An 802.1X authentication server built with FreeRADIUS and OpenSSL

The text below was written from the information available at the time of writing and may contain things that no longer match the present situation, so please bear that in mind. Also, the text is the final submitted manuscript before proofreading, so it differs from what was actually printed in UNIXUSER magazine. Typos and omissions are left as they are.

No additions or corrections will be made other than for fatal errors, so please use it with the age of the information in mind.

Table of contents


======================================================================
 Part 3  FreeRADIUSOpenSSL802.1X
======================================================================


 SSIDMAC



http://www.soumu.go.jp/joho_tsusin/security/index.htm



	
		
	LAN

LAN
2004LAN


SSIDLANMAC



SSID
Windows
SSID
SSID()
LANSSID

MAC
SSID
LAN
LANMAC
 

---[ ]------------------------------------------------------------
 image: ethereal.png
 Ethernet Frame MAC
----------------------------------------------------------------------

MAC
MAC
LAN

WEPWEP



 802.1X


802.1X
 


---[ ]------------------------------------------------------------
(http://www.open1x.org/ )


  +--- Authentication --+
  |         Server      |  EAP(Extensible Authentication Protocol)
  |			|-------+
  +---------------------+       |
			     +--+-------------------+
			     |    Authenticator     |
			     |       (AP)	    |
			     |			    |
			     +-----||---------------+
				 / 
	+-------------+		  /
	| Supplicant  +----------/
	|	      |
	| 	      |
        +-------------+
	  PAE(Port Access Entity)
----------------------------------------------------------------------

802.1X3

  - Authentication Server
	RADIUS

  - Authenticator
	(Supplicant) Authentication Server
	
	

  - Supplicant
	
	Authenticator


802.1X
 Authentication Server 

LAN(AP)


802.1XAP
"Uncontrolled Port" Uncontrolled Port EAP
Authentication Server 
 "Controlled Port" 



 


Authentication Server  EAP(Extensible Authentication
Protocol) 



    EAP-MD5

	MD5 Challenge-Response /
	WEP
	)
	

    EAP-TLS

	TLS(Transport Layer Security)
	()

    EAP-PEAP
    EAP-TTLS

	TLSTLS
	PEAPTTLSPEAPEAPTTLS 
	PAPCHAP
	EAP-TLS
	

EAP-TLS


	         	
			


802.1X/
PC-Unix

 FreeRADIUSSupplicant XSupplicant 
EAP-TLS



 FreeRADIUS+XSupplicant802.1X


802.1X

EAP-TLS FreeRADIUS 802.1X





	
		|
		|
	+-------+---------------+
	| LAN-AP		|
	| (Authenticator)	|
	|			|
	+-------+---------------+
		|192.168.11.1
		|                      LAN(192.168.11.0/24)
  ----+---------+---------------+-------------------------------------
      |				|
      |				|192.168.11.50
      |			 +------+-----------------+
      |			 | (FreeRADIUS) |
      |			 | (Authentication Server)|
      |			 |			  |
      |192.168.11.22	 +------------------------+
   +------------------+
   |      |
   | LAN          |
   | 	      |
   | (Supplicant)     |
   +------------------+





	
		OS:		NetBSD 2.0E
		RADIUS:		FreeRADIUS-0.9.3 + OpenSSL-0.9.7d
	LAN-AP
		:	WBR-G54
		:	Ver. 2.06
	
		OS:		Vine Linux 2.6r4 (Kernel 2.4.22-0v12.10)
		LAN:	NEC WL54AG (Atheros)
		Supplicant:	XSupplicant 0.8b





 FreeRADIUS+OpenSSL


FreeRADIUS  EAP-TLS 
 OpenSSL 
PC-UnixOS
OpenSSL FreeRADIUS
OpenSSL 0.9.7OpenSSL
FreeRADIUS


	* openssl-0.9.7d.tar.gz
	* freeradius-0.9.3.tar.gz

(/usr/local/1x)



OpenSSL 0.9.7d 

   http://www.openssl.org/source/ 
   openssl 

		openssl-0.9.7d.tar.gz
		2798433
	MD5		1b49e90fc8a75c3a507c0a624529aca5

  prefix /usr/local/1x 

  % su
  # exec sh			(sh)
  # tar zxpf openssl-0.9.7d.tar.gz
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  # cd openssl-0.9.7d
    ~~~~~~~~~~~~~~~~~
  # less INSTALL
    ~~~~~~~~~~~~
  INSTALL config 
  
    prefix

  # ./config shared --prefix=/usr/local/1x

  LD_RUN_PATH
  make

  # LD_RUN_PATH=/usr/local/1x/lib make all test install


FreeRADIUS 0.9.3 

  http://www.freeradius.org/ 

		freeradius-0.9.3.tar.gz
		1819922
	MD5		36f33d9dd305a2c9f1089c30a9fff0b8

  prefix /usr/local/1x 

  # tar zxpf freeradius-0.9.3.tar.gz
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  # cd freeradius-0.9.3
    ~~~~~~~~~~~~~~~~~~~

   OpenSSL 0.9.7d 
  CFLAGSLDFLAGS configure 
  
  SSL
  

  # CFLAGS=-I/usr/local/1x \
    LDFLAGS='-L/usr/local/1x/lib -R/usr/local/1x/lib' \
    ./configure --prefix=/usr/local/1x

  # make all install

(certificate)

  FreeRADIUS
  http://www.freeradius.org/doc/EAPTLS.pdf
  http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm 
  Web
  
  
   "unixuser" 
  

--[]---------------------------------------------------------------



1. ()
2. 
3. 
4. 
5. 3
6. 4()
7. 6
   

SSL(TLS)

()


-------------------------------------------------------------------------
---[ ]--------------------------------------------------------
[[ CA.root ]]

#!/bin/sh
SSL=/usr/local/1x
export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
export LD_LIBRARY_PATH=${SSL}/lib
# needed if you need to start from scratch otherwise the CA.pl -newca command doesn't copy the new
# private key into the CA directories
rm -rf demoCA
echo "*****************************************************************************"
echo "Creating self-signed private key and certificate"
echo "When prompted override the default value for the Common Name field"
echo "*****************************************************************************"
echo
# Generate a new self-signed certificate.
# After invocation, newreq.pem will contain a private key and certificate
# newreq.pem will be used in the next step
openssl req -new -x509 -keyout newreq.pem -out newreq.pem -passin pass:unixuser -passout pass:unixuser
echo "*****************************************************************************"
echo "Creating a new CA hierarchy (used later by the "ca" command) with the certificate"
echo "and private key created in the last step"
echo "*****************************************************************************"
echo
echo "newreq.pem" | CA.pl -newca >/dev/null
echo "*****************************************************************************"
echo "Creating ROOT CA"
echo "*****************************************************************************"
echo
# Create a PKCS#12 file, using the previously created CA certificate/key
# The certificate in demoCA/cacert.pem is the same as in newreq.pem. Instead of
# using "-in demoCA/cacert.pem" we could have used "-in newreq.pem" and then omitted
# the "-inkey newreq.pem" because newreq.pem contains both the private key and certificate
openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:unixuser -passout pass:unixuser
# parse the PKCS#12 file just created and produce a PEM format certificate and key in root.pem
openssl pkcs12 -in root.p12 -out root.pem -passin pass:unixuser -passout pass:unixuser
# Convert root certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in root.pem -out root.der
#Clean Up
rm -rf newreq.pem
----------------------------------------------------------------------

---[ ]--------------------------------------------------------
[[ CA.svr ]]

#!/bin/sh
SSL=/usr/local/1x
export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
export LD_LIBRARY_PATH=${SSL}/lib
echo "*****************************************************************************"
echo "Creating server private key and certificate"
echo "When prompted enter the server name in the Common Name field."
echo "*****************************************************************************"
echo
# Request a new PKCS#10 certificate.
# First, newreq.pem will be overwritten with the new certificate request
openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:unixuser -passout pass:unixuser
# Sign the certificate request. The policy is defined in the openssl.cnf file.
# The request generated in the previous step is specified with the -infiles option and
# the output is in newcert.pem
# The -extensions option is necessary to add the OID for the extended key for server authentication
openssl ca -policy policy_anything -out newcert.pem -passin pass:unixuser -key unixuser -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem
# Create a PKCS#12 file from the new certificate and its private key found in newreq.pem
# and place in file specified on the command line
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out $1.p12 -clcerts -passin pass:unixuser -passout pass:unixuser
# parse the PKCS#12 file just created and produce a PEM format certificate and key in $1.pem
openssl pkcs12 -in $1.p12 -out $1.pem -passin pass:unixuser -passout pass:unixuser
# Convert certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in $1.pem -out $1.der
# Clean Up (the signed request newcert.pem and the key/request file newreq.pem are no longer needed)
rm -rf newcert.pem newreq.pem
----------------------------------------------------------------------

---[ ]--------------------------------------------------------
[[ CA.clt ]]

#!/bin/sh
SSL=/usr/local/1x
export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
export LD_LIBRARY_PATH=${SSL}/lib
echo "*****************************************************************************"
echo "Creating client private key and certificate"
echo "When prompted enter the client name in the Common Name field. This is the same"
echo " used as the Username in FreeRADIUS"
echo "*****************************************************************************"
echo
# Request a new PKCS#10 certificate.
# First, newreq.pem will be overwritten with the new certificate request
openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:unixuser -passout pass:unixuser
# Sign the certificate request. The policy is defined in the openssl.cnf file.
# The request generated in the previous step is specified with the -infiles option and
# the output is in newcert.pem
# The -extensions option is necessary to add the OID for the extended key for client authentication
openssl ca -policy policy_anything -out newcert.pem -passin pass:unixuser -key unixuser -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem
# Create a PKCS#12 file from the new certificate and its private key found in newreq.pem
# and place in file specified on the command line
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out $1.p12 -clcerts -passin pass:unixuser -passout pass:unixuser
# parse the PKCS#12 file just created and produce a PEM format certificate and key in $1.pem
openssl pkcs12 -in $1.p12 -out $1.pem -passin pass:unixuser -passout pass:unixuser
# Convert certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in $1.pem -out $1.der
# clean up (the signed request newcert.pem and the key/request file newreq.pem are no longer needed)
rm -rf newcert.pem newreq.pem
----------------------------------------------------------------------

  3

  1. (2,3)
  2. 
  3. 

  (1)(2)(3)(1)
  (Common Name)

  1 = "UNIXUSER Authority"
  2 = "Server"
  3 = "Client"

  

  (0) 
  ------------------------
  3
  
  
  /usr/local/1x/ssl/openssl.cnf 
  (1)(3)

---[ ]--------------------------------------------------------
openssl.cnf (unified diff)

--- /usr/local/1x/ssl/openssl.cnf.dist	2004-04-29 18:01:04.000000000 +0900
+++ /usr/local/1x/ssl/openssl.cnf	2004-05-06 00:08:09.000000000 +0900
@@ -122,17 +122,18 @@
 
 [ req_distinguished_name ]
 countryName			= Country Name (2 letter code)
-countryName_default		= AU
+countryName_default		= JP
 countryName_min			= 2
 countryName_max			= 2
 
 stateOrProvinceName		= State or Province Name (full name)
-stateOrProvinceName_default	= Some-State
+stateOrProvinceName_default	= Yamagata
 
 localityName			= Locality Name (eg, city)
+localityName_default		= Sakata
 
 0.organizationName		= Organization Name (eg, company)
-0.organizationName_default	= Internet Widgits Pty Ltd
+0.organizationName_default	= UNIXUSER Readers
 
 # we can do this but it is not needed normally :-)
 #1.organizationName		= Second Organization Name (eg, company)
@@ -146,6 +147,7 @@
 
 emailAddress			= Email Address
 emailAddress_max		= 64
+emailAddress_default		= 
 
 # SET-ex3			= SET extension number 3
 
@@ -153,6 +155,7 @@
 challengePassword		= A challenge password
 challengePassword_min		= 4
 challengePassword_max		= 20
+challengePassword_default	= unixuser
 
 unstructuredName		= An optional company name
----------------------------------------------------------------------

  (1) 
  ------------------------------

  
  /usr/local/1x/etc/certs 
  

  # mkdir /usr/local/1x/etc/certs
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  # cp CA.root CA.svr CA.clt /usr/local/1x/etc/certs
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  # cd /usr/local/1x/etc/certs
    ~~~~~~~~~~~~~~~~~~~~~~~~~~

  
  openssl.conf 
  Common Name (
   "UNIXUSER Authority")

---[ ]----------------------------------------------------------------
# ./CA.root
  ~~~~~~~~~
*****************************************************************************
Creating self-signed private key and certificate
When prompted override the default value for the Common Name field
*****************************************************************************

Generating a 1024 bit RSA private key
................++++++
.......++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Yamagata]:
Locality Name (eg, city) [Sakata]:
Organization Name (eg, company) [UNIXUSER Readers]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:UNIXUSER Authority
                               ~~~~~~~~~~~~~~~~~~
Email Address []:
*****************************************************************************
Creating a new CA hierarchy (used later by the ca command) with the certificate
and private key created in the last step
*****************************************************************************

*****************************************************************************
Creating ROOT CA
*****************************************************************************

MAC verified OK
------------------------------------------------------------------------------



  (2) 
  ----------------------------

   xpextensions 
  
---[ ]--------------------------------------------------------
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
----------------------------------------------------------------------
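The two numeric OIDs in xpextensions are the only difference between a server certificate and a client certificate in this setup, and Windows XP refuses a certificate whose Extended Key Usage does not match its role. The following is an added example, not code from the article or from FreeRADIUS, that reads the Extended Key Usage straight out of DER (the root.der, srvcert.der and clicert.der files the scripts above produce) using only the standard library, so it can be used to check what `openssl ca -extensions` actually wrote. All function names are my own; the sample DER bytes are constructed in the `__main__` block.

```python
# Added example (not from the article): read the Extended Key Usage OIDs that the
# xpextensions file puts into the server and client certificates, straight from DER.
import binascii

EKU_OID = "2.5.29.37"                    # id-ce-extKeyUsage
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",   # xpserver_ext
    "1.3.6.1.5.5.7.3.2": "clientAuth",   # xpclient_ext
}
SEQUENCE, OID, OCTET_STRING, CONSTRUCTED = 0x30, 0x06, 0x04, 0x20


def encode_oid(dotted):
    """DER-encode a dotted OID body (no tag/length): the first two arcs share one
    byte, the rest use base-128 with the high bit set on all but the last byte."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body):
    """Inverse of encode_oid (first arc assumed to be 0, 1 or 2)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def tlv(tag, value):
    """Wrap value in a DER tag/length (short or long form)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def iter_tlvs(data):
    """Yield (tag, value) for consecutive DER elements in data."""
    pos = 0
    while pos < len(data):
        tag, length, pos = data[pos], data[pos + 1], pos + 2
        if length & 0x80:                          # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        yield tag, data[pos:pos + length]
        pos += length


def build_eku_extension(oids):
    """Extension ::= SEQUENCE { extnID, extnValue OCTET STRING } holding
    ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId, as 'openssl ca -extensions' emits it."""
    purposes = tlv(SEQUENCE, b"".join(tlv(OID, encode_oid(o)) for o in oids))
    return tlv(SEQUENCE, tlv(OID, encode_oid(EKU_OID)) + tlv(OCTET_STRING, purposes))


def extended_key_usage(der):
    """Search any DER blob (a whole certificate works) for the EKU extension and
    return its purposes as names, or None when the extension is absent."""
    try:
        for tag, value in iter_tlvs(der):
            if tag == SEQUENCE:
                kids = list(iter_tlvs(value))
                if kids and kids[0][0] == OID and decode_oid(kids[0][1]) == EKU_OID:
                    # last child is extnValue; an optional BOOLEAN 'critical' may precede it
                    inner = next(iter_tlvs(kids[-1][1]))[1]
                    return [EKU_NAMES.get(decode_oid(v), decode_oid(v))
                            for t, v in iter_tlvs(inner) if t == OID]
            if tag & CONSTRUCTED or tag == OCTET_STRING:
                found = extended_key_usage(value)
                if found is not None:
                    return found
    except (IndexError, StopIteration):
        pass   # not DER at this level (e.g. an OCTET STRING holding raw key bytes)
    return None


def eku_from_der_file(path):
    """Convenience wrapper for the root.der / srvcert.der / clicert.der files."""
    with open(path, "rb") as f:
        return extended_key_usage(f.read())


if __name__ == "__main__":
    # Constructed sample: the server extension nested the way a certificate nests it
    # ([3] EXPLICIT Extensions -> SEQUENCE OF Extension).
    ext = build_eku_extension(["1.3.6.1.5.5.7.3.1"])
    cert_like = tlv(SEQUENCE, tlv(0xA3, tlv(SEQUENCE, ext)))
    print(binascii.hexlify(ext).decode())      # 30130603551d25040c300a06082b06010505070301
    print(extended_key_usage(cert_like))       # ['serverAuth']
```

Run `eku_from_der_file("/usr/local/1x/etc/certs/srvcert.der")` after CA.svr and expect `['serverAuth']`; the client file should give `['clientAuth']` and root.der, which gets no `-extensions` option, gives `None`.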

  CA.svr 
  ( srvcert) Common Name 
  ( "Server")

---[ ]----------------------------------------------------------------
# ./CA.svr srvcert
 ~~~~~~~~~~~~~~~~~
*****************************************************************************
Creating server private key and certificate
When prompted enter the server name in the Common Name field.
*****************************************************************************

Generating a 1024 bit RSA private key
....++++++
.................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Yamagata]:
Locality Name (eg, city) [Sakata]:
Organization Name (eg, company) [UNIXUSER Readers]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Server
                               ~~~~~~
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password [unixuser]:
An optional company name []:
Using configuration from /usr/local/1x/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity  
            Not Before: May  6 12:29:13 2004 GMT
            Not After : May  6 12:29:13 2005 GMT
        Subject:  
            countryName               = JP
            stateOrProvinceName       = Yamagata
            localityName              = Sakata
            organizationName          = UNIXUSER Readers
            commonName                = Server
            emailAddress              = 
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until May  6 12:29:13 2005 GMT (365 days)
Sign the certificate? [y/n]:y
                            ~

1 out of 1 certificate requests certified, commit? [y/n]y
                                                        ~
Write out database with 1 new entries
Data Base Updated 
MAC verified OK
------------------------------------------------------------------------------


  (3) 
  ---------------------------------

  CA.clt 
  ( clicert) Common Name 
  ( "Client")


---[ ]----------------------------------------------------------------
# ./CA.clt clicert
  ~~~~~~~~~~~~~~~~
*****************************************************************************
Creating client private key and certificate
When prompted enter the client name in the Common Name field. This is the same
 used as the Username in FreeRADIUS
*****************************************************************************

Generating a 1024 bit RSA private key
...++++++
.....++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Yamagata]:
Locality Name (eg, city) [Sakata]:
Organization Name (eg, company) [UNIXUSER Readers]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Client
                               ~~~~~~
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password [unixuser]:
An optional company name []:
Using configuration from /usr/local/1x/ssl/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity  
            Not Before: May  6 13:55:14 2004 GMT
            Not After : May  6 13:55:14 2005 GMT
        Subject:  
            countryName               = JP
            stateOrProvinceName       = Yamagata
            localityName              = Sakata
            organizationName          = UNIXUSER Readers
            commonName                = Client
            emailAddress              = 
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
Certificate is to be certified until May  6 13:55:14 2005 GMT (365 days)
Sign the certificate? [y/n]:y
                            ~

1 out of 1 certificate requests certified, commit? [y/n]y
                                                        ~
Write out database with 1 new entries
Data Base Updated 
MAC verified OK
------------------------------------------------------------------------------

FreeRADIUS

  FreeRADIUS
  /usr/local/1x/etc/raddb/ EAP-TLS 
   radiusd.conf, clients.conf, users 

  (1)radiusd.conf 
  ----------------------
  600EAPTLS
------------------------------------------------------------------------------
@@ -606,7 +606,7 @@
                #
                #  For now, only one default EAP type may be used at a time.
                #
-               default_eap_type = md5
+               default_eap_type = tls
 
                #  Default expiry time to clean the EAP list, It is
                #  maintained to correlate the EAP-Response for each
------------------------------------------------------------------------------

  640 tls {} 
  
  
  

---[ ]----------------------------------------------------------------
                ## EAP-TLS is highly experimental EAP-Type at the moment.
                #       Please give feedback on the mailing list.
                tls {   
                        private_key_password = unixuser
                        private_key_file = /usr/local/1x/etc/certs/server.pem

                        #  If Private key & Certificate are located in
                        #  the same file, then private_key_file &
                        #  certificate_file must contain the same file
                        #  name.
                        certificate_file = /usr/local/1x/etc/certs/server.pem

                        #  Trusted Root CA list
                        CA_file = /usr/local/1x/etc/certs/root.pem

                        dh_file = /usr/local/1x/etc/DH
                        random_file = /usr/local/1x/etc/random

                        #
                        #  This can never exceed the size of a RADIUS
                        #  packet (4096 bytes), and is preferably half
                        #  that, to accomodate other attributes in
                        #  RADIUS packet.  On most APs the MAX packet
                        #  length is configured between 1500 - 1600
                        #  In these cases, fragment size should be
                        #  1024 or less.
                        #
                                fragment_size = 1024

                                #  include_length is a flag which is
                                #  by default set to yes If set to
                                #  yes, Total Length of the message is
                                #  included in EVERY packet we send.
                                #  If set to no, Total Length of the
                                #  message is included ONLY in the
                                #  First packet of a fragment series.
                                #
                                include_length = yes
                }
------------------------------------------------------------------------------

  
  

  # md5 /var/log/messages > /usr/local/1x/etc/DH
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  # md5 /var/log/maillog > /usr/local/1x/etc/random
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  (2)clients.conf 
  ----------------------
  802.1XIP
  LANIP192.168.11.1
  
---[ ]----------------------------------------------------------------
client 192.168.11.1 {
        secret          = henohenomoheji
        shortname       = AP1
}
------------------------------------------------------------------------------

  secretFreeRADIUS
  LAN-AP802.1X
  
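The `secret` in clients.conf is what stops an arbitrary host from impersonating the access point towards radiusd, or impersonating radiusd towards the access point. The following added example (not code from the article or from FreeRADIUS) shows where that secret enters the packets of RFC 2865 and RFC 2869, which the article cites: the Message-Authenticator attribute on an Access-Request carrying EAP (an HMAC-MD5 keyed by the secret) and the Response Authenticator on the Access-Accept. All function names are mine; the packet contents are constructed, with the secret and the AP address 192.168.11.1 taken from the clients.conf above and the user name from the client certificate's Common Name.

```python
# Added example (not from the article): how the RADIUS shared secret from clients.conf
# protects the AP <-> FreeRADIUS exchange (RFC 2865 Response Authenticator,
# RFC 2869 Message-Authenticator). Packets are constructed for illustration.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80


def attr(kind, value):
    """One RADIUS attribute: Type(1) Length(1, header included) Value."""
    return bytes([kind, len(value) + 2]) + value


def parse_attrs(packet):
    """Return [(type, value, offset_of_value_in_packet)] for the attribute area."""
    out, pos = [], 20
    while pos < len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        out.append((kind, packet[pos + 2:pos + length], pos + 2))
        pos += length
    return out


def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity (RFC 2284): Code=2, Identifier, Length, Type=1, data."""
    data = identity.encode()
    return struct.pack("!BBHB", 2, eap_id, 5 + len(data), 1) + data


def build_access_request(ident, attributes, secret, request_auth=None):
    """Access-Request with a Message-Authenticator: HMAC-MD5 keyed by the shared
    secret over the whole packet, with the attribute's own value zeroed.
    It is mandatory whenever an EAP-Message attribute is carried (RFC 2869)."""
    request_auth = request_auth or os.urandom(16)
    body = b"".join(attr(k, v) for k, v in attributes)
    body += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def verify_access_request(packet, secret):
    """Server side: recompute the HMAC with the secret configured for the
    sending client IP before trusting anything else in the packet."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    for kind, value, off in parse_attrs(packet):
        if kind == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False          # EAP without a Message-Authenticator is rejected


def build_response(code, request, attributes, secret):
    """Access-Accept/Reject. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)  (RFC 2865)."""
    body = b"".join(attr(k, v) for k, v in attributes)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request, secret):
    """AP side: only a party holding the secret and the original Request
    Authenticator can produce an Access-Accept that passes this check."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo(secret=b"henohenomoheji"):
    """Round trip as the AP (192.168.11.1) and radiusd would see it."""
    req = build_access_request(7, [
        (USER_NAME, b"Client"),                       # CN of clicert.pem
        (NAS_IP_ADDRESS, bytes([192, 168, 11, 1])),
        (EAP_MESSAGE, eap_identity_response(1, "Client")),
    ], secret)
    accept = build_response(ACCESS_ACCEPT, req, [], secret)
    return {
        "request_ok": verify_access_request(req, secret),
        "request_wrong_secret": verify_access_request(req, b"wrong"),
        "accept_ok": verify_response(accept, req, secret),
        "accept_forged": verify_response(accept, req, b"wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

The check that matters operationally is the negative one: a host that is not listed in clients.conf, or that guesses the secret wrong, cannot produce a valid Message-Authenticator, and radiusd drops the request before any EAP processing; conversely the AP can detect a forged Access-Accept because the Response Authenticator is bound to both the secret and the Request Authenticator it chose.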

FreeRADIUS

  FreeRADIUS /usr/local/1x/ 
  

  radiusd /etc/services 
  

	radius          1812/tcp
	radius          1812/udp
	radius-acct     1813/tcp                radacct
	radius-acct     1813/udp                radacct

   /etc/services 


  /usr/local/1x/sbin/rc.radiusd 
  

  		/usr/local/1x/sbin/rc.radiusd start
  	/usr/local/1x/sbin/rc.radiusd reload
  		/usr/local/1x/sbin/rc.radiusd restart
  		/usr/local/1x/sbin/rc.radiusd start

  rc.radiusd 

	#
	#  See 'man radiusd' for details on command-line options.
	#
	ARGS=""

  ARGSradiusd 
  

	ARGS='-A -X'

  
   -A -X 
   radiusd 

  % MANPATH=/usr/local/1x/man man 8 radiusd

   radiusd(8) 


 (XSupplicant)


802.1X(Supplicant)Linux
XSupplicant 

http://open1x.sourceforge.net/

 
 0.8b 0.8b
(: 1.0pre2

0.8b )

xsupplicant-0.8b 

	autoconf 2.54 
	libpcap
	libdnet

 xsupplicant-0.8b 

autoconf-2.54

   autoconf 
  
  % autoconf --version
    ~~~~~~~~~~~~~~~~~~
  Autoconf version 2.13

  2.54
  
  FreeRADIUS   /usr/local/1x/ 
  ring.gr.jp:/pub/GNU/autoconf/ 
   autoconf-2.59 

		autoconf-2.59.tar.gz
		1236359
	MD5		d4d45eaa1769d45e59dcb131a4af17a0

  # tar zxpf autoconf-2.59.tar.gz
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  # cd autoconf-2.59
    ~~~~~~~~~~~~~~~~
  # ./configure --prefix=/usr/local/1x && make all install
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   autoconf 
   /usr/local/1x/bin 

  # PATH=/usr/local/1x/bin:"$PATH"
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

libpcap-0.8.3

  http://www.tcpdump.org/ libpcap 0.8.3 
  

		libpcap-0.8.3.tar.gz
		302551
	MD5		56a9d4615d8354fcfe8cff8c8443c77b

  # tar zxpf libpcap-0.8.3.tar.gz
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  # cd libpcap-0.8.3
    ~~~~~~~~~~~~~~~~
  # ./configure --prefix=/usr/local/1x && make all install
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

libdnet-1.7

  http://libdnet.sourceforge.net/  libdnet 1.7 
  

		libdnet-1.7.tar.gz
		160062
	MD5		e0680e7375dd733f50466fcd4ac5e203

  # tar zxpf libdnet-1.7.tar.gz
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
  # cd libdnet-1.7
    ~~~~~~~~~~~~~~
  # ./configure --prefix=/usr/local/1x && make all install
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

xsupplicant-0.8b

  http://prdownloads.sourceforge.net/open1x/xsupplicant-0.8b.tar.gz?download
  xsupplicant-0.8b 

		xsupplicant-0.8b.tar.gz
		345492
	MD5		ac40850192071017d2f04e7f7c180c1d

  
  configure

  # tar zxpf xsupplicant-0.8b.tar.gz
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  # cd xsupplicant
    ~~~~~~~~~~~~~~
  # ./configure --prefix=/usr/local/1x \
		--with-pcap-root=/usr/local/1x \
		--with-dnet-root=/usr/local/1x \
		--with-ossl-root=/usr/local/1x

  &
  radiusd
  LD_RUN_PATH make

  # LD_RUN_PATH=/usr/local/1x/lib make all install
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


xsupplicant 

  (1)

  FreeRADIUSCA
   xsupplicant 
  root.pem  clicert.pem 
  (2) /etc/1x/ 
  

  # ls -l /etc/1x
    ~~~~~~~~~~~~~
  -rw-------    1 root    root        2353 May  6 22:55 clicert.pem
  -rw-------    1 root    root        2669 May  6 22:35 root.pem


  (2)
  xsupplicant-0.8b /etc/1x/1x.conf 
   ./etc/ 
  xsupplicant-0.8b 
  

  # mkdir /etc/1x
    ~~~~~~~~~~~~~
  # cp etc/1x.conf /etc/1x
    ~~~~~~~~~~~~~~~~~~~~~~

  EAP-TLS /etc/1x/1x.conf 
  

---[ ]------------------------------------------------------------
default : type = wireless 
default : pref = tls
default : id = Client
default : key = /etc/1x/clicert.pem
default : root = /etc/1x/root.pem
default : auth = EAP 
default : type = wireless 
--------------------------------------------------------------------------


 LAN-AP


 BUFFALO WBR-G54(Ver2.06)802.1X
802.1X(EAP-TLS)


WBR-G54802.1X

  1. WebAPWeb
  2. LANLAN
     ( )
	  (*) WEP   WEP [ xxxxx ]
						[       ]
						[       ]
						[       ]
        IEEE802.1x/   	[ 192.168.11.50 ]
	EAP(WPA)  	[ 1812 ]
		      Shared Secret	[ henohenomoheji ]

       
---[: ]-----------------------------------------------------------
 image: wbr.png
----------------------------------------------------------------------      


---[: ]-----------------------------------------------------------
WBR-G54, XSupplicant, NEC-WL54AG WEP
ON802.1X
WEP

----------------------------------------------------------------------


 xsupplicant 


radiusdLAN-AP802.1X
xsupplicant Linux LAN ath0 


  # iwconfig ath0 essid SSID
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  # iwconfig ath0 key s:xxxxx			(LAN-AP)
    ~~~~~~~~~~~~~~~~~~~~~~~~~
  # ifconfig ath0 192.168.11.22 netmask 255.255.255.0 up
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  # /usr/local/1x/bin/xsupplicant -i ath0
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Calling do_eapol, with device ath0
  Setup on device ath0 complete
  Done with init.
  Sending EAPOL-Start #1
  Connection Established, authenticating...
  Please Enter Your Password : unixuser
			       ~~~~~~~~ ()

  WEP

EAPOL Key processed: broadcast [1] (13 bytes) 
Successfully set WEP key  [1]
EAPOL Key processed: unicast [4] (13 bytes) 
Successfully set WEP key  [4]
Successfully set the WEP transmit key  [4]

  LAN
   ping 



 Windows XP supplicant 


Windows XP 802.1X supplicant 
Windows XP Home Edition(Service Pack 1)  
Wireless zero Configuration 
LAN

xsupplicant 
Supplicant 



  XPWindows
  DER
  /usr/local/1x/etc/certs/ 
   root.der  clicert.der 
  Windows XPExplorer 
  

  
  ============================

  (1)root.der 
     (I)
  (2)
  (3)(P)
     
     --------------------------
     : image 04-iw-store.png
     --------------------------
  (4)
     --------------------------
     : image 05-iw-store2.png
     --------------------------

  ()
  ===========================================
  (1)clicert.der 
     (I)
  (2)
  (3)
     (U)
     
     -----------------------------
     : image 11-iw-autostore.png
     -----------------------------

Wireless Zero Configuration 

  (1)
  (2)
     Wireless Zero Configuration(802.11)
     
  (3)
     ------------------------------------
     : image xp-wlan-zeroconf.png
     ------------------------------------

802.1X 

  Wireless Zero Configuration LAN
  802.1X
  

  (1)
      LAN
      
  (2)LAN(R)
     
     
     ------------------------------------
     : image xp-wlan-prop.png
     ------------------------------------
  (3)802.1XLAN-APSSID
      (P)
      (A)
  (4)
	(SSID)
     

	(A)	[  ]
			[ WEP ]
	[] (H)

     
     ------------------------------------
     : image xp-wlan-prop-assoc.png
     ------------------------------------

  (5)
     [  ] IEEE 802.1X (E)
     EAP
     
     ------------------------------------
     : image xp-wlan-prop-auth.png
     ------------------------------------

  (6)EAP(R)

	[] (S)
	   [] ()(M)

	[](V)

     
     root.derCA( UNIXUSER Authority)
     ------------------------------------
     : image xp-wlan-prop-key.png
     ------------------------------------


  [OK]



 


802.1XEAP-TLS






 


802.1XFreeRADIUS, XSupplicant 


RFC 2284 PPP Extensible Authentication Protocol (EAP)
RFC 2865 Remote Authentication Dial In User Service (RADIUS)
RFC 2869 RADIUS Extensions

SSL Certificates HOWTO
http://www.linux.or.jp/JF/JFdocs/SSL-Certificates-HOWTO/index.html

HOWTO on EAP/TLS authentication between FreeRADIUS and XSupplicant
http://www.missl.cs.umd.edu/wireless/eaptls/

White Paper 802.1X
http://www.foundrynet.com/solutions/appNotes/PDFs/802.1xWhite_Paper.pdf

802.1x
http://wireless.utk.edu/documentation/papers/802.1x-chris.pdf

 LAN 
http://www.soumu.go.jp/s-news/2004/pdf/040426_3_03.pdf


yuuji@gentei.org
Fingerprint16 = FF F9 FF CC E0 FE 5C F7 19 97 28 24 EC 5D 39 BA