6. Test bed

6.1. Test case

Figure: Test bed. A wireless node requests authentication.

Our test bed consists of two nodes and an access point (AP). One node acts as the Supplicant (WN); the other node acts as the back-end authentication server running RADIUS (AS). The access point is the Authenticator. See the figure "Test bed" for an illustration.

Important

It is essential that the access point can reach (ping) the authentication server, and vice versa!

6.2. Running some tests

  1. The RADIUS server is started in debug mode. This produces a lot of debug information. The important snippets are listed below:

      # radiusd -X
      Starting - reading configuration files ...
      reread_config:  reading radiusd.conf
      Config:   including file: /usr/local/etc/raddb/proxy.conf
      Config:   including file: /usr/local/etc/raddb/clients.conf
      Config:   including file: /usr/local/etc/raddb/snmp.conf
      Config:   including file: /usr/local/etc/raddb/eap.conf
      Config:   including file: /usr/local/etc/raddb/sql.conf
      ......
      Module: Loaded MS-CHAP 
       mschap: use_mppe = yes
       mschap: require_encryption = no
       mschap: require_strong = no
       mschap: with_ntdomain_hack = no
       mschap: passwd = "(null)"
       mschap: authtype = "MS-CHAP"
       mschap: ntlm_auth = "(null)"
      Module: Instantiated mschap (mschap)
      ......
      Module: Loaded eap 
       eap: default_eap_type = "peap" (1)
       eap: timer_expire = 60
       eap: ignore_unknown_eap_types = no
       eap: cisco_accounting_username_bug = no
      rlm_eap: Loaded and initialized type md5
       tls: rsa_key_exchange = no (2)
       tls: dh_key_exchange = yes
       tls: rsa_key_length = 512
       tls: dh_key_length = 512
       tls: verify_depth = 0
       tls: CA_path = "(null)"
       tls: pem_file_type = yes
       tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
       tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
       tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
       tls: private_key_password = "SecretKeyPass77"
       tls: dh_file = "/usr/local/etc/raddb/certs/dh"
       tls: random_file = "/usr/local/etc/raddb/certs/random"
       tls: fragment_size = 1024
       tls: include_length = yes
       tls: check_crl = no
       tls: check_cert_cn = "(null)"
      rlm_eap: Loaded and initialized type tls
       peap: default_eap_type = "mschapv2" (3)
       peap: copy_request_to_tunnel = no
       peap: use_tunneled_reply = no
       peap: proxy_tunneled_request_as_eap = yes
      rlm_eap: Loaded and initialized type peap
       mschapv2: with_ntdomain_hack = no
      rlm_eap: Loaded and initialized type mschapv2
      Module: Instantiated eap (eap) 
      ......
      Module: Loaded files 
       files: usersfile = "/usr/local/etc/raddb/users" (4)
      ...... 
      Module: Instantiated radutmp (radutmp) 
      Listening on authentication *:1812
      Listening on accounting *:1813
      Ready to process requests. (5)
      
    (1)
    The default EAP type is set to PEAP.
    (2)
    The TLS settings for RADIUS are initialized here. The certificate type, locations and password are listed here.
    (3)
    Inside the PEAP tunnel, MS-CHAPv2 is used.
    (4)
    Username/password information is found in the users file.
    (5)
    The RADIUS server started successfully. It is waiting for incoming requests.

    The RADIUS server is now ready to process requests!

    The most interesting output is included above. If you receive any error messages instead of the last line, double-check the configuration (as described above).

  2. Now the Supplicant is ready to authenticate. Start Xsupplicant in debug mode. Note that we will see the output produced by the two startup scripts, startup.sh and startup2.sh.

      # xsupplicant -c /usr/local/etc/1x/1x.conf -i eth0 -d 6
      Starting /etc/1x/startup.sh
      Finished /etc/1x/startup.sh
      Starting /etc/1x/startup2.sh
      Finished /etc/1x/startup2.sh
      
  3. Meanwhile, the RADIUS server is producing a lot of output. The key snippets are shown below:

      ......
      rlm_eap: Request found, released from the list
      rlm_eap: EAP/peap
      rlm_eap: processing type peap
      rlm_eap_peap: Authenticate
      rlm_eap_tls: processing TLS (1)
      eaptls_verify returned 7 
      rlm_eap_tls: Done initial handshake 
      eaptls_process returned 7 
      rlm_eap_peap: EAPTLS_OK (2)
      rlm_eap_peap: Session established.  Decoding tunneled attributes.
      rlm_eap_peap: Received EAP-TLV response.
      rlm_eap_peap: Tunneled data is valid.
      rlm_eap_peap: Success
      rlm_eap: Freeing handler
      modcall[authenticate]: module "eap" returns ok for request 8
      modcall: group authenticate returns ok for request 8
      Login OK: [testuser/<no User-Password attribute>] (from client testnet port 37 cli 0002a56fa08a)
      Sending Access-Accept of id 8 to 192.168.2.1:1032 (3)
              MS-MPPE-Recv-Key = 0xf21757b96f52ddaefe084c343778d0082c2c8e12ce18ae10a79c550ae61a5206 (4)
              MS-MPPE-Send-Key = 0x5e1321e06a45f7ac9f78fb9d398cab5556bff6c9d003cdf8161683bfb7e7af18 
              EAP-Message = 0x030a0004
              Message-Authenticator = 0x00000000000000000000000000000000
              User-Name = "testuser"
      
    (1)
    The TLS session starts. The TLS handshake is in progress.
    (2)
    The TLS session (the PEAP encrypted tunnel) is established.
    (3)
    The Supplicant has been successfully authenticated by the RADIUS server. An "Access-Accept" message is sent.
    (4)
    MS-MPPE-Recv-Key [RFC2548 Section 2.4.3] contains the Pairwise Master Key (PMK), which is destined for the Authenticator (the access point) and is encrypted with the MPPE protocol [RFC3078], using the shared secret between the Authenticator and the authentication server as the key. The Supplicant derives the same PMK from the MK, as described in Key Management.
  4. The Authenticator (access point) may also show something like the following in its log:

      00:02:16 (Info): Station 0002a56fa08a Associated
      00:02:17 (Info): Station=0002a56fa08a User="testuser" EAP-Authenticated 
      

That's it! The Supplicant is now authenticated and can use the access point!
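Callout (4) above points out that the PMK reaches the access point inside MS-MPPE-Recv-Key, protected only by the RADIUS shared secret. The Python below is an added example, not part of this HOWTO or of FreeRADIUS: it implements the RFC 2548 Section 2.4.3 key wrapping with constructed values (the key, shared secret, Request Authenticator and salt are all made up) and shows that a peer holding the wrong shared secret cannot recover the key, which is why that secret deserves the same care as the PMK itself.

```python
"""RFC 2548 section 2.4.3 key wrapping as used for MS-MPPE-Recv-Key (added example)."""
import hashlib

BLOCK = 16  # MD5 digest length; the key stream is produced 16 bytes at a time

# All values below are constructed for the demo, not taken from a real exchange.
PMK = bytes(range(32))                       # 32-byte session key the AS hands to the AP
SECRET = b"constructed-shared-secret"        # RADIUS shared secret between AP and AS
REQ_AUTH = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # 16-byte Request Authenticator
SALT = bytes.fromhex("8a3c")                 # 2-byte salt, high bit of the first byte set

def _keystream_xor(secret, req_auth, salt, data, decrypt):
    """Chain MD5 blocks: b(1)=MD5(S+R+A), b(i)=MD5(S+c(i-1)); c(i)=p(i) xor b(i)."""
    out = b""
    prev = req_auth + salt
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(chunk, b))
        # the chaining value is always the *ciphertext* block of the previous round
        prev = chunk if decrypt else out[i:i + BLOCK]
    return out

def mppe_wrap(key, secret, req_auth, salt):
    """Return Salt || Encrypted(Key-Length || Key || zero padding to a 16-byte multiple)."""
    if len(req_auth) != 16 or len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("bad Request Authenticator or salt")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % BLOCK)
    return salt + _keystream_xor(secret, req_auth, salt, plain, decrypt=False)

def mppe_unwrap(blob, secret, req_auth):
    """Reverse mppe_wrap; raises if the recovered length byte is implausible."""
    salt, cipher = blob[:2], blob[2:]
    if len(cipher) % BLOCK:
        raise ValueError("ciphertext is not a multiple of 16 bytes")
    plain = _keystream_xor(secret, req_auth, salt, cipher, decrypt=True)
    key_len = plain[0]
    if key_len == 0 or key_len > len(plain) - 1:
        raise ValueError("implausible key length: wrong secret or corrupted attribute")
    return plain[1:1 + key_len]

def recovers_pmk(secret):
    """True if a peer holding `secret` can unwrap the constructed PMK."""
    blob = mppe_wrap(PMK, SECRET, REQ_AUTH, SALT)
    try:
        return mppe_unwrap(blob, secret, REQ_AUTH) == PMK
    except ValueError:
        return False
```

A 32-byte key wraps to 50 bytes (2-byte salt plus 48 bytes of ciphertext), and only the correct shared secret together with the Request Authenticator of the matching Access-Request unwraps it.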