wpa howto.htm

802.1x认证的认证服务器freeradius的howto文档

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
<head>
<title>WPA HOWTO - FreeRADIUS Wiki</title>
<meta http-equiv="Content-type" content="text/html; charset=UTF-8" />
<meta name="keywords" content="WPA HOWTO,WPA HOWTO,AP,EAP,HOWTO,RADIUS,WEP,WPA,TKIP,RC4,AES" />
<link rel="shortcut icon" href="/favicon.ico" />
<link rel="search" type="application/opensearchdescription+xml" href="/opensearch_desc.php" title="FreeRADIUS Wiki (English)" />
<link rel='stylesheet' type='text/css' media='print' href='/skins/common/wikiprintable.css' />
<script type= "text/javascript">
			var skin = "cologneblue";
			var stylepath = "/skins";

			var wgArticlePath = "/$1";
			var wgScriptPath = "";
			var wgServer = "http://wiki.freeradius.org";
                        
			var wgCanonicalNamespace = "";
			var wgNamespaceNumber = 0;
			var wgPageName = "WPA_HOWTO";
			var wgTitle = "WPA HOWTO";
			var wgArticleId = 1566;
			var wgIsArticle = true;
                        
			var wgUserName = null;
			var wgUserLanguage = "en";
			var wgContentLanguage = "en";
		</script>
		<script type="text/javascript" src="/skins/common/wikibits.js"></script>
<style type='text/css'>
/*/*/ /*<![CDATA[*/
@import "/skins/common/cologneblue.css?2";
@import "/index.php?title=MediaWiki:Common.css&usemsgcache=yes&action=raw&ctype=text/css&smaxage=18000";
@import "/index.php?title=MediaWiki:Cologneblue.css&usemsgcache=yes&action=raw&ctype=text/css&smaxage=18000";
a.new, #quickbar a.new { color: #CC2200; }
#quickbar { position: absolute; left: 4px; }
#article { margin-left: 148px; margin-right: 4px; }

/*]]>*/ /* */
</style>
</head>

<body bgcolor='#FFFFFF' onload='' class='ns-0 ltr'>

<div id='content'>
<div id='topbar'><table width='100%' border='0' cellspacing='0' cellpadding='8'><tr><td class='top' align='left' valign='middle' nowrap='nowrap'><a href="/Main_Page"><span id='sitetitle'>FreeRADIUS Wiki</span></a></td><td class='top' align='right' valign='bottom' width='100%'><a href="/Main_Page" title="Main Page">Main Page</a> | <a href="/FreeRADIUS_Wiki:About" title="FreeRADIUS Wiki:About">About</a> | <a href="/Help:Contents" title="Help:Contents">Help</a> | <a href="/FreeRADIUS_Wiki:FAQ" title="FreeRADIUS Wiki:FAQ">FAQ</a> | <a href="/Special:Specialpages" title="Special:Specialpages">Special pages</a> | <a href="/index.php?title=Special:Userlogin&amp;returnto=WPA_HOWTO" title="Special:Userlogin">Log in</a></td></tr><tr><td valign='top'><font size='-1'><span id='sitesub'></span></font></td><td align='right'><font size='-1'><span id='langlinks'><br /><a href="/index.php?title=WPA_HOWTO&amp;printable=yes">Printable version</a> | <a href="/FreeRADIUS_Wiki:General_disclaimer" title="FreeRADIUS Wiki:General disclaimer">Disclaimers</a> | <a href="/FreeRADIUS_Wiki:Privacy_policy" title="FreeRADIUS Wiki:Privacy policy">Privacy policy</a></span></font></td></tr></table>

</div>
<div id='article'><h1 class="pagetitle">WPA HOWTO</h1><p class='subtitle'>From FreeRADIUS Wiki</p>

<table id="toc" class="toc" summary="Contents"><tr><td><div id="toctitle"><h2>Contents</h2></div>
<ul>
<li class="toclevel-1"><a href="#Introduction"><span class="tocnumber">1</span> <span class="toctext">Introduction</span></a>
<ul>
<li class="toclevel-2"><a href="#About_this_HOWTO"><span class="tocnumber">1.1</span> <span class="toctext">About this HOWTO</span></a></li>
<li class="toclevel-2"><a href="#Why_Would_I_Want_WPA.3F"><span class="tocnumber">1.2</span> <span class="toctext">Why Would I Want WPA?</span></a>
<ul>
<li class="toclevel-3"><a href="#WPA_Encryption"><span class="tocnumber">1.2.1</span> <span class="toctext">WPA Encryption</span></a></li>
<li class="toclevel-3"><a href="#WPA_Authentication"><span class="tocnumber">1.2.2</span> <span class="toctext">WPA Authentication</span></a></li>
<li class="toclevel-3"><a href="#My_Choice"><span class="tocnumber">1.2.3</span> <span class="toctext">My Choice</span></a></li>
</ul>
</li>
<li class="toclevel-2"><a href="#Assumptions"><span class="tocnumber">1.3</span> <span class="toctext">Assumptions</span></a>
<ul>
<li class="toclevel-3"><a href="#About_You_and_Your_System"><span class="tocnumber">1.3.1</span> <span class="toctext">About You and Your System</span></a></li>
<li class="toclevel-3"><a href="#Hardware"><span class="tocnumber">1.3.2</span> <span class="toctext">Hardware</span></a></li>
<li class="toclevel-3"><a href="#Software"><span class="tocnumber">1.3.3</span> <span class="toctext">Software</span></a></li>
</ul>
</li>
<li class="toclevel-2"><a href="#What_I_Use"><span class="tocnumber">1.4</span> <span class="toctext">What I Use</span></a>
<ul>
<li class="toclevel-3"><a href="#Computers"><span class="tocnumber">1.4.1</span> <span class="toctext">Computers</span></a></li>
<li class="toclevel-3"><a href="#Wireless_Access_Point"><span class="tocnumber">1.4.2</span> <span class="toctext">Wireless Access Point</span></a></li>
<li class="toclevel-3"><a href="#Network_Topology"><span class="tocnumber">1.4.3</span> <span class="toctext">Network Topology</span></a></li>
</ul>
</li>
</ul>
</li>
<li class="toclevel-1"><a href="#HOWTO_Do_It:_An_Outline"><span class="tocnumber">2</span> <span class="toctext">HOWTO Do It: An Outline</span></a></li>
<li class="toclevel-1"><a href="#Step_1:_Make_Certificates"><span class="tocnumber">3</span> <span class="toctext">Step 1: Make Certificates</span></a>
<ul>
<li class="toclevel-2"><a href="#Certificate_Generation_Scripts"><span class="tocnumber">3.1</span> <span class="toctext">Certificate Generation Scripts</span></a>
<ul>
<li class="toclevel-3"><a href="#Script_Listings"><span class="tocnumber">3.1.1</span> <span class="toctext">Script Listings</span></a></li>
<li class="toclevel-3"><a href="#Notes_on_the_Shell_Script_Variables"><span class="tocnumber">3.1.2</span> <span class="toctext">Notes on the Shell Script Variables</span></a></li>
</ul>
</li>
<li class="toclevel-2"><a href="#Invoking_the_Scripts"><span class="tocnumber">3.2</span> <span class="toctext">Invoking the Scripts</span></a></li>
<li class="toclevel-2"><a href="#Installing_the_Certificates"><span class="tocnumber">3.3</span> <span class="toctext">Installing the Certificates</span></a>
<ul>
<li class="toclevel-3"><a href="#On_the_Windows_XP_Client"><span class="tocnumber">3.3.1</span> <span class="toctext">On the Windows XP Client</span></a></li>
<li class="toclevel-3"><a href="#On_the_RADIUS_Server"><span class="tocnumber">3.3.2</span> <span class="toctext">On the RADIUS Server</span></a></li>
</ul>
</li>
</ul>
</li>
<li class="toclevel-1"><a href="#Step_2:_Configure_FreeRADIUS"><span class="tocnumber">4</span> <span class="toctext">Step 2: Configure FreeRADIUS</span></a>
<ul>
<li class="toclevel-2"><a href="#Before_You_Proceed"><span class="tocnumber">4.1</span> <span class="toctext">Before You Proceed</span></a>
<ul>
<li class="toclevel-3"><a href="#Random_Files"><span class="tocnumber">4.1.1</span> <span class="toctext">Random Files</span></a></li>
<li class="toclevel-3"><a href="#Keys_and_Shared_Secrets"><span class="tocnumber">4.1.2</span> <span class="toctext">Keys and Shared Secrets</span></a></li>
</ul>
</li>
<li class="toclevel-2"><a href="#Configuration_Files"><span class="tocnumber">4.2</span> <span class="toctext">Configuration Files</span></a>
<ul>
<li class="toclevel-3"><a href="#FreeRADIUS_Core_Configuration"><span class="tocnumber">4.2.1</span> <span class="toctext">FreeRADIUS Core Configuration</span></a></li>
<li class="toclevel-3"><a href="#The_Access_Point_Database"><span class="tocnumber">4.2.2</span> <span class="toctext">The Access Point Database</span></a></li>
<li class="toclevel-3"><a href="#The_Users.E2.80.99_.28Supplicant.29_Database"><span class="tocnumber">4.2.3</span> <span class="toctext">The Users&rsquo; (Supplicant) Database</span></a></li>
</ul>
</li>
<li class="toclevel-2"><a href="#Starting_radiusd"><span class="tocnumber">4.3</span> <span class="toctext">Starting radiusd</span></a>
<ul>
<li class="toclevel-3"><a href="#Starting_as_a_Service"><span class="tocnumber">4.3.1</span> <span class="toctext">Starting as a Service</span></a></li>
<li class="toclevel-3"><a href="#Directly_with_Debugging_Options"><span class="tocnumber">4.3.2</span> <span class="toctext">Directly with Debugging Options</span></a></li>
</ul>
</li>
</ul>
</li>
<li class="toclevel-1"><a href="#Step_3:_Configure_the_AP"><span class="tocnumber">5</span> <span class="toctext">Step 3: Configure the AP</span></a></li>
<li class="toclevel-1"><a href="#Step_4:_Configure_the_Client"><span class="tocnumber">6</span> <span class="toctext">Step 4: Configure the Client</span></a>
<ul>
<li class="toclevel-2"><a href="#Establishing_the_Connection"><span class="tocnumber">6.1</span> <span class="toctext">Establishing the Connection</span></a></li>
</ul>
</li>
<li class="toclevel-1"><a href="#Troubleshooting"><span class="tocnumber">7</span> <span class="toctext">Troubleshooting</span></a>
<ul>
<li class="toclevel-2"><a href="#radiusd_Won.27t_Start"><span class="tocnumber">7.1</span> <span class="toctext">radiusd Won't Start</span></a></li>
<li class="toclevel-2"><a href="#Can.27t_Authenticate"><span class="tocnumber">7.2</span> <span class="toctext">Can't Authenticate</span></a></li>
</ul>
</li>
<li class="toclevel-1"><a href="#Miscellaneaous"><span class="tocnumber">8</span> <span class="toctext">Miscellaneaous</span></a>
<ul>
<li class="toclevel-2"><a href="#Questions.2C_Answers_and_Cry-For-Helps"><span class="tocnumber">8.1</span> <span class="toctext">Questions, Answers and Cry-For-Helps</span></a>
<ul>
<li class="toclevel-3"><a href="#How_can_I_add_more_APs.3F"><span class="tocnumber">8.1.1</span> <span class="toctext">How can I add more APs?</span></a></li>
<li class="toclevel-3"><a href="#Can_I_use_something_other_than_WPA.3F"><span class="tocnumber">8.1.2</span> <span class="toctext">Can I use something other than WPA?</span></a></li>
<li class="toclevel-3"><a href="#I_can.27t_find_any_mention_of_WPA_in_the_Windows_XP_property_boxes.21"><span class="tocnumber">8.1.3</span> <span class="toctext">I can't find any mention of WPA in the Windows XP property boxes!</span></a></li>
</ul>
</li>
</ul>
</li>
<li class="toclevel-1"><a href="#See_Also"><span class="tocnumber">9</span> <span class="toctext">See Also</span></a></li>
</ul>
</td></tr></table><script type="text/javascript"> if (window.showTocToggle) { var tocShowText = "show"; var tocHideText = "hide"; showTocToggle(); } </script>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=1" title="Edit section: Introduction">edit</a>]</div><a name="Introduction"></a><h2>Introduction</h2>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=2" title="Edit section: About this HOWTO">edit</a>]</div><a name="About_this_HOWTO"></a><h3>About this HOWTO</h3>
<p>This document is intended as a practical document with a view to getting WPA authentication up-and-running as quickly and as easily as possible. We therefore gloss over most of the theory behind 802.1x, WPA, cryptosystems, digital signatures and certificates, etc.
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=3" title="Edit section: Why Would I Want WPA?">edit</a>]</div><a name="Why_Would_I_Want_WPA.3F"></a><h3>Why Would I Want WPA?</h3>
<p>In short &mdash; security. <b>W</b>i-Fi <b>P</b>rotected <b>A</b>ccess implements a sub-set (or instance, if you like) of the IEEE's 802.1x authentication standards for wireless networks, and does so in a method compliant with the (at time of writing) forthcoming 802.11i standard. WPA provides for both <i>authentication</i> (assuring the identity of a client machine, the <i>supplicant</i>) and <i>encryption</i> (ensuring exchanges between the wireless access point and client are secure).
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=4" title="Edit section: WPA Encryption">edit</a>]</div><a name="WPA_Encryption"></a><h4>WPA Encryption</h4>
<p>The encryption provided by <a href="/WPA" title="WPA">WPA</a> is considered to be much more secure than traditional <a href="/WEP" title="WEP">WEP</a>. <a href="/WEP" title="WEP">WEP</a> uses <a href="/index.php?title=RC4&amp;action=edit" class="new" title="RC4">RC4</a> cryptography usually with a <i>fixed</i> key of 64 to 256 bits in length, and because of this an attack on a WEP-secured network can be mounted by collecting packets for analysis and extracting the key from them. Such a crack can take as long as a matter of days on a small, household network, to a few hours on a busy corporate system. WPA, on the other hand, uses the <b>T</b>emporal <b>K</b>ey <b>I</b>ntegrity <b>P</b>rotocol system, <a href="/index.php?title=TKIP&amp;action=edit" class="new" title="TKIP">TKIP</a>. This has a number of fancy features (with names like "per-packet mixing") that I don't understand, but most importantly the keys are changed over time to make an attack difficult. Some "unofficial" extensions to <a href="/WPA" title="WPA">WPA</a> (that I've found on my hardware, and will probably be on others' as well) also allow <a href="/index.php?title=AES&amp;action=edit" class="new" title="AES">AES</a> (alias "Rijndael") encryption, which I believe to the strongest of the lot (although I might be wrong here).
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=5" title="Edit section: WPA Authentication">edit</a>]</div><a name="WPA_Authentication"></a><h4>WPA Authentication</h4>
<p><a href="/WPA" title="WPA">WPA</a> Pre-Shared Key (<a href="/index.php?title=WPA-PSK&amp;action=edit" class="new" title="WPA-PSK">WPA-PSK</a>, or "WPA Personal") is the first kind of WPA, and is trivial to set up (so it's not covered in this document). This uses a password (which can be up to 63 characters in length) to shared between access point and client (a "shared secret") to authenticate, and act as the starting point for the cryptographic process.
</p><p><a href="/WPA" title="WPA">WPA</a> with 802.1x and <a href="/EAP" title="EAP">EAP</a> authentication ("WPA Enterprise") is the second form, and it's what we'll be setting up in this document. The <b>E</b>xtensible <b>A</b>uthentication <b>P</b>rotocol is a provision of 802.1x that allows a variety of means of authenticating clients, and in our case we will be using TLS. This involves issuing potential client machines with <i>digital certificates</i> which have been <i>signed</i> by some authority in such a way that they cannot (for all practical purposes) be forged by an attacker. The access point achieves this by requesting the client's certificate and passing it to a <a href="/RADIUS" title="RADIUS">RADIUS</a> server, which then checks the certificate is genuine and whether the named client is allowed access. These certificates are also used as a starting point for the cryptographic process.
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=6" title="Edit section: My Choice">edit</a>]</div><a name="My_Choice"></a><h4>My Choice</h4>
<p>Personally, I chose WPA because I realised I had all the necessary hardware and software to hand &mdash; i.e. I did it because I could. I'm currently under the impression that WPA with RADIUS is the most secure way to tie down a wireless LAN. It's also more convenient for me as I don't have to cook up and distribute new WPA-PSK keys every so often; I can also allow friends to use my network with a centrally-managed database and time-limited certificates, and thereby avoid having to divulge network secrets.
</p><p>OK, so I'm a geek and I did it because I could.
</p><p>For more information on WPA, visit the Wi-Fi Alliance's WPA official home-page at <a href="http://wi-fi.org" class="external text" title="http://wi-fi.org" rel="nofollow">wi-fi.org</a>, in particular their "WPA Overview" (from which much of this section was researched).
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=7" title="Edit section: Assumptions">edit</a>]</div><a name="Assumptions"></a><h3>Assumptions</h3>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=8" title="Edit section: About You and Your System">edit</a>]</div><a name="About_You_and_Your_System"></a><h4>About You and Your System</h4>
<p>I am assuming a basic level of competence/experience with UNIX/Linux system administration (i.e., no less basic than my own despotic experience as a home sysadmin), so all the usual <tt>cp</tt>, <tt>mv</tt> business, basic TCP/IP, networking, etc. I also assume that you, like I, might not know much about FreeRADIUS or the full extent of its capabilities except that it can be used to control access to wireless networks, and wish to use it exclusively for this purpose.
</p><p><br />
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=9" title="Edit section: Hardware">edit</a>]</div><a name="Hardware"></a><h4>Hardware</h4>
<ul><li> Something running Linux. For an ideas on specifications, see <a href="/WPA_HOWTO#Computers" title="WPA HOWTO">&sect;&sect;1.4.1</a>
</li><li> A Wireless Access Point (<a href="/AP" title="AP">AP</a>) capable <a href="/WPA" title="WPA">WPA</a> (or 802.1x) authentication with <a href="/RADIUS" title="RADIUS">RADIUS</a>
</li><li> A Wireless Network Adapter connected to the Windows XP machine (at present, I have no experience with Linux clients and so cannot document this) with <a href="/WPA" title="WPA">WPA</a> ("Wi-Fi") capability.
</li></ul>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=10" title="Edit section: Software">edit</a>]</div><a name="Software"></a><h4>Software</h4>
<p>I assume that you have built and/or installed:
</p>
<ul><li> Windows XP SP1 with Hotfix Q815485 installed (for WPA management). Service Pack 2 has since been installed, and makes no difference to the procedures outlined herein;
</li><li> All the relevant drivers and firmware updates for WPA support on your wireless network adapter;
</li><li> OpenSSL 0.9.7a; and
</li><li> FreeRADIUS 0.9.1
</li></ul>
<p>or better. For help building and installation, see either the documentation that came with the package (&quot;Oh, really?!&quot;) or see Raymond McKay's HOWTO on this topic.
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=11" title="Edit section: What I Use">edit</a>]</div><a name="What_I_Use"></a><h3>What I Use</h3>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=12" title="Edit section: Computers">edit</a>]</div><a name="Computers"></a><h4>Computers</h4>
<p>The machine on which the RADIUS server resides started out as a stock Fedora Core 1 install. The software on it that as listed above, obtained as RPMs from the FC1 CDs, Fedora Updates, etc. You won't need a monster to run FreeRADIUS: my machine dates from 1998 and uses an 233&nbsp;MHz AMD K6 CPU with 64&nbsp;Mb EDO RAM and a 3.2&nbsp;Gb HDD. It's no speed demon, but it manages to provide RADIUS, Samba, DNS, DHCP, IP routing/firewalling and printing services to a small bevy (of order 10) clients; you may need to scale specification in accordance with load.