The document discusses 802.1X port-based authentication and describes the components involved, including the supplicant, authenticator, authentication server, and certificate authority. It provides details on installing and configuring the authentication server software FreeRADIUS and Radiator, and installing the certificate authority on Windows Server 2003. It also outlines how a user can obtain a certificate from the local certificate authority or a public certificate authority through their browser.

1. 802.1X Port-Based
Authentication
Scott Shu
<scott.shu@gmail.com>
[ Scott.Shu ] - 1 of 75.

2. WLAN Architecture
[ Scott.Shu ] - 2 of 75.

3. WLAN 802.1X Architecture
[ Scott.Shu ] - 3 of 75.

4. WLAN 802.1X Architecture
[ Scott.Shu ] - 4 of 75.

5. EAP
• Extensible Authentication Protocol (EAP)
How authentication messages are to be exchanged between
the supplicant, authenticator and authentication server.
The EAP standard does not define the security protocols or
mechanisms for the authentication process.
EAP supports a number of authentication protocols to provide
security during the authentication process.
For example: MD5, MSCHAPv2, TTLS, etc.
The EAP protocol does not require the IP protocol to
communicate, because it uses the link layer.
RFC2284 (Point-to-Point Extensible Authentication Protocol)
[ Scott.Shu ] - 5 of 75.

6. Authentication Message Exchange
Supplicant Authenticator AS
EAP-Request/Identity
EAP-Response/Identity Radius Access-Request
EAP-Request/MD5 Challenge Radius Access-Challenge
EAP-Request/Identity Radius Access-Request
EAP Success Radius Access-Accept
Port Authorized
EAP Logoff
Port Scott.Shu ] - 6 of 75.
[ Unauthorized

7. Supplicant Authenticator AS
Association Request
Association Response
EAPOL Start
EAP-Request/Identity
EAP-Response/Identity Radius Access-Request
EAP-Request/MD5 Challenge Radius Access-Challenge
EAP-Request/Identity Radius Access-Request
EAP Success Radius Access-Accept
Port Authorized
EAP Logoff
Port Scott.Shu ] - 7 of 75.
[ Unauthorized

8. Wireless 802.1X Network
[ Scott.Shu ] - 8 of 75.

9. Wireless 802.1X Network
[ Scott.Shu ] - 9 of 75.

10. (1) Supplicant
[ Scott.Shu ] - 10 of 75.

11. Supplicant
• wpa_supplicant
• Juniper Odyssey Access Client
• Xsupplicant
[ Scott.Shu ] - 11 of 75.

12. Juniper Odyssey Access Client
• Add Adapters
• Add Networks
• Add Profiles
[ Scott.Shu ] - 12 of 75.

13. [ Scott.Shu ] - 13 of 75.

14. (2) Authenticator
[ Scott.Shu ] - 14 of 75.

15. Authenticator
• Access Point (AP)
– Radius Server (Primary, Secondary)
(1) Radius Server’s IP Address
(2) Authentication Port Number
1812 (UDP) or 1645 (UDP / Windows System)
(3) Accounting Port Number
1813 (UDP) or 1646 (UDP / Windows System)
(4) Shared Secret
– Security Policy
WPA / WPA2
Configuring and setting up 802.1X on the AP may differ between vendors.
[ Scott.Shu ] - 15 of 75.

16. (3) Authentication Server
[ Scott.Shu ] - 16 of 75.

17. Authentication Server (AS)
• FreeRadius
• Radiator
• Microsoft Windows Server 2003
Internet Authentication Service (IAS)
• Cisco ACS
[ Scott.Shu ] - 17 of 75.

18. FreeRadius
• Installing Free-RADIUS
[ ]# wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.0.2.tar.gz
[ ]# tar zxvf freeradius-server-2.0.2.tar.gz
[ ]# cd freeradius-server
[ ]# ./configure
[ ]# make
[ ]# make install
Or directly install FreeRadius by RPM.
[ Scott.Shu ] - 18 of 75.

19. FreeRadius (cont.)
• Configuring FreeRADIUS
1. The configuration files can be found under /usr/local/etc/raddb/
2. Open the main configuration file radiusd.conf
3. Change the clients.conf file to specify what network it's serving.
4. Open the eap configuration file eap.conf.
5. The user information is stored in a plain text file users.
[ Scott.Shu ] - 19 of 75.

20. Radiator
• Installing Radiator
• Configuring Radiator
[ Scott.Shu ] - 20 of 75.

21. IAS
• Installing IAS
• Configuring IAS
[ Scott.Shu ] - 21 of 75.

22. (4) Certificate Authority
[ Scott.Shu ] - 22 of 75.

23. Certificate Authority (CA)
• Who needs a Certificate?
EAP Method Supplicant Authentication
Server
EAP-TLS Certificate is required Certificate is required
EAP-TTLS Certificate is optional Certificate is required
PEAP Certificate is optional Certificate is required
EAP-FAST
LEAP
[ Scott.Shu ] - 23 of 75.

24. • Installing
– Install the IIS Service
– Install the CA Service
• Configuring
• For User (Client side)
– Obtain a certificate from the CA by MMC
– Obtain a certificate from the CA by Internet
browser (Easy Way)
– Obtain a certificate from a Public Certificate
Authority by Internet browser
[ Scott.Shu ] - 24 of 75.

25. Install the IIS Service
• Click Start > Control
Panel > Add or Remove
Programs
• Click Add/Remove
Windows Components.
[ Scott.Shu ] - 25 of 75.

26. • Click on Application
Server and press on the
Details button.
[ Scott.Shu ] - 26 of 75.

27. • Click to select IIS and
click OK.
[ Scott.Shu ] - 27 of 75.

28. • Now, total disk spaces
required: 15.1 MB
• Click on Next
[ Scott.Shu ] - 28 of 75.

29. • After the wizard
completes the installation,
click Finish.
[ Scott.Shu ] - 29 of 75.

30. Install the CA Service
• Click Start > Control
Panel > Add or Remove
Programs
• Click Add/Remove
Windows Components.
• Select Certificate
Services.
[ Scott.Shu ] - 30 of 75.

31. • You will get a warning
about domain
membership and
computer renaming
constraints, and then click
Yes.
[ Scott.Shu ] - 31 of 75.

32. • On the CA Type page,
click Stand-alone root CA,
and then click Next.
[ Scott.Shu ] - 32 of 75.

33. • On this page, in the
Common name for this
CA box, type the name of
the server, and then click
Next.
[ Scott.Shu ] - 33 of 75.

34. • If the private key already
exists, Do you want to
overwrite this key with a
new one?
• Just click Yes.
• You will not get this
prompt if this is your first
time installation.
[ Scott.Shu ] - 34 of 75.

35. • On this page, accept the
default settings, and then
just click Next.
[ Scott.Shu ] - 35 of 75.

36. • You will get a prompt to
stop IIS, click Yes.
[ Scott.Shu ] - 36 of 75.

37. • On this page, accept the
default settings, and then
just click Next.
[ Scott.Shu ] - 37 of 75.

38. • Enable Active Server
Pages (ASPs), by click
Yes.
[ Scott.Shu ] - 38 of 75.

39. • After the installation
process is completed,
click Finish.
[ Scott.Shu ] - 39 of 75.

40. Issue Certificate
• Click Start > Programs >
Administrative Tools >
Certification Authority
[ Scott.Shu ] - 40 of 75.

41. • Certification Authority
[ Scott.Shu ] - 41 of 75.

42. • Click Pending Requests
[ Scott.Shu ] - 42 of 75.

43. • Click All Tasks > Issue
• If there is no pending
request, do “Request a
certificate” now. (see
below)
[ Scott.Shu ] - 43 of 75.

44. • You can check Issued
Certificates now.
[ Scott.Shu ] - 44 of 75.

45. Obtain a DC from the CA by MMC
• Go to the start menu >
Run > type mmc and
press Enter
[ Scott.Shu ] - 45 of 75.

46. • You will get the MMC
window.
[ Scott.Shu ] - 46 of 75.

47. • In the MMC window, go
to the File menu and
select Add/Remove
Snap-In.
[ Scott.Shu ] - 47 of 75.

48. • Press the Add button.
[ Scott.Shu ] - 48 of 75.

49. • Select Certificates from
the available list of snap-
ins and click Add.
[ Scott.Shu ] - 49 of 75.

50. • Select My User Account.
Click Finish.
[ Scott.Shu ] - 50 of 75.

51. • Expend Certificates
[ Scott.Shu ] - 51 of 75.

52. • Right-click the Personal
folder and select All
Tasks > Request New
Certificate.
[ Scott.Shu ] - 52 of 75.

53. [ Scott.Shu ] - 53 of 75.

54. Obtain a DC from the CA by
Internet browser
• Open an Internet browser
such as IE or Firefox.
• Type the following URL in
the address bar:
http://10.7.15.165/certsrv
where 10.7.15.165 is the CA server IP
address.
• In this page, click
Request a certificate
[ Scott.Shu ] - 54 of 75.

55. • Click Web Browser
Certificate
[ Scott.Shu ] - 55 of 75.

56. • To complete your
certificate, type the
requested information.
[ Scott.Shu ] - 56 of 75.

57. • You will get a prompt to
conform your request,
just click Yes.
[ Scott.Shu ] - 57 of 75.

58. • Wait…
• After the CA administrator
issue your certificate …
Next slide …
[ Scott.Shu ] - 58 of 75.

59. • Open an Internet browser
such as IE or Firefox.
• Type the following URL in
the address bar again:
http://10.7.15.165/certsrv
where 10.7.15.165 is the CA server IP
address.
• In this page, click
Download a CA certificate,
certificate chain, or CRL
[ Scott.Shu ] - 59 of 75.

60. • In this page, click
Download CA Certificate
[ Scott.Shu ] - 60 of 75.

61. • Click Save or Open
“certnew.cer”
[ Scott.Shu ] - 61 of 75.

62. • Open the certificate
• Install this CA certificate,
click Install certificate…
[ Scott.Shu ] - 62 of 75.

63. • Click Next
[ Scott.Shu ] - 63 of 75.

64. • Click Next
[ Scott.Shu ] - 64 of 75.

65. • Click Finish
[ Scott.Shu ] - 65 of 75.

66. • You will get a prompt to
make sure you want to
install this certificate, just
click Yes.
[ Scott.Shu ] - 66 of 75.

67. • You did it.
[ Scott.Shu ] - 67 of 75.

68. • Open the certificate again
• Now, it’s a effective
certificate.
[ Scott.Shu ] - 68 of 75.

69. Obtain a DC from a Public
Certificate Authority
• Open an Internet browser
such as IE or Firefox.
• Type the following URL in
the address bar:
http://archimedes.csisoftware.net/
• In this page, click
Request a certificate
[ Scott.Shu ] - 69 of 75.

70. • Click Web Browser
Certificate
[ Scott.Shu ] - 70 of 75.

71. • To complete your
certificate, type the
requested information.
[ Scott.Shu ] - 71 of 75.

72. • You will get a prompt to
conform your request,
just click Yes.
[ Scott.Shu ] - 72 of 75.

73. • Generating request…
[ Scott.Shu ] - 73 of 75.

74. • Wait…
[ Scott.Shu ] - 74 of 75.

75. Testbed
OS, Programs
Supplicant Windows XP Prof. SP3
Notebook Odyssey Client
Authentication Windows XP
Server (Radius 1) Radiator 4.0
Authentication Linux
Server (Radius 2) FreeRadius
Certificate Windows Server 2003
Authority Enterprise SP1
Access Point
[ Scott.Shu ] - 75 of 75.