wpa howto.htm

802.1x认证的认证服务器freeradius的howto文档

session {
    radutmp
}

post-auth {
}
</pre>
<p><br />
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=30" title="Edit section: The Access Point Database">edit</a>]</div><a name="The_Access_Point_Database"></a><h4>The Access Point Database</h4>
<p>Here you will need the shared secret mentioned in <a href="/WPA_HOWTO#Keys_and_Shared_Secrets" title="WPA HOWTO">&sect;&sect;4.1.2</a>. Also, try looking in the FreeRADIUS <span class="filename">README</span> file to see if there is a known NAS type for your AP. If it's not listed, try a NAS type of <tt>other</tt>, or keep trying different ones to see which works best (I find the USR 9106 seems to be OK with either <tt>other</tt> or <tt>tc</tt>).
</p><p>Listing 4.2 - /etc/raddb/clients.conf
</p>
<pre>
# clients.conf
# Network access points that authenticate through RADIUS specified here.
#
# IMPORTANT: THIS FILE CONTAINS SECRETS.
# This file should have -rw-r----- root:radiusd permissions.

# The wireless access point
client &quot;(the AP's IP address)&quot; {
    secret = (RADIUS shared secret)
    shortname = (a name for logging, etc.)
    nastype = (your AP's NAS type; if unknown, try &quot;other&quot;)
}
</pre>
<p><br />
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=31" title="Edit section: The Users&amp;rsquo; (Supplicant) Database">edit</a>]</div><a name="The_Users.E2.80.99_.28Supplicant.29_Database"></a><h4>The Users&rsquo; (Supplicant) Database</h4>
<p>In the following, you should have an entry of the form of the first active line for each client machine you wish to permit onto the wireless network. Note the <tt>DEFAULT</tt> entry makes RADIUS automatically drop client machines not listed here &mdash; a handy way to disable unauthorised clients without having to revoke and re-issue all the certificates!
</p><p>Listing 4.3 - /etc/raddb/users
</p>
<pre>
# users
# A list of users and their authentication types.

&quot;client-name&quot; Auth-Type&nbsp;:= EAP

# This is important: it makes RADIUS reject users not found above
DEFAULT Auth-Type&nbsp;:= Reject
        Reply-Message = &quot;(colourful note of rejection)&quot;
</pre>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=32" title="Edit section: Starting radiusd">edit</a>]</div><a name="Starting_radiusd"></a><h3>Starting radiusd</h3>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=33" title="Edit section: Starting as a Service">edit</a>]</div><a name="Starting_as_a_Service"></a><h4>Starting as a Service</h4>
<p>If you are confident in this configuration, you can start the <tt>radiusd</tt> service as normal:
</p><p><br />
</p>
<pre># <b>/sbin/service radiusd start</b>
</pre>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=34" title="Edit section: Directly with Debugging Options">edit</a>]</div><a name="Directly_with_Debugging_Options"></a><h4>Directly with Debugging Options</h4>
<p>If not, or this fails, invoke <tt>radiusd</tt> directly with the debugging options enabled to see what's going on:
</p>
<pre># <b>/usr/sbin/radiusd -X -A</b>
</pre>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=35" title="Edit section: Step 3: Configure the AP">edit</a>]</div><a name="Step_3:_Configure_the_AP"></a><h2>Step 3: Configure the AP</h2>
<p>This is perhaps the easiest step, but because APs vary in their configuration, the one I can talk on the least. However, most APs I've seen claim to have a web-based interface for configuration, and I assume you've accessed yours on a number of occasions when installing the device or bored. Here I'll try and describe things in terms as broad as possible.
</p>
<ul><li> Point your web-browser to the AP's configuration page.
</li><li> Choose the page that deals with &quot;Wireless Security&quot;, &quot;Network Authentication&quot;, or similar.
</li><li> If you are presented a list of authentication methods, select &quot;WPA&quot;.
</li><li> Enter the RADIUS settings:
<ul><li> <b>RADIUS Server IP Address:</b>&nbsp;&nbsp;&nbsp;Self-explanatory: the IP address of your RADIUS server.
</li><li> <b>RADIUS Port:</b>&nbsp;&nbsp;&nbsp;This is normally 1812.
</li><li> <b>RADIUS Key:</b>&nbsp;&nbsp;&nbsp;Enter the shared secret used in this AP's block in the FreeRADIUS clients.conf file.
</li></ul>
</li><li> Choose an encryption method (typically one of WEP, TKIP or AES).
<dl><dd> <i>I chose AES, although unlike TKIP this is not strictly part of the WPA specification. AES is expected to form part of WPA 2. I attribute having mutually compatible hardware strictly to serendipity, and you may not have AES available to you.</i>
</dd></dl>
</li><li> Tell the AP to accept the changes.
</li></ul>
<p>Note that any given AP will be wildly different from this. For instance, some place authentication methods and RADIUS configuration may be in separate pages in your AP's configurator application; there are also things like WPA rekeying intervals (I use 3600 seconds) and perhaps other options in APs I've not had a chance around with which to play.
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=36" title="Edit section: Step 4: Configure the Client">edit</a>]</div><a name="Step_4:_Configure_the_Client"></a><h2>Step 4: Configure the Client</h2>
<p>This section assumes that you have:
</p>
<ul><li> installed and configured your 802.11 wireless hardware
</li><li> configured the wireless interface's TCP/IP settings to your liking (e.g. DHCP, firewalling, etc.)
</li><li> installed Windows XP SP1 and Hotfix Q815485 (available via <a href="http://download.microsoft.com" class="external free" title="http://download.microsoft.com" rel="nofollow">http://download.microsoft.com</a>) for WPA Authentication, plus any of the necessary tools provided by your wireless interface manufacturer.
</li></ul>
<blockquote><span class="label">Note</span>&nbsp;&nbsp;&nbsp;Hotfix Q815485 does <i>not</i> provide WPA support and wireless encryption through TKIP and AES. As far as I understand, this provides the mechanisms for Windows XP to <i>configure and manage</i> such features (as opposed to manufacturer-specific utilities). You'll still need WPA support from your wireless hardware drivers.</blockquote>
<p>As an example of this, I normally use a built-in Broadcom 54g MaxPerformance 802.11g with my notebook. The drivers for this provide WPA support with WEP, TKIP and AES encryption, and this can be configured either with the standard Windows XP property boxes, or through Broadcom's own utility.
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=37" title="Edit section: Establishing the Connection">edit</a>]</div><a name="Establishing_the_Connection"></a><h3>Establishing the Connection</h3>
<p>The configuration of a WPA-authenticated connection can normally be carried out in in two ways. Firstly, many wireless adapter manufacturers provide utilities to manage wireless connections on their hardware. As this method depends on exactly what card one is using, it is not covered here; furthermore, I guess that those who plan on taking this route will probably not need to read this section!
</p><p>The second route is to let Windows XP manage the authentication. This I can describe.
</p>
<ol><li> Plug in and/or activate your wireless hardware.  A &quot;two monitors&quot; icon may appear in the Notification Area for the interface.
</li><li> Right-click on the wireless interface's &quot;two monitors&quot; icon in the Notification Area, and choose <i>View Available Wireless Networks</i>.  At this point, you will be presented with a list of available networks. If you configured your AP with &quot;Disable SSID Broadcast&quot; (or similar), you might not see any networks at all. In either case,
</li><li> Click <i>Advanced...</i> in the box that opens. The wireless interface's properties box will open.
</li><li> Check <i>Use Windows to configure my wireless network settings</i>.
</li><li> In the &quot;Preferred networks&quot; group, choose the network with WPA authentication and click <i>Properties</i>. If its not listed, click <i>Add...</i>.  At this point, the &quot;Wireless network properties&quot; box appears.
</li><li> If it is absent, enter the network's SSID (<i>Association</i> tab).
</li><li> Under the <i>Association</i> tab, in the &quot;Wireless network key&quot; group, set the following:
<ul><li> <b>Network Authentication</b>: <i>WPA</i>
</li><li> <b>Data Encryption</b>: choose one of either <i>AES</i> or <i>TKIP</i> to reflect the settings on your AP.
</li></ul>
</li><li> Under the <i>Authentication</i> tab, set:
<ul><li> Check <i>Authenticate as computer</i>...
</li><li> <b>Un</b>check <i>Authenticate as guest</i>...
</li><li> <b>EAP Type</b>: <i>Smart Card or Other Certificate</i>.
</li></ul>
</li><li> Click <i>Properties</i> (under the <i>Authentication</i> tab).
</li><li> In the &quot;Smart Card or other Certificate Properties&quot; box, set the following:
<ul><li> Choose <i>Use a certificate on this computer</i>
</li><li> Check <i>Use simple certificate selection</i>
</li><li> Check <i>Validate server certificate</i>
</li><li> <b>Un</b>check <i>Connect to these servers:</i>
</li><li> In the list of trusted root CAs, check <i>only the CA that corresponds to the certificate you have generated</i>
</li><li> <b>Un</b>check <i>Use a different user name for the connection</i>
</li></ul>
</li><li> Click <i>OK</i> in all three boxes to set the connection properties.
</li></ol>
<p>If all is well-configured, everything should be working in minutes. (The process could take a minute or longer from cold; I find that activating the connection on my notebook <i>before</i> logging in seems to work the quickest.) To check progress, open up the Network Connections pseudo-folder from Control Panel. The status of the wireless connection should go from &quot;Wireless connection unavailable&quot; to &quot;Attempting authentication&quot; and then &quot;Authentication succeeded&quot; (along with an informative speech bubble from the Notification Area). If you use DHCP, check that the interface has acquired an IP address.
</p><p>That's it!
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=38" title="Edit section: Troubleshooting">edit</a>]</div><a name="Troubleshooting"></a><h2>Troubleshooting</h2>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=39" title="Edit section: radiusd Won't Start">edit</a>]</div><a name="radiusd_Won.27t_Start"></a><h3>radiusd Won't Start</h3>
<p>Start <tt>radiusd</tt> directly with the debugging options, as per <a href="/WPA_HOWTO#Directly_with_Debugging_Options" title="WPA HOWTO">&sect;&sect;4.3.2</a>.
When setting up FreeRADIUS, I found I made the following common errors:
</p>
<ul><li> <b>Unmatched <tt>{</tt> or <tt>}</tt> in the configuration files.</b> - <tt>radiusd</tt> normally reports a message to the effect of &quot;file ended early&quot; in this case.
</li><li> <b>Can't access configuration/key files.</b> - If you're running <tt>radiusd</tt> as non suid-root, make sure that the files' permissions are correct. (<tt>radiusd</tt> will tell you &quot;permission denied&quot; and the filename.)
</li><li> <b>Files not found.</b> Check that all the null files (see <a href="/WPA_HOWTO#Configuration_Files" title="WPA HOWTO">&sect;4.2</a>) exist.
</li></ul>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=40" title="Edit section: Can't Authenticate">edit</a>]</div><a name="Can.27t_Authenticate"></a><h3>Can't Authenticate</h3>
<p>You've done all the steps above, and after about five minutes of waiting, Windows XP has popped up a little bubble (or put a flag in the "Network Connections" pseudo-folder) saying "Cannot log onto the network" (or "Authentication failed"). Maybe, if you're using DHCP, it's even gone ahead with that crazy "Zero Configuration" business.
</p><p>First, try setting up a &quot;dummy account&quot; to test authentication. Add the following group to /etc/raddb/clients.conf:
</p><p>Listing 7.1 - Added to /etc/raddb/users
</p>
<dl><dd> client "127.0.0.1" {
<dl><dd>  secret = test-secret
</dd><dd>  shortname = localhost
</dd></dl>
</dd><dd> }
</dd></dl>
<p>Add the following line to /etc/raddb/users <i>before</i> the <tt>DEFAULT</tt> entry:
</p><p>Listing 7.2 - Added to /etc/raddb/users
</p>
<dl><dd> "test" Auth-Type&nbsp;:= Local, User-Password == "test"
</dd></dl>
<p>Start <tt>radiusd</tt> directly (see <a href="/WPA_HOWTO#Directly_with_Debugging_Options" title="WPA HOWTO">&sect;&sect;4.3.2</a>), and test this configuration using:
</p>
<pre>$ <b>radtest test test localhost 0 test-secret</b>
</pre>
<p>Amongst the reams of RADIUSspeak produced, you should see a message informing you that an <tt>Accept-Accept</tt> message has been returned. If not, go through the configuration files again. Some things that could go wrong include:
</p>
<ul><li> <b>Unmatched passwords/keys</b> - This could be in the EAP/TLS configuration in /etc/raddb/radiusd.conf (when accessing the server's private key), or a mismatch between your /etc/raddb/clients.conf and AP's settings.
</li><li> <b>Typos in IP addresses</b>
</li><li> <b>User names spelt incorrectly</b>
</li></ul>
<p>You should, at this point, feel quite patronised. But if this solves the problem, the test lines of Listings 7.1 and 7.2 above should be removed.
</p><p>Still not working? Take a look at the client. Windows XP clearly wasn't designed with the dollar-prompt-and-dot-conf type in mind &mdash; things break, and you're lucky if you get an error message telling you even vaguely what has gone wrong. Try:
</p>
<ul><li> <b>Rebooting</b> and try activating your wireless hardware <i>before</i> you log in.
<dl><dd> <i>I don't know why this expedites the process on my machine; perhaps it prevents the XP supplicant from attempting to authenticate as the user, and authenticate as the machine instead.</i>
</dd></dl>
</li><li> <b>Checking the logs.</b>  These can be found in the <i>Event Viewer</i>:
<ol><li> Click <i>Start</i>, <i>Run...</i>.
</li><li> Enter <tt><b>eventvwr.msc /s</b></tt>.
</li><li> Click <i>OK</i>.
</li></ol>
<dl><dd> From here on in it's down to your own sysadmin's intuition. The "System" and "Application" logs will be of particular interest. In my experience, the messages given are very earnest, descriptive and long-winded, but more often than not seem to omit everything useful.
</dd></dl>
</li><li> <b>Reinstalling</b> all the software for your wireless adapter.
</li></ul>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=41" title="Edit section: Miscellaneaous">edit</a>]</div><a name="Miscellaneaous"></a><h2>Miscellaneaous</h2>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=42" title="Edit section: Questions, Answers and Cry-For-Helps">edit</a>]</div><a name="Questions.2C_Answers_and_Cry-For-Helps"></a><h3>Questions, Answers and Cry-For-Helps</h3>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=43" title="Edit section: How can I add more APs?">edit</a>]</div><a name="How_can_I_add_more_APs.3F"></a><h4>How can I add more APs?</h4>
<p>Easily. Simply configure the additional APs as described herein, and add corresponding blocks for their IP addresses in the FreeRADIUS <i>clients.conf</i> file. In the interest of security, I advise you use a different shared secret for each.
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=44" title="Edit section: Can I use something other than WPA?">edit</a>]</div><a name="Can_I_use_something_other_than_WPA.3F"></a><h4>Can I use something other than WPA?</h4>
<p>Yes. In the properties box for a given wireless network in Windows XP, you can choose from Open, Shared, WPA and WPA Pre-Shared Key. Provided you choose some from of encryption, you will be able to use 802.1x authentication in conjunction with it. As far as I have played with this, no adjustments need to be made with RADIUS, but you might need to adjust your AP's encryption settings and tell it to use 802.1x.
</p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/index.php?title=WPA_HOWTO&amp;action=edit&amp;section=45" title="Edit section: I can't find any mention of WPA in the Windows XP property boxes!">edit</a>]</div><a name="I_can.27t_find_any_mention_of_WPA_in_the_Windows_XP_property_boxes.21"></a><h4>I can't find any mention of WPA in the Windows XP property boxes!</h4>
<p>Check the following:
</p>
<ul><li> Are you up to date with Windows XP Service Packs, Hotfixes and Patches?
</li><li> Have you tried the utilities that came with your wireless adapter?
</li><li> Are you using the latest drivers and configuration utilities? Perhaps your adapter doesn't support WPA <i>yet</i>.
</li></ul>
<p>I've found that XP doesn't present the WPA options for a network unless it has confirmed that the network requires WPA authentication. So you should also check that
</p>
<ul><li> the wireless interface is activated (i.e., radio on); and
</li><li> you've spelt the SSID correctly (if broadcast is