<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML ><HEAD ><TITLE >Supplicant: Setting up Xsupplicant</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK REL="HOME" TITLE="802.1X Port-Based Authentication HOWTO" HREF="index.html"><LINK REL="PREVIOUS" TITLE="Authentication Server: Setting up FreeRADIUS" HREF="freeradius.html"><LINK REL="NEXT" TITLE="Authenticator: Setting up the Authenticator (Access Point)" HREF="authenticator.html"></HEAD ><BODY CLASS="sect1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >802.1X Port-Based Authentication HOWTO</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="freeradius.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" ></TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="authenticator.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="sect1" ><H1 CLASS="sect1" ><A NAME="xsupplicant" ></A >4. Supplicant: Setting up Xsupplicant</H1 ><P > The Supplicant is usually a laptop or another (wireless) device that requires authentication. <SPAN CLASS="application" >Xsupplicant</SPAN > implements the <SPAN CLASS="QUOTE" >"Supplicant"</SPAN > role defined in the IEEE 802.1X-2001 standard. </P ><DIV CLASS="sect2" ><H2 CLASS="sect2" ><A NAME="instxsup" ></A >4.1. 
Installing Xsupplicant</H2 ><DIV CLASS="procedure" ><P ><B >Installing Xsupplicant</B ></P ><OL TYPE="1" ><LI ><P > Download the latest source from <A HREF="http://www.open1x.org/" TARGET="_top" >http://www.open1x.org/</A > </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" ><TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >cd </B >/usr/local/src</B ></TT >
<TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >wget </B >http://belnet.dl.sourceforge.net/sourceforge/open1x/xsupplicant-1.0.tar.gz</B ></TT >
<TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >tar </B >zxfv xsupplicant-1.0.tar.gz</B ></TT >
<TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >cd </B >xsupplicant</B ></TT >
</PRE ></FONT ></TD ></TR ></TABLE ></LI ><LI ><P > Configure, make, and install: </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" ><TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >./configure</B ></B ></TT >
<TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >make</B ></B ></TT >
<TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >make install</B ></B ></TT >
</PRE ></FONT ></TD ></TR ></TABLE ></LI ><LI ><P > If the configuration file wasn't installed (copied) into the "etc" folder, do it manually: </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" ><TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >mkdir </B >-p /usr/local/etc/1x</B ></TT >
<TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >cp </B >etc/tls-example.conf /usr/local/etc/1x</B ></TT >
</PRE ></FONT ></TD ></TR ></TABLE ></LI ></OL ></DIV ><P > If installation fails, check the <TT CLASS="filename" >README</TT > and <TT CLASS="filename" >INSTALL</TT > files included with the source. You may also check out the <A HREF="http://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236" TARGET="_top" >official documentation</A >. </P ></DIV ><DIV CLASS="sect2" ><H2 CLASS="sect2" ><A NAME="confxsup" ></A >4.2. Configuring Xsupplicant</H2 ><DIV CLASS="procedure" ><P ><B >Configuring Xsupplicant</B ></P ><OL TYPE="1" ><LI ><P > The Supplicant must have access to the root certificate (the CA certificate that signed the Authentication Server's certificate, which the Supplicant uses to verify the server). </P ><P > If the Supplicant must also present a certificate to the Authentication Server (mutual certificate authentication), it needs its own certificate as well. </P ><P > Create a certificate folder, and move the certificates into it: </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="screen" ><TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >mkdir</B > -p /usr/local/etc/1x/certs</B ></TT >
<TT CLASS="prompt" ># </TT ><TT CLASS="userinput" ><B ><B CLASS="command" >cp</B > root.pem /usr/local/etc/1x/certs/</B ></TT >
<TT CLASS="prompt" ># </TT >(copy optional client certificate(s) into the same folder)
</PRE ></FONT ></TD ></TR ></TABLE ></LI ><LI ><P > Open and edit the configuration file: </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" ># startup_command: the command to run when Xsupplicant is first started.
# This command can do things such as configure the card to associate with
# the network properly.
startup_command = <BEGIN_COMMAND>/usr/local/etc/1x/startup.sh<END_COMMAND>
</PRE ></FONT ></TD ></TR ></TABLE ><P > The <TT CLASS="filename" >startup.sh</TT > script is created in a later step. </P ></LI ><LI ><P > Once the client is authenticated, it either sends a DHCP request or sets an IP address manually. 
Here, the Supplicant sets its IP address manually in <TT CLASS="filename" >startup2.sh</TT >: </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" ># first_auth_command: the command to run when Xsupplicant authenticates to
# a wireless network for the first time. This will usually be used to
# start a DHCP client process.
#first_auth_command = <BEGIN_COMMAND>dhclient %i<END_COMMAND>
first_auth_command = <BEGIN_COMMAND>/usr/local/etc/1x/startup2.sh<END_COMMAND>
</PRE ></FONT ></TD ></TR ></TABLE ></LI ><LI ><P > Since <SPAN CLASS="QUOTE" >"-i"</SPAN > is intended only for debugging purposes (and may go away, according to the developers), <SPAN CLASS="QUOTE" >"allow_interfaces"</SPAN > must be set: </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >allow_interfaces = eth0
deny_interfaces = eth1
</PRE ></FONT ></TD ></TR ></TABLE ></LI ><LI ><P > Next, under the <SPAN CLASS="QUOTE" >"NETWORK SECTION"</SPAN >, we'll configure PEAP: </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" ># We'll be using PEAP
allow_types = eap_peap

# Don't want any eavesdropper to learn the username during the
# first phase (which is unencrypted), so 'identity hiding' is
# used (using a bogus username).
identity = <BEGIN_ID>anonymous<END_ID>

eap-peap {
  # As in tls, define either a root certificate or a directory
  # containing root certificates.
  root_cert = /usr/local/etc/1x/certs/root.pem
  #root_dir = /path/to/root/certificate/dir
  #crl_dir = /path/to/dir/with/crl
  chunk_size = 1398
  random_file = /dev/urandom
  #cncheck = myradius.radius.com   # Verify that the server certificate
                                   # has this value in its CN field.
  #cnexact = yes                   # Should it be an exact match?
  session_resume = yes

  # Currently 'all' is just mschapv2.
  # If no allow_types is defined, all is assumed.
  #allow_types = all   # where all = MSCHAPv2, MD5, OTP, GTC, SIM
  allow_types = eap_mschapv2

  # Right now, you can do any of these methods in PEAP:
  eap-mschapv2 {
    username = <BEGIN_UNAME>testuser<END_UNAME>
    password = <BEGIN_PASS>Secret149<END_PASS>
  }
}
</PRE ></FONT ></TD ></TR ></TABLE ></LI ><LI ><P > The Supplicant must first associate with the access point. The script <TT CLASS="filename" >startup.sh</TT > does that job. It is also the first command <SPAN CLASS="application" >Xsupplicant</SPAN > executes. </P ><DIV CLASS="note" ><P ></P ><TABLE CLASS="note" WIDTH="100%" BORDER="0" ><TR ><TD WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG SRC="../images/note.gif" HSPACE="5" ALT="Note"></TD ><TD ALIGN="LEFT" VALIGN="TOP" ><P > Notice the bogus key we give to iwconfig (<EM >enc 000000000</EM >)! This key tells the driver to run in encrypted mode; it is replaced after successful authentication. It can be set to <EM >enc off</EM > only if encryption is disabled in the AP (for testing purposes). </P ></TD ></TR ></TABLE ></DIV ><P > Both <TT CLASS="filename" >startup.sh</TT > and <TT CLASS="filename" >startup2.sh</TT > must be saved under <TT CLASS="filename" >/usr/local/etc/1x/</TT >. </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >#!/bin/bash
echo "Starting startup.sh"

# Take down interface (if it's up)
/sbin/ifconfig eth0 down

# To make sure the routes are flushed
sleep 1

# Configuring the interface with a bogus key
/sbin/iwconfig eth0 mode managed essid testnet enc 000000000

# Bring the interface up and make sure it listens to multicast packets
/sbin/ifconfig eth0 allmulti up

echo "Finished startup.sh"
</PRE ></FONT ></TD ></TR ></TABLE ></LI ><LI ><P > This next file sets the IP address statically. It can be omitted if a DHCP server is present (as is typically the case, since many access points include one). </P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >#!/bin/bash
echo "Starting startup2.sh"

# Assigning an IP address
/sbin/ifconfig eth0 192.168.1.5 netmask 255.255.255.0

echo "Finished startup2.sh"
</PRE ></FONT ></TD ></TR ></TABLE ></LI ></OL ></DIV ></DIV ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="freeradius.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="authenticator.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >Authentication Server: Setting up FreeRADIUS</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" > </TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Authenticator: Setting up the Authenticator (Access Point)</TD ></TR ></TABLE ></DIV ></BODY ></HTML >
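As an added example (not from the HOWTO or the Xsupplicant project), the shell script below lints the configuration file built in section 4.2 for the settings that carry the most security weight: a root certificate, cncheck (left commented out in the sample above, which means any certificate issued by the trusted CA is accepted as the RADIUS server), an anonymous phase-1 identity, and owner-only file permissions, since the file stores the MSCHAPv2 password in cleartext. The sample configuration it checks is constructed from the snippets above; has_key, check_xsup_conf and count_findings are names chosen here.

```shell
#!/bin/bash
# Added example, not Xsupplicant's own tooling: lint the Xsupplicant config
# built above for the settings that matter most for security: a root CA,
# cncheck pinning the RADIUS server's name, an anonymous phase-1 identity,
# and owner-only permissions on a file holding the cleartext MSCHAPv2 password.
# True if "key = ..." appears uncommented at the start of a line in file $1.
has_key() { grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"; }
# Print one finding per line for the config file given as $1.
check_xsup_conf() {
    conf="$1"
    if ! has_key "$conf" root_cert && ! has_key "$conf" root_dir; then
        echo "no root_cert/root_dir: server certificate cannot be validated"
    fi
    if ! has_key "$conf" cncheck; then
        echo "cncheck not set: any certificate from the trusted CA is accepted"
    fi
    if ! grep -Eq '^[[:space:]]*identity[[:space:]]*=[[:space:]]*<BEGIN_ID>anonymous<END_ID>' "$conf"; then
        echo "outer identity is not anonymous: real username is sent in cleartext"
    fi
    # GNU stat first, BSD/macOS stat as fallback; group/other bits must be 0.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case "$mode" in
        *00) ;;
        *) echo "mode $mode: password readable by group/others, use chmod 600" ;;
    esac
}
# Number of findings, for use in scripts (0 means the config passed).
count_findings() { check_xsup_conf "$1" | wc -l | tr -d ' '; }
# Constructed sample: the PEAP section from the HOWTO with cncheck left
# commented out, as shipped, and the file world-readable.
XSUP_WEAK_CONF=$(mktemp)
cat > "$XSUP_WEAK_CONF" <<'EOF'
identity = <BEGIN_ID>anonymous<END_ID>
eap-peap {
  root_cert = /usr/local/etc/1x/certs/root.pem
  #cncheck = myradius.radius.com
  eap-mschapv2 {
    username = <BEGIN_UNAME>testuser<END_UNAME>
    password = <BEGIN_PASS>Secret149<END_PASS>
  }
}
EOF
chmod 644 "$XSUP_WEAK_CONF"
# Same config with cncheck enabled and owner-only permissions.
XSUP_FIXED_CONF=$(mktemp)
sed 's/^\([[:space:]]*\)#cncheck/\1cncheck/' "$XSUP_WEAK_CONF" > "$XSUP_FIXED_CONF"
chmod 600 "$XSUP_FIXED_CONF"
trap 'rm -f "$XSUP_WEAK_CONF" "$XSUP_FIXED_CONF"' EXIT
check_xsup_conf "$XSUP_WEAK_CONF"   # two findings; the fixed config yields none
```

Run it against /usr/local/etc/1x/tls-example.conf after editing to confirm the file passes before starting Xsupplicant.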