wpa howto.htm

HOWTO document for FreeRADIUS as the authentication server for 802.1X authentication
</p><p>My client is a Hewlett-Packard Pavilion zx5000-series notebook running Windows XP SP1 with a Broadcom 54g MaxPerformance 802.11g wireless Ethernet adapter. In contrast, this one has a 2.8&nbsp;GHz Pentium 4 CPU with 512&nbsp;MB RAM, and is barely out of the box.</p>
<a name="Wireless_Access_Point"></a><h4>Wireless Access Point</h4>
<p>I use a <a href="http://www.usrobotics.com/" class="external text" title="http://www.usrobotics.com/" rel="nofollow">U.S. Robotics</a> SureConnect 9106 ADSL Wireless Gateway as an AP. It turns out that this is actually three separate devices rolled into one: first, the DSL modem; second, an Ethernet switch; and finally a computer in its own right, running BusyBox Linux 0.60.4 (2.4 series kernel) complete with tools such as iptables for firewalling. This computer has two physical network interfaces, <tt>eth0</tt>, hard-wired onto the switch, and <tt>wl0</tt>, the wireless interface. A bridge device <tt>br0</tt> sits across these two, so wireless clients appear on the same segment as the switch ports.</p>
<a name="Network_Topology"></a><h4>Network Topology</h4>
<p>My RADIUS authentication server also acts as the local DNS server and DHCP server. It has two Ethernet cards: <tt>eth0</tt> is connected to the wired network, and <tt>eth1</tt> goes into the back of the AP, each on a different Class C subnet. The machine has a number of iptables rules that control traffic between these two subnets, so anything coming from the wireless side is routed, and filtered, by the RADIUS host.</p>
<a name="HOWTO_Do_It:_An_Outline"></a><h2>HOWTO Do It: An Outline</h2>
<p>OK, here's what we'll do to get our WPA authentication working:</p>
<ol>
<li> <b>Make certificates.</b>&nbsp;&nbsp;&nbsp;Certificates are a digital means of establishing the identity of a machine or individual and providing keys for encryption. We'll need certificates for the client(s) and for the RADIUS server. These certificates also need to be signed by a root certification authority (CA), and we'll make one of those as well.</li>
<li> <b>Configure FreeRADIUS.</b>&nbsp;&nbsp;&nbsp;FreeRADIUS checks the client's certificate and tells the wireless access point whether or not to accept the connection request.</li>
<li> <b>Configure the AP.</b>&nbsp;&nbsp;&nbsp;Many modern APs can be configured as a NAS (network access server) that refers to a RADIUS server for authentication.</li>
<li> <b>Configure the client.</b></li>
</ol>
<a name="Step_1:_Make_Certificates"></a><h2>Step 1: Make Certificates</h2>
<p>Here, we create and install the digital certificates used to authenticate clients on the wireless network.</p>
<blockquote><span class="label">Reminder</span>&nbsp;&nbsp;&nbsp;You will need the OpenSSL script <span class="filename">CA.pl</span> in order to complete this step. It may have been installed when you built OpenSSL, or as part of your distribution. In Fedora Core 1, this means installing the <tt>openssl-perl</tt> package.</blockquote>
<a name="Certificate_Generation_Scripts"></a><h3>Certificate Generation Scripts</h3>
<p>The following shell scripts may be copied and pasted into the named files. Note that in all three you will need to set some of the parameters by hand. <i>These scripts are derived from those in Raymond McKay's HOWTO (see Acknowledgments) with slight modifications.</i></p>
<blockquote><span class="label">Note</span>&nbsp;&nbsp;&nbsp;These scripts are <i>not</i> in a ready-to-run state: you will have to substitute values appropriate to your site for the placeholder assignments (marked <tt>substitute</tt> in the comments). Also, please read the note on shell script variables in <a href="/WPA_HOWTO#Notes_on_the_Shell_Script_Variables" title="WPA HOWTO">&sect;&sect;3.1.2</a>, as some of the paths and program names may not be appropriate to your system. Be aware, too, that all three scripts hand passwords to <tt>openssl</tt> as <tt>pass:</tt> arguments, which other local users can see in the process list while <tt>openssl</tt> runs; run them only on a host where that is acceptable, and keep the <tt>pass</tt> directory they create readable by you alone.</blockquote>
<a name="Script_Listings"></a><h4>Script Listings</h4>
<p>First, the script to generate the root CA certificate.</p>
<div class="listing"><p>Listing 3.1&nbsp;&nbsp;&nbsp;CA.root</p><pre class="listing">#!/bin/sh
# CA.root: create the root CA key and self-signed certificate with CA.pl.
# Usage: ./CA.root [root-password]

OPENSSL=openssl
CAPL=/path/to/CA.pl          # substitute: the path to your CA.pl
KEYGEN=/path/to/keygen       # substitute: your choice of key/password generator
PASSDIR=pass
DERDIR=der
P12DIR=p12
PEMDIR=pem
VALIDFOR=365
PASSWD=$1

umask 077                    # password files, keys and PKCS#12 bundles: owner-only
mkdir -p "$PEMDIR" "$P12DIR" "$DERDIR" "$PASSDIR"

if [ -z "$PASSWD" ]; then
        echo "No root password specified, trying $PASSDIR/root.pass."
        if [ -e "$PASSDIR/root.pass" ]; then
                PASSWD=$(cat "$PASSDIR/root.pass")
        else
                echo "Not found. Generating password, see $PASSDIR/root.pass for contents."
                PASSWD=$($KEYGEN | head -c 32)
                echo "$PASSWD" &gt; "$PASSDIR/root.pass"
        fi
fi

# Start from a fresh CA.pl working directory (demoCA). This deletes any CA
# already there, so run it once per CA, not per certificate.
rm -rf demoCA

# Self-signed root certificate; newreq.pem carries both the private key and
# the certificate, and CA.pl -newca copies it into demoCA.
$OPENSSL req -new -x509 -days "$VALIDFOR" -keyout "$PEMDIR/newreq.pem" -out \
    "$PEMDIR/newreq.pem" -passin "pass:$PASSWD" -passout "pass:$PASSWD"
echo "$PEMDIR/newreq.pem" | $CAPL -newca &gt;/dev/null

# Export the CA certificate in PKCS#12, PEM and DER form.
$OPENSSL pkcs12 -export -in demoCA/cacert.pem -inkey "$PEMDIR/newreq.pem" -out \
    "$P12DIR/root.p12" -cacerts -passin "pass:$PASSWD" -passout "pass:$PASSWD"
$OPENSSL pkcs12 -in "$P12DIR/root.p12" -out "$PEMDIR/root.pem" -passin \
    "pass:$PASSWD" -passout "pass:$PASSWD"
$OPENSSL x509 -inform PEM -outform DER -days "$VALIDFOR" -in "$PEMDIR/root.pem" \
    -out "$DERDIR/root.der" -passin "pass:$PASSWD"
rm -f "$PEMDIR/newreq.pem"
</pre></div>
<p>Next, the script to generate the server certificate.</p>
<div class="listing"><p>Listing 3.2&nbsp;&nbsp;&nbsp;CA.server</p><pre class="listing">#!/bin/sh
# CA.server: issue a server certificate signed by the root CA from CA.root.
# Usage: ./CA.server [server-name] [server-password] [root-password]

OPENSSL=openssl
KEYGEN=/path/to/keygen       # substitute: your choice of key/password generator
PASSDIR=pass
DERDIR=der
P12DIR=p12
PEMDIR=pem
VALIDFOR=365
SNAME=$1
PASSWD=$2
ROOTPASSWD=$3

umask 077
mkdir -p "$PEMDIR" "$P12DIR" "$DERDIR" "$PASSDIR"

if [ -z "$SNAME" ]; then
        echo "WARNING: server name not specified. Using \"server\"."
        SNAME=server
fi
if [ -z "$PASSWD" ]; then
        echo "No password specified, trying $PASSDIR/$SNAME.pass."
        if [ -e "$PASSDIR/$SNAME.pass" ]; then
                PASSWD=$(cat "$PASSDIR/$SNAME.pass")
        else
                echo "Not found. Generating password, see $PASSDIR/$SNAME.pass for contents."
                PASSWD=$($KEYGEN | head -c 32)
                echo "$PASSWD" &gt; "$PASSDIR/$SNAME.pass"
        fi
fi
if [ -z "$ROOTPASSWD" ]; then
        echo "No root password specified, trying $PASSDIR/root.pass."
        if [ -e "$PASSDIR/root.pass" ]; then
                ROOTPASSWD=$(cat "$PASSDIR/root.pass")
        else
                echo "FATAL: No root certification password."
                exit 1
        fi
fi

# Key and request, then sign with the CA in demoCA; the xpserver_ext section
# of the xpextensions file supplies the server-side extensions.
$OPENSSL req -new -keyout "$PEMDIR/newreq.pem" -out "$PEMDIR/newreq.pem" -passin \
    "pass:$PASSWD" -passout "pass:$PASSWD"
$OPENSSL ca -policy policy_anything -out "$PEMDIR/newcert.pem" -key "$ROOTPASSWD" \
    -extensions xpserver_ext -extfile xpextensions -days "$VALIDFOR" -infiles "$PEMDIR/newreq.pem"

# Bundle as PKCS#12, then derive PEM and DER copies. (The original used $1
# for the bundle name, which is empty when the name was defaulted.)
$OPENSSL pkcs12 -export -in "$PEMDIR/newcert.pem" -inkey "$PEMDIR/newreq.pem" -out \
    "$P12DIR/$SNAME.p12" -clcerts -passin "pass:$PASSWD" -passout "pass:$PASSWD"
$OPENSSL pkcs12 -in "$P12DIR/$SNAME.p12" -out "$PEMDIR/$SNAME.pem" -passin \
    "pass:$PASSWD" -passout "pass:$PASSWD"
$OPENSSL x509 -inform PEM -outform DER -in "$PEMDIR/$SNAME.pem" -out "$DERDIR/$SNAME.der"
rm -f "$PEMDIR/newcert.pem" "$PEMDIR/newreq.pem"
</pre></div>
<p>Finally, the client certificate.</p>
<div class="listing"><p>Listing 3.3&nbsp;&nbsp;&nbsp;CA.client</p><pre class="listing">#!/bin/sh
# CA.client: issue a client certificate signed by the root CA from CA.root.
# Usage: ./CA.client [client-name] [client-password] [root-password]

OPENSSL=openssl
KEYGEN=/path/to/keygen       # substitute: your choice of key/password generator
PASSDIR=pass
DERDIR=der
P12DIR=p12
PEMDIR=pem
VALIDFOR=365
CLNAME=$1
PASSWD=$2
ROOTPASSWD=$3

umask 077
mkdir -p "$PEMDIR" "$P12DIR" "$DERDIR" "$PASSDIR"

if [ -z "$CLNAME" ]; then
        echo "WARNING: client name not specified. Using \"client\"."
        CLNAME=client
fi
if [ -z "$PASSWD" ]; then
        echo "No password specified, trying $PASSDIR/$CLNAME.pass."
        if [ -e "$PASSDIR/$CLNAME.pass" ]; then
                PASSWD=$(cat "$PASSDIR/$CLNAME.pass")
        else
                echo "Not found. Generating password, see $PASSDIR/$CLNAME.pass for contents."
                PASSWD=$($KEYGEN | head -c 16)
                echo "$PASSWD" &gt; "$PASSDIR/$CLNAME.pass"
        fi
fi
if [ -z "$ROOTPASSWD" ]; then
        echo "No root password specified, trying $PASSDIR/root.pass."
        if [ -e "$PASSDIR/root.pass" ]; then
                ROOTPASSWD=$(cat "$PASSDIR/root.pass")
        else
                echo "FATAL: No root certification password."
                exit 1
        fi
fi

# Key and request, then sign with the CA in demoCA; the xpclient_ext section
# of the xpextensions file supplies the client-side extensions.
$OPENSSL req -new -keyout "$PEMDIR/newreq.pem" -out "$PEMDIR/newreq.pem" -passin \
    "pass:$PASSWD" -passout "pass:$PASSWD"
$OPENSSL ca -policy policy_anything -out "$PEMDIR/newcert.pem" -passin \
    "pass:$PASSWD" -key "$ROOTPASSWD" -extensions xpclient_ext -days "$VALIDFOR" \
    -extfile xpextensions -infiles "$PEMDIR/newreq.pem"

# This page's copy of the listing ends with the command above; the export
# steps below mirror CA.server with the client name substituted.
$OPENSSL pkcs12 -export -in "$PEMDIR/newcert.pem" -inkey "$PEMDIR/newreq.pem" -out \
    "$P12DIR/$CLNAME.p12" -clcerts -passin "pass:$PASSWD" -passout "pass:$PASSWD"
$OPENSSL pkcs12 -in "$P12DIR/$CLNAME.p12" -out "$PEMDIR/$CLNAME.pem" -passin \
    "pass:$PASSWD" -passout "pass:$PASSWD"
$OPENSSL x509 -inform PEM -outform DER -in "$PEMDIR/$CLNAME.pem" -out "$DERDIR/$CLNAME.der"
rm -f "$PEMDIR/newcert.pem" "$PEMDIR/newreq.pem"
</pre></div>
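<p>As an added example, not part of the HOWTO or of the CA.pl-based scripts above, here is the same three-tier chain (root CA, RADIUS server certificate, client certificate) built with plain <tt>openssl</tt> commands, followed by the checks worth running before the files go anywhere near FreeRADIUS or the client. It assumes only an <tt>openssl</tt> binary on the path. The organisation name, the common names <tt>radius</tt> and <tt>client1</tt>, the file names, the output directory and the <tt>ca_ext</tt> section are placeholders chosen for this example; the two <tt>xp*_ext</tt> sections carry the serverAuth and clientAuth extended-key-usage OIDs that the usual <tt>xpextensions</tt> file defines (that file itself is not reproduced on this page).</p>

```shell
#!/bin/sh
# Added example, not from the original HOWTO: the EAP-TLS certificate chain
# (root CA, RADIUS server certificate, client certificate) built with plain
# openssl commands instead of CA.pl, plus the checks a practitioner should
# run before handing the files to FreeRADIUS and the client. Subject names,
# file names and the output directory are placeholders for this example.
set -eu

DAYS=365   # validity, matching VALIDFOR in the HOWTO scripts

# Extension sections. xpserver_ext / xpclient_ext carry the extended-key-usage
# OIDs (serverAuth, clientAuth) of the usual xpextensions file; ca_ext is an
# addition so the root is an unambiguous CA regardless of the local openssl.cnf.
write_extfile() {
    cat > "$1" <<'EOF'
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

[xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF
}

# Issue one leaf certificate: $1 = dir, $2 = common name, $3 = extension section
issue_leaf() {
    openssl req -new -nodes -newkey rsa:2048 -subj "/O=Example Wireless/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days "$DAYS" -in "$1/$2.csr" \
        -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
        -extfile "$1/xpextensions" -extensions "$3" -out "$1/$2.pem" 2>/dev/null
}

make_chain() {
    dir=$1
    mkdir -p "$dir"
    umask 077                      # keys, bundles and pass files: owner-only
    write_extfile "$dir/xpextensions"

    # 1. Self-signed root CA. Its private key should never leave the RADIUS host.
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/O=Example Wireless/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -days "$DAYS" -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/xpextensions" -extensions ca_ext -out "$dir/root.pem" 2>/dev/null

    # 2. Server certificate for FreeRADIUS; 3. client certificate.
    issue_leaf "$dir" radius  xpserver_ext
    issue_leaf "$dir" client1 xpclient_ext

    # 4. PKCS#12 bundle for the client: key + cert + root CA, protected by a
    #    random passphrase kept beside it (the role of the HOWTO's pass/ directory).
    openssl rand -base64 18 > "$dir/client1.pass"
    openssl pkcs12 -export -in "$dir/client1.pem" -inkey "$dir/client1.key" \
        -certfile "$dir/root.pem" -name client1 \
        -passout "pass:$(cat "$dir/client1.pass")" -out "$dir/client1.p12"
}

# Checks. verify_purpose validates the chain *for a role*: the server cert must
# pass as sslserver and fail as sslclient, the client cert the other way round.
# That is exactly the distinction the xpextensions sections encode.
verify_purpose() { openssl verify -purpose "$2" -CAfile "$1/root.pem" "$1/$3.pem" >/dev/null 2>&1; }
has_eku()        { openssl x509 -in "$1" -noout -text | grep -q "$2"; }
p12_ok()         { openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1; }

main() {
    out=${1:-$(mktemp -d)}
    make_chain "$out"
    verify_purpose "$out" sslserver radius
    verify_purpose "$out" sslclient client1
    echo "EAP-TLS demo chain written to $out"
}

# Stand-alone use: sh make-eap-tls-chain.sh [outdir]
command -v openssl >/dev/null 2>&1 && main "$@"
```

<p>The <tt>verify_purpose</tt> calls are the part to keep: plain <tt>openssl verify</tt> only proves the signatures chain to the root, whereas <tt>-purpose sslserver</tt> and <tt>-purpose sslclient</tt> also reject a certificate whose extended key usage does not fit the role it is about to play, which is the property that separates the RADIUS server's certificate from a client's in EAP-TLS.</p>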
