802.1X in Linux http://tldp.org/HOWTO/html_single/8021X-HOWTO/
PPP EAP TLS Authentication Protocol: http://www.ietf.org/rfc/rfc2716.txt
http://www.ietf.org/rfc/rfc3579.txt
----------------------------------------------------------------------------------
RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)
http://www.ietf.org/rfc/rfc3579.txt
----------------------------------------------------------------------------------
Authenticating Peer     Authenticator
-------------------     -------------
                        <- PPP LCP Request-EAP
                           auth
PPP LCP ACK-EAP
auth ->
                        <- PPP EAP-Request/
                           Identity
PPP EAP-Response/
Identity (MyID) ->
                        <- PPP EAP-Request/
                           EAP-Type=EAP-TLS
                           (TLS Start)
PPP EAP-Response/
EAP-Type=EAP-TLS
(TLS client_hello)->
                        <- PPP EAP-Request/
                           EAP-Type=EAP-TLS
                           (TLS server_hello,
                            TLS certificate,
                            [TLS server_key_exchange,]
                            [TLS certificate_request,]
                            TLS server_hello_done)
PPP EAP-Response/
EAP-Type=EAP-TLS
(TLS certificate,
 TLS client_key_exchange,
 [TLS certificate_verify,]
 TLS change_cipher_spec,
 TLS finished) ->
                        <- PPP EAP-Request/
                           EAP-Type=EAP-TLS
                           (TLS change_cipher_spec,
                            TLS finished)
PPP EAP-Response/
EAP-Type=EAP-TLS ->
                        <- PPP EAP-Success
PPP Authentication
Phase complete,
NCP Phase starts
----------------
FreeRadius + EAP with 802.1X wireless WPA.
[peter@localhost certs]$ pwd
/pub/rootfs/etc/raddb/certs
[peter@localhost certs]$ ls
01.pem      ca.key      index.txt       random      server.cnf  server.p12
bootstrap*  ca.pem      index.txt.attr  README      server.crt  server.pem
ca.cnf      client.cnf  index.txt.old   serial      server.csr  xpextensions
ca.der      dh          Makefile        serial.old  server.key
1. Install ca.pem and server.pem into Windows (rename them as *.cer in Windows).
For more info on X.509, see the README for the EAP HOWTO...
2. Load ca.pem and server.pem into Windows.
3. Start FreeRADIUS in debug mode with: # radiusd -X
FreeRADIUS is the radius daemon plus support for various modules (including EAP):
[peter@localhost main]$ ls ../modules/
lib/ rlm_copy_packet/ rlm_exec/ rlm_logintime/ rlm_protocol_filter/ rlm_sql_log/
Makefile rlm_counter/ rlm_expiration/ rlm_mschap/ rlm_python/ rlm_unix/
rlm_acctlog/ rlm_cram/ rlm_expr/ rlm_opendirectory/ rlm_radutmp/ rlm_wimax/
rlm_acct_unique/ rlm_dbm/ rlm_fastusers/ rlm_otp/ rlm_realm/ rules.mak
rlm_always/ rlm_detail/ rlm_files/ rlm_pam/ rlm_sim_files/ stable
rlm_attr_filter/ rlm_digest/ rlm_ippool/ rlm_pap/ rlm_smb/
rlm_attr_rewrite/ rlm_dynamic_clients/ rlm_jradius/ rlm_passwd/ rlm_sql/
rlm_caching/ rlm_eap/ rlm_krb5/ rlm_perl/ rlm_sqlcounter/
rlm_chap/ rlm_eap2/ rlm_ldap/ rlm_policy/ rlm_sqlhpwippool/
rlm_checkval/ rlm_example/ rlm_linelog/ rlm_preprocess/ rlm_sqlippool/
What I want to try is EAP+TLS, i.e. Wi-Fi WPA Enterprise.
EAP itself is only a protocol framing; TLS is what gets wrapped inside EAP.
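As an added example (my own code, not from this post or from FreeRADIUS), here is the RFC 2716 framing the flow above rides on: TLS records go inside EAP packets of Type 13, with the L/M/S flags handling the TLS Start message and fragmentation. The function and class names are my own, and the TLS payload is a constructed byte string, not a real handshake.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_TLS = 1, 2, 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # length included, more fragments, TLS start

def eap_tls_start(identifier):
    """EAP-Request/EAP-Type=EAP-TLS (TLS Start): no TLS data, only the S flag."""
    return struct.pack("!BBHBB", EAP_REQUEST, identifier, 6, EAP_TYPE_TLS, FLAG_S)

def fragment(code, identifier, tls_msg, max_frame=1020):
    """Split one TLS flight into EAP-TLS packets of at most max_frame bytes.
    First fragment: L flag + 4-byte TLS Message Length; all but the last: M flag.
    (Constructed helper, not FreeRADIUS code; assumes max_frame > 10.)"""
    packets, off = [], 0
    while True:
        first = off == 0
        hdr_len = 10 if first else 6           # EAP hdr(4) + Type + Flags [+ Length(4)]
        chunk = tls_msg[off:off + max_frame - hdr_len]
        off += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if off < len(tls_msg) else 0)
        body = struct.pack("!I", len(tls_msg)) if first else b""
        packets.append(struct.pack("!BBHBB", code, identifier, hdr_len + len(chunk),
                                   EAP_TYPE_TLS, flags) + body + chunk)
        identifier = (identifier + 1) & 0xFF
        if off >= len(tls_msg):
            return packets

class Reassembler:
    """Receiver side: the checks owed before a fragment is handed to BIO_write.
    feed() returns the whole TLS message when the last fragment (no M flag) arrives."""
    def __init__(self):
        self.buf, self.expected = bytearray(), None

    def feed(self, pkt):
        code, ident, length, typ, flags = struct.unpack("!BBHBB", pkt[:6])
        if length != len(pkt) or typ != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        data = pkt[6:]
        if flags & FLAG_L:                      # new message: reset and record its length
            self.expected, data = struct.unpack("!I", data[:4])[0], data[4:]
            self.buf.clear()
        self.buf += data
        # Do not trust the peer: the advertised length bounds what we will buffer.
        if self.expected is not None and len(self.buf) > self.expected:
            raise ValueError("fragment data exceeds advertised TLS Message Length")
        if flags & FLAG_M:
            return None
        if self.expected is not None and len(self.buf) != self.expected:
            raise ValueError("TLS Message Length mismatch")
        out, self.buf, self.expected = bytes(self.buf), bytearray(), None
        return out
```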
trace code:
FreeRADIUS plugs in each piece of functionality as a module (EAP is a module too).
For example: freeradius-server-2.1.1/src/modules/rlm_example/rlm_example.c
module_t rlm_example = {
        RLM_MODULE_INIT,
        "example",
        RLM_TYPE_THREAD_SAFE,           /* type */
        example_instantiate,            /* instantiation */
        example_detach,                 /* detach */
        {
                example_authenticate,   /* authentication */
                example_authorize,      /* authorization */
                example_preacct,        /* preaccounting */
                example_accounting,     /* accounting */
                example_checksimul,     /* checksimul */
                NULL,                   /* pre-proxy */
                NULL,                   /* post-proxy */
                NULL                    /* post-auth */
        },
};
The whole architecture is designed as a state machine, so tracing it is fairly hard going...
modules/rlm_eap/eap.c                                # EAP module from RADIUS.
modules/rlm_eap/rlm_eap.c                            # EAP module from RADIUS, loadable module.
modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c      # TLS module plugged in by the EAP module.
modules/rlm_eap/libeap/eap_tls.c                     # TLS library for TLS, TTLS, PEAP ...
The annoying part is that the TLS module for EAP is also only framing; the actual implementation is entirely OpenSSL.
So EAP+TLS in radius depends on OpenSSL's support.
First, understand OpenSSL's architecture: the OpenSSL library consists of the SSL protocol part and the ciphers.
SSL_xxx is the protocol part; it contains BIO_xxx, and BIO_xxx is what hooks the protocol's I/O stream.
BIO_read/BIO_write are the focus of my code tracing.
In modules/rlm_eap/libeap/tls.c I found:
BIO_read in
int tls_handshake_recv(tls_session_t *ssn) and
int tls_handshake_send(tls_session_t *ssn)
BIO_write in int tls_handshake_recv(tls_session_t *ssn) and in
[ modules/rlm_eap/libeap/eap_tls.c ] eaptls_status_t eaptls_process(EAP_HANDLER *handler)
Next I need to look at how these functions work together.