
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>Open1x User's Guide</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"></HEAD
><BODY
CLASS="book"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="BOOK"
><A
NAME="AEN1"
></A
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="title"
><A
NAME="AEN1"
>Open1x User's Guide</A
></H1
><H3
CLASS="author"
><A
NAME="AEN5"
></A
>Chris Hessing</H3
><H3
CLASS="author"
><A
NAME="AEN8"
></A
>Nick Petroni</H3
><H3
CLASS="author"
><A
NAME="AEN11"
></A
>Bryan Payne</H3
><H3
CLASS="author"
><A
NAME="AEN14"
></A
>Terry Simons</H3
><HR></DIV
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
>1. <A
HREF="#ch1"
>About Open1x And This Guide</A
></DT
><DD
><DL
><DT
>1.1. <A
HREF="#AEN19"
>General Overview</A
></DT
><DT
>1.2. <A
HREF="#AEN25"
>Do I Need Open1x?</A
></DT
><DT
>1.3. <A
HREF="#AEN28"
>Supplicant versus Authenticator</A
></DT
><DT
>1.4. <A
HREF="#AEN31"
>Purpose Of This Guide</A
></DT
></DL
></DD
><DT
>2. <A
HREF="#ch2"
>Supported Platforms</A
></DT
><DD
><DL
><DT
>2.1. <A
HREF="#AEN36"
>About Xsupplicant</A
></DT
><DT
>2.2. <A
HREF="#AEN42"
>EAP Support</A
></DT
><DT
>2.3. <A
HREF="#AEN82"
>Authentication Server Compatibility Matrix</A
></DT
><DT
>2.4. <A
HREF="#AEN242"
>Supplicants</A
></DT
></DL
></DD
><DT
>3. <A
HREF="#ch3"
>Getting The Software</A
></DT
><DD
><DL
><DT
>3.1. <A
HREF="#AEN354"
>Download Stable Releases</A
></DT
><DT
>3.2. <A
HREF="#AEN358"
>Pre-Packaged Releases for Some Distributions</A
></DT
><DT
>3.3. <A
HREF="#AEN361"
>CVS</A
></DT
></DL
></DD
><DT
>4. <A
HREF="#ch4"
>Installation</A
></DT
><DD
><DL
><DT
>4.1. <A
HREF="#AEN369"
>Prerequisites</A
></DT
><DT
>4.2. <A
HREF="#AEN379"
>Quick Start Guide</A
></DT
><DT
>4.3. <A
HREF="#AEN385"
>Running the Configure Script</A
></DT
><DT
>4.4. <A
HREF="#AEN398"
>When Things Go Wrong</A
></DT
></DL
></DD
><DT
>5. <A
HREF="#ch5"
>Configuration</A
></DT
><DD
><DL
><DT
>5.1. <A
HREF="#AEN410"
>Overview</A
></DT
><DT
>5.2. <A
HREF="#AEN413"
>Commandline Options</A
></DT
><DT
>5.3. <A
HREF="#AEN448"
>System Wide Config File</A
></DT
><DT
>5.4. <A
HREF="#AEN451"
>Global Configuration Options</A
></DT
></DL
></DD
><DT
>6. <A
HREF="#ch6"
>Advanced Usage</A
></DT
><DT
>7. <A
HREF="#ch7"
>Troubleshooting</A
></DT
><DD
><DL
><DT
>7.1. <A
HREF="#AEN968"
>A Guide to Troubleshooting</A
></DT
><DT
>7.2. <A
HREF="#AEN989"
>Known Problems</A
></DT
></DL
></DD
><DT
>A. <A
HREF="#ap1"
>Setup for Authenticators and RADIUS Servers</A
></DT
><DD
><DL
><DT
>A.1. <A
HREF="#AEN1000"
>Authenticators</A
></DT
><DT
>A.2. <A
HREF="#AEN1019"
>Authentication Servers</A
></DT
></DL
></DD
><DT
>B. <A
HREF="#ap2"
>Links to Related Resources</A
></DT
><DD
><DL
><DT
>B.1. <A
HREF="#AEN1047"
>Companies that Support Open1x</A
></DT
><DT
>B.2. <A
HREF="#AEN1112"
>802.1X Related Open Source Projects</A
></DT
><DT
>B.3. <A
HREF="#AEN1118"
>802.1X related proprietary projects</A
></DT
><DT
>B.4. <A
HREF="#AEN1121"
>Standards</A
></DT
><DT
>B.5. <A
HREF="#AEN1137"
>Other Resources</A
></DT
></DL
></DD
></DL
></DIV
><DIV
CLASS="LOT"
><DL
CLASS="LOT"
><DT
><B
>List of Tables</B
></DT
><DT
>2-1. <A
HREF="#AEN87"
>Supported Authentication Servers</A
></DT
><DT
>2-2. <A
HREF="#AEN245"
>Supplicant Support Matrix</A
></DT
></DL
></DIV
><DIV
CLASS="LOT"
><DL
CLASS="LOT"
><DT
><B
>List of Examples</B
></DT
><DT
>5-1. <A
HREF="#AEN464"
>Global Option "default_netname"</A
></DT
><DT
>5-2. <A
HREF="#AEN473"
>Global Option "logfile"</A
></DT
><DT
>5-3. <A
HREF="#AEN482"
>Global Option "log_facility"</A
></DT
><DT
>5-4. <A
HREF="#AEN491"
>Global Option "allmulti"</A
></DT
><DT
>5-5. <A
HREF="#AEN500"
>Global Option "destination"</A
></DT
><DT
>5-6. <A
HREF="#AEN509"
>Global Option "network_list"</A
></DT
><DT
>5-7. <A
HREF="#AEN535"
>Profile Option "allow_types"</A
></DT
><DT
>5-8. <A
HREF="#AEN544"
>Profile Option "dest_mac"</A
></DT
><DT
>5-9. <A
HREF="#AEN553"
>Profile Option "identity"</A
></DT
><DT
>5-10. <A
HREF="#AEN562"
>Profile Option "type"</A
></DT
><DT
>5-11. <A
HREF="#AEN571"
>Profile Option "wireless_control"</A
></DT
><DT
>5-12. <A
HREF="#AEN590"
>Common EAP Option "chunk_size"</A
></DT
><DT
>5-13. <A
HREF="#AEN601"
>Common EAP Option cncheck</A
></DT
><DT
>5-14. <A
HREF="#AEN612"
>Common EAP Option "cnexact"</A
></DT
><DT
>5-15. <A
HREF="#AEN622"
>Common EAP Option "crl_dir"</A
></DT
><DT
>5-16. <A
HREF="#AEN632"
>Common EAP Option "password"</A
></DT
><DT
>5-17. <A
HREF="#AEN643"
>Common EAP Option "random_file"</A
></DT
><DT
>5-18. <A
HREF="#AEN655"
>Common EAP Option "root_cert"</A
></DT
><DT
>5-19. <A
HREF="#AEN665"
>Common EAP Option "root_dir"</A
></DT
><DT
>5-20. <A
HREF="#AEN675"
>Common EAP Option "session_resume"</A
></DT
><DT
>5-21. <A
HREF="#AEN685"
>Common EAP Option "username"</A
></DT
><DT
>5-22. <A
HREF="#AEN696"
>Common EAP Option "user_cert"</A
></DT
><DT
>5-23. <A
HREF="#AEN707"
>Common EAP Option "user_key"</A
></DT
><DT
>5-24. <A
HREF="#AEN717"
>Common EAP Option "user_key_pass"</A
></DT
><DT
>5-25. <A
HREF="#AEN727"
>Common EAP Option "proper_peap_v1_keying"</A
></DT
><DT
>5-26. <A
HREF="#AEN737"
>Common EAP Option "inner_id"</A
></DT
><DT
>5-27. <A
HREF="#AEN748"
>Example EAP-AKA Configuration</A
></DT
><DT
>5-28. <A
HREF="#AEN754"
>Example EAP-GTC Configuration</A
></DT
><DT
>5-29. <A
HREF="#AEN763"
>Example EAP-MD5 Configuration</A
></DT
><DT
>5-30. <A
HREF="#AEN775"
>Example EAP-MSCHAPv2 Configuration</A
></DT
><DT
>5-31. <A
HREF="#AEN782"
>Example EAP-OTP Configuration</A
></DT
><DT
>5-32. <A
HREF="#AEN792"
>Example EAP-SIM Configuration</A
></DT
><DT
>5-33. <A
HREF="#AEN806"
>EAP-SIM Option "auto_realm"</A
></DT
><DT
>5-34. <A
HREF="#AEN829"
>Example PEAP Configuration</A
></DT
><DT
>5-35. <A
HREF="#AEN845"
>Example EAP-TLS Configuration</A
></DT
><DT
>5-36. <A
HREF="#AEN869"
>Example EAP-TTLS Configuration</A
></DT
><DT
>5-37. <A
HREF="#AEN887"
>EAP-TTLS Option "phase2_type"</A
></DT
><DT
>5-38. <A
HREF="#AEN901"
>EAP-TTLS Option "chap"</A
></DT
><DT
>5-39. <A
HREF="#AEN915"
>EAP-TTLS Option "mschap"</A
></DT
><DT
>5-40. <A
HREF="#AEN930"
>EAP-TTLS Option "mschapv2"</A
></DT
><DT
>5-41. <A
HREF="#AEN944"
>EAP-TTLS Option "pap"</A
></DT
><DT
>5-42. <A
HREF="#AEN953"
>Example LEAP Configuration</A
></DT
><DT
>7-1. <A
HREF="#AEN984"
>Getting a GDB Backtrace</A
></DT
></DL
></DIV
><DIV
CLASS="chapter"
><HR><H1
><A
NAME="ch1"
></A
>Chapter 1. About Open1x And This Guide</H1
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="AEN19"
>1.1. General Overview</A
></H2
><P
>&#13;This work was funded by a grant from the National Institute of Standards and
Technology Critical Infrastructure Grants Program.
</P
><P
>&#13;This software allows a GNU/Linux or BSD workstation to authenticate with
a RADIUS server using 802.1X and various EAP protocols.  The intended 
use is for computers with wireless LAN connections to complete a strong
authentication before joining the network.
</P
><P
>&#13;Note: BSD support is not yet complete.
</P
><P
>&#13;This software handles authentication only, so it is a complement to WEP, which
provides confidentiality.  Even though it is well documented that WEP has technical
flaws, it is still better than simply sending data in the clear.  Therefore, we
recommend using this software (802.1X) for authentication *and* WEP, WPA, or
WPA2/802.11i for confidentiality.  And, as always, be prepared to update your
network(s) as better security solutions become available.
</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN25"
>1.2. Do I Need Open1x?</A
></H2
><P
>&#13;The short answer is that if you need to authenticate to an 802.1X-enabled
network using Linux, then Open1x is probably for you.  The Open1x project 
provides 802.1X functionality for the Linux operating system.  802.1X is an 
IEEE standard (ratified in 2001) that provides port-based authentication 
at layer 2 of the OSI model.  802.1X prevents unauthorized network access
until appropriate credentials are supplied to access the network.  
The Open1x project provides the necessary software to connect to an 
802.1X-enabled network.
</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN28"
>1.3. Supplicant versus Authenticator</A
></H2
><P
>&#13;The Open1x project contains source code for both the "Supplicant" 
and "Authenticator" pieces of the 802.1X standard.  This document will 
only focus on the Open1x Supplicant (xsupplicant), as the Authenticator 
isn't being actively worked on at this point in time.
</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN31"
>1.4. Purpose Of This Guide</A
></H2
><P
>&#13;This guide is aimed at both the general user and the system administrator,
with the intent of explaining how to install and configure xsupplicant.
</P
></DIV
></DIV
><DIV
CLASS="chapter"
><HR><H1
><A
NAME="ch2"
></A
>Chapter 2. Supported Platforms</H1
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="AEN36"
>2.1. About Xsupplicant</A
></H2
><P
>&#13;Xsupplicant is designed to work with Linux.  Early versions of 
xsupplicant also supported *BSD and Mac OS X, but this support was pulled 
out when xsupplicant was rewritten.  
</P
><P
>&#13;Mac OS X support was pulled because Apple is now providing a built-in 
supplicant as of Mac OS X 10.3 (Panther).  *BSD support was initially 
removed largely due to a lack of active *BSD development.  Some *BSD code does 
remain, however, and we encourage any *BSD developers out there to test 
xsupplicant and submit patches or file bug reports to improve *BSD support.  
There has been talk of adding Mac OS X support back into xsupplicant, because 
Apple's client only works with their own Airport cards.  Xsupplicant could 
potentially fill the gap left by Apple for those users that wish to use 3rd 
party cards, or wireless standards not supported by Apple, such as 802.11a, 
but such support would require 3rd party APIs to properly handle encryption.
</P
><P
>&#13;The Open1x team would like to restore support for *BSD platforms, but doing 
so will require some additional hacking on the codebase.  This project is 
maintained in our spare time, and we already feel stretched, so we hope you 
understand our current dilemma in providing *BSD support.  If you are 
interested in helping us with *BSD support, please let us know.
</P
><P
>&#13;Xsupplicant releases are primarily tested and developed on Slackware Linux.

</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN42"
>2.2. EAP Support</A
></H2
><P
>&#13;
Xsupplicant 1.2 supports the following EAP types:

<P
></P
><UL
><LI
><P
><A
HREF="#eap-aka"
>&#13;EAP-AKA
</A
></P
></LI
><LI
><P
><A
HREF="#eap-gtc"
>&#13;EAP-GTC
</A
></P
></LI
><LI
><P
><A
HREF="#eap-md5"
>&#13;EAP-MD5
</A
></P
></LI
><LI
><P
><A
HREF="#eap-mschapv2"
>&#13;EAP-MSCHAPv2
</A
></P
></LI
><LI
><P
><A
HREF="#eap-otp"
>&#13;EAP-OTP
</A
></P
></LI
><LI
><P
><A
HREF="#eap-sim"
>&#13;EAP-SIM
</A
></P
></LI
><LI
><P
><A
HREF="#leap"
>&#13;LEAP
</A
></P
></LI
><LI
><P
><A
HREF="#peap"
>&#13;PEAP (MSCHAPv2)
</A
></P
></LI
><LI
><P
><A
HREF="#eap-tls"
>&#13;EAP-TLS
</A
></P
></LI
><LI
><P
><A
HREF="#eap-ttls"
>&#13;EAP-TTLS (CHAP, MSCHAP, MSCHAPv2, PAP)
</A
></P
></LI
></UL
>

Future versions of Xsupplicant may include support for:

<P
></P
><UL
><LI
><P
>EAP-FAST</P
></LI
><LI
><P
>PEAP-GTC</P
></LI
></UL
>



</P
><P
>&#13;See Chapter 5: EAP Options for details on configuring a specific EAP type with Xsupplicant.
</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN82"
>2.3. Authentication Server Compatibility Matrix</A
></H2
><P
>&#13;The following is a compatibility matrix that lists tested EAP/Authentication 
Server combinations.  A "+" means that the server supports that EAP type.  A "*" 
means that the Server/EAP combination has been tested and is compatible with 
xsupplicant.  A "!" means that the Server/EAP combination is known to be 
incompatible with Xsupplicant.
</P
><P
>&#13;Lack of a "*" in an entry does not indicate that a particular combination will 
not work, only that it has not been tested.  This list is not meant to be a 
complete list of tested combinations, as we do not have the resources to 
keep the list up to date.
</P
><P
>&#13;
<DIV
CLASS="table"
><A
NAME="AEN87"
></A
><P
><B
>Table 2-1. Supported Authentication Servers</B
></P
><TABLE
BORDER="1"
FRAME="vsides"
RULES="cols"
CLASS="CALSTABLE"
><COL><COL><COL><COL><COL><COL><COL><COL><COL><THEAD
><TR
><TH
>&nbsp;</TH
><TH
>Cisco ACS</TH
><TH
>FreeRADIUS</TH
><TH
>Funk SBR</TH
><TH
>Infoblox</TH
><TH
>Meetinghouse AEGIS</TH
><TH
>Microsoft IAS</TH
><TH
>Radiator</TH
><TH
>Roving Planet CSD</TH
></TR
></THEAD
><TBODY
><TR
><TD
ALIGN="left"
>EAP-AKA</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>*</TD
><TD
>-</TD
></TR
><TR
><TD
ALIGN="left"
>EAP-FAST</TD
><TD
>+</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
></TR
><TR
><TD
ALIGN="left"
>EAP-GTC</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>*</TD
><TD
>-</TD
></TR
><TR
><TD
ALIGN="left"
>EAP-MD5</TD
><TD
>*</TD
><TD
>*</TD
><TD
>*</TD
><TD
>*</TD
><TD
>*</TD
><TD
>-</TD
><TD
>*</TD
><TD
>*</TD
></TR
><TR
><TD
ALIGN="left"
>EAP-OTP</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>*</TD
><TD
>-</TD
></TR
><TR
><TD
ALIGN="left"
>EAP-SIM</TD
><TD
>-</TD
><TD
>*</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>*</TD
><TD
>-</TD
></TR
><TR
><TD
ALIGN="left"
>EAP-TLS</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>*</TD
><TD
>+</TD
></TR
><TR
><TD
ALIGN="left"
>LEAP</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>-</TD
><TD
>+</TD
><TD
>-</TD
><TD
>*</TD
><TD
>+</TD
></TR
><TR
><TD
ALIGN="left"
>PEAP-GTC</TD
><TD
>+</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>+</TD
><TD
>-</TD
><TD
>+</TD
><TD
>-</TD
></TR
><TR
><TD
ALIGN="left"
>PEAP-MSCHAPv2</TD
><TD
>*</TD
><TD
>*</TD
><TD
>*</TD
><TD
>!</TD
><TD
>*</TD
><TD
>*</TD
><TD
>*</TD
><TD
>+</TD
></TR
><TR
><TD
ALIGN="left"
>TTLS-CHAP</TD
><TD
>-</TD
><TD
>*</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>-</TD
><TD
>*</TD
><TD
>+</TD
></TR
><TR
><TD
ALIGN="left"
>TTLS-MSCHAP</TD
><TD
>-</TD
><TD
>*</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>-</TD
><TD
>*</TD
><TD
>+</TD
></TR
><TR
><TD
ALIGN="left"
>TTLS-MSCHAPv2</TD
><TD
>-</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>-</TD
><TD
>*</TD
><TD
>+</TD
></TR
><TR
><TD
ALIGN="left"
>TTLS-PAP</TD
><TD
>-</TD
><TD
>+</TD
><TD
>*</TD
><TD
>!</TD
><TD
>*</TD
><TD
>-</TD
><TD
>*</TD
><TD
>+</TD
></TR
></TBODY
></TABLE
></DIV
>

</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN242"
>2.4. Supplicants</A
></H2
><P
>&#13;
The goal of this section is to help inform the reader of general 802.1X 
compatibility.  The following list is probably not complete, but should 
provide a fairly comprehensive supplicant/operating system list.

<DIV
CLASS="table"
><A
NAME="AEN245"
></A
><P
><B
>Table 2-2. Supplicant Support Matrix</B
></P
><TABLE
BORDER="1"
FRAME="vsides"
RULES="cols"
CLASS="CALSTABLE"
><COL><COL><COL><COL><COL><COL><COL><COL><COL><COL><THEAD
><TR
><TH
>&nbsp;</TH
><TH
>*BSD</TH
><TH
>Linux</TH
><TH
>Mac OS X 10.2.x</TH
><TH
>Mac OS X 10.3.x</TH
><TH
>Pocket PC 2002</TH
><TH
>Pocket PC 2003</TH
><TH
>Windows 98</TH
><TH
>Windows Me</TH
><TH
>Windows 2k</TH
><TH
>Windows XP</TH
></TR
></THEAD
><TBODY
><TR
><TD
ALIGN="left"
><A
HREF="http://www.securew2.com/"
TARGET="_top"
>&#13;Alfa+Ariss SecureW2
</A
></TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>+</TD
><TD
>-</TD
><TD
>-</TD
><TD
>+</TD
><TD
>+</TD
></TR
><TR
><TD
ALIGN="left"
><A
HREF="http://www.funk.com/"
TARGET="_top"
>&#13;Funk Odyssey
</A
></TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
></TR
><TR
><TD
ALIGN="left"
><A
HREF="http://www.mtghouse.com/"
TARGET="_top"
>&#13;Meetinghouse Aegis
</A
></TD
><TD
>-</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
></TR
><TR
><TD
ALIGN="left"
>Native</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>+</TD
><TD
>-</TD
><TD
>+</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>+</TD
></TR
><TR
><TD
ALIGN="left"
><A
HREF="http://www.open1x.org"
TARGET="_top"
>&#13;Open1x
</A
></TD
><TD
>-</TD
><TD
>+</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
></TR
><TR
><TD
ALIGN="left"
><A
HREF="http://weap.sourceforge.net/"
TARGET="_top"
>&#13;wEAP
</A
></TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>+</TD
><TD
>+</TD
></TR
><TR
><TD
ALIGN="left"
><A
HREF="http://wire.cs.nthu.edu.tw/wire1x"
TARGET="_top"
>&#13;Wire1x
</A
></TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>-</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
><TD
>+</TD
></TR
></TBODY
></TABLE
></DIV
>

</P
></DIV
></DIV
><DIV
CLASS="chapter"
><HR><H1
><A
NAME="ch3"
></A
>Chapter 3. Getting The Software</H1
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="AEN354"
>3.1. Download Stable Releases</A
></H2
><P
>Users should normally download a stable release from 
<A
HREF="http://sourceforge.net/project/showfiles.php?group_id=60236"
TARGET="_top"
>http://sourceforge.net/project/showfiles.php?group_id=60236</A
>
</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN358"
>3.2. Pre-Packaged Releases for Some Distributions</A
></H2
><P
>At some point we plan on releasing pre-packaged versions of xsupplicant 
for distributions such as Debian, RedHat, SuSe, Slackware, etc... 
If you would like to see your favorite distribution supported, please 
let us know (Or better yet, send us the package)!</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN361"
>3.3. CVS</A
></H2
><P
>&#13;We do not recommend CVS downloads for people unfamiliar with it. 
CVS often contains new features that have not yet made it into a 
stable release, but it can also be extremely unstable.  We also do not 
have the time to explain how CVS works (there is good documentation on the web 
regarding CVS and its many features/options).  We encourage users to submit 
patches against CVS, but patches may not necessarily be committed immediately.  
</P
><P
>&#13;To download xsupplicant via CVS 
you can use the following command: 
</P
><P
>&#13;<KBD
CLASS="userinput"
>&#13;cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/open1x co xsupplicant
</KBD
>
</P
></DIV
></DIV
><DIV
CLASS="chapter"
><HR><H1
><A
NAME="ch4"
></A
>Chapter 4. Installation</H1
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="AEN369"
>4.1. Prerequisites</A
></H2
><P
>&#13;You will need to have the following installed on your system before
 installing xsupplicant: 
</P
><P
> 
OpenSSL - <A
HREF="http://www.openssl.org/"
TARGET="_top"
>http://www.openssl.org/</A
>
</P
><P
>&#13;libpcsclite (For EAP-SIM/EAP-AKA support) - 
<A
HREF="http://www.linuxnet.com/"
TARGET="_top"
>http://www.linuxnet.com/</A
>
</P
><P
>&#13;Pthreads Support (For EAP-SIM/EAP-AKA support)
</P
><P
>&#13;libiw from the Linux Wireless Tools - <A
HREF="http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Tools.html"
TARGET="_top"
>http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Tools.html</A
>
</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN379"
>4.2. Quick Start Guide</A
></H2
><P
>&#13;Generally speaking you should be able to type:
<KBD
CLASS="userinput"
>./configure; make; make install</KBD
>
to configure and install the Open1x supplicant.
</P
><P
>&#13;The only exception would be if you intend to use the WPA support for MADwifi.
In that case you need to add the --with-madwifi-path option when you run configure.  This should point to the directory where your MADwifi source is located.
</P
><P
>&#13;If you run into problems, please read the rest of this chapter.
</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN385"
>4.3. Running the Configure Script</A
></H2
><P
>&#13;The following configuration options are available for xsupplicant:
</P
><P
>&#13;<KBD
CLASS="userinput"
>--enable-eap-sim </KBD
>
- Enables EAP SIM/AKA authentication. (Requires libpcsclite)
</P
><P
>&#13;<KBD
CLASS="userinput"
>--enable-experimental </KBD
>
- Enable the use of experimental features/code.
</P
><P
>&#13;<KBD
CLASS="userinput"
>--enable-radiator-test </KBD
>
- Enable use of the AKA test vectors from Radiator. (Doesn't require a SIM card).
</P
><P
>&#13;<KBD
CLASS="userinput"
>--enable-static-openssl </KBD
>
- Statically link OpenSSL into the xsupplicant binary.
</P
><P
>&#13;<KBD
CLASS="userinput"
>--with-madwifi-path </KBD
>
- Provide the path to the MADwifi source, and enable support for WPA on cards that use the MADwifi driver.
</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN398"
>4.4. When Things Go Wrong</A
></H2
><P
>If you experience a problem building xsupplicant, you should:

<P
></P
><UL
><LI
><P
>Check config.log for any interesting error messages.</P
></LI
><LI
><P
>Double check the xsupplicant prerequisites.</P
></LI
><LI
><P
>E-mail the xsupplicant mailing list with a detailed explanation of the 
problem you are experiencing, including any error messages you got, and 
please include a copy of your configuration file (with any passwords or 
key passphrases removed) and any command line options you used to run 
xsupplicant.  The more information you provide to us, the easier it will 
be for us to help you fix your problem.</P
></LI
></UL
>

</P
></DIV
></DIV
><DIV
CLASS="chapter"
><HR><H1
><A
NAME="ch5"
></A
>Chapter 5. Configuration</H1
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="AEN410"
>5.1. Overview</A
></H2
><P
>&#13;
</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN413"
>5.2. Commandline Options</A
></H2
><P
>&#13;<KBD
CLASS="userinput"
>-W</KBD
> 
</P
><P
>&#13;Allow Xsupplicant to work with wpa_supplicant.
</P
><P
>&#13;<KBD
CLASS="userinput"
>-c /path/to/config_file</KBD
>
</P
><P
>&#13;You can specify a configuration file to be used with the "-c" option.  
Xsupplicant will automatically look for and use "/etc/xsupplicant.conf" if 
it exists.
</P
><P
>&#13;<KBD
CLASS="userinput"
>-i device</KBD
>
</P
><P
>&#13;Provide the interface on which to listen for EAPoL packets.  Please note that 
xsupplicant will currently look for any valid interfaces and fork to handle 
each valid interface it finds.  You do not need to run multiple instances 
of xsupplicant yourself.
</P
><P
>&#13;<KBD
CLASS="userinput"
>-d debug_level</KBD
>
</P
><P
>&#13;&#60;debug_level&#62; can be any of:

<P
></P
><UL
><LI
><P
>0 - 7 Old style debug flags.</P
></LI
><LI
><P
>A - Enable ALL debug flags.</P
></LI
><LI
><P
>c - Enable CONFIG debug flag.</P
></LI
><LI
><P
>s - Enable STATE debug flag.</P
></LI
><LI
><P
>a - Enable AUTHTYPES debug flag.</P
></LI
><LI
><P
>i - Enable INT debug flag.</P
></LI
><LI
><P
>n - Enable SNMP debug flag.</P
></LI
><LI
><P
>e - Enable EVERYTHING debug flag.</P
></LI
><LI
><P
>x - Enable EXCESSIVE debug flag.</P
></LI
></UL
>
</P
><P
>&#13;Debug flags can be stacked such as: <KBD
CLASS="userinput"
>xsupplicant -d csai</KBD
>.  This would provide CONFIG, STATE, AUTHTYPES, and INT debug output.
</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN448"
>5.3. System Wide Config File</A
></H2
><P
>&#13;Xsupplicant will look for a file in /etc/xsupplicant.conf by default, unless 
the -c option is used at runtime.

The xsupplicant configuration file consists of several global variables and a 
set of network-specific configurations.  

Each network profile definition contains one or more EAP sections, which 
contain specific configuration information for the network in question.



</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN451"
>5.4. Global Configuration Options</A
></H2
><P
>&#13;The following is a complete list of the global options available in 
xsupplicant 1.2.  These options should be defined outside of any xsupplicant 
network profiles contained in your configuration file.
</P
><DIV
CLASS="section"
><HR><H3
CLASS="section"
><A
NAME="AEN454"
>5.4.1. Global Options</A
></H3
><P
>&#13;The following is a complete list of the global configuration options for 
the xsupplicant configuration file.
</P
><P
></P
><DIV
CLASS="variablelist"
><P
><B
>Xsupplicant Config - Global Options</B
></P
><DL
><DT
><A
NAME="default_netname"
></A
><CODE
CLASS="varname"
>default_netname</CODE
></DT
><DD
><P
>&#13;If this option is not used, xsupplicant will attempt to read the profile 
"default" from the configuration file. Some users may actually have a network 
named "default", so this option can be used to redefine which profile is 
used as the default profile.

<DIV
CLASS="example"
><A
NAME="AEN464"
></A
><P
><B
>Example 5-1. Global Option "default_netname"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;default_netname = default
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="logfile"
></A
><CODE
CLASS="varname"
>logfile</CODE
></DT
><DD
><P
>&#13;When running in daemon (non-foreground) mode, you may want to keep the 
output of the program, so define a log file here.  Each time XSupplicant 
is started, this file will be replaced, so there is no need to roll the 
log file (note that output from earlier runs is not preserved).  If the logfile 
name is set to "syslog", then all messages will be sent to the syslog.  If 
syslog is used, you should also define "log_facility" to specify which logging 
facility will be used.

<DIV
CLASS="example"
><A
NAME="AEN473"
></A
><P
><B
>Example 5-2. Global Option "logfile"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;logfile = /var/log/xsupplicant.log
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="log_facility"
></A
><CODE
CLASS="varname"
>log_facility</CODE
></DT
><DD
><P
>&#13;If you have set the logfile option to "syslog", then you should define
log_facility in order to tell Xsupplicant where to send log messages. Valid
settings are cron, daemon, ftp, kern, local0, local1, local2, local3, local4,
local5, local6, local7, lpr, news, user, and uucp.

<DIV
CLASS="example"
><A
NAME="AEN482"
></A
><P
><B
>Example 5-3. Global Option "log_facility"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;log_facility = local0
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="allmulti"
></A
><CODE
CLASS="varname"
>allmulti</CODE
></DT
><DD
><P
>&#13;For most people, the default setting for "allmulti" will work just fine.  In
some cases, wireless cards have been known to not work when ALLMULTI is 
enabled.  (Such as certain Orinoco cards, with older drivers.)  If "allmulti"
is set to "no", XSupplicant will not attempt to change the state of the 
setting in the driver.  So, you should make sure to do an "ifconfig ethX
-allmulti".

<DIV
CLASS="example"
><A
NAME="AEN491"
></A
><P
><B
>Example 5-4. Global Option "allmulti"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;allmulti = no
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="destination"
></A
><CODE
CLASS="varname"
>destination</CODE
></DT
><DD
><P
>&#13;destination: defines how Xsupplicant should determine the destination address
that should be used for the 802.1X conversation.

Valid options are:
    Auto - respond to the source address of the last packet we saw.
    Source - same as Auto.
    BSSID - always answer to the BSSID of the AP we are associated to.
    Multicast - always use the multicast address defined in 802.1X-2001.


<DIV
CLASS="example"
><A
NAME="AEN500"
></A
><P
><B
>Example 5-5. Global Option "destination"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;destination = auto
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="network_list"
></A
><CODE
CLASS="varname"
>network_list</CODE
></DT
><DD
><P
>&#13;This directive defines all of the network profiles which should be kept 
in memory and used.  It takes a comma-delimited list, or "all" to keep all 
defined configurations in memory.  For efficiency, keep only the networks you 
might roam to in memory.  To avoid errors, make sure your default network is 
always in the network_list.  In general, you will want to leave this set to "all".

<DIV
CLASS="example"
><A
NAME="AEN509"
></A
><P
><B
>Example 5-6. Global Option "network_list"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;network_list = all
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
></DL
></DIV
><DIV
CLASS="section"
><HR><H4
CLASS="section"
><A
NAME="AEN513"
>5.4.1.1. State Machine Variables</A
></H4
><P
>&#13;<P
></P
><UL
><LI
><P
>auth_period</P
></LI
><LI
><P
>max_starts</P
></LI
><LI
><P
>held_period</P
></LI
></UL
>
</P
><P
>&#13;The auth_period, held_period, and max_starts modify the timers in the state 
machine.  (Please reference the 802.1X spec for info on how they are used.)
For most people, there is no reason to define these values, as the defaults 
should work.
</P
></DIV
></DIV
><DIV
CLASS="section"
><HR><H3
CLASS="section"
><A
NAME="AEN524"
>5.4.2. Network Profile Configuration Options</A
></H3
><P
>&#13;A network profile consists of a declaration, such as "default", followed by 
a profile definition enclosed in a beginning and ending brace, "{" and "}" 
respectively.  The profile defines network specific attributes for 802.1X 
operation, such as allowed EAP-types, the username for a given EAP-type, and 
any EAP-type specific options.
</P
><P
>&#13;Each network profile section may include one or more valid EAP-types.  
When the Authentication Server requests a given EAP type, xsupplicant will 
use that EAP type if a valid configuration exists.  Otherwise, xsupplicant 
will NAK the Authentication Server, and request the first EAP type defined 
by the "allow_types" configuration option.  If xsupplicant and the 
Authentication server cannot agree on an EAP type, the authentication will 
not take place, so be sure to define an appropriate EAP-type for your network!
</P
><P
></P
><DIV
CLASS="variablelist"
><P
><B
>Xsupplicant Config - Network Profile Options</B
></P
><DL
><DT
><A
NAME="allow_types"
></A
><CODE
CLASS="varname"
>allow_types</CODE
></DT
><DD
><P
>&#13;This option describes which EAP types this network will allow.  The 
first type listed will be requested if the server tries to use something 
not in this list.  Individual EAP types can be specified, or the keyword 
"all" can be used to specify all EAP types.  Because xsupplicant will use 
whichever allowed type the server asks for (provided a configuration for it 
exists), listing only the types you actually intend to use prevents a server, 
or something impersonating one, from steering the client onto a different 
configured method.  Additionally, it is legal 
to use either an underscore (_) or dash (-) for the separator character 
between "eap" and the type.  For instance, "eap-tls" and "eap_tls" are 
both valid.

<DIV
CLASS="example"
><A
NAME="AEN535"
></A
><P
><B
>Example 5-7. Profile Option "allow_types"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;allow_types = eap-tls, eap-md5, eap-gtc, eap-otp

allow_types = all
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="dest_mac"
></A
><CODE
CLASS="varname"
>dest_mac</CODE
></DT
><DD
><P
>&#13; This option forces xsupplicant to send its packets to this destination 
MAC address. In most cases, this isn't needed, and shouldn't be defined.

<DIV
CLASS="example"
><A
NAME="AEN544"
></A
><P
><B
>Example 5-8. Profile Option "dest_mac"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;dest_mac = 00:aA:bB:cC:dD:eE
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="identity"
></A
><CODE
CLASS="varname"
>identity</CODE
></DT
><DD
><P
>&#13;This defines the EAP Response Identity, also known as the "outer identity",
or, what xsupplicant will respond with when presented with an EAP 
Identity Request.  This is typically the username for this network.  Note that 
this value is sent before any TLS tunnel (PEAP, TTLS) has been set up, so it is 
visible to anyone able to observe the link; for tunnelled methods you may 
prefer a non-identifying outer identity and put the real username in the 
inner_id or phase 2 username option.  If the identity contains any characters 
other than A through Z and 0 through 9, then it should be defined in quotes.

<DIV
CLASS="example"
><A
NAME="AEN553"
></A
><P
><B
>Example 5-9. Profile Option "identity"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;identity = "myid@mynet.net"
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="type"
></A
><CODE
CLASS="varname"
>type</CODE
></DT
><DD
><P
>&#13;Xsupplicant will attempt to determine if a given interface is wired 
or wireless, but some drivers misbehave. This option forces xsupplicant 
to recognize interfaces in a certain way. Use this option if your 
interface is detected  incorrectly by xsupplicant.  Valid options are 
"wired" and "wireless".

<DIV
CLASS="example"
><A
NAME="AEN562"
></A
><P
><B
>Example 5-10. Profile Option "type"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;type = wireless
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="wireless_control"
></A
><CODE
CLASS="varname"
>wireless_control</CODE
></DT
><DD
><P
>&#13;If the profile is forced to wired, this will not do anything.  
However, if the interface is forced, or detected to be wireless 
XSupplicant will take control of re/setting WEP keys when the machine 
first starts, and when it jumps to a different AP.  In general, you 
won't need to define, or set this value.  Valid options are "yes" and 
"no". 

<DIV
CLASS="example"
><A
NAME="AEN571"
></A
><P
><B
>Example 5-11. Profile Option "wireless_control"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;wireless_control = yes
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="section"
><HR><H3
CLASS="section"
><A
NAME="AEN575"
>5.4.3. EAP Options</A
></H3
><P
>&#13;Each network profile in the xsupplicant configuration file may have one or 
more EAP sections defined.  Each EAP section must be associated to a network 
profile.  Each EAP section may also have one or more subsections associated 
with it.
</P
><P
>&#13;For instance, a configuration for EAP-TTLS may have any of CHAP, MSCHAP, 
MSCHAPv2, or PAP subsections defined.  Some EAP types do not contain any 
subsections.
</P
><DIV
CLASS="section"
><HR><H4
CLASS="section"
><A
NAME="AEN579"
>5.4.3.1. Reused EAP Options</A
></H4
><P
>&#13;The following options are re-used in many of the EAP types listed below.  


<P
></P
><DIV
CLASS="variablelist"
><P
><B
>Common EAP Options</B
></P
><DL
><DT
><A
NAME="chunk_size"
></A
><CODE
CLASS="varname"
>chunk_size</CODE
></DT
><DD
><P
>&#13;The chunk_size directive specifies the maximum size that a certificate 
chunk can be.  Use this option in EAP types that use either one or both of 
client or server certificates (TLS, PEAP, TTLS).
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN590"
></A
><P
><B
>Example 5-12. Common EAP Option "chunk_size"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;chunk_size = 1398
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="cncheck"
></A
><CODE
CLASS="varname"
>cncheck</CODE
></DT
><DD
><P
>&#13;The cncheck directive provides the ability to verify the CN field 
of an authentication server certificate for EAP types that use 
server-side certificates (TTLS, PEAP).
</P
><P
>&#13;Use this directive in conjunction with cnexact to control how granular 
the server certificate check should be.  root_cert/root_dir only establish 
that the certificate was issued by a trusted CA; cncheck additionally ties 
acceptance to the name of your own authentication server, which matters 
whenever that CA also issues certificates to other parties.
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN601"
></A
><P
><B
>Example 5-13. Common EAP Option cncheck</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;cncheck = someradius.mynet.net
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="cnexact"
></A
><CODE
CLASS="varname"
>cnexact</CODE
></DT
><DD
><P
>&#13;The cnexact directive forces a failure on authentication if the CN 
field of the server's certificate does not exactly match the cncheck 
option in the specified Network/EAP configuration.  Set this to "no" 
to only match the end of the string, which is useful in a situation 
where there might be multiple authentication servers for your organization.
</P
><P
>&#13;For example, a "cncheck = utah.edu" with a "cnexact = no" would match on 
"foo.utah.edu" and "bar.utah.edu", which might be separate servers on 
a campus utilizing 802.1X.  Because this is described as a plain end-of-string 
comparison, it would equally match a CN such as "notutah.edu", so leave 
cnexact at "yes" unless you need the suffix behaviour, and rely on it only 
with a CA (root_cert) that does not issue certificates to outside parties.
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN612"
></A
><P
><B
>Example 5-14. Common EAP Option "cnexact"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;cnexact = yes
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="crl_dir"
></A
><CODE
CLASS="varname"
>crl_dir</CODE
></DT
><DD
><P
>&#13;The crl_dir option is used to specify a directory containing 
certificate revocation lists.  This option can be used in EAP types that use 
either one or both of client or server certificates (TLS, PEAP, TTLS).
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN622"
></A
><P
><B
>Example 5-15. Common EAP Option "crl_dir"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;crl_dir = /home/user/certificates/revoked
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="password"
></A
><CODE
CLASS="varname"
>password</CODE
></DT
><DD
><P
>&#13;The password directive is used in EAP types that require a password 
for authentication.  The value is stored in clear text in the configuration 
file, so restrict the file's permissions to the account xsupplicant runs as, 
and strip it before sharing the file or debug output (see the Troubleshooting 
chapter).
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN632"
></A
><P
><B
>Example 5-16. Common EAP Option "password"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;password = password
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="random_file"
></A
><CODE
CLASS="varname"
>random_file</CODE
></DT
><DD
><P
>&#13;This option is used to specify the random file used to grab random 
data used during certificate based authentication methods.  

Use this option in EAP types that use either one or both of 
client or server certificates (TLS, PEAP, TTLS).
</P
><P
>&#13;This option is typically /dev/urandom, but may be different depending on 
the operating system you are using.  You should probably not use /dev/random, 
since it blocks and can slow authentication down.  In most cases, leaving this
blank is the best choice.
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN643"
></A
><P
><B
>Example 5-17. Common EAP Option "random_file"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;random_file = /dev/urandom
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="root_cert"
></A
><CODE
CLASS="varname"
>root_cert</CODE
></DT
><DD
><P
>&#13;The root_cert option is used to specify the path to the CA public certificate 
which signed one or both of your server and client certificates.  
The root_cert option is used in EAP types that use either one or both of 
client or server certificates (TLS, PEAP, TTLS).
</P
><P
>&#13;This certificate is used to verify, on the client side, that the server's 
certificate was signed by the appropriate certificate authority, and on the 
server side, to verify that the user certificate was signed by the proper 
certificate authority.  This certificate should be the same for both client 
and server, since it is simply the public key for the certificate authority 
that signed the client and server certificates.
</P
><P
>&#13;You can specify a value of "NONE" to prevent xsupplicant from verifying the 
server certificate, but this is *HIGHLY* frowned upon.  With verification 
disabled, any device that answers the EAP exchange with any certificate is 
accepted as your authentication server, and whatever the inner method sends 
(for example a PAP password) is handed to it.  This is a very easy to execute 
man-in-the-middle attack that could compromise your username and password.  
Consider yourself warned!
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN655"
></A
><P
><B
>Example 5-18. Common EAP Option "root_cert"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;root_cert = /home/user/certificates/root_cert.pem
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="root_dir"
></A
><CODE
CLASS="varname"
>root_dir</CODE
></DT
><DD
><P
>&#13;The root_dir option is used to specify a path to a directory containing root 
certificates.  This can be used to force Xsupplicant to allow any combination 
of root certificates in a given directory to help simplify configuration.  
This option can be used instead of the root_cert directive in EAP types that 
use either one or both of client or server certificates (TLS, PEAP, TTLS).  
Every CA certificate placed in the directory becomes able to vouch for the 
authentication server, so keep the directory to the CA(s) you actually trust 
for this network (not a general system CA bundle), protect it from 
modification, and combine it with cncheck.
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN665"
></A
><P
><B
>Example 5-19. Common EAP Option "root_dir"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;root_dir = /home/user/certificates
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="session_resume"
></A
><CODE
CLASS="varname"
>session_resume</CODE
></DT
><DD
><P
>&#13;The session_resume directive is used to specify whether or not 
to attempt to initiate "TLS Session Resumption" (Also called "Fast Reconnect") 
when re-authenticating with a server.
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN675"
></A
><P
><B
>Example 5-20. Common EAP Option "session_resume"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;session_resume = yes
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="username"
></A
><CODE
CLASS="varname"
>username</CODE
></DT
><DD
><P
>&#13;The username option is used in EAP types that require a username for 
authentication.  If your username contains any characters other than A through 
Z and 0 through 9, you should enclose it in quotes.
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN685"
></A
><P
><B
>Example 5-21. Common EAP Option "username"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;username = myid@mynet.net
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="user_cert"
></A
><CODE
CLASS="varname"
>user_cert</CODE
></DT
><DD
><P
>&#13;This option, which is required for TLS, specifies the path to the user 
certificate used for TLS authentication.  A user certificate in TLS 
is similar to a username in password-based authentication mechanisms.

</P
><P
>&#13;User certificates can also be used with PEAP and TTLS, but are not 
required, and most people will not need this functionality.
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN696"
></A
><P
><B
>Example 5-22. Common EAP Option "user_cert"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;user_cert = /home/user/certificates/user-cert.pem
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="user_key"
></A
><CODE
CLASS="varname"
>user_key</CODE
></DT
><DD
><P
>&#13;This option is the path to the private key matching the user_cert file.  
The key file should be readable only by the account xsupplicant runs as; 
anyone who can read it (and user_key_pass) can authenticate as this user.

</P
><P
>&#13;As with user_cert, this option is required for TLS and can be 
used with TTLS or PEAP if using a user certificate for authentication.
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN707"
></A
><P
><B
>Example 5-23. Common EAP Option "user_key"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;user_key = /home/user/certificates/user-key.pem
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="user_key_pass"
></A
><CODE
CLASS="varname"
>user_key_pass</CODE
></DT
><DD
><P
>&#13;This is the password for the user_key.  If it contains any characters other
than A through Z and 0 through 9, it should be enclosed in quotes.  Like 
password, it is stored in clear text, so the configuration file must be 
protected accordingly.
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN717"
></A
><P
><B
>Example 5-24. Common EAP Option "user_key_pass"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;user_key_pass = password
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="proper_peap_v1_keying"
></A
><CODE
CLASS="varname"
>proper_peap_v1_keying</CODE
></DT
><DD
><P
>&#13;This option will force Xsupplicant to use the proper string constant for
PEAPv1 authentication.  Most authentication servers use the string constant
from PEAPv0.
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN727"
></A
><P
><B
>Example 5-25. Common EAP Option "proper_peap_v1_keying"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;proper_peap_v1_keying = no
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="inner_id"
></A
><CODE
CLASS="varname"
>inner_id</CODE
></DT
><DD
><P
>&#13;This is the identity value that will be sent to the server inside of the PEAP
phase 1 tunnel.  Unlike identity (the outer identity), it is protected by the 
TLS tunnel, so this is where the real username belongs.
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN737"
></A
><P
><B
>Example 5-26. Common EAP Option "inner_id"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;inner_id = "myid@mynet.net"
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
></DL
></DIV
>

</P
></DIV
><DIV
CLASS="section"
><HR><H4
CLASS="section"
><A
NAME="eap-aka"
>5.4.3.2. EAP-AKA</A
></H4
><P
>&#13;EAP-AKA allows the following options: 
<A
HREF="#username"
>username</A
>, 
<A
HREF="#password"
>password</A
>, 
<A
HREF="#auto_realm"
>auto_realm</A
>.
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN748"
></A
><P
><B
>Example 5-27. Example EAP-AKA Configuration</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;logfile = /var/log/xsupplicant.log

default {
  allow_types = eap-aka

  identity = "myid@mynet.net"

  eap-aka {
      username = akauser
      password = "akauserpass!"
      auto_realm = yes
  }
}
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
></DIV
><DIV
CLASS="section"
><HR><H4
CLASS="section"
><A
NAME="eap-gtc"
>5.4.3.3. EAP-GTC</A
></H4
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN754"
></A
><P
><B
>Example 5-28. Example EAP-GTC Configuration</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;logfile = /var/log/xsupplicant.log

default {
  allow_types = eap-gtc

  identity = "myid@mynet.net"

  eap-gtc {
      
  }
}
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DIV
><DIV
CLASS="section"
><HR><H4
CLASS="section"
><A
NAME="eap-md5"
>5.4.3.4. EAP-MD5</A
></H4
><P
>&#13;EAP-MD5 allows the following option(s): 
<A
HREF="#password"
>password</A
>.
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN763"
></A
><P
><B
>Example 5-29. Example EAP-MD5 Configuration</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;logfile = /var/log/xsupplicant.log

default {
  allow_types = eap-md5

  identity = "myid@mynet.net"

  eap-md5 {
      password = password
  }
}
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DIV
><DIV
CLASS="section"
><HR><H4
CLASS="section"
><A
NAME="eap-mschapv2"
>5.4.3.5. EAP-MSCHAPv2</A
></H4
><P
>&#13;Valid eap-mschapv2 options are: 
<A
HREF="#username"
>username</A
> (only needed when using mschapv2 as a phase 2 type), 
<A
HREF="#password"
>password</A
>.
</P
><P
>&#13;eap-mschapv2 can also be defined as a sub-option inside of a PEAP profile. 
See the <A
HREF="#peap"
>PEAP</A
> section for an example.  
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN775"
></A
><P
><B
>Example 5-30. Example EAP-MSCHAPv2 Configuration</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;logfile=/var/log/xsupplicant.log

default {
  allow_types = eap-mschapv2

  identity = "myid@mynet.net"
  
  eap-mschapv2 {      
      password = password
  }
}
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DIV
><DIV
CLASS="section"
><HR><H4
CLASS="section"
><A
NAME="eap-otp"
>5.4.3.6. EAP-OTP</A
></H4
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN782"
></A
><P
><B
>Example 5-31. Example EAP-OTP Configuration</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;logfile = /var/log/xsupplicant.log

default {
  allow_types = eap-otp

  identity = "myid@mynet.net"

  eap-otp {
       
  }
}
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
></DIV
><DIV
CLASS="section"
><HR><H4
CLASS="section"
><A
NAME="eap-sim"
>5.4.3.7. EAP-SIM</A
></H4
><P
>&#13;EAP-SIM allows the following options: 
<A
HREF="#username"
>username</A
>, 
<A
HREF="#password"
>password</A
>, 
<A
HREF="#auto_realm"
>auto_realm</A
>.
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN792"
></A
><P
><B
>Example 5-32. Example EAP-SIM Configuration</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;logfile = /var/log/xsupplicant.log

default {
  allow_types = eap-sim

  identity = "myid@mynet.net"

  eap-sim {
      username = simuser
      password = "simuserpass!"
      auto_realm = yes
  }
}
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><DIV
CLASS="section"
><HR><H5
CLASS="section"
><A
NAME="AEN795"
>5.4.3.7.1. EAP-SIM Specific Options</A
></H5
><P
>&#13;The following list defines options specific to "eap-sim":
</P
><P
></P
><DIV
CLASS="variablelist"
><DL
><DT
><A
NAME="auto_realm"
></A
><CODE
CLASS="varname"
>auto_realm</CODE
></DT
><DD
><P
>&#13;The auto_realm option determines whether or not your realm will be 
automatically appended to your username on authentication, or whether the 
user will do this manually in the xsupplicant configuration.  This option 
is fairly dependent on how your service is set up, so check with your provider 
to see if this option should be enabled.
</P
><P
>&#13;Valid auto_realm options are: yes, no.
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN806"
></A
><P
><B
>Example 5-33. EAP-SIM Option "auto_realm"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;auto_realm = yes
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
></DD
></DL
></DIV
></DIV
></DIV
><DIV
CLASS="section"
><HR><H4
CLASS="section"
><A
NAME="peap"
>5.4.3.8. PEAP</A
></H4
><P
>&#13;Valid options for PEAP are: 
<A
HREF="#chunk_size"
>chunk_size</A
>, 
<A
HREF="#cncheck"
>cncheck</A
>, 
<A
HREF="#cnexact"
>cnexact</A
>, 
<A
HREF="#crl_dir"
>crl_dir</A
>, 
<A
HREF="#random_file"
>random_file</A
>, 
<A
HREF="#root_cert"
>root_cert</A
>, 
<A
HREF="#root_dir"
>root_dir</A
>, 
<A
HREF="#session_resume"
>session_resume</A
>, 
<A
HREF="#user_cert"
>user_cert</A
>, 
<A
HREF="#user_key"
>user_key</A
>, 
<A
HREF="#user_key_pass"
>user_key_pass</A
>, 
<A
HREF="#proper_peap_v1_keying"
>proper_peap_v1_keying</A
>,
<A
HREF="#inner_id"
>inner_id</A
>

</P
><P
>&#13;PEAP currently requires <A
HREF="#eap-mschapv2"
>eap-mschapv2</A
> as a 
sub-option.  Future versions of xsupplicant may include support for other 
embedded EAP-types such as eap-gtc.  In addition, the 
"<A
HREF="#inner_id"
>inner_id</A
>" directive is 
required for inner-eap types used with PEAP.  
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN829"
></A
><P
><B
>Example 5-34. Example PEAP Configuration</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;logfile = /var/log/xsupplicant.log

default {

  allow_types = all

  identity = "myid@mynet.net"

  eap-peap {
      inner_id = "myid@mynet.net"
      root_cert = /home/user/certificates/root.pem
      chunk_size = 1398
      random_file = /dev/urandom
      cncheck = radiusserver.mynet.net         
      cnexact = yes
      session_resume = no
      proper_peap_v1_keying = no

      eap-mschapv2 {
        password = password
      }
  }
}
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
></DIV
><DIV
CLASS="section"
><HR><H4
CLASS="section"
><A
NAME="eap-tls"
>5.4.3.9. EAP-TLS</A
></H4
><P
>&#13;Valid options for EAP-TLS are: 
<A
HREF="#chunk_size"
>chunk_size</A
>, 


<A
HREF="#crl_dir"
>crl_dir</A
>, 
<A
HREF="#random_file"
>random_file</A
>, 
<A
HREF="#root_cert"
>root_cert</A
>, 
<A
HREF="#root_dir"
>root_dir</A
>, 
<A
HREF="#session_resume"
>session_resume</A
>, 
<A
HREF="#user_cert"
>user_cert</A
>, 
<A
HREF="#user_key"
>user_key</A
>, 
<A
HREF="#user_key_pass"
>user_key_pass</A
>, 
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN845"
></A
><P
><B
>Example 5-35. Example EAP-TLS Configuration</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;logfile = /var/log/xsupplicant.log

default {

  allow_types = all

  identity = "myid@mynet.net"

  eap_tls {
     user_cert = /home/user/certificates/user-cert.pem
     user_key  = /home/user/certificates/user-key.pem
     user_key_pass = password
     root_cert = /home/user/certificates/root.pem
     crl_dir = /home/user/certificates/revoked


     chunk_size = 1398
     random_file = /dev/urandom
     session_resume = no
  }
}
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
></DIV
><DIV
CLASS="section"
><HR><H4
CLASS="section"
><A
NAME="eap-ttls"
>5.4.3.10. EAP-TTLS</A
></H4
><P
>&#13;Valid options for EAP-TTLS are: 
<A
HREF="#chunk_size"
>chunk_size</A
>, 
<A
HREF="#cncheck"
>cncheck</A
>, 
<A
HREF="#cnexact"
>cnexact</A
>, 
<A
HREF="#crl_dir"
>crl_dir</A
>, 
<A
HREF="#random_file"
>random_file</A
>, 
<A
HREF="#root_cert"
>root_cert</A
>, 
<A
HREF="#root_dir"
>root_dir</A
>, 
<A
HREF="#session_resume"
>session_resume</A
>, 
<A
HREF="#user_cert"
>user_cert</A
>, 
<A
HREF="#user_key"
>user_key</A
>, 
<A
HREF="#user_key_pass"
>user_key_pass</A
>, 
<A
HREF="#phase2_type"
>phase2_type</A
> 

</P
><P
>&#13;EAP-TTLS may also have one or more sub-options: 
<A
HREF="#chap"
>chap</A
>, 
<A
HREF="#mschap"
>mschap</A
>, 
<A
HREF="#mschapv2"
>mschapv2</A
>, 
<A
HREF="#pap"
>pap</A
>.

</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN869"
></A
><P
><B
>Example 5-36. Example EAP-TTLS Configuration</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;logfile = /var/log/xsupplicant.log

default {
  allow_types = eap-ttls

  identity = "myid@mynet.net"

  eap-ttls {
      root_cert = /home/user/certificates/root.pem
      chunk_size = 1398
      random_file = /dev/urandom
      cncheck = myradius.radius.com          
      cnexact = no                          
      session_resume = no
      phase2_type = pap

      pap {
        username = "myid@mynet.net"
        password = password
      }
  }
}
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><DIV
CLASS="section"
><HR><H5
CLASS="section"
><A
NAME="AEN872"
>5.4.3.10.1. EAP-TTLS Specific Option(s)</A
></H5
><P
>&#13;The following list defines options specific to "eap-ttls":
</P
><P
></P
><DIV
CLASS="variablelist"
><DL
><DT
><A
NAME="phase2_type"
></A
><CODE
CLASS="varname"
>phase2_type</CODE
></DT
><DD
><P
>&#13;The phase2_type directive specifies which phase2 type to use when 
authenticating with TTLS.
</P
><P
>&#13;Valid phase 2 types are: 
<A
HREF="#chap"
>chap</A
>, 
<A
HREF="#mschap"
>mschap</A
>, 
<A
HREF="#mschapv2"
>mschapv2</A
>,
<A
HREF="#pap"
>pap</A
>.
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN887"
></A
><P
><B
>Example 5-37. EAP-TTLS Option "phase2_type"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;phase2_type = pap
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="chap"
></A
><CODE
CLASS="varname"
>chap</CODE
></DT
><DD
><P
>&#13;Use this option in TTLS to specify a username and password for 
a CHAP authentication.  
</P
><P
>&#13;Most people will probably want to use PAP with TTLS, however.
</P
><P
>&#13;Valid chap options are:
<A
HREF="#username"
>username</A
>,
<A
HREF="#password"
>password</A
>,  
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN901"
></A
><P
><B
>Example 5-38. EAP-TTLS Option "chap"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;      chap {
        username = "myid@mynet.net"
        password = password
      }
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="mschap"
></A
><CODE
CLASS="varname"
>mschap</CODE
></DT
><DD
><P
>&#13;Use this option in TTLS to specify a username and password for 
an MSCHAP authentication.  
</P
><P
>&#13;Most people will probably want to use PAP with TTLS, however.
</P
><P
>&#13;Valid mschap options are:
<A
HREF="#username"
>username</A
>,
<A
HREF="#password"
>password</A
>,  
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN915"
></A
><P
><B
>Example 5-39. EAP-TTLS Option "mschap"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;      mschap {
        username = "myid@mynet.net"
        password = password
      }
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="mschapv2"
></A
><CODE
CLASS="varname"
>mschapv2</CODE
></DT
><DD
><P
>&#13;Use this option in TTLS to specify a username and password for 
an MSCHAPv2 authentication.  This option is different than <A
HREF="#eap-mschapv2"
>eap-mschapv2</A
>.
</P
><P
>&#13;Most people will probably want to use PAP with TTLS, however.
</P
><P
>&#13;Valid mschapv2 options are:
<A
HREF="#username"
>username</A
>,
<A
HREF="#password"
>password</A
>,  
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN930"
></A
><P
><B
>Example 5-40. EAP-TTLS Option "mschapv2"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;      mschapv2 {
        username = "myid@mynet.net"
        password = password
      }
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
><DT
><A
NAME="pap"
></A
><CODE
CLASS="varname"
>pap</CODE
></DT
><DD
><P
>&#13;Use this option in TTLS to specify a username and password for 
a PAP authentication.  PAP carries the password itself (rather than a 
challenge response) inside the TTLS tunnel, so the server certificate check 
(root_cert and cncheck) is all that protects it from a rogue server.
</P
><P
>&#13;Most people will probably want to use this option when authenticating 
with TTLS.
</P
><P
>&#13;Valid pap options are:
<A
HREF="#username"
>username</A
>,
<A
HREF="#password"
>password</A
>,  
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN944"
></A
><P
><B
>Example 5-41. EAP-TTLS Option "pap"</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;      pap {
        username = "myid@mynet.net"
        password = password
      }
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
></P
></DD
></DL
></DIV
></DIV
></DIV
><DIV
CLASS="section"
><HR><H4
CLASS="section"
><A
NAME="leap"
>5.4.3.11. LEAP</A
></H4
><P
>&#13;Valid options for LEAP are: 
<A
HREF="#password"
>password</A
>
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN953"
></A
><P
><B
>Example 5-42. Example LEAP Configuration</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;logfile = /var/log/xsupplicant.log

default {
  allow_types = leap

  identity = "myid@mynet.net"

  leap {
      password = password
  }
}
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
></DIV
></DIV
><DIV
CLASS="section"
><HR><H3
CLASS="section"
><A
NAME="AEN956"
>5.4.4. User Config File</A
></H3
><P
>&#13;We hope to provide the ability to specify both a global configuration file 
and a more specific user configuration file capability in a future release of 
xsupplicant.
</P
></DIV
><DIV
CLASS="section"
><HR><H3
CLASS="section"
><A
NAME="AEN959"
>5.4.5. Using a GUI for Configuration</A
></H3
><P
>&#13;The current version of Xsupplicant does not provide a mechanism to configure 
itself from a Graphical User Interface, except for providing a password.  
We hope to provide such tools in the future.  Fortunately, the 1.0 config 
file format is much easier to read 
than older versions.  
</P
><P
>&#13;If you have the QT development tools installed, you can compile and use the 
qt-gremlin or xsup_monitor programs provided with Xsupplicant for 
real-time password prompting in X11.  We hope to extend this tool so it can 
also display EAP-Notifications as well.
</P
></DIV
></DIV
></DIV
><DIV
CLASS="chapter"
><HR><H1
><A
NAME="ch6"
></A
>Chapter 6. Advanced Usage</H1
><P
>&#13;This chapter is intended to provide examples for making xsupplicant easier to 
use.
</P
></DIV
><DIV
CLASS="chapter"
><HR><H1
><A
NAME="ch7"
></A
>Chapter 7. Troubleshooting</H1
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="AEN968"
>7.1. A Guide to Troubleshooting</A
></H2
><P
>&#13;If you experience any problems with xsupplicant, please use the following 
guide to troubleshoot your issues:

<P
></P
><UL
><LI
><P
>&#13;Send us a debug output of xsupplicant, and any relevant xsupplicant options.
</P
></LI
><LI
><P
>&#13;Tell us what card driver you are using, including revision (which can usually 
be found with dmesg)!
</P
></LI
><LI
><P
>&#13;Send us a gdb backtrace, if possible.
</P
></LI
><LI
><P
>&#13;Send us a copy of your configuration file.
</P
></LI
><LI
><P
>&#13;Please make sure you *DO NOT* include passwords (including user_key_pass and 
any inner-method password) in your configuration file, or in your -d 7 output.  
</P
></LI
></UL
>
</P
><P
>&#13;Run xsupplicant in debug mode by using the "-d 7" and "-f" switches and gather 
the output.  If xsupplicant is segfaulting, run it in gdb, if possible, and 
provide a backtrace:
</P
><P
>&#13;<DIV
CLASS="example"
><A
NAME="AEN984"
></A
><P
><B
>Example 7-1. Getting a GDB Backtrace</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>&#13;gdb xsupplicant
(gdb) set args (any args you normally use)
(gdb) run
(gdb) backtrace (after segfault)
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
>
</P
><P
>&#13;This will help us find the problem more easily.
</P
><P
>&#13;Send us a copy of your configuration (but please remove the passwords first).
</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN989"
>7.2. Known Problems</A
></H2
><P
>&#13;The following is a summary of the known issues with this version of 
xsupplicant.
<P
></P
><UL
><LI
><P
>&#13;The supplicant may get confused on wired ports that are set up to allow 
more than one client per port.
</P
></LI
><LI
><P
>&#13;Cisco 340/350 cards do not work correctly with Xsupplicant 1.0.  This appears 
to be due to the driver (or firmware?) hijacking the 0x888e (EAPOL) frames, which 
makes 802.1X authentication impossible.
</P
><P
>&#13;UPDATE: We have been successful getting a Cisco 350 card to work with the 
built-in Linux 2.6.7 Aironet driver.
</P
></LI
></UL
>

</P
></DIV
></DIV
><DIV
CLASS="appendix"
><HR><H1
><A
NAME="ap1"
></A
>Appendix A. Setup for Authenticators and RADIUS Servers</H1
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="AEN1000"
>A.1. Authenticators</A
></H2
><DIV
CLASS="section"
><H3
CLASS="section"
><A
NAME="AEN1002"
>A.1.1. Open Source Authenticator Projects</A
></H3
><P
>&#13;
<P
></P
><UL
><LI
><P
>&#13;HostAP (<A
HREF="http://hostap.epitest.fi/"
TARGET="_top"
>http://hostap.epitest.fi/</A
>)
</P
></LI
><LI
><P
>&#13;Rose (<A
HREF="http://www.rosewlan.com/"
TARGET="_top"
>http://www.rosewlan.com/</A
>)
</P
></LI
></UL
>

</P
></DIV
><DIV
CLASS="section"
><HR><H3
CLASS="section"
><A
NAME="AEN1012"
>A.1.2. Commercial Authenticators</A
></H3
><P
>&#13;<P
></P
><UL
><LI
><P
></P
></LI
></UL
>

</P
><P
>This is not a complete setup guide for all APs on the market; instead, it offers
some comments on how to set up the more common APs to work with Open1x, and
provides pointers to more complete setup &#38; configuration guides.</P
></DIV
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN1019"
>A.2. Authentication Servers</A
></H2
><DIV
CLASS="section"
><H3
CLASS="section"
><A
NAME="AEN1021"
>A.2.1. Open Source Authentication Servers</A
></H3
><P
>&#13;See the Authentication Server Compatibility Matrix for a complete list of 
supported EAP types.
</P
><P
></P
><UL
><LI
><P
>FreeRADIUS</P
></LI
></UL
></DIV
><DIV
CLASS="section"
><HR><H3
CLASS="section"
><A
NAME="AEN1027"
>A.2.2. Commercial Authentication Servers</A
></H3
><P
>&#13;See the Authentication Server Compatibility Matrix for a complete list of 
supported EAP types.
</P
><P
></P
><UL
><LI
><P
>Cisco ACS</P
></LI
><LI
><P
>Funk SBR</P
></LI
><LI
><P
>Infoblox</P
></LI
><LI
><P
>Meetinghouse AEGIS</P
></LI
><LI
><P
>Microsoft IAS</P
></LI
><LI
><P
>Radiator (Source Code Included with Purchase)</P
></LI
><LI
><P
>Roving Planet CSD (Based on FreeRADIUS)</P
></LI
></UL
></DIV
></DIV
></DIV
><DIV
CLASS="appendix"
><HR><H1
><A
NAME="ap2"
></A
>Appendix B. Links to Related Resources</H1
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="AEN1047"
>B.1. Companies that Support Open1x</A
></H2
><P
>&#13;The following entities have donated hardware/software to the Open1x project:
</P
><P
>&#13;Contributions are listed in the order they were received.
</P
><P
>&#13;The companies listed below do not endorse Open1x.


<P
></P
><UL
><LI
><P
>Proactive Network Management &#38; Proxim
<P
></P
><UL
><LI
><P
>&#13;        ORiNOCO AP-600 (802.11b/g)
        </P
></LI
><LI
><P
>&#13;	    <A
HREF="http://www.pnmc.com/"
TARGET="_top"
>http://www.pnmc.com/</A
>
	</P
></LI
><LI
><P
>&#13;	    <A
HREF="http://www.proxim.com/"
TARGET="_top"
>http://www.proxim.com/</A
>
	</P
></LI
></UL
></P
></LI
><LI
><P
>Radiator
<P
></P
><UL
><LI
><P
>&#13;	    Many bug fixes and added features, delivered in a very timely manner.
	</P
></LI
><LI
><P
>&#13;	    <A
HREF="http://www.open.com.au/"
TARGET="_top"
>http://www.open.com.au/</A
>
	</P
></LI
></UL
></P
></LI
><LI
><P
>Hewlett-Packard
<P
></P
><UL
><LI
><P
>&#13;	    HP Procurve 420 AP (802.11b/g)
	</P
></LI
><LI
><P
>&#13;	    <A
HREF="http://www.hp.com/"
TARGET="_top"
>http://www.hp.com/</A
>
	</P
></LI
></UL
></P
></LI
><LI
><P
>3Com
<P
></P
><UL
><LI
><P
>&#13;	    3Com 8200 AP &#38; 802.11a/b/g Wireless Card (3CRPAG175)
	</P
></LI
><LI
><P
>&#13;	    <A
HREF="http://www.3com.com/"
TARGET="_top"
>http://www.3com.com/</A
>
	</P
></LI
></UL
></P
></LI
><LI
><P
>University of Utah Center for High Performance Computing
<P
></P
><UL
><LI
><P
>&#13;	    Funding for the Networld + Interop HotStage 2004
	</P
></LI
><LI
><P
>&#13;	    <A
HREF="http://www.chpc.utah.edu/"
TARGET="_top"
>http://www.chpc.utah.edu/</A
>
	</P
></LI
></UL
></P
></LI
><LI
><P
>Cisco Systems
<P
></P
><UL
><LI
><P
>&#13;	    Cisco 1200 AP (802.11b/g)
	</P
></LI
><LI
><P
>&#13;	    <A
HREF="http://www.cisco.com/"
TARGET="_top"
>http://www.cisco.com/</A
>
	</P
></LI
></UL
></P
></LI
><LI
><P
>Brad Midgley
<P
></P
><UL
><LI
><P
>&#13;	    Many different types of Mini-PCI wireless cards.
	</P
></LI
><LI
><P
>&#13;	    <A
HREF=""
TARGET="_top"
></A
>
	</P
></LI
></UL
></P
></LI
></UL
>

</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN1112"
>B.2. 802.1X Related Open Source Projects</A
></H2
><P
>&#13;<A
HREF="http://wire.cs.nthu.edu.tw/wire1x/"
TARGET="_top"
>Wire1x</A
> - 
An Open Source xsupplicant port for Windows.
</P
><P
>&#13;<A
HREF="http://weap.sourceforge.net/"
TARGET="_top"
>wEAP</A
> - 
An Open Source project for Windows EAP Plugins.
</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN1118"
>B.3. 802.1X related proprietary projects</A
></H2
><P
>&#13;</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN1121"
>B.4. Standards</A
></H2
><P
>&#13;<A
HREF="http://grouper.ieee.org/groups/802/11/"
TARGET="_top"
>&#13;The 802.11 Specification
</A
> [ieee.org]
</P
><P
>&#13;<A
HREF="http://www.wirelessethernet.com/"
TARGET="_top"
>&#13;Wireless Ethernet
</A
> [wirelessethernet.com]
</P
><P
>&#13;<A
HREF="http://grouper.ieee.org/groups/802/dots.html"
TARGET="_top"
>&#13;IEEE Working Groups
</A
> [ieee.org]
</P
><P
>&#13;<A
HREF="http://grouper.ieee.org/groups/802/11/index.html"
TARGET="_top"
>&#13;IEEE 802.11b Specification
</A
> [ieee.org]
</P
><P
>&#13;<A
HREF="http://www.ieee802.org/1/pages/802.1x.html"
TARGET="_top"
>&#13;IEEE 802.1X
</A
> [ieee.org]
</P
><P
>&#13;<A
HREF="http://www.open1x.org/papers/draft-congdon-radius-8021x-10.txt"
TARGET="_top"
>&#13;RADIUS with IEEE 802.1X
</A
> [local]
</P
><P
>&#13;<A
HREF="http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/"
TARGET="_top"
>&#13;Wireless LAN Resources for Linux
</A
> [hpl.hp.com]
</P
></DIV
><DIV
CLASS="section"
><HR><H2
CLASS="section"
><A
NAME="AEN1137"
>B.5. Other Resources</A
></H2
><DIV
CLASS="section"
><H3
CLASS="section"
><A
NAME="AEN1139"
>B.5.1. Howtos</A
></H3
><P
>&#13;<A
HREF="http://www.cs.umd.edu/~npetroni/airo.html"
TARGET="_top"
>&#13;Sniffing a wireless network with a Cisco WLAN card.
</A
> [umd.edu]
</P
><P
>&#13;<A
HREF="http://www.cs.umd.edu/~mvanopst/8021x/howto/"
TARGET="_top"
>&#13;Setting up 802.1X using a WinXP client and a Win2K Radius server.
</A
> [umd.edu]
</P
><P
>&#13;<A
HREF="http://www.missl.cs.umd.edu/wireless/eaptls/"
TARGET="_top"
>&#13;Setting up 802.1X using Xsupplicant and FreeRADIUS
</A
> [umd.edu]
</P
><P
>&#13;<A
HREF="http://www.oreillynet.com/pub/wlg/4602"
TARGET="_top"
>&#13;Using the Orinoco (Hermes) card with Xsupplicant.
</A
> [oreillynet.com]
</P
></DIV
><DIV
CLASS="section"
><HR><H3
CLASS="section"
><A
NAME="AEN1149"
>B.5.2. Related Links</A
></H3
><P
>&#13;<A
HREF="http://www.missl.cs.umd.edu/wireless/ethereal/"
TARGET="_top"
>&#13;Ethereal Patches for 802.1X Decoding
</A
> [umd.edu]
</P
><P
>&#13;<A
HREF="http://www.microsoft.com/presspass/press/2001/Mar01/03-26XPWirelessPR.asp"
TARGET="_top"
>&#13;Support for 802.1X in WinXP
</A
> [microsoft.com]
</P
><P
>&#13;<A
HREF="http://wireless.utah.edu/"
TARGET="_top"
>&#13;The University of Utah 802.1X Wireless Website
</A
> [utah.edu]
</P
></DIV
></DIV
></DIV
></DIV
></BODY
></HTML
>