LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: September 26th, 2014
Linux Security Week: September 22nd, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Supplicant: Setting up Xsupplicant

4. Supplicant: Setting up Xsupplicant

The Supplicant is usually a laptop or other (wireless) device that requires authentication. Xsupplicant does the bidding of being the "Supplicant" part of the IEEE 802.1X-2001 standard.

4.1. Installing Xsupplicant

Installing Xsupplicant

  1. Download the latest source from from http://www.open1x.org/

    
    # cd /usr/local/src
        # wget http://belnet.dl.sourceforge.net/sourceforge/open1x/xsupplicant-1.0.tar.gz
        # tar zxfv xsupplicant-1.0.tar.gz
        # cd xsupplicant
        
  2. Configure, make, and install:

    
    # ./configure
        # make
        # make install
        
  3. If the configuration file wasn't installed (copied) into the "etc" folder, do it manually:

    
    # mkdir -p /usr/local/etc/1x
        # cp etc/tls-example.conf /usr/local/etc/1x
        

If installation fails, check the README and INSTALL files included with the source. You may also check out the official documentation.

4.2. Configuring Xsupplicant

Configuring Xsupplicant

  1. The Supplicant must have access to the root certificate.

    If the Supplicant needs to authenticate against the Authentication Server (authentication both ways), the Supplicant must have certificates as well.

    Create a certificate folder, and move the certificates into it:

    
    # mkdir -p /usr/local/etc/1x/certs
        # cp root.pem /usr/local/etc/1x/certs/
        # (copy optional client certificate(s) into the same folder)
       
  2. Open and edit the configuration file:

    
   # startup_command: the command to run when Xsupplicant is first started.
       #   This command can do things such as configure the card to associate with
       #   the network properly.
       startup_command = <BEGIN_COMMAND>/usr/local/etc/1x/startup.sh<END_COMMAND>
       

    The startup.sh will be created shortly.

  3. When the client is authenticated, it will transmit a DHCP request or manually set an IP address. Here, the Supplicant sets its IP address manually in startup2.sh:

    
   # first_auth_command: the command to run when Xsupplicant authenticates to
       #   a wireless network for the first time.  This will usually be used to
       #   start a DHCP client process.
       #first_auth_command = <BEGIN_COMMAND>dhclient %i<END_COMMAND>
       first_auth_command = <BEGIN_COMMAND>/usr/local/etc/1x/startup2.sh<END_COMMAND>
       
  4. Since "-i" is just for debugging purpose (and may go away according to the developers), "allow_interfaces" must be set:

    
   allow_interfaces = eth0
       deny_interfaces = eth1
       
  5. Next, under the "NETWORK SECTION", we'll configure PEAP:

    
   # We'll be using PEAP
       allow_types = eap_peap
    
       # Don't want any eavesdropper to learn the username during the
       # first phase (which is unencrypted), so 'identity hiding' is 
       # used (using a bogus username).
       identity = <BEGIN_ID>anonymous<END_ID>
    
       eap-peap {
          # As in tls, define either a root certificate or a directory
          # containing root certificates.
          root_cert = /usr/local/etc/1x/certs/root.pem
          #root_dir = /path/to/root/certificate/dir
          #crl_dir = /path/to/dir/with/crl
          chunk_size = 1398
          random_file = /dev/urandom
          #cncheck = myradius.radius.com   # Verify that the server certificate
                                           # has this value in its CN field.
          #cnexact = yes                   # Should it be an exact match?
          session_resume = yes
    
          # Currently 'all' is just mschapv2.
          # If no allow_types is defined, all is assumed.
          #allow_types = all # where all = MSCHAPv2, MD5, OTP, GTC, SIM
          allow_types = eap_mschapv2
    
          # Right now, you can do any of these methods in PEAP:
          eap-mschapv2 {
            username = <BEGIN_UNAME>testuser<END_UNAME>
            password = <BEGIN_PASS>Secret149<END_PASS>
          }
       }
       
  6. The Supplicant must first associate with the access point. The script startup.sh does that job. It is also the first command Xsupplicant executes.

    Note

    Notice the bogus key we give to iwconfig (enc 000000000)! This key is used to tell the driver to run in encrypted mode. The key gets replaced after successful authentication. This can be set to enc off only if encryption is disabled in the AP (for testing purposes).

    Both startup.sh and startup2.sh must be saved under /usr/local/etc/1x/.

    
   #!/bin/bash
       echo "Starting startup.sh"
       # Take down interface (if it's up)
       /sbin/ifconfig eth0 down
       # To make sure the routes are flushed
       sleep 1
       # Configuring the interface with a bogus key
       /sbin/iwconfig eth0 mode managed essid testnet enc 000000000
       # Bring the interface up and make sure it listens to multicast packets
       /sbin/ifconfig eth0 allmulti up
       echo "Finished startup.sh"
       
  7. This next file is used to set the IP address statically. This can be omitted if a DHCP server is present (as it typically is, in many access points).

    
   #!/bin/bash
       echo "Starting startup2.sh"
       # Assigning an IP address
       /sbin/ifconfig eth0 192.168.1.5 netmask 255.255.255.0
       echo "Finished startup2.sh"
       
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Honeypot Snares Two Bots Exploiting Bash Vulnerability
CloudFlare Rolls Out Free SSL
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.