howto-html-en-20080722-2mdv2010.1.noarch.rpm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>Supplicant: Setting up Xsupplicant</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="802.1X Port-Based Authentication HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Authentication Server: Setting up FreeRADIUS"
HREF="freeradius.html"><LINK
REL="NEXT"
TITLE="Authenticator: Setting up the Authenticator (Access
 Point)"
HREF="authenticator.html"></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>802.1X Port-Based Authentication HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="freeradius.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="authenticator.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="xsupplicant"
></A
>4. Supplicant: Setting up Xsupplicant</H1
><P
>&#13; The Supplicant is usually a laptop or other (wireless) device that
 requires authentication. <SPAN
CLASS="application"
>Xsupplicant</SPAN
>
 implements the <SPAN
CLASS="QUOTE"
>"Supplicant"</SPAN
> role defined in the
 IEEE 802.1X-2001 standard.
 </P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="instxsup"
></A
>4.1. Installing Xsupplicant</H2
><DIV
CLASS="procedure"
><P
><B
>Installing Xsupplicant</B
></P
><OL
TYPE="1"
><LI
><P
>&#13;    Download the latest source from <A
HREF="http://www.open1x.org/"
TARGET="_top"
>http://www.open1x.org/</A
> 
    </P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;    <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>cd </B
>/usr/local/src</B
></TT
>
    <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>wget </B
>http://belnet.dl.sourceforge.net/sourceforge/open1x/xsupplicant-1.0.tar.gz</B
></TT
>
    <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>tar </B
>zxfv xsupplicant-1.0.tar.gz</B
></TT
>
    <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>cd </B
>xsupplicant</B
></TT
>
    </PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13;    Configure, make, and install:
    </P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;    <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>./configure</B
></B
></TT
>
    <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>make</B
></B
></TT
>
    <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>make install</B
></B
></TT
>
    </PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13;    If the configuration file wasn't installed (copied) into the "etc"
    folder, do it manually:
    </P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;    <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>mkdir </B
>-p /usr/local/etc/1x</B
></TT
>
    <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>cp </B
>etc/tls-example.conf /usr/local/etc/1x</B
></TT
>
    </PRE
></FONT
></TD
></TR
></TABLE
></LI
></OL
></DIV
><P
>&#13;  If installation fails, check the <TT
CLASS="filename"
>README</TT
> and
  <TT
CLASS="filename"
>INSTALL</TT
> files included with the source. You may
  also check out the <A
HREF="http://sourceforge.net/docman/display_doc.php?docid=23371&#38;group_id=60236"
TARGET="_top"
>official
  documentation</A
>.
  </P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="confxsup"
></A
>4.2. Configuring Xsupplicant</H2
><DIV
CLASS="procedure"
><P
><B
>Configuring Xsupplicant</B
></P
><OL
TYPE="1"
><LI
><P
>&#13;   The Supplicant must have access to the root certificate (the CA
   certificate used to verify the Authentication Server's certificate).
   </P
><P
>&#13;   If the Authentication Server must also authenticate the Supplicant by
   certificate (mutual certificate authentication), the Supplicant needs
   its own client certificate as well.
   </P
><P
>&#13;   Create a certificate folder, and move the certificates into it: 
   </P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;    <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>mkdir</B
> -p /usr/local/etc/1x/certs</B
></TT
>
    <TT
CLASS="prompt"
># </TT
><TT
CLASS="userinput"
><B
><B
CLASS="command"
>cp</B
> root.pem /usr/local/etc/1x/certs/</B
></TT
>
    <TT
CLASS="prompt"
># </TT
>(copy optional client certificate(s) into the same folder)
   </PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13;   Open and edit the configuration file:
   </P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;   # startup_command: the command to run when Xsupplicant is first started.
   #   This command can do things such as configure the card to associate with
   #   the network properly.
   startup_command = &#60;BEGIN_COMMAND&#62;/usr/local/etc/1x/startup.sh&#60;END_COMMAND&#62;
   </PRE
></FONT
></TD
></TR
></TABLE
><P
>&#13;   The <TT
CLASS="filename"
>startup.sh</TT
> will be created shortly.
   </P
></LI
><LI
><P
>&#13;   Once the client is authenticated it needs an IP address, obtained
   either by sending a DHCP request or by setting one manually. Here, the
   Supplicant sets its IP address manually in <TT
CLASS="filename"
>startup2.sh</TT
>:
   </P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;   # first_auth_command: the command to run when Xsupplicant authenticates to
   #   a wireless network for the first time.  This will usually be used to
   #   start a DHCP client process.
   #first_auth_command = &#60;BEGIN_COMMAND&#62;dhclient %i&#60;END_COMMAND&#62;
   first_auth_command = &#60;BEGIN_COMMAND&#62;/usr/local/etc/1x/startup2.sh&#60;END_COMMAND&#62;
   </PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13;   Since <SPAN
CLASS="QUOTE"
>"-i"</SPAN
> is just for debugging purposes (and may
   be removed in a future version, according to the developers),
   <SPAN
CLASS="QUOTE"
>"allow_interfaces"</SPAN
> must be set:
   </P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;   allow_interfaces = eth0
   deny_interfaces = eth1
   </PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13;   Next, under the <SPAN
CLASS="QUOTE"
>"NETWORK SECTION"</SPAN
>, we'll configure
   PEAP:
   </P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;   # We'll be using PEAP
   allow_types = eap_peap

   # Don't want any eavesdropper to learn the username during the
   # first phase (which is unencrypted), so 'identity hiding' is 
   # used (using a bogus username).
   identity = &#60;BEGIN_ID&#62;anonymous&#60;END_ID&#62;

   eap-peap {
      # As in tls, define either a root certificate or a directory
      # containing root certificates.
      root_cert = /usr/local/etc/1x/certs/root.pem
      #root_dir = /path/to/root/certificate/dir
      #crl_dir = /path/to/dir/with/crl
      chunk_size = 1398
      random_file = /dev/urandom
      #cncheck = myradius.radius.com   # Verify that the server certificate
                                       # has this value in its CN field.
      #cnexact = yes                   # Should it be an exact match?
      session_resume = yes

      # Currently 'all' is just mschapv2.
      # If no allow_types is defined, all is assumed.
      #allow_types = all # where all = MSCHAPv2, MD5, OTP, GTC, SIM
      allow_types = eap_mschapv2

      # Right now, you can do any of these methods in PEAP:
      eap-mschapv2 {
        username = &#60;BEGIN_UNAME&#62;testuser&#60;END_UNAME&#62;
        password = &#60;BEGIN_PASS&#62;Secret149&#60;END_PASS&#62;
      }
   }
   </PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13;   The Supplicant must first associate with the access point. The
   script <TT
CLASS="filename"
>startup.sh</TT
> does that job. It is also
   the first command <SPAN
CLASS="application"
>Xsupplicant</SPAN
> executes.
   </P
><DIV
CLASS="note"
><P
></P
><TABLE
CLASS="note"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/note.gif"
HSPACE="5"
ALT="Note"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>&#13;   Notice the bogus key we give to iwconfig (<EM
>enc
   000000000</EM
>)! This key is used to tell the driver
   to run in encrypted mode. The key gets replaced after successful
   authentication. This can be set to <EM
>enc 
   off</EM
> only if encryption is disabled in the AP (for
   testing purposes).
   </P
></TD
></TR
></TABLE
></DIV
><P
>&#13;   Both <TT
CLASS="filename"
>startup.sh</TT
> and
   <TT
CLASS="filename"
>startup2.sh</TT
> must be saved under
   <TT
CLASS="filename"
>/usr/local/etc/1x/</TT
>.
   </P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;   #!/bin/bash
   echo "Starting startup.sh"
   # Take down interface (if it's up)
   /sbin/ifconfig eth0 down
   # To make sure the routes are flushed
   sleep 1
   # Configuring the interface with a bogus key
   /sbin/iwconfig eth0 mode managed essid testnet enc 000000000
   # Bring the interface up and make sure it listens to multicast packets
   /sbin/ifconfig eth0 allmulti up
   echo "Finished startup.sh"
   </PRE
></FONT
></TD
></TR
></TABLE
></LI
><LI
><P
>&#13;   This next file sets the IP address statically. It can be omitted if
   a DHCP server is present, as is typically the case with many access
   points.
   </P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;   #!/bin/bash
   echo "Starting startup2.sh"
   # Assigning an IP address
   /sbin/ifconfig eth0 192.168.1.5 netmask 255.255.255.0
   echo "Finished startup2.sh"
   </PRE
></FONT
></TD
></TR
></TABLE
></LI
></OL
></DIV
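><P
>The PEAP configuration above contains the settings that decide whether the
   Supplicant actually verifies the RADIUS server (root_cert, and the
   commented-out cncheck), whether the real username is hidden behind the
   cleartext outer identity, and it stores the MSCHAPv2 password in
   cleartext. The following Python script is an added example written for
   this edition, not code from the HOWTO or from the Xsupplicant project: it
   parses the configuration syntax shown above (key = value lines,
   BEGIN_/END_ delimited values, nested blocks) and audits a constructed weak
   sample together with a hardened variant of it. The audit rules, the sample
   configurations and the temporary file handling are this example's own
   assumptions; myradius.radius.com is the placeholder server name from the
   HOWTO's commented line.</P
>

```python
import os
import re
import stat
import tempfile

# Written as escapes so the listing survives inside an HTML page; at run time these
# are the plain angle brackets around xsupplicant's BEGIN_xxx / END_xxx delimiters.
LT, GT = "\x3c", "\x3e"
DELIM = re.compile(LT + r"BEGIN_([A-Z]+)" + GT + r"(.*?)" + LT + r"END_\1" + GT)

def delim(tag, value):
    # Wrap a value in xsupplicant's BEGIN_tag / END_tag delimiters.
    return f"{LT}BEGIN_{tag}{GT}{value}{LT}END_{tag}{GT}"

def parse_xsup_conf(text):
    """Parse 'key = value' lines, delimited values, '#' comments and 'name { }' blocks."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif "=" in line:
            key, _, value = line.partition("=")
            match = DELIM.search(value)
            # Delimited values are kept verbatim (a password may contain '#');
            # other values lose their trailing inline comment.
            value = match.group(2) if match else value.split("#", 1)[0].strip()
            stack[-1][key.strip()] = value
        else:
            raise ValueError("cannot parse line: %r" % raw)
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root

def audit_xsup_conf(path):
    """Findings for a PEAP config file; the rules are this example's own, not xsupplicant's."""
    with open(path) as fh:
        conf = parse_xsup_conf(fh.read())
    peap = conf.get("eap-peap", {})
    inner = peap.get("eap-mschapv2", {})
    findings = []
    if not (peap.get("root_cert") or peap.get("root_dir")):
        findings.append("eap-peap: no root_cert/root_dir, server certificate cannot be validated")
    if not peap.get("cncheck"):
        findings.append("eap-peap: cncheck unset, any certificate from the trusted CA is accepted")
    if conf.get("identity") == inner.get("username"):
        findings.append("identity hiding not used: outer identity equals the real username")
    if inner.get("password"):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            findings.append("cleartext password in a group/world readable file (mode %04o)" % mode)
    return findings

# Constructed samples modelled on the HOWTO's PEAP section, not real configurations.
WEAK_CONF = f"""
allow_interfaces = eth0
allow_types = eap_peap
identity = {delim("ID", "testuser")}
eap-peap {{
   root_cert = /usr/local/etc/1x/certs/root.pem
   #cncheck = myradius.radius.com   # Verify that the server certificate
                                    # has this value in its CN field.
   allow_types = eap_mschapv2
   eap-mschapv2 {{
      username = {delim("UNAME", "testuser")}
      password = {delim("PASS", "Secret149")}
   }}
}}
"""
# Same file with identity hiding and the CN check switched on.
HARDENED_CONF = WEAK_CONF.replace(delim("ID", "testuser"), delim("ID", "anonymous")).replace(
    "#cncheck", "cncheck")

def write_conf(text, mode):
    # Write a config to a temporary file with the given permission bits.
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

def demo():
    """Audit the weak sample as a 0644 file and the hardened one as a 0600 file."""
    results = []
    for text, mode in ((WEAK_CONF, 0o644), (HARDENED_CONF, 0o600)):
        path = write_conf(text, mode)
        try:
            results.append(audit_xsup_conf(path))
        finally:
            os.unlink(path)
    return results[0], results[1]

if __name__ == "__main__":
    print(demo())
```

<P
>Running the script (or importing it and calling demo()) reports three
   findings for the weak sample, namely the missing cncheck, the exposed
   outer identity and the 0644 file mode, and none for the hardened
   variant.</P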
></DIV
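><P
>The comment on identity hiding in the PEAP section rests on a protocol
   detail: the EAP-Response/Identity packet travels inside an EAPOL frame
   before any TLS tunnel exists, so whatever the identity setting contains is
   readable by anyone on the link. The following Python code is an added
   example, not part of the HOWTO or of Xsupplicant: it builds a constructed
   EAPOL/EAP exchange between an access point and two supplicants (one
   answering anonymous, one answering its real username), parses the frames
   back and lists the identities a passive observer would see. The MAC
   addresses, the exchange itself and the "looks like a real username"
   heuristic are this example's own constructions.</P
>

```python
import struct

ETHERTYPE_EAPOL = 0x888E                          # 802.1X EAPOL on Ethernet
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")    # destination used by supplicants
EAPOL_EAP_PACKET = 0                              # EAPOL type carrying an EAP packet
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_PEAP = 25

# Constructed MAC addresses for the exchange below (not from the HOWTO).
AP_MAC = bytes.fromhex("0a0b0c0d0e0f")
STA_MAC = bytes.fromhex("001122334455")

def build_eapol_eap(code, identifier, eap_type, type_data, src, dst):
    """Build an Ethernet frame carrying one EAP packet inside EAPOL (802.1X-2001)."""
    eap = struct.pack("!BBHB", code, identifier, 5 + len(type_data), eap_type) + type_data
    eapol = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol

def parse_eapol_frame(frame):
    """Return the EAP packet inside an EAPOL frame as a dict, or None if there is none."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_EAP_PACKET:
        return None                   # EAPOL-Start/Logoff/Key carry no EAP packet
    body = frame[18:18 + body_len]
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length != len(body):
        raise ValueError("EAP length field disagrees with EAPOL body length")
    info = {"code": EAP_CODE.get(code, code), "id": identifier}
    if code in (1, 2):                # only Request/Response carry a type field
        info["type"] = body[4]
        info["type_data"] = body[5:]
    return info

def outer_identities(frames):
    """Identities visible to anyone on the link: EAP-Response/Identity is sent before
    the TLS tunnel exists, which is what 'identity hiding' is meant to protect."""
    seen = []
    for frame in frames:
        info = parse_eapol_frame(frame)
        if info and info["code"] == "Response" and info.get("type") == EAP_TYPE_IDENTITY:
            seen.append(info["type_data"].decode("utf-8", "replace"))
    return seen

def exposed_identities(frames):
    """Heuristic (this example's own): outer identities that are not 'anonymous'
    or 'anonymous@realm' and therefore probably name a real account."""
    return [i for i in outer_identities(frames) if i.split("@", 1)[0] != "anonymous"]

def sample_exchange():
    """Constructed exchange, not a real capture: the AP asks for an identity, two
    supplicants answer, then the server starts PEAP (flags 0x20 = Start, version 0)."""
    req_id = build_eapol_eap(1, 1, EAP_TYPE_IDENTITY, b"", AP_MAC, STA_MAC)
    hidden = build_eapol_eap(2, 1, EAP_TYPE_IDENTITY, b"anonymous", STA_MAC, PAE_GROUP_ADDR)
    leaked = build_eapol_eap(2, 1, EAP_TYPE_IDENTITY, b"testuser", STA_MAC, PAE_GROUP_ADDR)
    peap_start = build_eapol_eap(1, 2, EAP_TYPE_PEAP, bytes([0x20]), AP_MAC, STA_MAC)
    return [req_id, hidden, leaked, peap_start]

if __name__ == "__main__":
    print("outer identities on the wire:", outer_identities(sample_exchange()))
    print("look like real usernames:", exposed_identities(sample_exchange()))
```

<P
>A monitoring point on the wired or wireless segment can apply the same
   parsing to captured EAPOL traffic to spot supplicants whose configuration
   sends the real account name as the outer identity; the configured
   identity of anonymous in the HOWTO is exactly what keeps it out of
   this list.</P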
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="freeradius.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="authenticator.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Authentication Server: Setting up FreeRADIUS</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Authenticator: Setting up the Authenticator (Access
 Point)</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>