN, to accommodate
                       # other attributes in the RADIUS packet.
                       fragment_size = 1024
   +           }
       }

   The dh file is not a certificate and the tarball is not described as
   shipping one; if ${raddbdir}/certs/dh does not exist yet, create it
   before starting radiusd:

   openssl dhparam -out ${raddbdir}/certs/dh 1024

   In /usr/local/etc/raddb/clients.conf:
   -------------------------------------
   The subnet must be the one your AP is in. (A /24 admits every host on
   that subnet as a RADIUS client; outside a lab, list the AP's address
   alone and use a long random secret instead of "whatever".)

   + client 192.168.1.0/24 {
   +         secret = whatever
   +         shortname = ipwasus
   + }

   In /usr/local/etc/raddb/users:
   ------------------------------
   + testuser

3) Install and configure Xsupplicant on laptop B:

   Download Xsupplicant v1.2pre from http://www.open1x.org/

   tar zxvf xsupplicant-1.2pre.tar.gz
   cd xsupplicant-1.2pre
   ./configure
   make
   make install

   Change the Xsupplicant config file (xsupplicant-tls.conf) taken from
   http://www.bughost.org/ipw/validation/tests/tarball/xsupplicant-tests-0.2.tar.gz.

   [NOTE] In this HOWTO we only cover EAP/TLS, so we just use
   xsupplicant-tls.conf. The tarball also contains other config files,
   such as xsupplicant-leap.conf and xsupplicant-ttls.conf, which can be
   used for LEAP and TTLS authentication.

   In xsupplicant-tls.conf, suppose the wireless card is eth1, "whatever"
   is the password, and /root/certs is where you store your certificates.

   In xsupplicant-tls.conf:
   ------------------------
   network_list = all
   default_netname = default
   logfile = /var/log/xsupplicant.log
   deny_interfaces = eth0,lo

   default {
           allow_types = all
           # This is the identity used to authenticate to the RADIUS server
           identity = testuser

           eap-tls {
                   # Certificates we will use, included in the tarball.
                   user_cert = /root/certs/cert-clt.pem
                   user_key = /root/certs/cert-clt.pem
                   user_key_pass = whatever
                   root_cert = /root/certs/root.pem
                   random_file = /dev/urandom
                   session_resume = no
           }
   }

4) Configure the AP for RADIUS with 802.1X mode. You had better enable
   WEP; just turn it on, the WEP key itself is not important (after a
   successful 802.1X authentication the AP delivers a per-session key,
   which is what you see with iwlist in step 6). Set the RADIUS server
   address and port in the AP configuration. The most important setting
   is the shared secret: here we use "whatever", and it must match the
   secret in clients.conf on the server. No encryption might also be OK,
   but it did not work for me: when I configured the AP to open mode with
   RADIUS and 802.1X, the ipw card could not associate with the AP, and
   the AP could not even be seen in a scan.

5) On laptop A, connect to the AP with a wired cable and start FreeRADIUS:

   % ifup eth0
   % ifconfig
   # Remember the IP it got, and set the AP's RADIUS server address to
   # this value.
   % radiusd -X

   It runs like this:

   Listening on authentication *:1812
   Listening on accounting *:1813
   Listening on proxy *:1814
   Ready to process requests.

6) On laptop B, configure its wireless card eth1 and start xsupplicant:

   % iwconfig eth1 essid ipwasus key 1234567890 open
   # ipwasus is my network ESSID and 1234567890 is a fake key, but a key
   # seems to be essential for the card to associate with the AP.
   % ifconfig eth1 192.168.1.11 netmask 255.255.255.0 up
   # Configure a static IP on eth1, such as 192.168.1.11.
   % xsupplicant -d 4 -f -i eth1 -c /root/xsupplicant-tls.conf
   # /root/xsupplicant-tls.conf is my config file.

   Then the two sides complete the authentication and show the result.
   On laptop B, if the authentication is successful, we can verify the
   keys that were set:

   % iwlist eth1 key
   # Verify against the output from the authentication.

   We can then get an IP:

   % dhclient eth1
   # Verify that DHCP succeeded and an IP was obtained:
   % ifconfig eth1

   Verify that traffic flows:

   % ping -I eth1 <destination>
   # Verify that all packets are received.

Copyright (c) 2004 Intel Corporation. All rights reserved.
This material may be distributed only subject to the terms and conditions
set forth in the Open Publication License, v1.0 or later (the latest
version is presently available at http://www.opencontent.org/openpub/).
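As an added example (not part of the HOWTO and not code from FreeRADIUS, Xsupplicant or the ipw drivers), the following Python script shows how the three parts configured above fit together on the wire: the supplicant on laptop B speaks EAP inside EAPOL frames to the AP, and the AP relays each EAP packet to radiusd inside a RADIUS Access-Request protected by the shared secret from clients.conf. It builds the EAPOL-Start and EAP-Response/Identity for "testuser", wraps the response in an Access-Request with a Message-Authenticator, shows why fragment_size must stay below MAX_RADIUS_LEN by splitting a large EAP-TLS fragment across EAP-Message attributes, and verifies the packet the way the server does with the right and with a wrong secret. Packet layouts follow IEEE 802.1X-2001, RFC 3748, RFC 2865 and RFC 3579; the identifiers, the fixed Request Authenticator and all packets are constructed here, nothing is captured from a real network.

```python
"""EAP over 802.1X over RADIUS, as exercised by the HOWTO's setup (added example)."""
import hashlib
import hmac
import struct

EAPOL_VERSION = 1                                   # IEEE 802.1X-2001
EAPOL_TYPE_EAP_PACKET, EAPOL_TYPE_START = 0, 1
EAP_REQUEST, EAP_RESPONSE = 1, 2                    # RFC 3748
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13
RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE = 1, 61
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
MAX_ATTR_VALUE = 253        # 8-bit attribute length minus the 2-byte TLV header


def eapol_frame(eapol_type, body=b""):
    """EAPOL header (version, type, body length) followed by the body."""
    return struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body


def eap_packet(code, identifier, eap_type, data=b""):
    """EAP header (code, identifier, length, type) followed by type-data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data


def radius_attr(attr_type, value):
    """One RADIUS TLV; the length octet includes the 2-byte header."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("value too long for one attribute; fragment it")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def eap_message_attrs(eap):
    """RFC 3579 3.1: an EAP packet over 253 octets is split across consecutive
    EAP-Message attributes that the server concatenates. A 1024-octet TLS
    fragment (eap.conf fragment_size) costs five such attributes, which is why
    fragment_size must stay well below MAX_RADIUS_LEN."""
    return b"".join(radius_attr(ATTR_EAP_MESSAGE, eap[i:i + MAX_ATTR_VALUE])
                    for i in range(0, len(eap), MAX_ATTR_VALUE))


def access_request(identifier, request_auth, secret, user_name, eap):
    """The Access-Request the AP sends for one EAP round trip. RFC 3579 3.2:
    Message-Authenticator = HMAC-MD5(secret, whole packet) computed with the
    attribute's own 16 value octets zeroed, so a wrong secret is detectable."""
    attrs = (radius_attr(ATTR_USER_NAME, user_name)
             + radius_attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + eap_message_attrs(eap)
             + radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac    # Message-Authenticator is the last attribute


def parse_attrs(packet):
    """Split the attribute region after the 20-byte header into (type, value)."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_access_request(packet, secret):
    """Server-side check with the clients.conf secret. Returns
    (authentic, reassembled EAP packet). A mismatch is what radiusd -X
    reports when the AP's secret differs from clients.conf; a request that
    carries EAP-Message without Message-Authenticator is discarded."""
    received, zeroed, eap = None, packet[:20], b""
    for attr_type, value in parse_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            received, value = value, bytes(16)
        elif attr_type == ATTR_EAP_MESSAGE:
            eap += value
        zeroed += radius_attr(attr_type, value)
    if received is None or len(received) != 16:
        return False, b""
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected), eap


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2865 3: the authenticator the AP checks on every reply from radiusd,
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def demo(secret=b"whatever", identity=b"testuser"):
    """One Identity round trip end to end; returns the frames and the checks."""
    start = eapol_frame(EAPOL_TYPE_START)                                # supplicant -> AP
    request = eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)             # AP -> supplicant
    response = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity)  # supplicant -> AP
    request_auth = bytes(range(16))          # constructed; a real AP uses 16 random octets
    pkt = access_request(7, request_auth, secret, identity, response)    # AP -> radiusd
    authentic, eap = verify_access_request(pkt, secret)
    with_wrong_secret, _ = verify_access_request(pkt, b"wrong-secret")
    return {"eapol_start": start, "eap_request": eapol_frame(EAPOL_TYPE_EAP_PACKET, request),
            "eapol_response": eapol_frame(EAPOL_TYPE_EAP_PACKET, response),
            "access_request": pkt, "authentic": authentic,
            "eap_matches": eap == response, "authentic_with_wrong_secret": with_wrong_secret}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

Running the script prints the EAPOL frames and the Access-Request as hex and shows the Message-Authenticator check passing with "whatever" and failing with any other secret, which is the failure you are debugging when the AP and clients.conf disagree. The same construction applies to the EAP-TLS rounds that follow the Identity exchange: each TLS fragment of up to fragment_size octets becomes one Access-Request/Access-Challenge pair, the server's replies carry a Response Authenticator computed with response_authenticator, and (because they contain EAP-Message) a Message-Authenticator as well.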