Linux Voodoo Corporation
About Us 866.309.4617 Tracking Shopping Cart Checkout
Shop Account Customer Care Services Resources
Overview Books Mailing Lists Search Howtos
 
  You are here: » Main » Howto's Log In  | Financing  
Swartz Creek, Michigan: Linux Voodoo offers Linux consulting (and support) services (both free and commercial), Linux compatible hardware and software reviews and sales, Linux servers and desktop, the Voodoo Linux distribution and hardening systems, Linux driver development, Linux news,chat, message boards, Linux embedded jobs, security advisories, Linux howto's and newbie information. linux download red hat directpc direct pc linux linux software linux driver linux tutorial linux mandrake mandrake linux linux command netapp linux mount windows source decss linux game linux hp suse linux linux downloads linux firewall linux server linux programming linux red hat wine linux linux ppt linux operating system embedded linux linux distribution corel linux free linux free linux download linux help force 10baset linux linux laptop reset linux scsi d kill tape /proc linux router linux pda linux wallpaper red hat linux download linux kernel linux router project linux iso linux howto linux how to linux os linux application linux certification linux web hosting linux hosting linux modem peanut linux nokia rs 232 linux modem setting linux for window linux free download linux documentation project linux sms1 linux call back linux problem reading directory linux boot disk linux theme linux cluster linux closing port linux security dialogic linux linux emulator linux training linux startup dual boot window 2000 linux linux magazine linux auto rpm realtek rtl8019 linux driver download robomon linux linux estrutura de diretorios 3c589d config linux timeservice linux linux samba linux dvd player linux .ppt mplayer near download and linux red hat linux 7.2 linux mail server free linux software linux hardwarelinux anti virus redmond linux linux modem driver linux vpn pic microcontroller linux programmer aol for linux linux review linux wireless
contact us: abuse@flonetwork.com webmaster@flonetwork.com info@webmaster@flonetwork.com spampoision@lnxvoodoo.com noc@sprint.net webmaster@lnxvoodoo.com wlad@lnxvoodoo.com michelle@lnxvoodoo.com ryan@lnxvoodoo.com bryan@lnxvoodo.com rambo@lnxvoodoo.com senioreditor@lnxvoodoo.com editor@lnxvoodoo.com
WOW on Linux, yes our gaming systems do include World of Warcraft for Linux! Linux Voodoo Gaming systems include one copy of World of Warcraft, 1 year paid subscription to Transgaming.com so you can play over 200 popular Windows games on our linux systems. Too good to be true? Try it out for yourself.
  Start shopping
Notebooks
notebooks 

 

Desktops
desktops 

 

Servers
servers 

 

Appliances
appliances 

 

Accessories
accessories 

 

Software
software 
Howto's  
Testbed
802.1X Port-Based Authentication HOWTO
PrevNext

6. Testbed

6.1. Testcase

figure testbed: A wireless node request authentication.

Our testbed consists of two nodes and one Access Point (AP). One node functions as the Supplicant (WN), the other as the back-end Authentication Server running RADIUS (AS). The Access Point is the Authenticator. See figure testbed for explanation.

Important

It is crucial that the Access Point be able to reach (ping) the Authentication Server, and vice versa!

6.2. Running some tests

Running some tests

  1. The RADIUS server is started in debug mode. This produces a lot of debug information. The important snippets are below: 

    
  # radiusd -X
  Starting - reading configuration files ...
  reread_config:  reading radiusd.conf
  Config:   including file: /usr/local/etc/raddb/proxy.conf
  Config:   including file: /usr/local/etc/raddb/clients.conf
  Config:   including file: /usr/local/etc/raddb/snmp.conf
  Config:   including file: /usr/local/etc/raddb/eap.conf
  Config:   including file: /usr/local/etc/raddb/sql.conf
  ......
  Module: Loaded MS-CHAP 
   mschap: use_mppe = yes
   mschap: require_encryption = no
   mschap: require_strong = no
   mschap: with_ntdomain_hack = no
   mschap: passwd = "(null)"
   mschap: authtype = "MS-CHAP"
   mschap: ntlm_auth = "(null)"
  Module: Instantiated mschap (mschap)
  ......
  Module: Loaded eap 
   eap: default_eap_type = "peap" (1)
   eap: timer_expire = 60
   eap: ignore_unknown_eap_types = no
   eap: cisco_accounting_username_bug = no
  rlm_eap: Loaded and initialized type md5
   tls: rsa_key_exchange = no (2)
   tls: dh_key_exchange = yes
   tls: rsa_key_length = 512
   tls: dh_key_length = 512
   tls: verify_depth = 0
   tls: CA_path = "(null)"
   tls: pem_file_type = yes
   tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
   tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
   tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
   tls: private_key_password = "SecretKeyPass77"
   tls: dh_file = "/usr/local/etc/raddb/certs/dh"
   tls: random_file = "/usr/local/etc/raddb/certs/random"
   tls: fragment_size = 1024
   tls: include_length = yes
   tls: check_crl = no
   tls: check_cert_cn = "(null)"
  rlm_eap: Loaded and initialized type tls
   peap: default_eap_type = "mschapv2" (3)
   peap: copy_request_to_tunnel = no
   peap: use_tunneled_reply = no
   peap: proxy_tunneled_request_as_eap = yes
  rlm_eap: Loaded and initialized type peap
   mschapv2: with_ntdomain_hack = no
  rlm_eap: Loaded and initialized type mschapv2
  Module: Instantiated eap (eap) 
  ......
  Module: Loaded files 
   files: usersfile = "/usr/local/etc/raddb/users" (4)
  ...... 
  Module: Instantiated radutmp (radutmp) 
  Listening on authentication *:1812
  Listening on accounting *:1813
  Ready to process requests. (5)
    (1)
    Default EAP type is set to PEAP.
    (2)
    RADIUS's TLS settings are initiated here. The certificate type, location, and password are listet here.
    (3)
    Inside the PEAP tunnel, MS-CHAPv2 is used.
    (4)
    The username/password information is found in the users file.
    (5)
    RADIUS server started successfully. Waiting for incoming requests.

    The radius server is now ready to process requests!

    The most interesting output is included above. If you get any error message instead of the last line, go over the configuration (above) carefully.

  2. Now the Supplicant is ready to get authenticated. Start Xsupplicant in debug mode. Note that we'll see output produced by the two startup scripts: startup.sh and startup2.sh. 

    
  # xsupplicant -c /usr/local/etc/1x/1x.conf -i eth0 -d 6
  Starting /etc/1x/startup.sh
  Finished /etc/1x/startup.sh
  Starting /etc/1x/startup2.sh
  Finished /etc/1x/startup2.sh

  3. At the same time, the RADIUS server is producing a lot of output. Key snippets are shown below: 

    
  ......
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS (1)
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake 
  eaptls_process returned 7 
  rlm_eap_peap: EAPTLS_OK (2)
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 8
modcall: group authenticate returns ok for request 8
Login OK: [testuser/<no User-Password attribute>] (from client testnet port 37 cli 0002a56fa08a)
Sending Access-Accept of id 8 to 192.168.2.1:1032 (3)
	MS-MPPE-Recv-Key = 0xf21757b96f52ddaefe084c343778d0082c2c8e12ce18ae10a79c550ae61a5206 (4)
	MS-MPPE-Send-Key = 0x5e1321e06a45f7ac9f78fb9d398cab5556bff6c9d003cdf8161683bfb7e7af18 
	EAP-Message = 0x030a0004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "testuser"
    (1)
    TLS session startup. Doing TLS-handshake.
    (2)
    The TLS session (PEAP-encrypted tunnel) is up.
    (3)
    The Supplicant has been authenticated successfully by the RADIUS server. An "Access-Accept" message is sent.
    (4)
    The MS-MPPE-Recv-Key [RFC2548 section 2.4.3] contains the Pairwise Master Key (PMK) destined to the Authenticator (access point), encrypted with the MPPE Protocol [RFC3078], using the shared secret between the Authenticator and Authentication Server as key. The Supplicant derives the same PMK from MK, as described in Key Management.

  4. The Authenticator (access point) may also show something like this in its log: 

    
  00:02:16 (Info): Station 0002a56fa08a Associated
  00:02:17 (Info): Station=0002a56fa08a User="testuser" EAP-Authenticated

That's it! The Supplicant is now authenticated to use the Access Point!

PrevHomeNext
Authenticator: Setting up the Authenticator (Access Point) Note about driver support and Xsupplicant
Continue
 



P
System Builder

Now Shipping from: California - Florida - Georgia - Massachusetts - Michigan - New Jersey - Pennsylvania - Tennessee - Texas
We only ship within the USA and APO's.
We do not ship on national US holidays or on weekends.
Linux Voodoo RSS Store Feed
About Us  |  Contact Us  |  Conditions of Use  |  Privacy Notice  |  Warranty & Returns  |  Employment |  PHP HTML Form Builder

Copyright © 2003, Linux Voodoo Corporation All rights reserved. Linux is a trademark of Linus Torvalds.
email-addresses
Asterisk Debian Linux, WOW on Linux, yes our gaming systems do include World of Warcraft for Linux! Linux Voodoo Gaming systems include one copy of World of Warcraft, 1 year paid subscription to Transgaming.com so you can play over 200 popular Windows games on our linux systems. Too good to be true? Try it out for yourself.