Welcome to Linux Knowledge Base and Tutorial
"The place where you learn linux"
The ONE Campaign to make poverty history

 Create an AccountHome | Submit News | Your Account  

Tutorial Menu
Linux Tutorial Home
Table of Contents

· Introduction to Operating Systems
· Linux Basics
· Working with the System
· Shells and Utilities
· Editing Files
· Basic Administration
· The Operating System
· The X Windowing System
· The Computer Itself
· Networking
· System Monitoring
· Solving Problems
· Security
· Installing and Upgrading
· Linux and Windows

Man Pages
Linux Topics
Test Your Knowledge

Site Menu
Site Map
Copyright Info
Terms of Use
Privacy Info
Masthead / Impressum
Your Account

Private Messages

News Archive
Submit News
User Articles
Web Links


The Web

Who's Online
There are currently, 56 guest(s) and 0 member(s) that are online.

You are an Anonymous user. You can register for free by clicking here



Current HOWTO: 8021X-HOWTO

Supplicant: Setting up Xsupplicant

4. Supplicant: Setting up Xsupplicant

The Supplicant is usually a laptop or other (wireless) device that requires authentication. Xsupplicant does the bidding of being the "Supplicant" part of the IEEE 802.1X-2001 standard.

4.1. Installing Xsupplicant

Installing Xsupplicant

  1. Download the latest source from from http://www.open1x.org/

    # cd /usr/local/src
        # wget http://belnet.dl.sourceforge.net/sourceforge/open1x/xsupplicant-1.0.tar.gz
        # tar zxfv xsupplicant-1.0.tar.gz
        # cd xsupplicant
  2. Configure, make, and install:

    # ./configure
        # make
        # make install
  3. If the configuration file wasn't installed (copied) into the "etc" folder, do it manually:

    # mkdir -p /usr/local/etc/1x
        # cp etc/tls-example.conf /usr/local/etc/1x

If installation fails, check the README and INSTALL files included with the source. You may also check out the official documentation.

4.2. Configuring Xsupplicant

Configuring Xsupplicant

  1. The Supplicant must have access to the root certificate.

    If the Supplicant needs to authenticate against the Authentication Server (authentication both ways), the Supplicant must have certificates as well.

    Create a certificate folder, and move the certificates into it:

    # mkdir -p /usr/local/etc/1x/certs
        # cp root.pem /usr/local/etc/1x/certs/
        # (copy optional client certificate(s) into the same folder)
  2. Open and edit the configuration file:

   # startup_command: the command to run when Xsupplicant is first started.
       #   This command can do things such as configure the card to associate with
       #   the network properly.
       startup_command = <BEGIN_COMMAND>/usr/local/etc/1x/startup.sh<END_COMMAND>

    The startup.sh will be created shortly.

  3. When the client is authenticated, it will transmit a DHCP request or manually set an IP address. Here, the Supplicant sets its IP address manually in startup2.sh:

   # first_auth_command: the command to run when Xsupplicant authenticates to
       #   a wireless network for the first time.  This will usually be used to
       #   start a DHCP client process.
       #first_auth_command = <BEGIN_COMMAND>dhclient %i<END_COMMAND>
       first_auth_command = <BEGIN_COMMAND>/usr/local/etc/1x/startup2.sh<END_COMMAND>
  4. Since "-i" is just for debugging purpose (and may go away according to the developers), "allow_interfaces" must be set:

   allow_interfaces = eth0
       deny_interfaces = eth1
  5. Next, under the "NETWORK SECTION", we'll configure PEAP:

   # We'll be using PEAP
       allow_types = eap_peap
       # Don't want any eavesdropper to learn the username during the
       # first phase (which is unencrypted), so 'identity hiding' is 
       # used (using a bogus username).
       identity = <BEGIN_ID>anonymous<END_ID>
       eap-peap {
          # As in tls, define either a root certificate or a directory
          # containing root certificates.
          root_cert = /usr/local/etc/1x/certs/root.pem
          #root_dir = /path/to/root/certificate/dir
          #crl_dir = /path/to/dir/with/crl
          chunk_size = 1398
          random_file = /dev/urandom
          #cncheck = myradius.radius.com   # Verify that the server certificate
                                           # has this value in its CN field.
          #cnexact = yes                   # Should it be an exact match?
          session_resume = yes
          # Currently 'all' is just mschapv2.
          # If no allow_types is defined, all is assumed.
          #allow_types = all # where all = MSCHAPv2, MD5, OTP, GTC, SIM
          allow_types = eap_mschapv2
          # Right now, you can do any of these methods in PEAP:
          eap-mschapv2 {
            username = <BEGIN_UNAME>testuser<END_UNAME>
            password = <BEGIN_PASS>Secret149<END_PASS>
  6. The Supplicant must first associate with the access point. The script startup.sh does that job. It is also the first command Xsupplicant executes.


    Notice the bogus key we give to iwconfig (enc 000000000)! This key is used to tell the driver to run in encrypted mode. The key gets replaced after successful authentication. This can be set to enc off only if encryption is disabled in the AP (for testing purposes).

    Both startup.sh and startup2.sh must be saved under /usr/local/etc/1x/.

       echo "Starting startup.sh"
       # Take down interface (if it's up)
       /sbin/ifconfig eth0 down
       # To make sure the routes are flushed
       sleep 1
       # Configuring the interface with a bogus key
       /sbin/iwconfig eth0 mode managed essid testnet enc 000000000
       # Bring the interface up and make sure it listens to multicast packets
       /sbin/ifconfig eth0 allmulti up
       echo "Finished startup.sh"
  7. This next file is used to set the IP address statically. This can be omitted if a DHCP server is present (as it typically is, in many access points).

       echo "Starting startup2.sh"
       # Assigning an IP address
       /sbin/ifconfig eth0 netmask
       echo "Finished startup2.sh"

The Linux Tutorial completely respects the rights of authors and artists to decide for themselves if and how their works can be used, independent of any existing licenses. This means if you are the author of any document presented on this site and do no wish it to be displayed as it is on this site or do not wish it to be displayed at all, please contact us and we will do our very best to accommodate you. If we are unable to accommodate you, we will, at your request, remove your document as quickly as possible.

If you are the author of any document presented on this site and would like a share of the advertising revenue, please contact us using the standard Feedback Form.




Security Code
Security Code
Type Security Code

Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name.

Help if you can!

Amazon Wish List

Did You Know?
The Linux Tutorial welcomes your suggestions and ideas.


Tell a Friend About Us

Bookmark and Share

Web site powered by PHP-Nuke

Is this information useful? At the very least you can help by spreading the word to your favorite newsgroups, mailing lists and forums.
All logos and trademarks in this site are property of their respective owner. The comments are property of their posters. Articles are the property of their respective owners. Unless otherwise stated in the body of the article, article content (C) 1994-2013 by James Mohr. All rights reserved. The stylized page/paper, as well as the terms "The Linux Tutorial", "The Linux Server Tutorial", "The Linux Knowledge Base and Tutorial" and "The place where you learn Linux" are service marks of James Mohr. All rights reserved.
The Linux Knowledge Base and Tutorial may contain links to sites on the Internet, which are owned and operated by third parties. The Linux Tutorial is not responsible for the content of any such third-party site. By viewing/utilizing this web site, you have agreed to our disclaimer, terms of use and privacy policy. Use of automated download software ("harvesters") such as wget, httrack, etc. causes the site to quickly exceed its bandwidth limitation and are therefore expressly prohibited. For more details on this, take a look here

PHP-Nuke Copyright © 2004 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 0.14 Seconds