The supplicant is usually a laptop or some other (wireless) device that needs to be authenticated. Xsupplicant takes the role of the "supplicant", as required by the IEEE 802.1X-2001 standard.
Installing Xsupplicant
Download the latest source from http://www.open1x.org/
    # cd /usr/local/src
    # wget http://belnet.dl.sourceforge.net/sourceforge/open1x/xsupplicant-1.0.tar.gz
    # tar zxfv xsupplicant-1.0.tar.gz
    # cd xsupplicant
Configure, compile and install
    # ./configure
    # make
    # make install
If the configuration file is not installed (copied) into the "etc" folder, do it by hand.
    # mkdir -p /usr/local/etc/1x
    # cp etc/tls-example.conf /usr/local/etc/1x
If the installation fails, check the README and INSTALL files included with the source. You can also consult the official documentation.
Configuring Xsupplicant
The supplicant must have access to the root certificate.
If the supplicant is also to authenticate itself to the authentication server (mutual authentication), it must have a certificate of its own as well.
Create a certificate folder and move the certificate(s) into it
    # mkdir -p /usr/local/etc/1x/certs
    # cp root.pem /usr/local/etc/1x/certs/
    # (copy optional client certificate(s) into the same folder)
Open and edit the configuration file
    # startup_command: the command to run when Xsupplicant is first started.
    # This command can do things such as configure the card to associate with
    # the network properly.
    startup_command = <BEGIN_COMMAND>/usr/local/etc/1x/startup.sh<END_COMMAND>
The script startup.sh is created further below.
Once the client has been authenticated, it sends a DHCP request or sets an IP address manually. Here, the supplicant does this in startup2.sh:
    # first_auth_command: the command to run when Xsupplicant authenticates to
    # a wireless network for the first time. This will usually be used to
    # start a DHCP client process.
    #first_auth_command = <BEGIN_COMMAND>dhclient %i<END_COMMAND>
    first_auth_command = <BEGIN_COMMAND>/usr/local/etc/1x/startup2.sh<END_COMMAND>
Since "-i" is only meant for debugging (and, according to the developers, may be removed), "allow_interfaces" must be set.
    allow_interfaces = eth0
    deny_interfaces = eth1
Next, under the "network section", we configure PEAP.
    # We'll be using PEAP
    allow_types = eap_peap

    # Don't want any eavesdropper to learn the username during the
    # first phase (which is unencrypted), so 'identity hiding' is
    # used (using a bogus username).
    identity = <BEGIN_ID>anonymous<END_ID>

    eap-peap {
        # As in tls, define either a root certificate or a directory
        # containing root certificates.
        root_cert = /usr/local/etc/1x/certs/root.pem
        #root_dir = /path/to/root/certificate/dir
        #crl_dir = /path/to/dir/with/crl
        chunk_size = 1398
        random_file = /dev/urandom
        #cncheck = myradius.radius.com   # Verify that the server certificate
                                         # has this value in its CN field.
        #cnexact = yes                   # Should it be an exact match?
        session_resume = yes

        # Currently 'all' is just mschapv2.
        # If no allow_types is defined, all is assumed.
        #allow_types = all   # where all = MSCHAPv2, MD5, OTP, GTC, SIM
        allow_types = eap_mschapv2

        # Right now, you can do any of these methods in PEAP:
        eap-mschapv2 {
            username = <BEGIN_UNAME>testuser<END_UNAME>
            password = <BEGIN_PASS>Secret149<END_PASS>
        }
    }
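The security of this PEAP section rests on the eap-peap block: root_cert decides whether the RADIUS server's certificate is validated at all, and cncheck/cnexact decide whether any certificate from that CA is accepted or only the server's own. The following is an added example (not part of the HOWTO and not Xsupplicant code) that parses a section written in the format shown above and reports which of those protections are missing. It assumes the grammar as it appears on the page: `key = value` lines, `name {` ... `}` blocks, `<BEGIN_X>...<END_X>` around tagged values, and `#` starting a comment (a `#` inside a password is therefore not supported). The finding codes, the sample configs and the CHANGEME password are constructed for the example; Xsupplicant's real parser may accept more than this.

```python
"""Parse an Xsupplicant-style PEAP section and flag weak certificate checks.

Added example, not from the HOWTO or from Xsupplicant.  Assumes the config
grammar as shown on the page; '#' starts a comment, so a '#' inside a
password value is not supported by this simplified parser.
"""
import os
import re

TAGGED = re.compile(r"<BEGIN_\w+>(.*?)<END_\w+>")

# Constructed sample modelled on the HOWTO's network section; the password
# is a placeholder and cncheck/cnexact are commented out, as on the page.
SAMPLE_CONFIG = """
allow_types = eap_peap
identity = <BEGIN_ID>anonymous<END_ID>
eap-peap {
    root_cert = /usr/local/etc/1x/certs/root.pem
    chunk_size = 1398
    random_file = /dev/urandom
    #cncheck = myradius.radius.com
    #cnexact = yes
    session_resume = yes
    allow_types = eap_mschapv2
    eap-mschapv2 {
        username = <BEGIN_UNAME>testuser<END_UNAME>
        password = <BEGIN_PASS>CHANGEME<END_PASS>
    }
}
"""

# The same section with the CN check switched on (constructed hardened variant).
HARDENED_CONFIG = SAMPLE_CONFIG.replace("#cncheck", "cncheck").replace("#cnexact", "cnexact")


def parse_config(text):
    """Return the config as nested dicts; tagged values are unwrapped."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.endswith("{"):               # open a nested block such as eap-peap
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":                    # close the innermost block
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in config")
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            tagged = TAGGED.fullmatch(value)
            stack[-1][key] = tagged.group(1) if tagged else value
    if len(stack) != 1:
        raise ValueError("unclosed block in config")
    return root


def audit_peap(cfg, cert_exists):
    """Return finding codes for the eap-peap block of a parsed config.

    cert_exists is a callable path -> bool, so the audit can run without the
    certificate installed (pass os.path.isfile on a real system).
    """
    findings = []
    peap = cfg.get("eap-peap")
    if peap is None:
        return ["no-peap-block"]
    # Without a trusted root the server certificate cannot be validated at all.
    if "root_cert" not in peap and "root_dir" not in peap:
        findings.append("no-server-ca")
    elif "root_cert" in peap and not cert_exists(peap["root_cert"]):
        findings.append("root-cert-missing")
    # Without cncheck, any certificate issued by the trusted CA passes; with
    # cncheck but without cnexact, the CN match is not required to be exact.
    if "cncheck" not in peap:
        findings.append("no-cncheck")
    elif peap.get("cnexact") != "yes":
        findings.append("cn-not-exact")
    # The inner MSCHAPv2 password sits in the file in clear text, so the file
    # itself must be readable only by root (see mode_is_private).
    if "password" in peap.get("eap-mschapv2", {}):
        findings.append("plaintext-password")
    return findings


def mode_is_private(mode):
    """True if a file mode (e.g. 0o600) grants no group or other permissions."""
    return mode & 0o077 == 0


if __name__ == "__main__":
    for label, text in (("as in the HOWTO", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_peap(parse_config(text), os.path.isfile))
```

Run against the page's section the audit reports `no-cncheck` and `plaintext-password`; with cncheck and cnexact enabled only the plaintext password remains, which is why the file holding this section should be mode 0600 and owned by root.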
The supplicant must first associate with the access point. The script startup.sh does this. It is also the first command Xsupplicant executes.
Note: note the bogus key we give to iwconfig (enc 000000000)! This key is used to tell the driver to run in encrypted mode. The key is replaced after successful authentication. It can be set to enc off only when encryption is disabled in the AP (for testing purposes).
Both startup.sh and startup2.sh must be saved in /usr/local/etc/1x/.
    #!/bin/bash
    echo "Starting startup.sh"

    # Take down interface (if it's up)
    /sbin/ifconfig eth0 down

    # To make sure the routes are flushed
    sleep 1

    # Configuring the interface with a bogus key
    /sbin/iwconfig eth0 mode managed essid testnet enc 000000000

    # Bring the interface up and make sure it listens to multicast packets
    /sbin/ifconfig eth0 allmulti up

    echo "Finished startup.sh"
The next file is used to set the IP address statically. It can be omitted if a DHCP server is present (as is usually the case with many access points).
    #!/bin/bash
    echo "Starting startup2.sh"

    # Assigning an IP address
    /sbin/ifconfig eth0 192.168.1.5 netmask 255.255.255.0

    echo "Finished startup2.sh"