<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <HTML ><HEAD ><TITLE >Open1x User's Guide</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.79"></HEAD ><BODY CLASS="book" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="BOOK" ><A NAME="AEN1" ></A ><DIV CLASS="TITLEPAGE" ><H1 CLASS="title" ><A NAME="AEN1" >Open1x User's Guide</A ></H1 ><H3 CLASS="author" ><A NAME="AEN5" ></A >Chris Hessing</H3 ><H3 CLASS="author" ><A NAME="AEN8" ></A >Nick Petroni</H3 ><H3 CLASS="author" ><A NAME="AEN11" ></A >Bryan Payne</H3 ><H3 CLASS="author" ><A NAME="AEN14" ></A >Terry Simons</H3 ><HR></DIV ><DIV CLASS="TOC" ><DL ><DT ><B >Table of Contents</B ></DT ><DT >1. <A HREF="#ch1" >About Open1x And This Guide</A ></DT ><DD ><DL ><DT >1.1. <A HREF="#AEN19" >General Overview</A ></DT ><DT >1.2. <A HREF="#AEN25" >Do I Need Open1x?</A ></DT ><DT >1.3. <A HREF="#AEN28" >Supplicant versus Authenticator</A ></DT ><DT >1.4. <A HREF="#AEN31" >Purpose Of This Guide</A ></DT ></DL ></DD ><DT >2. <A HREF="#ch2" >Supported Platforms</A ></DT ><DD ><DL ><DT >2.1. <A HREF="#AEN36" >About Xsupplicant</A ></DT ><DT >2.2. <A HREF="#AEN42" >EAP Support</A ></DT ><DT >2.3. <A HREF="#AEN82" >Authentication Server Compatibility Matrix</A ></DT ><DT >2.4. <A HREF="#AEN242" >Supplicants</A ></DT ></DL ></DD ><DT >3. <A HREF="#ch3" >Getting The Software</A ></DT ><DD ><DL ><DT >3.1. <A HREF="#AEN354" >Download Stable Releases</A ></DT ><DT >3.2. <A HREF="#AEN358" >Pre-Packaged Releases for Some Distributions</A ></DT ><DT >3.3. <A HREF="#AEN361" >CVS</A ></DT ></DL ></DD ><DT >4. <A HREF="#ch4" >Installation</A ></DT ><DD ><DL ><DT >4.1. <A HREF="#AEN369" >Prerequisites</A ></DT ><DT >4.2. <A HREF="#AEN379" >Quick Start Guide</A ></DT ><DT >4.3. <A HREF="#AEN385" >Running the Configure Script</A ></DT ><DT >4.4. <A HREF="#AEN398" >When Things go Wrong.</A ></DT ></DL ></DD ><DT >5. 
<A HREF="#ch5" >Configuration</A ></DT ><DD ><DL ><DT >5.1. <A HREF="#AEN410" >Overview</A ></DT ><DT >5.2. <A HREF="#AEN413" >Commandline Options</A ></DT ><DT >5.3. <A HREF="#AEN448" >System Wide Config File</A ></DT ><DT >5.4. <A HREF="#AEN451" >Global Configuration Options</A ></DT ></DL ></DD ><DT >6. <A HREF="#ch6" >Advanced Usage</A ></DT ><DT >7. <A HREF="#ch7" >Troubleshooting</A ></DT ><DD ><DL ><DT >7.1. <A HREF="#AEN968" >A Guide to Troubleshooting</A ></DT ><DT >7.2. <A HREF="#AEN989" >Known Problems</A ></DT ></DL ></DD ><DT >A. <A HREF="#ap1" >Setup for Authenticators and RADIUS Servers</A ></DT ><DD ><DL ><DT >A.1. <A HREF="#AEN1000" >Authenticators</A ></DT ><DT >A.2. <A HREF="#AEN1019" >Authentication Servers</A ></DT ></DL ></DD ><DT >B. <A HREF="#ap2" >Links to Related Resources</A ></DT ><DD ><DL ><DT >B.1. <A HREF="#AEN1047" >Companies that Support Open1x</A ></DT ><DT >B.2. <A HREF="#AEN1112" >802.1X Related Open Source Projects</A ></DT ><DT >B.3. <A HREF="#AEN1118" >802.1X related proprietary projects</A ></DT ><DT >B.4. <A HREF="#AEN1121" >Standards</A ></DT ><DT >B.5. <A HREF="#AEN1137" >Other Resources</A ></DT ></DL ></DD ></DL ></DIV ><DIV CLASS="LOT" ><DL CLASS="LOT" ><DT ><B >List of Tables</B ></DT ><DT >2-1. <A HREF="#AEN87" >Supported Authentication Servers</A ></DT ><DT >2-2. <A HREF="#AEN245" >Supplicant Support Matrix</A ></DT ></DL ></DIV ><DIV CLASS="LOT" ><DL CLASS="LOT" ><DT ><B >List of Examples</B ></DT ><DT >5-1. <A HREF="#AEN464" >Global Option "default_netname"</A ></DT ><DT >5-2. <A HREF="#AEN473" >Global Option "logfile"</A ></DT ><DT >5-3. <A HREF="#AEN482" >Global Option "log_facility"</A ></DT ><DT >5-4. <A HREF="#AEN491" >Global Option "allmulti"</A ></DT ><DT >5-5. <A HREF="#AEN500" >Global Option "destination"</A ></DT ><DT >5-6. <A HREF="#AEN509" >Global Option "network_list"</A ></DT ><DT >5-7. <A HREF="#AEN535" >Profile Option "allow_types"</A ></DT ><DT >5-8. 
<A HREF="#AEN544" >Profile Option "dest_mac"</A ></DT ><DT >5-9. <A HREF="#AEN553" >Profile Option "identity"</A ></DT ><DT >5-10. <A HREF="#AEN562" >Profile Option "type"</A ></DT ><DT >5-11. <A HREF="#AEN571" >Profile Option "wireless_control"</A ></DT ><DT >5-12. <A HREF="#AEN590" >Common EAP Option "chunk_size"</A ></DT ><DT >5-13. <A HREF="#AEN601" >Common EAP Option cncheck</A ></DT ><DT >5-14. <A HREF="#AEN612" >Common EAP Option "cnexact"</A ></DT ><DT >5-15. <A HREF="#AEN622" >Common EAP Option "crl_dir"</A ></DT ><DT >5-16. <A HREF="#AEN632" >Common EAP Option "password"</A ></DT ><DT >5-17. <A HREF="#AEN643" >Common EAP Option "random_file"</A ></DT ><DT >5-18. <A HREF="#AEN655" >Common EAP Option "root_cert"</A ></DT ><DT >5-19. <A HREF="#AEN665" >Common EAP Option "root_dir"</A ></DT ><DT >5-20. <A HREF="#AEN675" >Common EAP Option "session_resume"</A ></DT ><DT >5-21. <A HREF="#AEN685" >Common EAP Option "username"</A ></DT ><DT >5-22. <A HREF="#AEN696" >Common EAP Option "user_cert"</A ></DT ><DT >5-23. <A HREF="#AEN707" >Common EAP Option "user_key"</A ></DT ><DT >5-24. <A HREF="#AEN717" >Common EAP Option "user_key_pass"</A ></DT ><DT >5-25. <A HREF="#AEN727" >Common EAP Option "proper_peap_v1_keying"</A ></DT ><DT >5-26. <A HREF="#AEN737" >Common EAP Option "inner_id"</A ></DT ><DT >5-27. <A HREF="#AEN748" >Example EAP-AKA Configuration</A ></DT ><DT >5-28. <A HREF="#AEN754" >Example EAP-GTC Configuration</A ></DT ><DT >5-29. <A HREF="#AEN763" >Example EAP-MD5 Configuration</A ></DT ><DT >5-30. <A HREF="#AEN775" >Example EAP-MSCHAPv2 Configuration</A ></DT ><DT >5-31. <A HREF="#AEN782" >Example EAP-OTP Configuration</A ></DT ><DT >5-32. <A HREF="#AEN792" >Example EAP-SIM Configuration</A ></DT ><DT >5-33. <A HREF="#AEN806" >EAP-SIM Option "auto_realm"</A ></DT ><DT >5-34. <A HREF="#AEN829" >Example PEAP Configuration</A ></DT ><DT >5-35. <A HREF="#AEN845" >Example EAP-TLS Configuration</A ></DT ><DT >5-36. 
<A HREF="#AEN869" >Example EAP-TTLS Configuration</A ></DT ><DT >5-37. <A HREF="#AEN887" >EAP-TTLS Option "phase2_type"</A ></DT ><DT >5-38. <A HREF="#AEN901" >EAP-TTLS Option "chap"</A ></DT ><DT >5-39. <A HREF="#AEN915" >EAP-TTLS Option "mschap"</A ></DT ><DT >5-40. <A HREF="#AEN930" >EAP-TTLS Option "mschapv2"</A ></DT ><DT >5-41. <A HREF="#AEN944" >EAP-TTLS Option "pap"</A ></DT ><DT >5-42. <A HREF="#AEN953" >Example LEAP Configuration</A ></DT ><DT >7-1. <A HREF="#AEN984" >Getting a GDB Backtrace</A ></DT ></DL ></DIV ><DIV CLASS="chapter" ><HR><H1 ><A NAME="ch1" ></A >Chapter 1. About Open1x And This Guide</H1 ><DIV CLASS="section" ><H2 CLASS="section" ><A NAME="AEN19" >1.1. General Overview</A ></H2 ><P > This work funded by a grant from National Institute of Standards and Technology Critical Infrastructure Grants Program. </P ><P > This software allows a GNU/Linux or BSD workstation to authenticate with a RADIUS server using 802.1X and various EAP protocols. The intended use is for computers with wireless LAN connections to complete a strong authentication before joining the network. </P ><P > Note: BSD support is not yet complete. </P ><P > This provides a good complement to WEP, which provides confidentiality. Even though it is well documented that WEP has technical flaws, it is still better than simply sending data in the clear. Therefore, we recommend using this software (802.1x) for authentication *and* WEP, WPA, or WPA2/802.11i for confidentiality. And, as always, be prepared to update your network(s) as better security solutions become available. </P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN25" >1.2. Do I Need Open1x?</A ></H2 ><P > The short answer is that if you need to authenticate to an 802.1X-enabled network using Linux, then Open1x is probably for you. The Open1x project provides 802.1X functionality for the Linux operating system. 
802.1X is an IEEE standard (ratified in 2001) that provides port-based authentication at layer 2 of the OSI model. 802.1X blocks network access through a port until appropriate credentials have been supplied. The Open1x project provides the necessary software to connect to an 802.1X-enabled network. </P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN28" >1.3. Supplicant versus Authenticator</A ></H2 ><P > The Open1x project contains source code for both the "Supplicant" and "Authenticator" pieces of the 802.1X standard. This document will focus only on the Open1x Supplicant (xsupplicant), as the Authenticator isn't being actively worked on at this point in time. </P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN31" >1.4. Purpose Of This Guide</A ></H2 ><P > This guide is aimed at both the general user and the system administrator, with the intent of explaining how to install and configure xsupplicant. </P ></DIV ></DIV ><DIV CLASS="chapter" ><HR><H1 ><A NAME="ch2" ></A >Chapter 2. Supported Platforms</H1 ><DIV CLASS="section" ><H2 CLASS="section" ><A NAME="AEN36" >2.1. About Xsupplicant</A ></H2 ><P > Xsupplicant is designed to work with Linux. Early versions of xsupplicant also supported *BSD and Mac OS X, but this support was pulled out when xsupplicant was rewritten. </P ><P > Mac OS X support was pulled because Apple is now providing a built-in supplicant as of Mac OS X 10.3 (Panther). *BSD support was initially removed largely due to a lack of active *BSD development. Some *BSD code does remain, however, and we encourage any *BSD developers out there to test xsupplicant and submit patches or file bug reports to improve *BSD support. There has been talk of adding Mac OS X support back into xsupplicant, because Apple's client only works with their own AirPort cards. 
Xsupplicant could potentially fill the gap left by Apple for those users who wish to use third-party cards, or wireless standards not supported by Apple, such as 802.11a, but such support would require third-party APIs to properly handle encryption. </P ><P > The Open1x team would like to restore support for *BSD platforms, but doing so will require some additional hacking on the codebase. This project is maintained in our spare time, and we already feel stretched, so we hope you understand our current dilemma in providing *BSD support. If you are interested in helping us with *BSD support, please let us know. </P ><P > Xsupplicant releases are primarily tested and developed on Slackware Linux. </P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN42" >2.2. EAP Support</A ></H2 ><P > Xsupplicant 1.2 supports the following EAP types: <P ></P ><UL ><LI ><P ><A HREF="#eap-aka" > EAP-AKA </A ></P ></LI ><LI ><P ><A HREF="#eap-gtc" > EAP-GTC </A ></P ></LI ><LI ><P ><A HREF="#eap-md5" > EAP-MD5 </A ></P ></LI ><LI ><P ><A HREF="#eap-mschapv2" > EAP-MSCHAPv2 </A ></P ></LI ><LI ><P ><A HREF="#eap-otp" > EAP-OTP </A ></P ></LI ><LI ><P ><A HREF="#eap-sim" > EAP-SIM </A ></P ></LI ><LI ><P ><A HREF="#leap" > LEAP </A ></P ></LI ><LI ><P ><A HREF="#peap" > PEAP (MSCHAPv2) </A ></P ></LI ><LI ><P ><A HREF="#eap-tls" > EAP-TLS </A ></P ></LI ><LI ><P ><A HREF="#eap-ttls" > EAP-TTLS (CHAP, MSCHAP, MSCHAPv2, PAP) </A ></P ></LI ></UL > Not all of these are equally strong: EAP-MD5 and LEAP expose a password-derived challenge/response to offline dictionary attack, and EAP-MD5 cannot derive per-session keys, so for wireless use the TLS-based types (EAP-TLS, EAP-TTLS, PEAP) are preferred. Future versions of Xsupplicant may include support for: <P ></P ><UL ><LI ><P >EAP-FAST</P ></LI ><LI ><P >PEAP-GTC</P ></LI ></UL > </P ><P > See Chapter 5: EAP Options for details on configuring a specific EAP type with Xsupplicant. </P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN82" >2.3. Authentication Server Compatibility Matrix</A ></H2 ><P > The following is a compatibility matrix that lists tested EAP/Authentication Server combinations. 
Servers listed with a "+" mean that a particular EAP type is supported by that server, but the combination has not been tested with xsupplicant. A Server/EAP combination listed with a "*" indicates that xsupplicant has been tested and works with that combination. A Server/EAP combination listed with a "!" indicates a known incompatibility with Xsupplicant. A "-" means the combination has not been tested with xsupplicant and we make no claim about server support. </P ><P > Lack of a "*" in an entry does not indicate that a particular combination will not work, only that it has not been tested. This list is not meant to be a complete list of tested combinations, as we do not have the resources to keep the list up to date. </P ><P > <DIV CLASS="table" ><A NAME="AEN87" ></A ><P ><B >Table 2-1. Supported Authentication Servers</B ></P ><TABLE BORDER="1" FRAME="vsides" RULES="cols" CLASS="CALSTABLE" ><COL><COL><COL><COL><COL><COL><COL><COL><COL><THEAD ><TR ><TH > </TH ><TH >Cisco ACS</TH ><TH >FreeRADIUS</TH ><TH >Funk SBR</TH ><TH >Infoblox</TH ><TH >Meetinghouse AEGIS</TH ><TH >Microsoft IAS</TH ><TH >Radiator</TH ><TH >Roving Planet CSD</TH ></TR ></THEAD ><TBODY ><TR ><TD ALIGN="left" >EAP-AKA</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >*</TD ><TD >-</TD ></TR ><TR ><TD ALIGN="left" >EAP-FAST</TD ><TD >+</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ></TR ><TR ><TD ALIGN="left" >EAP-GTC</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >*</TD ><TD >-</TD ></TR ><TR ><TD ALIGN="left" >EAP-MD5</TD ><TD >*</TD ><TD >*</TD ><TD >*</TD ><TD >*</TD ><TD >*</TD ><TD >-</TD ><TD >*</TD ><TD >*</TD ></TR ><TR ><TD ALIGN="left" >EAP-OTP</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >*</TD ><TD >-</TD ></TR ><TR ><TD ALIGN="left" >EAP-SIM</TD ><TD >-</TD ><TD >*</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >*</TD ><TD >-</TD ></TR ><TR ><TD ALIGN="left" >EAP-TLS</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >*</TD ><TD >+</TD ></TR ><TR ><TD ALIGN="left" >LEAP</TD ><TD >+</TD ><TD >+</TD ><TD 
>+</TD ><TD >-</TD ><TD >+</TD ><TD >-</TD ><TD >*</TD ><TD >+</TD ></TR ><TR ><TD ALIGN="left" >PEAP-GTC</TD ><TD >+</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >+</TD ><TD >-</TD ><TD >+</TD ><TD >-</TD ></TR ><TR ><TD ALIGN="left" >PEAP-MSCHAPv2</TD ><TD >*</TD ><TD >*</TD ><TD >*</TD ><TD >!</TD ><TD >*</TD ><TD >*</TD ><TD >*</TD ><TD >+</TD ></TR ><TR ><TD ALIGN="left" >TTLS-CHAP</TD ><TD >-</TD ><TD >*</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >-</TD ><TD >*</TD ><TD >+</TD ></TR ><TR ><TD ALIGN="left" >TTLS-MSCHAP</TD ><TD >-</TD ><TD >*</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >-</TD ><TD >*</TD ><TD >+</TD ></TR ><TR ><TD ALIGN="left" >TTLS-MSCHAPv2</TD ><TD >-</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >-</TD ><TD >*</TD ><TD >+</TD ></TR ><TR ><TD ALIGN="left" >TTLS-PAP</TD ><TD >-</TD ><TD >+</TD ><TD >*</TD ><TD >!</TD ><TD >*</TD ><TD >-</TD ><TD >*</TD ><TD >+</TD ></TR ></TBODY ></TABLE ></DIV > </P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN242" >2.4. Supplicants</A ></H2 ><P > The goal of this section is to help inform the reader of general 802.1X compatibility. The following list is probably not complete, but should provide a fairly comprehensive supplicant/operating system list. <DIV CLASS="table" ><A NAME="AEN245" ></A ><P ><B >Table 2-2. 
Supplicant Support Matrix</B ></P ><TABLE BORDER="1" FRAME="vsides" RULES="cols" CLASS="CALSTABLE" ><COL><COL><COL><COL><COL><COL><COL><COL><COL><COL><THEAD ><TR ><TH > </TH ><TH >*BSD</TH ><TH >Linux</TH ><TH >Mac OS X 10.2.x</TH ><TH >Mac OS X 10.3.x</TH ><TH >Pocket PC 2002</TH ><TH >Pocket PC 2003</TH ><TH >Windows 98</TH ><TH >Windows Me</TH ><TH >Windows 2k</TH ><TH >Windows XP</TH ></TR ></THEAD ><TBODY ><TR ><TD ALIGN="left" ><A HREF="http://www.securew2.com/" TARGET="_top" > Alfa+Ariss SecureW2 </A ></TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >+</TD ><TD >-</TD ><TD >-</TD ><TD >+</TD ><TD >+</TD ></TR ><TR ><TD ALIGN="left" ><A HREF="http://www.funk.com/" TARGET="_top" > Funk Odyssey </A ></TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ></TR ><TR ><TD ALIGN="left" ><A HREF="http://www.mtghouse.com/" TARGET="_top" > Meetinghouse Aegis </A ></TD ><TD >-</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ></TR ><TR ><TD ALIGN="left" >Native</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >+</TD ><TD >-</TD ><TD >+</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >+</TD ></TR ><TR ><TD ALIGN="left" ><A HREF="http://www.open1x.org" TARGET="_top" > Open1x </A ></TD ><TD >-</TD ><TD >+</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ></TR ><TR ><TD ALIGN="left" ><A HREF="http://weap.sourceforge.net/" TARGET="_top" > wEAP </A ></TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >+</TD ><TD >+</TD ></TR ><TR ><TD ALIGN="left" ><A HREF="http://wire.cs.nthu.edu.tw/wire1x" TARGET="_top" > Wire1x </A ></TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >-</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ><TD >+</TD ></TR ></TBODY ></TABLE ></DIV > </P ></DIV ></DIV ><DIV CLASS="chapter" ><HR><H1 ><A 
NAME="ch3" ></A >Chapter 3. Getting The Software</H1 ><DIV CLASS="section" ><H2 CLASS="section" ><A NAME="AEN354" >3.1. Download Stable Releases</A ></H2 ><P >Users should normally download a stable release from <A HREF="http://sourceforge.net/project/showfiles.php?group_id=60236" TARGET="_top" >http://sourceforge.net/project/showfiles.php?group_id=60236</A > </P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN358" >3.2. Pre-Packaged Releases for Some Distibutions</A ></H2 ><P >At some point we plan on releasing pre-packaged versions of xsupplicant for distributions such as Debian, RedHat, SuSe, Slackware, etc... If you would like to see your favorite distribution supported, please let us know (Or better yet, send us the package)!</P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN361" >3.3. CVS</A ></H2 ><P > We do not recommend CVS downloads for people unfamiliar with it. CVS often contains new features that have not yet made it into a stable release, but it can also be extremely unstable. We also do not have the time to explain how CVS works (there is good documentation on the web regarding CVS and its many features/options). We encourage users to submit patches against CVS, but patches may not necessarily be commited immediately. </P ><P > To download xsupplicant via CVS you can use the following command: </P ><P > <KBD CLASS="userinput" > cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/open1x co xsupplicant </KBD > </P ></DIV ></DIV ><DIV CLASS="chapter" ><HR><H1 ><A NAME="ch4" ></A >Chapter 4. Installation</H1 ><DIV CLASS="section" ><H2 CLASS="section" ><A NAME="AEN369" >4.1. 
Prerequisites</A ></H2 ><P > You will need to have the following installed on your system before installing xsupplicant: </P ><P > OpenSSL - <A HREF="http://www.openssl.org/" TARGET="_top" >http://www.openssl.org/</A > </P ><P > libpcsclite (For EAP-SIM/EAP-AKA support) - <A HREF="http://www.linuxnet.com/" TARGET="_top" >http://www.linuxnet.com/</A > </P ><P > Pthreads Support (For EAP-SIM/EAP-AKA support) </P ><P > libiw from the Linux Wireless Tools - <A HREF="http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Tools.html" TARGET="_top" >http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Tools.html</A > </P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN379" >4.2. Quick Start Guide</A ></H2 ><P > Generally speaking you should be able to type: <KBD CLASS="userinput" >./configure; make; make install</KBD > to configure and install the Open1x supplicant. </P ><P > The only exception would be if you intend to use the WPA support for MADwifi. In that case you need to add the --with-madwifi-path option when you run configure. This should point to the directory where your MADwifi source is located. </P ><P > If you run into problems, please read the rest of this chapter. </P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN385" >4.3. Running the Configure Script</A ></H2 ><P > The following configuration options are available for xsupplicant: </P ><P > <KBD CLASS="userinput" >--enable-eap-sim </KBD > - Enables EAP SIM/AKA authentication. (Requires libpcsclite) </P ><P > <KBD CLASS="userinput" >--enable-experimental </KBD > - Enable the use of experimental features/code. </P ><P > <KBD CLASS="userinput" >--enable-radiator-test </KBD > - Enable use of the AKA test vectors from Radiator. (Doesn't require a SIM card). </P ><P > <KBD CLASS="userinput" >--enable-static-openssl </KBD > - Statically link OpenSSL into the xsupplicant binary. 
</P ><P > <KBD CLASS="userinput" >--with-madwifi-path </KBD > - Provide the path to the MADwifi source, and enable support for WPA on cards that use the MADwifi driver. </P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN398" >4.4. When Things go Wrong.</A ></H2 ><P >If you experience a problem building xsupplicant, you should: <P ></P ><UL ><LI ><P >Check config.log for any interesting error messages.</P ></LI ><LI ><P >Double check the xsupplicant prerequisites.</P ></LI ><LI ><P >E-mail the xsupplicant mailing list with a detailed explanation of the problem you are experiencing, including any error messages you got and please include a copy of your configuration file and any command line options you used to run xsupplicant. The more information you provide to us, the easier it will be for us to help you fix your problem.</P ></LI ></UL > </P ></DIV ></DIV ><DIV CLASS="chapter" ><HR><H1 ><A NAME="ch5" ></A >Chapter 5. Configuration</H1 ><DIV CLASS="section" ><H2 CLASS="section" ><A NAME="AEN410" >5.1. Overview</A ></H2 ><P > </P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN413" >5.2. Commandline Options</A ></H2 ><P > <KBD CLASS="userinput" >-W</KBD > </P ><P > Allow Xsupplicant to work with wpa_supplicant. </P ><P > <KBD CLASS="userinput" >-c /path/to/config_file</KBD > </P ><P > You can specify a configuration file to be used with the "-c" option. Xsupplicant will automatically look for and use "/etc/xsupplicant.conf" if it exists. </P ><P > <KBD CLASS="userinput" >-i device</KBD > </P ><P > Provide the interface on which to listen for EAPoL packets. Please note that xsupplicant will currently look for any valid interfaces and fork to handle each valid interface it finds. You do not need to run multiple instances of xsupplicant yourself. 
</P ><P > <KBD CLASS="userinput" >-d debug_level</KBD > </P ><P > &lt;debug_level&gt; can be any of: <P ></P ><UL ><LI ><P >0 - 7 Old style debug flags.</P ></LI ><LI ><P >A - Enable ALL debug flags.</P ></LI ><LI ><P >c - Enable CONFIG debug flag.</P ></LI ><LI ><P >s - Enable STATE debug flag.</P ></LI ><LI ><P >a - Enable AUTHTYPES debug flag.</P ></LI ><LI ><P >i - Enable INT debug flag.</P ></LI ><LI ><P >n - Enable SNMP debug flag.</P ></LI ><LI ><P >e - Enable EVERYTHING debug flag.</P ></LI ><LI ><P >x - Enable EXCESSIVE debug flag.</P ></LI ></UL > </P ><P > Debug flags can be stacked, such as: <KBD CLASS="userinput" >xsupplicant -d csai</KBD >. This would provide CONFIG, STATE, AUTHTYPES, and INT debug output. </P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN448" >5.3. System Wide Config File</A ></H2 ><P > Xsupplicant will look for a file in /etc/xsupplicant.conf by default, unless the -c option is used at runtime. The xsupplicant configuration file consists of several global variables and a set of network-specific configurations. Each network profile definition contains one or more EAP sections, which contain specific configuration information for the network in question. Because this file holds passwords and private-key passphrases in clear text, it should be owned by root and readable by root only. </P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN451" >5.4. Global Configuration Options</A ></H2 ><P > The following is a complete list of the global options available in xsupplicant 1.2. These options should be defined outside of any xsupplicant network profiles contained in your configuration file. </P ><DIV CLASS="section" ><HR><H3 CLASS="section" ><A NAME="AEN454" >5.4.1. Global Options</A ></H3 ><P > The following list is a complete list of the global configuration options for the xsupplicant configuration file. 
</P ><P ></P ><DIV CLASS="variablelist" ><P ><B >Xsupplicant Config - Global Options</B ></P ><DL ><DT ><A NAME="default_netname" ></A ><CODE CLASS="varname" >default_netname</CODE ></DT ><DD ><P > If this option is not used, xsupplicant will attempt to read the profile "default" from the configuration file. Some users may actually have a network named "default", so this option can be used to redefine which profile is used as the default profile. <DIV CLASS="example" ><A NAME="AEN464" ></A ><P ><B >Example 5-1. Global Option "default_netname"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > default_netname = default </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="logfile" ></A ><CODE CLASS="varname" >logfile</CODE ></DT ><DD ><P > When running as a daemon (non-foreground mode) the program's output is not shown on a terminal, so define a log file here to capture it. Each time XSupplicant is started this file is replaced, so there is no need to rotate it. Treat the log as sensitive and keep it readable only by root, since at higher debug levels it records details of the authentication exchange. If the logfile name is set to "syslog", then all messages will be sent to the syslog; in that case you should also define "log_facility" to specify which logging facility will be used. <DIV CLASS="example" ><A NAME="AEN473" ></A ><P ><B >Example 5-2. Global Option "logfile"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > logfile = /var/log/xsupplicant.log </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="log_facility" ></A ><CODE CLASS="varname" >log_facility</CODE ></DT ><DD ><P > If you have set the logfile option to "syslog", then you should define log_facility in order to tell Xsupplicant where to send log messages. Valid settings are cron, daemon, ftp, kern, local0, local1, local2, local3, local4, local5, local6, local7, lpr, news, user, and uucp. 
<DIV CLASS="example" ><A NAME="AEN482" ></A ><P ><B >Example 5-3. Global Option "log_facility"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > log_facility = local0 </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="allmulti" ></A ><CODE CLASS="varname" >allmulti</CODE ></DT ><DD ><P > For most people, the default setting for "allmulti" will work just fine. In some cases, wireless cards have been known to not work when ALLMULTI is enabled. (Such as certain Orinoco cards, with older drivers.) If "allmulti" is set to "no", XSupplicant will not attempt to change the state of the setting in the driver. So, you should make sure to do an "ifconfig ethX -allmulti". <DIV CLASS="example" ><A NAME="AEN491" ></A ><P ><B >Example 5-4. Global Option "allmulti"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > allmulti = no </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="destination" ></A ><CODE CLASS="varname" >destination</CODE ></DT ><DD ><P > destination: defines how Xsupplicant should determine the destination address that should be used for the 802.1X conversation. Valid Options are : Auto - respond to source address from the last packet we saw. Source - same as Auto BSSID - Always answer to the BSSID of the AP we are associated to. Multicast - always use the multicast address defined in 802.1X-2001. <DIV CLASS="example" ><A NAME="AEN500" ></A ><P ><B >Example 5-5. 
Global Option "destination"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > destination = auto </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="network_list" ></A ><CODE CLASS="varname" >network_list</CODE ></DT ><DD ><P > This directive defines all of the network profiles which should be kept in memory and used.Comma delimited list or "all" for keeping all defined configurations in memory. For efficiency, keep only the networks you might roam to in memory. To avoid errors, make sure your default network is always in the network_list. In general, you will want to leave this set to "all". <DIV CLASS="example" ><A NAME="AEN509" ></A ><P ><B >Example 5-6. Global Option "network_list"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > network_list = all </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ></DL ></DIV ><DIV CLASS="section" ><HR><H4 CLASS="section" ><A NAME="AEN513" >5.4.1.1. State Machine Variables</A ></H4 ><P > <P ></P ><UL ><LI ><P >auth_period</P ></LI ><LI ><P >max_starts</P ></LI ><LI ><P >held_period</P ></LI ></UL > </P ><P > The auth_period, held_period, and max_starts modify the timers in the state machine. (Please reference the 802.1X spec for info on how they are used.) For most people, there is no reason to define these values, as the defaults should work. </P ></DIV ></DIV ><DIV CLASS="section" ><HR><H3 CLASS="section" ><A NAME="AEN524" >5.4.2. Network Profile Configuration Options</A ></H3 ><P > A network profile consists of a declaration, such as "default". A complete profile definition is defined by a beginning and ending brace, "{" and "}" respectively. The profile defines network specific attributes for 802.1X operation, such as allowed EAP-types, the username for a given EAP-type, and any EAP-type specific options. 
</P ><P > Each network profile section may include one or more valid EAP-types. When the Authentication Server requests a given EAP type, xsupplicant will use that EAP type if a valid configuration for it exists in the profile. Otherwise, xsupplicant will NAK the Authentication Server and request the first EAP type listed in the "allow_types" configuration option. If xsupplicant and the Authentication Server cannot agree on an EAP type, the authentication will not take place, so be sure to define an appropriate EAP-type for your network! </P ><P ></P ><DIV CLASS="variablelist" ><P ><B >Xsupplicant Config - Network Profile Options</B ></P ><DL ><DT ><A NAME="allow_types" ></A ><CODE CLASS="varname" >allow_types</CODE ></DT ><DD ><P > This option describes which EAP types this network will allow. The first type listed will be requested if the server tries to use something not in this list. Individual EAP types can be specified, or the keyword "all" can be used to allow every EAP type. Because the authentication server (or whatever is impersonating it) chooses the type, "all" lets it steer the client to any type you have configured, including weaker ones such as EAP-MD5; listing only the types you intend to use is safer. Additionally, it is legal to use either an underscore (_) or dash (-) as the separator between "eap" and the type. For instance, "eap-tls" and "eap_tls" are both valid. The example shows two alternative settings. <DIV CLASS="example" ><A NAME="AEN535" ></A ><P ><B >Example 5-7. Profile Option "allow_types"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > allow_types = eap-tls, eap-md5, eap-gtc, eap-otp
 allow_types = all </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="dest_mac" ></A ><CODE CLASS="varname" >dest_mac</CODE ></DT ><DD ><P > This option forces xsupplicant to send its packets to this destination MAC address. In most cases, this isn't needed, and shouldn't be defined. <DIV CLASS="example" ><A NAME="AEN544" ></A ><P ><B >Example 5-8. 
Profile Option "dest_mac"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > dest_mac = 00:aA:bB:cC:dD:eE </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="identity" ></A ><CODE CLASS="varname" >identity</CODE ></DT ><DD ><P > This defines the EAP Response Identity, also known as the "outer identity" , or, what xsupplicant will respond with when presented with an EAP Identity Request. This is typically the username for this network. If the identity contains any characters other than A through Z and 0 through 9, then it should be defined in quotes. <DIV CLASS="example" ><A NAME="AEN553" ></A ><P ><B >Example 5-9. Profile Option "identity"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > identity = myid@mynet.net </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="type" ></A ><CODE CLASS="varname" >type</CODE ></DT ><DD ><P > Xsupplicant will attempt to determine if a given interface is wired or wireless, but some drivers misbehave. This option forces xsupplicant to recognize interfaces in a certain way. Use this option if your interface is detected incorrectly by xsupplicant. Valid options are "wired" and "wireless". <DIV CLASS="example" ><A NAME="AEN562" ></A ><P ><B >Example 5-10. Profile Option "type"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > type = wireless </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="wireless_control" ></A ><CODE CLASS="varname" >wireless_control</CODE ></DT ><DD ><P > If the profile is forced to wired, this will not do anything. However, if the interface is forced, or detected to be wireless XSupplicant will take control of re/setting WEP keys when the machine first starts, and when it jumps to a different AP. 
In general, you won't need to define or set this value. Valid options are "yes" and "no". <DIV CLASS="example" ><A NAME="AEN571" ></A ><P ><B >Example 5-11. Profile Option "wireless_control"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > wireless_control = yes </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ></DL ></DIV ></DIV ><DIV CLASS="section" ><HR><H3 CLASS="section" ><A NAME="AEN575" >5.4.3. EAP Options</A ></H3 ><P > Each network profile in the xsupplicant configuration file may have one or more EAP sections defined. Each EAP section must be associated with a network profile. Each EAP section may also have one or more subsections associated with it. </P ><P > For instance, a configuration for EAP-TTLS may have any of CHAP, MSCHAP, MSCHAPv2, or PAP subsections defined. Some EAP types do not contain any subsections. </P ><DIV CLASS="section" ><HR><H4 CLASS="section" ><A NAME="AEN579" >5.4.3.1. Reused EAP Options</A ></H4 ><P > The following options are re-used in many of the EAP types listed below. <P ></P ><DIV CLASS="variablelist" ><P ><B >Common EAP Options</B ></P ><DL ><DT ><A NAME="chunk_size" ></A ><CODE CLASS="varname" >chunk_size</CODE ></DT ><DD ><P > The chunk_size directive specifies the maximum size of a certificate chunk. Use this option in EAP types that use either one or both of client or server certificates (TLS, PEAP, TTLS). </P ><P > <DIV CLASS="example" ><A NAME="AEN590" ></A ><P ><B >Example 5-12. 
Common EAP Option "chunk_size"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > chunk_size = 1398 </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="cncheck" ></A ><CODE CLASS="varname" >cncheck</CODE ></DT ><DD ><P > The cncheck directive provides the ability to verify the CN field of an authentication server certificate for EAP types that use server-side certificates (TTLS, PEAP). </P ><P > Use this directive in conjunction with cnexact to control how granular the server certificate check should be. </P ><P > <DIV CLASS="example" ><A NAME="AEN601" ></A ><P ><B >Example 5-13. Common EAP Option "cncheck"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > cncheck = someradius.mynet.net </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="cnexact" ></A ><CODE CLASS="varname" >cnexact</CODE ></DT ><DD ><P > The cnexact directive forces a failure on authentication if the CN field of the server's certificate does not exactly match the cncheck option in the specified Network/EAP configuration. Set this to "no" to only match the end of the string, which is useful in a situation where there might be multiple authentication servers for your organization. </P ><P > For example, a "cncheck = utah.edu" with a "cnexact = no" would match on "foo.utah.edu" and "bar.utah.edu", which might be separate servers on a campus utilizing 802.1X. </P ><P > <DIV CLASS="example" ><A NAME="AEN612" ></A ><P ><B >Example 5-14. 
Common EAP Option "cnexact"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > cnexact = yes </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="crl_dir" ></A ><CODE CLASS="varname" >crl_dir</CODE ></DT ><DD ><P > The crl_dir option is used to specify a directory containing certificate revocation lists. This option can be used in EAP types that use either one or both of client or server certificates (TLS, PEAP, TTLS). </P ><P > <DIV CLASS="example" ><A NAME="AEN622" ></A ><P ><B >Example 5-15. Common EAP Option "crl_dir"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > crl_dir = /home/user/certificates/revoked </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="password" ></A ><CODE CLASS="varname" >password</CODE ></DT ><DD ><P > The password directive is used in EAP types that require a password for authentication. </P ><P > <DIV CLASS="example" ><A NAME="AEN632" ></A ><P ><B >Example 5-16. Common EAP Option "password"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > password = password </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="random_file" ></A ><CODE CLASS="varname" >random_file</CODE ></DT ><DD ><P > This option is used to specify the random file used to grab random data during certificate based authentication methods. Use this option in EAP types that use either one or both of client or server certificates (TLS, PEAP, TTLS). </P ><P > This option is typically /dev/urandom, but may be different depending on the operating system you are using. You should probably not use /dev/random, since it blocks and can slow authentication down. In most cases, leaving this blank is the best choice. 
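To make the cncheck/cnexact rule above concrete, here is an added example (not xsupplicant's own code) that parses a configuration fragment laid out like this guide's examples and applies the documented matching rule to a presented server CN, next to a stricter label-boundary variant that shows why a bare suffix with cnexact = no matches more than the intended campus servers. The parser grammar, the sample configuration, and the check_presented_cn and audit_eap_section helpers are assumptions for illustration; the audit also flags the root_cert = NONE setting discussed below.

```python
"""Model of the cncheck / cnexact server-certificate check described above.

Added example, not xsupplicant's own code.  parse_config() follows the
brace-delimited "key = value" layout of this guide's configuration examples
(an assumption drawn from those examples, not a published grammar), and
cn_matches() applies the rule documented here: with cnexact = yes the CN must
equal cncheck; with cnexact = no only the end of the CN string is compared.
"""


def parse_config(text):
    """Parse 'key = value' lines and 'name { ... }' blocks into nested dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            cur = stack.pop()                   # close the innermost block
        elif line.endswith("{"):
            stack.append(cur)                   # open a nested block (eap-ttls, pap, ...)
            cur = cur.setdefault(line[:-1].strip(), {})
        else:
            key, _, value = line.partition("=")
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]             # drop the quotes the guide requires for non-alphanumerics
            cur[key.strip()] = value
    return root


def cn_matches(cert_cn, cncheck, cnexact="yes"):
    """Documented rule: exact match, or with cnexact = no a match on the end of the string."""
    if cnexact.lower() == "yes":
        return cert_cn == cncheck
    return cert_cn.endswith(cncheck)


def cn_matches_label_boundary(cert_cn, cncheck, cnexact="yes"):
    """Stricter suffix rule (added here, not documented xsupplicant behaviour):
    the suffix must start at a DNS label boundary, so with cncheck = utah.edu
    a CN of evilutah.edu is rejected while foo.utah.edu is still accepted."""
    if cnexact.lower() == "yes":
        return cert_cn == cncheck
    return cert_cn == cncheck or cert_cn.endswith("." + cncheck)


def audit_eap_section(eap):
    """List settings in one EAP block that weaken server-certificate checking."""
    warnings = []
    if eap.get("root_cert", "").upper() == "NONE":
        warnings.append("root_cert = NONE: the server certificate chain is not verified at all")
    if "cncheck" not in eap:
        warnings.append("no cncheck: any certificate chaining to the trusted root is accepted")
    elif eap.get("cnexact", "yes").lower() == "no":
        warnings.append("cnexact = no: only the end of the CN is compared, so a CN that merely "
                        "ends in '%s' (e.g. evil%s) also matches" % (eap["cncheck"], eap["cncheck"]))
    return warnings


# Constructed sample in the layout of Example 5-36, using the campus-style
# suffix match from the cnexact description (cncheck = utah.edu, cnexact = no).
SAMPLE_CONFIG = """
logfile = /var/log/xsupplicant.log

default {
    allow_types = eap-ttls
    identity = "myid@mynet.net"

    eap-ttls {
        root_cert = /home/user/certificates/root.pem
        cncheck = utah.edu
        cnexact = no
        phase2_type = pap

        pap {
            username = "myid@mynet.net"
            password = password
        }
    }
}
"""


def check_presented_cn(config_text, cert_cn, label_boundary=False):
    """Parse a config and decide whether a presented server CN satisfies its cncheck rule."""
    eap = parse_config(config_text)["default"]["eap-ttls"]
    match = cn_matches_label_boundary if label_boundary else cn_matches
    return match(cert_cn, eap["cncheck"], eap.get("cnexact", "yes"))


if __name__ == "__main__":
    for cn in ("foo.utah.edu", "bar.utah.edu", "evilutah.edu"):
        print("%-14s documented rule: %-5s  label-boundary rule: %s" % (
            cn, check_presented_cn(SAMPLE_CONFIG, cn),
            check_presented_cn(SAMPLE_CONFIG, cn, label_boundary=True)))
    for warning in audit_eap_section(parse_config(SAMPLE_CONFIG)["default"]["eap-ttls"]):
        print("warning:", warning)
```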
</P ><P > <DIV CLASS="example" ><A NAME="AEN643" ></A ><P ><B >Example 5-17. Common EAP Option "random_file"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > random_file = /dev/urandom </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="root_cert" ></A ><CODE CLASS="varname" >root_cert</CODE ></DT ><DD ><P > The root_cert option is used to specify the path to the CA public certificate which signed one or both of your server and client certificates. The root_cert option is used in EAP types that use either one or both of client or server certificates (TLS, PEAP, TTLS). </P ><P > This certificate is used to verify, on the client side, that the server's certificate was signed by the appropriate certificate authority, and on the server side, to verify that the user certificate was signed by the proper certificate authority. This certificate should be the same for both client and server, since it is simply the public key for the certificate authority that signed the client and server certificates. </P ><P > You can specify a value of "NONE" to prevent xsupplicant from verifying the server certificate, but this is *HIGHLY* frowned upon. If you use this option, you are opening yourself up to a very easy-to-execute man-in-the-middle attack that could compromise your username and password. Consider yourself warned! </P ><P > <DIV CLASS="example" ><A NAME="AEN655" ></A ><P ><B >Example 5-18. Common EAP Option "root_cert"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > root_cert = /home/user/certificates/root_cert.pem </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="root_dir" ></A ><CODE CLASS="varname" >root_dir</CODE ></DT ><DD ><P > The root_dir option is used to specify a path to a directory containing root certificates. 
This can be used to force Xsupplicant to allow any combination of root certificates in a given directory to help simplify configuration. This option can be used instead of the root_cert directive in EAP types that use either one or both of client or server certificates (TLS, PEAP, TTLS). </P ><P > <DIV CLASS="example" ><A NAME="AEN665" ></A ><P ><B >Example 5-19. Common EAP Option "root_dir"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > root_dir = /home/user/certificates </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="session_resume" ></A ><CODE CLASS="varname" >session_resume</CODE ></DT ><DD ><P > The session_resume directive is used to specify whether or not to attempt to initiate "TLS Session Resumption" (Also called "Fast Reconnect") when re-authenticating with a server. </P ><P > <DIV CLASS="example" ><A NAME="AEN675" ></A ><P ><B >Example 5-20. Common EAP Option "session_resume"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > session_resume = yes </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="username" ></A ><CODE CLASS="varname" >username</CODE ></DT ><DD ><P > The username option is used in EAP types that require a username for authentication. If your username contains any characters other than A through Z and 0 through 9, you should enclose it in quotes. </P ><P > <DIV CLASS="example" ><A NAME="AEN685" ></A ><P ><B >Example 5-21. 
Common EAP Option "username"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > username = "myid@mynet.net" </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="user_cert" ></A ><CODE CLASS="varname" >user_cert</CODE ></DT ><DD ><P > This option, which is required for TLS, specifies the path to the user certificate used for TLS authentication. A user certificate in TLS is similar to a username in password-based authentication mechanisms. </P ><P > User certificates can also be used with PEAP and TTLS, but are not required, and most people will not need this functionality. </P ><P > <DIV CLASS="example" ><A NAME="AEN696" ></A ><P ><B >Example 5-22. Common EAP Option "user_cert"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > user_cert = /home/user/certificates/user-cert.pem </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="user_key" ></A ><CODE CLASS="varname" >user_key</CODE ></DT ><DD ><P > This option specifies the path to the private key for the user_cert file. </P ><P > As with user_cert, this option is required for TLS and can be used with TTLS or PEAP if using a user certificate for authentication. </P ><P > <DIV CLASS="example" ><A NAME="AEN707" ></A ><P ><B >Example 5-23. Common EAP Option "user_key"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > user_key = /home/user/certificates/user-key.pem </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="user_key_pass" ></A ><CODE CLASS="varname" >user_key_pass</CODE ></DT ><DD ><P > This is the password for the user_key. If it contains any characters other than A through Z and 0 through 9, it should be enclosed in quotes. </P ><P > <DIV CLASS="example" ><A NAME="AEN717" ></A ><P ><B >Example 5-24. 
Common EAP Option "user_key_pass"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > user_key_pass = password </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="proper_peap_v1_keying" ></A ><CODE CLASS="varname" >proper_peap_v1_keying</CODE ></DT ><DD ><P > This option will force Xsupplicant to use the proper string constant for PEAPv1 key derivation. Most authentication servers use the string constant from PEAPv0, so this option is normally left at "no". </P ><P > <DIV CLASS="example" ><A NAME="AEN727" ></A ><P ><B >Example 5-25. Common EAP Option "proper_peap_v1_keying"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > proper_peap_v1_keying = no </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="inner_id" ></A ><CODE CLASS="varname" >inner_id</CODE ></DT ><DD ><P > This is the identity value that will be sent to the server inside of the PEAP phase 1 tunnel. </P ><P > <DIV CLASS="example" ><A NAME="AEN737" ></A ><P ><B >Example 5-26. Common EAP Option "inner_id"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > inner_id = "myid@mynet.net" </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ></DL ></DIV > </P ></DIV ><DIV CLASS="section" ><HR><H4 CLASS="section" ><A NAME="eap-aka" >5.4.3.2. EAP-AKA</A ></H4 ><P > EAP-AKA allows the following options: <A HREF="#username" >username</A >, <A HREF="#password" >password</A >, <A HREF="#auto_realm" >auto_realm</A >. </P ><P > <DIV CLASS="example" ><A NAME="AEN748" ></A ><P ><B >Example 5-27. Example EAP-AKA Configuration</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >logfile = /var/log/xsupplicant.log

default {
    allow_types = eap-aka
    identity = "myid@mynet.net"

    eap-aka {
        username = akauser
        password = "akauserpass!"
        auto_realm = yes
    }
}
</PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ></DIV ><DIV CLASS="section" ><HR><H4 CLASS="section" ><A NAME="eap-gtc" >5.4.3.3. EAP-GTC</A ></H4 ><P > <DIV CLASS="example" ><A NAME="AEN754" ></A ><P ><B >Example 5-28. Example EAP-GTC Configuration</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >logfile = /var/log/xsupplicant.log

default {
    allow_types = eap-gtc
    identity = "myid@mynet.net"

    eap-gtc {
    }
}
</PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DIV ><DIV CLASS="section" ><HR><H4 CLASS="section" ><A NAME="eap-md5" >5.4.3.4. EAP-MD5</A ></H4 ><P > EAP-MD5 allows the following option(s): <A HREF="#password" >password</A >. </P ><P > <DIV CLASS="example" ><A NAME="AEN763" ></A ><P ><B >Example 5-29. Example EAP-MD5 Configuration</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >logfile = /var/log/xsupplicant.log

default {
    allow_types = eap-md5
    identity = "myid@mynet.net"

    eap-md5 {
        password = password
    }
}
</PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DIV ><DIV CLASS="section" ><HR><H4 CLASS="section" ><A NAME="eap-mschapv2" >5.4.3.5. EAP-MSCHAPv2</A ></H4 ><P > Valid eap-mschapv2 options are: <A HREF="#username" >username</A > (only needed when using mschapv2 as a phase 2 type), <A HREF="#password" >password</A >. </P ><P > eap-mschapv2 can also be defined as a sub-option inside of a PEAP profile. See the <A HREF="#peap" >PEAP</A > section for an example. </P ><P > <DIV CLASS="example" ><A NAME="AEN775" ></A ><P ><B >Example 5-30. 
Example EAP-MSCHAPv2 Configuration</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >logfile = /var/log/xsupplicant.log

default {
    allow_types = eap-mschapv2
    identity = "myid@mynet.net"

    eap-mschapv2 {
        password = password
    }
}
</PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DIV ><DIV CLASS="section" ><HR><H4 CLASS="section" ><A NAME="eap-otp" >5.4.3.6. EAP-OTP</A ></H4 ><P > <DIV CLASS="example" ><A NAME="AEN782" ></A ><P ><B >Example 5-31. Example EAP-OTP Configuration</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >logfile = /var/log/xsupplicant.log

default {
    allow_types = eap-otp
    identity = "myid@mynet.net"

    eap-otp {
    }
}
</PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ></DIV ><DIV CLASS="section" ><HR><H4 CLASS="section" ><A NAME="eap-sim" >5.4.3.7. EAP-SIM</A ></H4 ><P > EAP-SIM allows the following options: <A HREF="#username" >username</A >, <A HREF="#password" >password</A >, <A HREF="#auto_realm" >auto_realm</A >. </P ><P > <DIV CLASS="example" ><A NAME="AEN792" ></A ><P ><B >Example 5-32. Example EAP-SIM Configuration</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >logfile = /var/log/xsupplicant.log

default {
    allow_types = eap-sim
    identity = "myid@mynet.net"

    eap-sim {
        username = simuser
        password = "simuserpass!"
        auto_realm = yes
    }
}
</PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><DIV CLASS="section" ><HR><H5 CLASS="section" ><A NAME="AEN795" >5.4.3.7.1. 
EAP-SIM Specific Options</A ></H5 ><P > The following list defines options specific to "eap-sim": </P ><P ></P ><DIV CLASS="variablelist" ><DL ><DT ><A NAME="auto_realm" ></A ><CODE CLASS="varname" >auto_realm</CODE ></DT ><DD ><P > The auto_realm option determines whether your realm will be automatically appended to your username on authentication, or whether the user will do this manually in the xsupplicant configuration. This option is fairly dependent on how your service is set up, so check with your provider to see if this option should be enabled. </P ><P > Valid auto_realm options are: yes, no. </P ><P > <DIV CLASS="example" ><A NAME="AEN806" ></A ><P ><B >Example 5-33. EAP-SIM Option "auto_realm"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > auto_realm = yes </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ></DD ></DL ></DIV ></DIV ></DIV ><DIV CLASS="section" ><HR><H4 CLASS="section" ><A NAME="peap" >5.4.3.8. PEAP</A ></H4 ><P > Valid options for PEAP are: <A HREF="#chunk_size" >chunk_size</A >, <A HREF="#cncheck" >cncheck</A >, <A HREF="#cnexact" >cnexact</A >, <A HREF="#crl_dir" >crl_dir</A >, <A HREF="#random_file" >random_file</A >, <A HREF="#root_cert" >root_cert</A >, <A HREF="#root_dir" >root_dir</A >, <A HREF="#session_resume" >session_resume</A >, <A HREF="#user_cert" >user_cert</A >, <A HREF="#user_key" >user_key</A >, <A HREF="#user_key_pass" >user_key_pass</A >, <A HREF="#proper_peap_v1_keying" >proper_peap_v1_keying</A >, <A HREF="#inner_id" >inner_id</A >. </P ><P > PEAP currently requires <A HREF="#eap-mschapv2" >eap-mschapv2</A > as a sub-option. Future versions of xsupplicant may include support for other embedded EAP-types such as eap-gtc. In addition, the "<A HREF="#inner_id" >inner_id</A >" directive is required for inner-eap types used with PEAP. </P ><P > <DIV CLASS="example" ><A NAME="AEN829" ></A ><P ><B >Example 5-34. 
Example PEAP Configuration</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >logfile = /var/log/xsupplicant.log

default {
    allow_types = all
    identity = "myid@mynet.net"

    eap-peap {
        inner_id = "myid@mynet.net"
        root_cert = /home/user/certificates/root.pem
        chunk_size = 1398
        random_file = /dev/urandom
        cncheck = radiusserver.mynet.net
        cnexact = yes
        session_resume = no
        proper_peap_v1_keying = no

        eap-mschapv2 {
            password = password
        }
    }
}
</PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ></DIV ><DIV CLASS="section" ><HR><H4 CLASS="section" ><A NAME="eap-tls" >5.4.3.9. EAP-TLS</A ></H4 ><P > Valid options for EAP-TLS are: <A HREF="#chunk_size" >chunk_size</A >, <A HREF="#crl_dir" >crl_dir</A >, <A HREF="#random_file" >random_file</A >, <A HREF="#root_cert" >root_cert</A >, <A HREF="#root_dir" >root_dir</A >, <A HREF="#session_resume" >session_resume</A >, <A HREF="#user_cert" >user_cert</A >, <A HREF="#user_key" >user_key</A >, <A HREF="#user_key_pass" >user_key_pass</A >. </P ><P > <DIV CLASS="example" ><A NAME="AEN845" ></A ><P ><B >Example 5-35. Example EAP-TLS Configuration</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >logfile = /var/log/xsupplicant.log

default {
    allow_types = all
    identity = "myid@mynet.net"

    eap_tls {
        user_cert = /home/user/certificates/user-cert.pem
        user_key = /home/user/certificates/user-key.pem
        user_key_pass = password
        root_cert = /home/user/certificates/root.pem
        crl_dir = /home/user/certificates/revoked
        chunk_size = 1398
        random_file = /dev/urandom
        session_resume = no
    }
}
</PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ></DIV ><DIV CLASS="section" ><HR><H4 CLASS="section" ><A NAME="eap-ttls" >5.4.3.10. EAP-TTLS</A ></H4 ><P > Valid options for EAP-TTLS are: <A HREF="#chunk_size" >chunk_size</A >, <A HREF="#cncheck" >cncheck</A >, <A HREF="#cnexact" >cnexact</A >, 
<A HREF="#crl_dir" >crl_dir</A >, <A HREF="#random_file" >random_file</A >, <A HREF="#root_cert" >root_cert</A >, <A HREF="#root_dir" >root_dir</A >, <A HREF="#session_resume" >session_resume</A >, <A HREF="#user_cert" >user_cert</A >, <A HREF="#user_key" >user_key</A >, <A HREF="#user_key_pass" >user_key_pass</A >, <A HREF="#phase2_type" >phase2_type</A >. </P ><P > EAP-TTLS may also have one or more sub-options: <A HREF="#chap" >chap</A >, <A HREF="#mschap" >mschap</A >, <A HREF="#mschapv2" >mschapv2</A >, <A HREF="#pap" >pap</A >. </P ><P > <DIV CLASS="example" ><A NAME="AEN869" ></A ><P ><B >Example 5-36. Example EAP-TTLS Configuration</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >logfile = /var/log/xsupplicant.log

default {
    allow_types = eap-ttls
    identity = "myid@mynet.net"

    eap-ttls {
        root_cert = /home/user/certificates/root.pem
        chunk_size = 1398
        random_file = /dev/urandom
        cncheck = myradius.radius.com
        cnexact = no
        session_resume = no
        phase2_type = pap

        pap {
            username = "myid@mynet.net"
            password = password
        }
    }
}
</PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><DIV CLASS="section" ><HR><H5 CLASS="section" ><A NAME="AEN872" >5.4.3.10.1. EAP-TTLS Specific Option(s)</A ></H5 ><P > The following list defines options specific to "eap-ttls": </P ><P ></P ><DIV CLASS="variablelist" ><DL ><DT ><A NAME="phase2_type" ></A ><CODE CLASS="varname" >phase2_type</CODE ></DT ><DD ><P > The phase2_type directive specifies which phase 2 type to use when authenticating with TTLS. </P ><P > Valid phase 2 types are: <A HREF="#chap" >chap</A >, <A HREF="#mschap" >mschap</A >, <A HREF="#mschapv2" >mschapv2</A >, <A HREF="#pap" >pap</A >. </P ><P > <DIV CLASS="example" ><A NAME="AEN887" ></A ><P ><B >Example 5-37. 
EAP-TTLS Option "phase2_type"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" > phase2_type = pap </PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="chap" ></A ><CODE CLASS="varname" >chap</CODE ></DT ><DD ><P > Use this option in TTLS to specify a username and password for a CHAP authentication. </P ><P > Most people will probably want to use PAP with TTLS, however. </P ><P > Valid chap options are: <A HREF="#username" >username</A >, <A HREF="#password" >password</A >. </P ><P > <DIV CLASS="example" ><A NAME="AEN901" ></A ><P ><B >Example 5-38. EAP-TTLS Option "chap"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >chap {
    username = "myid@mynet.net"
    password = password
}
</PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="mschap" ></A ><CODE CLASS="varname" >mschap</CODE ></DT ><DD ><P > Use this option in TTLS to specify a username and password for an MSCHAP authentication. </P ><P > Most people will probably want to use PAP with TTLS, however. </P ><P > Valid mschap options are: <A HREF="#username" >username</A >, <A HREF="#password" >password</A >. </P ><P > <DIV CLASS="example" ><A NAME="AEN915" ></A ><P ><B >Example 5-39. EAP-TTLS Option "mschap"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >mschap {
    username = "myid@mynet.net"
    password = password
}
</PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="mschapv2" ></A ><CODE CLASS="varname" >mschapv2</CODE ></DT ><DD ><P > Use this option in TTLS to specify a username and password for an MSCHAPv2 authentication. This option is different from <A HREF="#eap-mschapv2" >eap-mschapv2</A >. </P ><P > Most people will probably want to use PAP with TTLS, however. 
</P ><P > Valid mschapv2 options are: <A HREF="#username" >username</A >, <A HREF="#password" >password</A >. </P ><P > <DIV CLASS="example" ><A NAME="AEN930" ></A ><P ><B >Example 5-40. EAP-TTLS Option "mschapv2"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >mschapv2 {
    username = "myid@mynet.net"
    password = password
}
</PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ><DT ><A NAME="pap" ></A ><CODE CLASS="varname" >pap</CODE ></DT ><DD ><P > Use this option in TTLS to specify a username and password for a PAP authentication. </P ><P > Most people will probably want to use this option when authenticating with TTLS. </P ><P > Valid pap options are: <A HREF="#username" >username</A >, <A HREF="#password" >password</A >. </P ><P > <DIV CLASS="example" ><A NAME="AEN944" ></A ><P ><B >Example 5-41. EAP-TTLS Option "pap"</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >pap {
    username = "myid@mynet.net"
    password = password
}
</PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P ></P ></DD ></DL ></DIV ></DIV ></DIV ><DIV CLASS="section" ><HR><H4 CLASS="section" ><A NAME="leap" >5.4.3.11. LEAP</A ></H4 ><P > Valid options for LEAP are: <A HREF="#password" >password</A >. </P ><P > <DIV CLASS="example" ><A NAME="AEN953" ></A ><P ><B >Example 5-42. Example LEAP Configuration</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >logfile = /var/log/xsupplicant.log

default {
    allow_types = leap
    identity = "myid@mynet.net"

    leap {
        password = password
    }
}
</PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ></DIV ></DIV ><DIV CLASS="section" ><HR><H3 CLASS="section" ><A NAME="AEN956" >5.4.4. 
User Config File</A ></H3 ><P > We hope to provide the ability to specify both a global configuration file and a more specific user configuration file in a future release of xsupplicant. </P ></DIV ><DIV CLASS="section" ><HR><H3 CLASS="section" ><A NAME="AEN959" >5.4.5. Using a GUI for Configuration</A ></H3 ><P > The current version of Xsupplicant does not provide a mechanism to configure itself from a Graphical User Interface, except for providing a password. We hope to provide such tools in the future. Fortunately, the 1.0 config file format is much easier to read than older versions. </P ><P > If you have the QT development tools installed, you can compile and use the qt-gremlin or xsup_monitor programs provided with Xsupplicant for real-time password prompting in X11. We hope to extend this tool so it can also display EAP-Notifications. </P ></DIV ></DIV ></DIV ><DIV CLASS="chapter" ><HR><H1 ><A NAME="ch6" ></A >Chapter 6. Advanced Usage</H1 ><P > This chapter is intended to provide examples for making xsupplicant easier to use. </P ></DIV ><DIV CLASS="chapter" ><HR><H1 ><A NAME="ch7" ></A >Chapter 7. Troubleshooting</H1 ><DIV CLASS="section" ><H2 CLASS="section" ><A NAME="AEN968" >7.1. A Guide to Troubleshooting</A ></H2 ><P > If you experience any problems with xsupplicant, please use the following guide to troubleshoot your issues: <P ></P ><UL ><LI ><P > Send us the debug output of xsupplicant, and any relevant xsupplicant options. </P ></LI ><LI ><P > Tell us what card driver you are using, including revision (which can usually be found with dmesg)! </P ></LI ><LI ><P > Send us a gdb backtrace, if possible. </P ></LI ><LI ><P > Send us a copy of your configuration file. </P ></LI ><LI ><P > Please make sure you *DO NOT* include passwords in your configuration file, or in your -d 7 output. </P ></LI ></UL > </P ><P > Run xsupplicant in debug mode by using the "-d 7" and "-f" switches and gather the output. 
If you are segfaulting, run xsupplicant in gdb, if possible, and provide a backtrace: </P ><P > <DIV CLASS="example" ><A NAME="AEN984" ></A ><P ><B >Example 7-1. Getting a GDB Backtrace</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="programlisting" >gdb xsupplicant
(gdb) set args (any args you normally use)
(gdb) run
(gdb) backtrace          (after the segfault)
</PRE ></FONT ></TD ></TR ></TABLE ></DIV > </P ><P > This will help us find the problem more easily. </P ><P > Send us a copy of your configuration (but remove the passwords please). </P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN989" >7.2. Known Problems</A ></H2 ><P > The following is a summary of the known issues with this version of xsupplicant. <P ></P ><UL ><LI ><P > The supplicant may get confused on wired ports that are set up to allow more than one client per port. </P ></LI ><LI ><P > Cisco 340/350 cards do not work correctly with Xsupplicant 1.0. This appears to be due to the driver (or firmware?) hijacking the 0x888e frames, which prevents 802.1X authentication from being possible. </P ><P > UPDATE: We have been successful getting a Cisco 350 card to work with the built-in Linux 2.6.7 Aironet driver. </P ></LI ></UL > </P ></DIV ></DIV ><DIV CLASS="appendix" ><HR><H1 ><A NAME="ap1" ></A >Appendix A. Setup for Authenticators and RADIUS Servers</H1 ><DIV CLASS="section" ><H2 CLASS="section" ><A NAME="AEN1000" >A.1. Authenticators</A ></H2 ><DIV CLASS="section" ><H3 CLASS="section" ><A NAME="AEN1002" >A.1.1. Open Source Authenticator Projects</A ></H3 ><P > <P ></P ><UL ><LI ><P > HostAP (<A HREF="http://hostap.epitest.fi/" TARGET="_top" >http://hostap.epitest.fi/</A >) </P ></LI ><LI ><P > Rose (<A HREF="http://www.rosewlan.com/" TARGET="_top" >http://www.rosewlan.com/</A >) </P ></LI ></UL > </P ></DIV ><DIV CLASS="section" ><HR><H3 CLASS="section" ><A NAME="AEN1012" >A.1.2. 
Commercial Authenticators</A ></H3 ><P > This is not a complete setup guide for all APs on the market; instead it offers some comments on how to set up the more common APs to work with Open1x, and pointers to more complete setup & config guides. </P ></DIV ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN1019" >A.2. Authentication Servers</A ></H2 ><DIV CLASS="section" ><H3 CLASS="section" ><A NAME="AEN1021" >A.2.1. Open Source Authentication Servers</A ></H3 ><P > See the Authentication Server Compatibility Matrix for a complete list of supported EAP types. </P ><P ></P ><UL ><LI ><P >FreeRADIUS</P ></LI ></UL ></DIV ><DIV CLASS="section" ><HR><H3 CLASS="section" ><A NAME="AEN1027" >A.2.2. Commercial Authentication Servers</A ></H3 ><P > See the Authentication Server Compatibility Matrix for a complete list of supported EAP types. </P ><P ></P ><UL ><LI ><P >Cisco ACS</P ></LI ><LI ><P >Funk SBR</P ></LI ><LI ><P >Infoblox</P ></LI ><LI ><P >Meetinghouse AEGIS</P ></LI ><LI ><P >Microsoft IAS</P ></LI ><LI ><P >Radiator (Source Code Included with Purchase)</P ></LI ><LI ><P >Roving Planet CSD (Based on FreeRADIUS)</P ></LI ></UL ></DIV ></DIV ></DIV ><DIV CLASS="appendix" ><HR><H1 ><A NAME="ap2" ></A >Appendix B. Links to Related Resources</H1 ><DIV CLASS="section" ><H2 CLASS="section" ><A NAME="AEN1047" >B.1. Companies that Support Open1x</A ></H2 ><P > The following entities have donated hardware/software to the Open1x project: </P ><P > Contributions are listed in the order they were received. </P ><P > The companies listed below do not endorse Open1x. 
<P ></P ><UL ><LI ><P >Proactive Network Management & Proxim <P ></P ><UL ><LI ><P > ORiNOCO AP-600 (802.11b/g) </P ></LI ><LI ><P > <A HREF="http://www.pnmc.com/" TARGET="_top" >http://www.pnmc.com/</A > </P ></LI ><LI ><P > <A HREF="http://www.proxim.com/" TARGET="_top" >http://www.proxim.com/</A > </P ></LI ></UL ></P ></LI ><LI ><P >Radiator <P ></P ><UL ><LI ><P > Many bug fixes, and added features in a very timely manner. </P ></LI ><LI ><P > <A HREF="http://www.open.com.au/" TARGET="_top" >http://www.open.com.au/</A > </P ></LI ></UL ></P ></LI ><LI ><P >Hewlett-Packard <P ></P ><UL ><LI ><P > HP Procurve 420 AP (802.11b/g) </P ></LI ><LI ><P > <A HREF="http://www.hp.com/" TARGET="_top" >http://www.hp.com/</A > </P ></LI ></UL ></P ></LI ><LI ><P >3Com <P ></P ><UL ><LI ><P > 3Com 8200 AP & 802.11a/b/g Wireless Card (3CRPAG175) </P ></LI ><LI ><P > <A HREF="http://www.3com.com/" TARGET="_top" >http://www.3com.com/</A > </P ></LI ></UL ></P ></LI ><LI ><P >University of Utah Center for High Performance Computing <P ></P ><UL ><LI ><P > Funding for the Networld + Interop HotStage 2004 </P ></LI ><LI ><P > <A HREF="http://www.chpc.utah.edu/" TARGET="_top" >http://www.chpc.utah.edu/</A > </P ></LI ></UL ></P ></LI ><LI ><P >Cisco Systems <P ></P ><UL ><LI ><P > Cisco 1200 AP (802.11b/g) </P ></LI ><LI ><P > <A HREF="http://www.cisco.com/" TARGET="_top" >http://www.cisco.com/</A > </P ></LI ></UL ></P ></LI ><LI ><P >Brad Midgley <P ></P ><UL ><LI ><P > Many different types of Mini-PCI wireless cards. </P ></LI ></UL ></P ></LI ></UL > </P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN1112" >B.2. 802.1X Related Open Source Projects</A ></H2 ><P > <A HREF="http://wire.cs.nthu.edu.tw/wire1x/" TARGET="_top" >Wire1x</A > - An Open Source xsupplicant port for Windows. </P ><P > <A HREF="http://weap.sourceforge.net/" TARGET="_top" >wEAP</A > - An Open Source project for Windows EAP Plugins. 
</P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN1118" >B.3. 802.1X related proprietary projects</A ></H2 ><P > </P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN1121" >B.4. Standards</A ></H2 ><P > <A HREF="http://grouper.ieee.org/groups/802/11/" TARGET="_top" > The 802.11 Specification </A > [ieee.org] </P ><P > <A HREF="http://www.wirelessethernet.com/" TARGET="_top" > Wireless Ethernet </A > [wirelessethernet.com] </P ><P > <A HREF="http://grouper.ieee.org/groups/802/dots.html" TARGET="_top" > IEEE Working Groups </A > [ieee.org] </P ><P > <A HREF="http://grouper.ieee.org/groups/802/11/index.html" TARGET="_top" > IEEE 802.11b Specification </A > [ieee.org] </P ><P > <A HREF="http://www.ieee802.org/1/pages/802.1x.html" TARGET="_top" > IEEE 802.1X </A > [ieee.org] </P ><P > <A HREF="http://www.open1x.org/papers/draft-congdon-radius-8021x-10.txt" TARGET="_top" > RADIUS with IEEE 802.1X </A > [local] </P ><P > <A HREF="http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/" TARGET="_top" > Wireless LAN Resources for Linux </A > [hpl.hp.com] </P ></DIV ><DIV CLASS="section" ><HR><H2 CLASS="section" ><A NAME="AEN1137" >B.5. Other Resources</A ></H2 ><DIV CLASS="section" ><H3 CLASS="section" ><A NAME="AEN1139" >B.5.1. Howtos</A ></H3 ><P > <A HREF="http://www.cs.umd.edu/~npetroni/airo.html" TARGET="_top" > Sniffing a wireless network with a Cisco WLAN card. </A > [umd.edu] </P ><P > <A HREF="http://www.cs.umd.edu/~mvanopst/8021x/howto/" TARGET="_top" > Setting up 802.1X using a WinXP client and a Win2K Radius server. </A > [umd.edu] </P ><P > <A HREF="http://www.missl.cs.umd.edu/wireless/eaptls/" TARGET="_top" > Setting up 802.1X using Xsupplicant and FreeRADIUS </A > [umd.edu] </P ><P > <A HREF="http://www.oreillynet.com/pub/wlg/4602" TARGET="_top" > Using the Orinoco (Hermes) card with Xsupplicant. </A > [oreillynet.com] </P ></DIV ><DIV CLASS="section" ><HR><H3 CLASS="section" ><A NAME="AEN1149" >B.5.2. 
Related Links</A ></H3 ><P > <A HREF="http://www.missl.cs.umd.edu/wireless/ethereal/" TARGET="_top" > Ethereal Patches for 802.1X Decoding </A > [umd.edu] </P ><P > <A HREF="http://www.microsoft.com/presspass/press/2001/Mar01/03-26XPWirelessPR.asp" TARGET="_top" > Support for 802.1X in WinXP </A > [microsoft.com] </P ><P > <A HREF="http://wireless.utah.edu/" TARGET="_top" > The University of Utah 802.1X Wireless Website </A > [utah.edu] </P ></DIV ></DIV ></DIV ></DIV ></BODY ></HTML >
