Welcome to Linux Knowledge Base and Tutorial
"The place where you learn linux"
CARE

 Create an AccountHome | Submit News | Your Account  

Tutorial Menu
Linux Tutorial Home
Table of Contents

· Introduction to Operating Systems
· Linux Basics
· Working with the System
· Shells and Utilities
· Editing Files
· Basic Administration
· The Operating System
· The X Windowing System
· The Computer Itself
· Networking
· System Monitoring
· Solving Problems
· Security
· Installing and Upgrading
· Linux and Windows

Glossary
MoreInfo
Man Pages
Linux Topics
Test Your Knowledge

Site Menu
Site Map
FAQ
Copyright Info
Terms of Use
Privacy Info
Disclaimer
WorkBoard
Thanks
Donations
Advertising
Masthead / Impressum
Your Account

Communication
Feedback
Forums
Private Messages
Surveys

Features
HOWTOs
News Archive
Submit News
Topics
User Articles
Web Links

Google
Google


The Web
linux-tutorial.info

Who's Online
There are currently, 216 guest(s) and 0 member(s) that are online.

You are an Anonymous user. You can register for free by clicking here

  

HOWTO Home

Current HOWTO: 8021X-HOWTO


Testbed

6. Testbed

6.1. Testcase

figure testbed: A wireless node request authentication.

Our testbed consists of two nodes and one Access Point (AP). One node functions as the Supplicant (WN), the other as the back-end Authentication Server running RADIUS (AS). The Access Point is the Authenticator. See figure testbed for explanation.

Important

It is crucial that the Access Point be able to reach (ping) the Authentication Server, and vice versa!

6.2. Running some tests

Running some tests

  1. The RADIUS server is started in debug mode. This produces a lot of debug information. The important snippets are below:

    
  # radiusd -X
      Starting - reading configuration files ...
      reread_config:  reading radiusd.conf
      Config:   including file: /usr/local/etc/raddb/proxy.conf
      Config:   including file: /usr/local/etc/raddb/clients.conf
      Config:   including file: /usr/local/etc/raddb/snmp.conf
      Config:   including file: /usr/local/etc/raddb/eap.conf
      Config:   including file: /usr/local/etc/raddb/sql.conf
      ......
      Module: Loaded MS-CHAP 
       mschap: use_mppe = yes
       mschap: require_encryption = no
       mschap: require_strong = no
       mschap: with_ntdomain_hack = no
       mschap: passwd = "(null)"
       mschap: authtype = "MS-CHAP"
       mschap: ntlm_auth = "(null)"
      Module: Instantiated mschap (mschap)
      ......
      Module: Loaded eap 
       eap: default_eap_type = "peap" (1)
       eap: timer_expire = 60
       eap: ignore_unknown_eap_types = no
       eap: cisco_accounting_username_bug = no
      rlm_eap: Loaded and initialized type md5
       tls: rsa_key_exchange = no (2)
       tls: dh_key_exchange = yes
       tls: rsa_key_length = 512
       tls: dh_key_length = 512
       tls: verify_depth = 0
       tls: CA_path = "(null)"
       tls: pem_file_type = yes
       tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
       tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
       tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
       tls: private_key_password = "SecretKeyPass77"
       tls: dh_file = "/usr/local/etc/raddb/certs/dh"
       tls: random_file = "/usr/local/etc/raddb/certs/random"
       tls: fragment_size = 1024
       tls: include_length = yes
       tls: check_crl = no
       tls: check_cert_cn = "(null)"
      rlm_eap: Loaded and initialized type tls
       peap: default_eap_type = "mschapv2" (3)
       peap: copy_request_to_tunnel = no
       peap: use_tunneled_reply = no
       peap: proxy_tunneled_request_as_eap = yes
      rlm_eap: Loaded and initialized type peap
       mschapv2: with_ntdomain_hack = no
      rlm_eap: Loaded and initialized type mschapv2
      Module: Instantiated eap (eap) 
      ......
      Module: Loaded files 
       files: usersfile = "/usr/local/etc/raddb/users" (4)
      ...... 
      Module: Instantiated radutmp (radutmp) 
      Listening on authentication *:1812
      Listening on accounting *:1813
      Ready to process requests. (5)
      
    (1)
    Default EAP type is set to PEAP.
    (2)
    RADIUS's TLS settings are initiated here. The certificate type, location, and password are listet here.
    (3)
    Inside the PEAP tunnel, MS-CHAPv2 is used.
    (4)
    The username/password information is found in the users file.
    (5)
    RADIUS server started successfully. Waiting for incoming requests.

    The radius server is now ready to process requests!

    The most interesting output is included above. If you get any error message instead of the last line, go over the configuration (above) carefully.

  2. Now the Supplicant is ready to get authenticated. Start Xsupplicant in debug mode. Note that we'll see output produced by the two startup scripts: startup.sh and startup2.sh.

    
  # xsupplicant -c /usr/local/etc/1x/1x.conf -i eth0 -d 6
      Starting /etc/1x/startup.sh
      Finished /etc/1x/startup.sh
      Starting /etc/1x/startup2.sh
      Finished /etc/1x/startup2.sh
      
  3. At the same time, the RADIUS server is producing a lot of output. Key snippets are shown below:

    
  ......
      rlm_eap: Request found, released from the list
      rlm_eap: EAP/peap
      rlm_eap: processing type peap
      rlm_eap_peap: Authenticate
      rlm_eap_tls: processing TLS (1)
      eaptls_verify returned 7 
      rlm_eap_tls: Done initial handshake 
      eaptls_process returned 7 
      rlm_eap_peap: EAPTLS_OK (2)
      rlm_eap_peap: Session established.  Decoding tunneled attributes.
      rlm_eap_peap: Received EAP-TLV response.
      rlm_eap_peap: Tunneled data is valid.
      rlm_eap_peap: Success
      rlm_eap: Freeing handler
      modcall[authenticate]: module "eap" returns ok for request 8
    modcall: group authenticate returns ok for request 8
    Login OK: [testuser/<no User-Password attribute>] (from client testnet port 37 cli 0002a56fa08a)
    Sending Access-Accept of id 8 to 192.168.2.1:1032 (3)
    	MS-MPPE-Recv-Key = 0xf21757b96f52ddaefe084c343778d0082c2c8e12ce18ae10a79c550ae61a5206 (4)
    	MS-MPPE-Send-Key = 0x5e1321e06a45f7ac9f78fb9d398cab5556bff6c9d003cdf8161683bfb7e7af18 
    	EAP-Message = 0x030a0004
    	Message-Authenticator = 0x00000000000000000000000000000000
    	User-Name = "testuser"
      
    (1)
    TLS session startup. Doing TLS-handshake.
    (2)
    The TLS session (PEAP-encrypted tunnel) is up.
    (3)
    The Supplicant has been authenticated successfully by the RADIUS server. An "Access-Accept" message is sent.
    (4)
    The MS-MPPE-Recv-Key [RFC2548 section 2.4.3] contains the Pairwise Master Key (PMK) destined to the Authenticator (access point), encrypted with the MPPE Protocol [RFC3078], using the shared secret between the Authenticator and Authentication Server as key. The Supplicant derives the same PMK from MK, as described in Key Management.
  4. The Authenticator (access point) may also show something like this in its log:

    
  00:02:16 (Info): Station 0002a56fa08a Associated
      00:02:17 (Info): Station=0002a56fa08a User="testuser" EAP-Authenticated 
      

That's it! The Supplicant is now authenticated to use the Access Point!


The Linux Tutorial completely respects the rights of authors and artists to decide for themselves if and how their works can be used, independent of any existing licenses. This means if you are the author of any document presented on this site and do no wish it to be displayed as it is on this site or do not wish it to be displayed at all, please contact us and we will do our very best to accommodate you. If we are unable to accommodate you, we will, at your request, remove your document as quickly as possible.

If you are the author of any document presented on this site and would like a share of the advertising revenue, please contact us using the standard Feedback Form.


  




Login
Nickname

Password

Security Code
Security Code
Type Security Code


Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name.

Help if you can!


Amazon Wish List

Did You Know?
You can get all the latest Site and Linux news by checking out our news page.


Friends



Tell a Friend About Us

Bookmark and Share



Web site powered by PHP-Nuke

Is this information useful? At the very least you can help by spreading the word to your favorite newsgroups, mailing lists and forums.
All logos and trademarks in this site are property of their respective owner. The comments are property of their posters. Articles are the property of their respective owners. Unless otherwise stated in the body of the article, article content (C) 1994-2013 by James Mohr. All rights reserved. The stylized page/paper, as well as the terms "The Linux Tutorial", "The Linux Server Tutorial", "The Linux Knowledge Base and Tutorial" and "The place where you learn Linux" are service marks of James Mohr. All rights reserved.
The Linux Knowledge Base and Tutorial may contain links to sites on the Internet, which are owned and operated by third parties. The Linux Tutorial is not responsible for the content of any such third-party site. By viewing/utilizing this web site, you have agreed to our disclaimer, terms of use and privacy policy. Use of automated download software ("harvesters") such as wget, httrack, etc. causes the site to quickly exceed its bandwidth limitation and are therefore expressly prohibited. For more details on this, take a look here

PHP-Nuke Copyright © 2004 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 0.13 Seconds