eap-md5 howto.htm

802.1x认证的认证服务器freeradius的howto文档

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
<head>
<title>EAP/MD5 HOWTO - FreeRADIUS Wiki</title>
<meta http-equiv="Content-type" content="text/html; charset=UTF-8" />
<meta name="keywords" content="EAP/MD5 HOWTO,AAA,AP,FreeRADIUS,NAS,RADIUS,AS" />
<link rel="shortcut icon" href="/favicon.ico" />
<link rel="search" type="application/opensearchdescription+xml" href="/opensearch_desc.php" title="FreeRADIUS Wiki (English)" />
<link rel='stylesheet' type='text/css' media='print' href='/skins/common/wikiprintable.css' />
<script type= "text/javascript">
			var skin = "cologneblue";
			var stylepath = "/skins";

			var wgArticlePath = "/$1";
			var wgScriptPath = "";
			var wgServer = "http://wiki.freeradius.org";
                        
			var wgCanonicalNamespace = "";
			var wgNamespaceNumber = 0;
			var wgPageName = "EAP/MD5_HOWTO";
			var wgTitle = "EAP/MD5 HOWTO";
			var wgArticleId = 1564;
			var wgIsArticle = true;
                        
			var wgUserName = null;
			var wgUserLanguage = "en";
			var wgContentLanguage = "en";
		</script>
		<script type="text/javascript" src="/skins/common/wikibits.js"></script>
<style type='text/css'>
/*/*/ /*<![CDATA[*/
@import "/skins/common/cologneblue.css?2";
@import "/index.php?title=MediaWiki:Common.css&usemsgcache=yes&action=raw&ctype=text/css&smaxage=18000";
@import "/index.php?title=MediaWiki:Cologneblue.css&usemsgcache=yes&action=raw&ctype=text/css&smaxage=18000";
a.new, #quickbar a.new { color: #CC2200; }
#quickbar { position: absolute; left: 4px; }
#article { margin-left: 148px; margin-right: 4px; }

/*]]>*/ /* */
</style>
</head>

<body bgcolor='#FFFFFF' onload='' class='ns-0 ltr'>

<div id='content'>
<div id='topbar'><table width='100%' border='0' cellspacing='0' cellpadding='8'><tr><td class='top' align='left' valign='middle' nowrap='nowrap'><a href="/Main_Page"><span id='sitetitle'>FreeRADIUS Wiki</span></a></td><td class='top' align='right' valign='bottom' width='100%'><a href="/Main_Page" title="Main Page">Main Page</a> | <a href="/FreeRADIUS_Wiki:About" title="FreeRADIUS Wiki:About">About</a> | <a href="/Help:Contents" title="Help:Contents">Help</a> | <a href="/FreeRADIUS_Wiki:FAQ" title="FreeRADIUS Wiki:FAQ">FAQ</a> | <a href="/Special:Specialpages" title="Special:Specialpages">Special pages</a> | <a href="/index.php?title=Special:Userlogin&amp;returnto=EAP/MD5_HOWTO" title="Special:Userlogin">Log in</a></td></tr><tr><td valign='top'><font size='-1'><span id='sitesub'></span></font></td><td align='right'><font size='-1'><span id='langlinks'><br /><a href="/index.php?title=EAP/MD5_HOWTO&amp;printable=yes">Printable version</a> | <a href="/FreeRADIUS_Wiki:General_disclaimer" title="FreeRADIUS Wiki:General disclaimer">Disclaimers</a> | <a href="/FreeRADIUS_Wiki:Privacy_policy" title="FreeRADIUS Wiki:Privacy policy">Privacy policy</a></span></font></td></tr></table>

</div>
<div id='article'><h1 class="pagetitle">EAP/MD5 HOWTO</h1><p class='subtitle'>From FreeRADIUS Wiki</p>

<table id="toc" class="toc" summary="Contents"><tr><td><div id="toctitle"><h2>Contents</h2></div>
<ul>
<li class="toclevel-1"><a href="#Very_basic_understanding"><span class="tocnumber">1</span> <span class="toctext">Very basic understanding</span></a></li>
<li class="toclevel-1"><a href="#Server_configuration"><span class="tocnumber">2</span> <span class="toctext">Server configuration</span></a>
<ul>
<li class="toclevel-2"><a href="#User_configuration_.28users.29"><span class="tocnumber">2.1</span> <span class="toctext">User configuration (users)</span></a>
<ul>
<li class="toclevel-3"><a href="#Sections_.28radiusd.conf.29"><span class="tocnumber">2.1.1</span> <span class="toctext">Sections (radiusd.conf)</span></a></li>
</ul>
</li>
</ul>
</li>
<li class="toclevel-1"><a href="#Client_configuration"><span class="tocnumber">3</span> <span class="toctext">Client configuration</span></a>
<ul>
<li class="toclevel-2"><a href="#Windows_XP_as_supplicant"><span class="tocnumber">3.1</span> <span class="toctext">Windows XP as supplicant</span></a></li>
</ul>
</li>
<li class="toclevel-1"><a href="#User_configuration"><span class="tocnumber">4</span> <span class="toctext">User configuration</span></a>
<ul>
<li class="toclevel-2"><a href="#Windows_XP_.28before_SP1.29"><span class="tocnumber">4.1</span> <span class="toctext">Windows XP (before SP1)</span></a></li>
</ul>
</li>
<li class="toclevel-1"><a href="#Troubleshooting"><span class="tocnumber">5</span> <span class="toctext">Troubleshooting</span></a></li>
<li class="toclevel-1"><a href="#Exchange_and_log_examples"><span class="tocnumber">6</span> <span class="toctext">Exchange and log examples</span></a></li>
</ul>
</td></tr></table><script type="text/javascript"> if (window.showTocToggle) { var tocShowText = "show"; var tocHideText = "hide"; showTocToggle(); } </script>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=EAP/MD5_HOWTO&amp;action=edit&amp;section=1" title="Edit section: Very basic understanding">edit</a>]</div><a name="Very_basic_understanding"></a><h2>Very basic understanding</h2>
<p>EAP/MD5 and other types of EAP authentication are part of &quot;Port based network access control&quot;, as defined in the IEEE 802.1X standard. All you have to know at this time are the three main actors:
</p>
<dl><dt>Authentication Server (called <a href="/index.php?title=AS&amp;action=edit" class="new" title="AS">AS</a> or server in this document)
</dt><dd><a href="/AAA" title="AAA">AAA</a> server (<a href="/RADIUS" title="RADIUS">RADIUS</a>) which will verify user credentials and give commands to accept or reject the user login request.
</dd></dl>
<dl><dt>authenticator (called client or access point - <a href="/AP" title="AP">AP</a> - in this document)</dt><dd>
</dd><dd>the network access device (<a href="/NAS" title="NAS">NAS</a>), which will take the EAP-frames out of the traffic on one side and translate them into RADIUS-attributes on the other and vice versa, thus acting as pass-through device.
</dd></dl>
<dl><dt>supplicant (user)
</dt><dd>the one to be authenticated, i.e. your Windows/Linux whatever machine using the WLAN
</dd></dl>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=EAP/MD5_HOWTO&amp;action=edit&amp;section=2" title="Edit section: Server configuration">edit</a>]</div><a name="Server_configuration"></a><h2>Server configuration</h2>
<p><b>Assumptions:</b>
</p>
<ul><li> You have a server that starts without any errors when doing <i><b>radiusd -s -X</b></i>
</li></ul>
<ul><li> You have at least one properly configured client (i.e. Access Point, <a href="/AP" title="AP">AP</a>)
</li></ul>
<ul><li> You have at least one configured user and your <b>radtest </b><i>user password</i><b> 10 </b><i>secret''</i><b> works from a test host (e.g. <i>localhost</i>), i.e. you receive an Accept message from your server</b>
</li></ul>
<p>Please take a look at the provided configuration files in order to accomplish
the setup so far. Its really not difficult to have the system configured
this way by just correcting the supplied configuration files. The files
concerned here are typically in the <i>/etc/raddb/</i> directory of your <a href="/FreeRADIUS" title="FreeRADIUS">FreeRADIUS</a> server:
</p>
<ul><li> users
</li><li> clients.conf
</li><li> radiusd.conf
</li></ul>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=EAP/MD5_HOWTO&amp;action=edit&amp;section=3" title="Edit section: User configuration (users)">edit</a>]</div><a name="User_configuration_.28users.29"></a><h3>User configuration (users)</h3>
<p>Alter the existent user or add another one which will be used for test
purposes. The simplest possible configuration is given in the example.
More complicated configurations are out of the scope of this document.
</p><p>Example:
</p><p>bob   Cleartext-Password&nbsp;:= "Hello"
</p><p><br />
Note the <b>":="</b> operator. <b>"="</b> instead will not work.
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=EAP/MD5_HOWTO&amp;action=edit&amp;section=4" title="Edit section: Sections (radiusd.conf)">edit</a>]</div><a name="Sections_.28radiusd.conf.29"></a><h4>Sections (<i>radiusd.conf</i>)</h4>
<p>The interesting part here are <i>authorize</i> AND <i>authenticate</i> sections. (At the very bottom of the file.) Ignore all the following as those will deal with the accounting.
</p>
<pre>authorize {
   preprocess
   files
   eap
}
</pre>
<p>authenticate {
</p>
<pre>   eap
</pre>
<p>}
</p><p>Finally, the EAP module itself has to be configured at least this way:
</p>
<pre>eap {
   md5 {
   }
}
</pre>
<p><b>Note</b>: EAP/MD5 will "just work" with default configuration.
</p><p>Thats it for <a href="/FreeRADIUS" title="FreeRADIUS">FreeRADIUS</a>
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=EAP/MD5_HOWTO&amp;action=edit&amp;section=5" title="Edit section: Client configuration">edit</a>]</div><a name="Client_configuration"></a><h2>Client configuration</h2>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=EAP/MD5_HOWTO&amp;action=edit&amp;section=6" title="Edit section: Windows XP as supplicant">edit</a>]</div><a name="Windows_XP_as_supplicant"></a><h3>Windows XP as supplicant</h3>
<p>First of all: please read the documentation of your client. There are a
plenty of different clients on the market, we cant provide any help for
them. Basically, you have to activate &quot;Network port based 802.1X authentication&quot;,
sometimes called  similar. Please see the Technical
Documentation of your AP. Then, of course, you have to find the "Authentication Server" configuration part and supply the data about the used RADIUS server,
</p><p>i.e. its IP-address, UDP-port and the pre-shared secret (the same one
you configured for your access point  client  in the <a href="/FreeRADIUS" title="FreeRADIUS">FreeRADIUS</a> configuration files). Sometimes you can supply a bunch of those servers
and sometimes you can use them for other purposes, too, like e.g. MAC-based
access control. You only have to activate the EAP-Authentication.
</p>