2006/10/24

802.1X is working under my Ubuntu Linux

Finally my Ubuntu Linux is authenticated against the company's Windows IAS 802.1X RADIUS server. Thanks to Xsupplicant, and thanks to the Open1X project for providing us such a great tool.

Before configuring your Linux box, look carefully at the 802.1X settings on the Windows side. In fact, Windows does not support many authentication methods for Ethernet adapters. Windows 2000 with the wireless authentication patch supports only three EAP types: PEAP, MD5-Challenge, and Smart Card or Certificate. MD5-Challenge is far too weak, and smart cards are not widely deployed, so PEAP is the proper, and probably the only, choice for Windows.

Under Linux there are a few tricks in the Xsupplicant configuration. See the sample PEAP-example.conf below:


# This is an example configuration file for xsupplicant versions after 0.8b.

### GLOBAL SECTION

# network_list: defines all of the networks in this file which
# should be kept in memory and used. Comma delimited list or "all"
# for keeping all defined configurations in memory. For efficiency,
# keep only the networks you might roam to in memory.
# To avoid errors, make sure your default network is always
# in the network_list. In general, you will want to leave this set to
# "all".

network_list = all
#network_list = default, test1, test2

# default_netname: some users may actually have a network named "default".
# since "default" is a keyword in the network section below, you can
# change which is to be used as the replacement for this keyword

default_netname = default
#default_netname = my_defaults

# When running in daemon, or non-foreground mode, you may want to have the
# output of the program. So, define a log file here. Each time XSupplicant
# is started, this file will be replaced. So, there is no need to roll the
# log file.
logfile = /var/log/xsupplicant.log

# The auth_period, held_period, and max_starts modify the timers in the state
# machine. (Please reference the 802.1x spec for info on how they are used.)
# For most people, there is no reason to define these values, as the defaults
# should work.

#auth_period = 30
#held_period = 30
#max_starts = 3

### NETWORK SECTION
# The general format of the network section is a network name followed
# by a group of variables.

# Network names may contain the following characters: a-z, A-Z, 0-9, '-',
# '_', '\', '/'
# Those interested in having an SSID with ANY character in it can use
# the ssid tag within the network clause. Otherwise, your ssid will
# be the name of the network.

## The default network is not a network itself. These values are
## the default used for any network parameters not overridden
## in another section. If it's not in your network configuration
## and not in your default, it won't work!!

default
{
    # type: the type of this network, wired or wireless. If this value is not
    # set, xsupplicant will attempt to determine if the interface is wired or
    # wireless. In general, you should only need to define this when
    # xsupplicant incorrectly identifies your network interface.
    type = wired  # For your Ethernet card.

    # wireless_control: If this profile is forced to wired, this will not do
    # anything. However, if the interface is forced, or detected to be wireless,
    # XSupplicant will take control of re/setting WEP keys when the machine
    # first starts, and when it jumps to a different AP. In general, you won't
    # need to define, or set this value.
    # wireless_control = yes

    # allow_types: describes which EAP types this network will allow. The
    # first type listed will be requested if the server tries to use something
    # not in this list.
    # allow_types = eap_tls, eap_md5, eap_gtc, eap-otp
    allow_types = all

    # identity: what to respond with when presented with an EAP Id Request.
    # Typically, this is the username for this network. If this is a string
    # that does not contain any spaces, or unusual characters, it can be listed
    # plain. Otherwise, it should be enclosed in quotes.
    identity = "DOMAIN\USERID"  # For a Windows based 802.1X RADIUS server, use DOMAIN\USER

    # Force xsupplicant to send its packets to this destination MAC address.
    # In most cases, this isn't needed, and shouldn't be defined.
    #dest_mac = 00:aA:bB:cC:dD:eE

    eap-peap {
        inner_id = USERID  # The inner identity is the bare user ID, without the domain prefix
        # As in tls, define either a root certificate or a directory
        # containing root certificates. If the path contains spaces, or unusual
        # characters, enclose it in quotes.

        # The trusted root cert can be exported from Windows in DER format
        # and converted to PEM format with openssl under Linux:
        # openssl x509 -inform DER -in <exported>.cer -outform PEM -out root.crt
        root_cert = /path/to/root/certificate
        root_dir = "/path /to /root /certificate /dir"
        crl_dir = /path/to/dir/with/crl
        chunk_size = 1398
        random_file = /dev/random  # /dev/random will work in most cases.

        # If you don't know the CN of your RADIUS server's certificate,
        # you can set cnexact = no. The RADIUS server name can be seen in
        # the output of "xsupplicant -d A" mode.
        cncheck = myradius.radius.com
        cnexact = yes  # Should it be an exact match?
        session_resume = yes

        # Currently 'all' is just mschapv2.
        # If no allow_types is defined, all is assumed.
        allow_types = all  # where all = MSCHAPv2, MD5, OTP, GTC, SIM
        #allow_types = eap_mschapv2

        eap-mschapv2 {
            # ntpwdhash was generated with the "xsup_ntpwdhash" command
            ntpwdhash = E653E6452753C97E46792567DFF599B6
            # Don't put your password here, use the ntpwdhash instead.
            #password = "phase2 mschapv2 pass"
        }
    }
}

# TIP:
#
# 1. Use foreground mode to debug your configuration; it shows you everything:
# /usr/sbin/xsupplicant -i eth0 -d A -f
#
# 2. Remove all the unnecessary entries from the configuration.
