个人工具

UbuntuHelp:Network802.1xAuthentication

来自Ubuntu中文

Wikibot讨论 | 贡献2010年5月19日 (三) 23:43的版本

(差异) ←上一版本 | 最后版本 (差异) | 下一版本→ (差异)
跳转至: 导航, 搜索
  1. title Authenticating to a network using the IEEE 802.1x protocol

This document explains how the network on a Ubuntu system can be configured to use 802.1x authentication.

Introduction

IEEE 802.1x is a standard for authenticating a computer on the network. It is often used for gaining access to large networks with a variety of users, such as a university network or a community network. This authentication protocol can be used on both wireless and wired networks. IconsPage?action=AttachFile&do=get&target=IconNote.png Windows users might be familiar with the SecureW2 software, which provides 802.1x authentication for the Microsoft Windows 2000, XP and Vista operating systems.

Basic configuration

To authenticate to a network with the 802.1x protocol, the WPA-Supplicant software can be used. Despite the software’s heavy focus on wireless networking, it can be used for the authentication of wired networks as well. Ubuntu comes with WPA-Supplicant installed by default. To configure our computer for using WPA-Supplicant, two configuration files need to be edited. First, create a new text file in /etc with your favourite editor or, if you are logged in to a graphical environment, by typing in a terminal:

sudo gedit /etc/wpa_supplicant.conf

Copy the following basic configuration into the new file:

# Where is the control interface located? This is the default path:
ctrl_interface=/var/run/wpa_supplicant

# Who can use the WPA frontend? Replace "0" with a group name if you
#   want other users besides root to control it.
# There should be no need to chance this value for a basic configuration:
ctrl_interface_group=0

# IEEE 802.1X works with EAPOL version 2, but the version is defaults 
#   to 1 because of compatibility problems with a number of wireless
#   access points. So we explicitly set it to version 2:
eapol_version=2

# When configuring WPA-Supplicant for use on a wired network, we don’t need to
#   scan for wireless access points. See the wpa-supplicant documentation if
#   you are authenticating through 802.1x on a wireless network:
ap_scan=0

Next, we need to set up the authentication configuration for the network we are authenticating to. There is no single configuration that will work for every network, so check with your network administrator or institution for the specific settings and protocols needed for your situation. Multiple networks can be configured in the WPA-Supplicant configuration file. A basic setup might look like the following. Example for a wired network with:

  • Network access authentication through IEEE 802.1x.
  • EAP-Tunnelled Transport Layer Security, using PAP and MD5 as the authentication protocol.
  • No certificates.
network={
        key_mgmt=IEEE8021X
        eap=TTLS MD5
        identity="myloginname"
        anonymous_identity="myloginname"
        password="mypassword"
        phase1="auth=MD5"
        phase2="auth=PAP password=mypassword"
        eapol_flags=0
}

To test the authentication process, we can call WPA-Supplicant directly with our new configuration file. For example, in case of a wired network, execute the following command:

sudo wpa_supplicant -c /etc/wpa_supplicant.conf -D wired -i eth0

IconsPage?action=AttachFile&do=get&target=IconTip.png See WifiDocs/WPAHowTo for more information on configuring WPA-Supplicant for wireless networks. If WPA-Supplicant can authenticate our computer to the network, we can add it to the global network configuration. By doing this WPA-Supplicant is automatically run when we boot up the computer or restart its network. Open the network interface configuration file:

sudo gedit /etc/network/interfaces

There should already be a number of network interfaces configured in this file. Below we add 802.1x authentication for a wired network, be sure to select the proper driver for WPA-Supplicant if you want to authenticate to a wireless network:

# The loopback interface, this is the default configuration:
auto lo
iface lo inet loopback

# The first network interface.
# In this case we want to receive an IP-address through DHCP:
auto eth0
iface eth0 inet dhcp

# In this case we have a wired network:
wpa-driver wired

# Tell the system we want to use WPA-Supplicant with our configuration file:
wpa-conf /etc/wpa_supplicant.conf

To test our new configuration, we stop the network on our system before saving the above configuration file:

sudo /etc/init.d/networking stop

After saving this file, we should be able to start the network with 802.1x authentication enabled:

sudo /etc/init.d/networking start

For most cases, this is all that is required to automatically authenticate our computer to the network using the IEEE 802.1x protocol.

Advanced topics

Using WPA-Supplicant on a bridged network interface

If you are using a bridged network interface, using WPA-Supplicant to authenticate your system to the network is no problem if you have a working WPA-Supplicant configuration. In the example below, we add a bridge with eth0 as its only interface: IconsPage?action=AttachFile&do=get&target=IconNote.png More interfaces can be added to the bridge dynamically, for instance for use with a virtual machine using QEMU or KVM.

# The loopback interface, this is the default configuration
auto lo
iface lo inet loopback

# The first network interface
auto eth0
iface eth0 inet manual

# The bridge
auto br0
iface br0 inet dhcp
bridge_ports eth0
bridge_stp off
bridge_maxwait 5

# Configure the system to authenticate with WPA-Supplicant on interface eth0
wpa-iface eth0
wpa-bridge br0
wpa-driver wired
wpa-conf /etc/wpa_supplicant.conf

IconsPage?action=AttachFile&do=get&target=IconTip.png For more information on network bridging in Ubuntu, see NetworkConnectionBridge.

More information

The WPA-Supplicant documentation details the available configuration directives. It can be found in /usr/share/doc/wpasupplicant if WPA-Supplicant is installed. See also the system manual pages for wpa_supplicant and wpa_supplicant.conf.

Related links