&size(24){&color(darkgreen){''IEEE802.1x''};};
#navi(Linux)
~''CONTENTS''
#contents
----
~''REFERENCES''
-[[Building an 802.1x environment with OpenSSL & FreeRADIUS>http://www.t3.rim.or.jp/~ohyama/TIPS/OpenSSL/]]
//-[[HOWTO on EAP/TLS authentication between FreeRADIUS and XSupplicant >http://www.missl.cs.umd.edu/wireless/eaptls/]]
-[[Open 1x>http://www.open1x.org/]]
-[[FreeRADIUS on FreeBSD>http://www.y-min.or.jp/~nob/FreeBSD/freeradius.html]]
----
**Introduction [#efc65a13]
802.1x is a protocol that authenticates a connection per port: a port stays blocked for everything except EAP traffic until the authentication succeeds. Three roles are involved (in the setup on this page, FreeRADIUS is the authentication server, the access point is the authenticator, and wpa_supplicant / XSupplicant is the supplicant):
-Authentication server
-Authenticator
-Supplicant
***Terms and abbreviations [#z8837672]
:RADIUS|Remote Authentication Dial-In User Service
:EAP|Extensible Authentication Protocol
:PAE|Port Access Entity
:CCMP|Counter with CBC-MAC Protocol
**XSupplicant [#ba7d17d9]
''Debian''
 # apt-get install xsupplicant
Once installed, XSupplicant grabs every interface, so unless you add
 deny_interfaces = eth0
to /etc/xsupplicant/xsupplicant.conf and run
 /etc/init.d/xsupplicant restart
you lose all remote access to the box :-)
Incidentally, WPA Supplicant provides the same functionality, so the work above is ''wasted''.
 # apt-get remove xsupplicant
**Experiments [#f5ea3781]
***WPA EAP-TLS on KS2970 [#m775ae5f]
Planned.
***WPA EAP-TLS on WN-AG/CB2 [#aed568ad]
''/etc/wpa_supplicant.conf''
 network={
 	ssid="tacoma"
 	key_mgmt=WPA-EAP
 	eap=TLS
 	identity="hasebe"
 	ca_cert="/etc/cert/cacert.pem"
 	client_cert="/etc/cert/cert-clt.pem"
 	private_key="/etc/cert/cert-clt.pem"
 	private_key_passwd="whatever"
 	priority=1
 }
Notes on this configuration: client_cert and private_key point at the same PEM file, i.e. the certificate and the (passphrase-protected) private key are bundled in one file, and private_key_passwd is that passphrase (the value above is a placeholder). Keep ca_cert set: without it wpa_supplicant does not verify the RADIUS server's certificate, and the client would happily complete EAP-TLS against a rogue AP / RADIUS server.
***WPA EAP-TLS on WN-AG/CB2 (Windows) [#e340c6c6]
+Sort out the Certificate Authority side (CA certificate, server certificate, client certificate).
+Sort out the configuration files under /usr/local/etc/raddb (there are a ridiculous number of them).
+Sort out the AP configuration (RADIUS server address and shared secret).
+Copy the certificates and so on to the client machine and sort that out.
''radiusd -X''
 rad_recv: Access-Request packet from host 192.168.100.1:1202, id=204, length=142
 	User-Name = "hasebe"
 	NAS-IP-Address = 192.168.123.1
 	NAS-Port = 0
 	Called-Station-Id = "00-A0-B0-46-85-E2"
 	Calling-Station-Id = "00-A0-B0-4C-5B-B8"
 	NAS-Identifier = "tacoma"
 	Framed-MTU = 1380
 	NAS-Port-Type = Wireless-802.11
 	EAP-Message = 0x020500060d00
 	State = 0xa400d73454b06110b20bb42ad551e5d4
 	Message-Authenticator = 0xf25aa2cbda033033b6f726c1486e395f
 Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 17
 modcall[authorize]: module "preprocess" returns ok for request 17
 modcall[authorize]: module "chap" returns noop for request 17
 modcall[authorize]: module "mschap" returns noop for request 17
 rlm_realm: No '@' in User-Name = "hasebe", looking up realm NULL
 rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 17
 rlm_eap: EAP packet type response id 5 length 6
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 17
 users: Matched entry DEFAULT at line 153
 modcall[authorize]: module "files" returns ok for request 17
 modcall: group authorize returns updated for request 17
 rad_check_password: Found Auth-Type EAP
 auth: type "EAP"
 Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 17
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/tls
 rlm_eap: processing type tls
 rlm_eap_tls: Authenticate
 rlm_eap_tls: processing TLS
 rlm_eap_tls: Received EAP-TLS ACK message
 rlm_eap_tls: ack handshake is finished
 eaptls_verify returned 3
 eaptls_process returned 3
 rlm_eap: Freeing handler
 modcall[authenticate]: module "eap" returns ok for request 17
 modcall: group authenticate returns ok for request 17
 Sending Access-Accept of id 204 to 192.168.100.1:1202
 	MS-MPPE-Recv-Key = 0x3002dbe723b42c89fe8794040232857a811157e23e7d4775bd4d6f3a8068243c
 	MS-MPPE-Send-Key = 0x8c3358754b17c94c6e8be4d3c6c46562a353030f304506410030f01c63c883fe
 	EAP-Message = 0x03050004
 	Message-Authenticator = 0x00000000000000000000000000000000
 	User-Name = "hasebe"
 Finished request 17
-WPA-EAP succeeded. Following the links under REFERENCES while configuring gets you there.
-Reading the trace: request 17 is the last round of the EAP-TLS conversation. The client's EAP-Message (0x020500060d00) is an EAP-TLS ACK (Response, id 5, type 13, flags 0, no data) acknowledging the server's Finished, so rlm_eap_tls reports "ack handshake is finished" and the server answers with EAP-Success (0x03050004, same id 5). The MS-MPPE-Recv-Key / MS-MPPE-Send-Key in the Access-Accept carry the key material the AP uses for the WPA 4-way handshake; they are encrypted on the wire with the RADIUS shared secret, so a weak secret or an unprotected path between the AP and radiusd undermines the whole setup. The all-zero Message-Authenticator in the reply is only a debug-output artifact: FreeRADIUS fills in the HMAC when it encodes the packet, after this attribute list is printed.
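As an added example (not code from the page, FreeRADIUS or wpa_supplicant), the following decodes the EAP packets carried in the EAP-Message attributes of a radiusd -X trace and checks that the pair shown above really is an EAP-TLS ACK answered by an EAP-Success with the same identifier. The EAP header layout (RFC 3748) and the EAP-TLS flags byte (RFC 5216) are standard; the two sample values are copied from the trace, and the third (a server-side EAP-TLS Start) is a constructed value, not something on the page.

```python
"""Decode EAP-Message attributes from a radiusd -X trace (added example)."""
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13  # EAP method type for EAP-TLS (RFC 5216)

# EAP-TLS flags byte: L = TLS message length included, M = more fragments, S = start
TLS_FLAG_LENGTH_INCLUDED = 0x80
TLS_FLAG_MORE_FRAGMENTS = 0x40
TLS_FLAG_START = 0x20

# Copied from the radiusd -X output above
REQUEST_EAP = "0x020500060d00"  # EAP-Message in the Access-Request
ACCEPT_EAP = "0x03050004"       # EAP-Message in the Access-Accept
# Constructed for illustration: what the server's EAP-TLS Start would look like
TLS_START_EAP = "0x010100060d20"


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure (no Type field)
    tls_flags: Optional[int]  # None unless eap_type == EAP_TYPE_TLS
    tls_data: bytes

    @property
    def code_name(self) -> str:
        return EAP_CODES.get(self.code, "Unknown(%d)" % self.code)

    def is_tls_ack(self) -> bool:
        # An EAP-TLS ACK is a Response of type 13 with all flags clear and no data
        return (self.code == 2 and self.eap_type == EAP_TYPE_TLS
                and self.tls_flags == 0 and not self.tls_data)

    def summary(self) -> str:
        if self.eap_type is None:
            return "%s id=%d" % (self.code_name, self.identifier)
        if self.eap_type != EAP_TYPE_TLS:
            return "%s id=%d type=%d" % (self.code_name, self.identifier, self.eap_type)
        names = [n for bit, n in ((TLS_FLAG_LENGTH_INCLUDED, "L"),
                                  (TLS_FLAG_MORE_FRAGMENTS, "M"),
                                  (TLS_FLAG_START, "S")) if self.tls_flags & bit]
        text = "%s id=%d EAP-TLS flags=%s data=%dB" % (
            self.code_name, self.identifier, "".join(names) or "-", len(self.tls_data))
        return text + (" (ACK)" if self.is_tls_ack() else "")


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet, rejecting anything whose Length field disagrees with the bytes."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("EAP Length %d does not match %d bytes present" % (length, len(raw)))
    if code not in EAP_CODES:
        raise ValueError("unknown EAP code %d" % code)
    if code in (3, 4):  # Success / Failure carry no Type or data
        if length != 4:
            raise ValueError("Success/Failure must be exactly 4 bytes")
        return EapPacket(code, ident, length, None, None, b"")
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    eap_type = raw[4]
    if eap_type != EAP_TYPE_TLS:
        return EapPacket(code, ident, length, eap_type, None, raw[5:])
    if length < 6:
        raise ValueError("EAP-TLS needs a Flags byte")
    flags = raw[5]
    data_start = 6
    if flags & TLS_FLAG_LENGTH_INCLUDED:  # 4-byte TLS Message Length precedes the data
        if length < 10:
            raise ValueError("L flag set but no TLS Message Length field")
        data_start = 10
    return EapPacket(code, ident, length, eap_type, flags, raw[data_start:])


def parse_eap_hex(attr: str) -> EapPacket:
    """Accept the '0x...' form that radiusd -X prints for EAP-Message."""
    return parse_eap(bytes.fromhex(attr[2:] if attr.startswith("0x") else attr))


def is_well_formed(attr: str) -> bool:
    try:
        parse_eap_hex(attr)
        return True
    except ValueError:
        return False


def check_exchange(request_attr: str, accept_attr: str) -> bool:
    """True when the request is an EAP-TLS ACK answered by EAP-Success with the same id."""
    req, acc = parse_eap_hex(request_attr), parse_eap_hex(accept_attr)
    return req.is_tls_ack() and acc.code == 3 and acc.identifier == req.identifier


if __name__ == "__main__":
    for attr in (REQUEST_EAP, ACCEPT_EAP, TLS_START_EAP):
        print(attr, "->", parse_eap_hex(attr).summary())
    print("exchange consistent:", check_exchange(REQUEST_EAP, ACCEPT_EAP))
```

The identifier check matters in practice: an EAP-Success whose id does not match the outstanding Response is one the supplicant must ignore, and the Length-vs-bytes check is the first thing to look at when a trace shows a mangled EAP-Message.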