802.1x for enterprise network
Mukhammad Andri Setiawan, PhD
andri.setiawan@uii.ac.id
andri@idnic.net
• Why 802.1x
• a supplicant,
• an authenticator, and
• an authentication server
// JOIN DOMAIN
#net join -U Administrator
// TEST AUTH
// We will use this command in the ntlm_auth module of freeRADIUS
#ntlm_auth --request-nt-key --domain=XYZDOM --username=example_user
client wlc {
ipaddr = 10.x.x.x
secret = myRADIUS
}
eap {
default_eap_type = peap
}
VALUES INNOVATION PERFECTION
Authentication: Enable MSCHAPv2
• Available at /etc/freeradius/mods-enabled/mschap
mschap {
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-myDOMAIN} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of='myDOMAIN\\eduroam'"
}
authorize {
mschap
}
authenticate {
ntlm_auth
Auth-Type MS-CHAP {
mschap
}
eap
}
ldap {
server = '10.254.254.101'
port = 389
identity = 'CN=Administrator,CN=Users,DC=uii,DC=ac,DC=id'
password = thisIsAVeryLongPasswordDoNotForgetIt
base_dn = 'OU=Accounts,DC=uii,DC=ac,DC=id'
user {
base_dn = "${..base_dn}"
filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
}
}
dot1x system-auth-control
radius server <radius-name>
address ipv4 <ip-radius> auth-port 1812 acct-port 1813
key 0 <key-secret-radius>
// install the compiler and build dependencies
# sudo apt-get install git libssl-dev devscripts pkg-config libnl-3-dev libnl-genl-3-dev
// build eapol_test
# git clone --depth 1 --no-single-branch https://github.com/FreeRADIUS/freeradius-server.git
# cd freeradius-server/scripts/travis/
# ./eapol_test-build.sh
# cp ./eapol_test/eapol_test /usr/local/bin/
client localhost {
ipaddr = 127.0.0.1
secret = testing123
}
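As an added example (not part of the workshop slides), the following Python shows what the shared secret in the client localhost entry actually protects: it hides User-Password (RFC 2865) and keys the Message-Authenticator (RFC 2869) that the server checks on every Access-Request carrying EAP. The testing123 secret comes from the slide; the test user, password and Request Authenticator used in the test are constructed, and nothing is sent on the wire.

```python
import hashlib, hmac, os, struct

SECRET = b"testing123"  # the workshop's client localhost { secret = testing123 } entry
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80  # RFC 2865 / RFC 2869 attribute types

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server does before consulting the users file."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def avp(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_access_request(user: bytes, password: bytes, secret: bytes,
                         ident: int = 1, authenticator: bytes = None) -> bytes:
    """Access-Request (Code 1) with User-Name, hidden User-Password and a Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator; also keys the hiding
    attrs = avp(USER_NAME, user) + avp(USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs) + 18) + authenticator
    # RFC 2869 5.14: HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed
    mac = hmac.new(secret, header + attrs + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16), hashlib.md5).digest()
    return header + attrs + avp(MESSAGE_AUTHENTICATOR, mac)

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: locate the attribute, zero it, recompute the HMAC, compare in constant time."""
    pos, mac_at = 20, None
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False  # malformed attribute list
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            mac_at = pos + 2
        pos += length
    if mac_at is None:
        return False  # absent: reject, since EAP over RADIUS requires it
    zeroed = packet[:mac_at] + b"\x00" * 16 + packet[mac_at + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), packet[mac_at:mac_at + 16])
```

Both computations depend only on MD5 and the shared secret, so a weak or widely reused secret weakens every NAS that uses it; the testing123 value belongs on the localhost client only.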
Set up a testing user
• For this workshop, we simply create a test user in a flat file as our authentication source
• File is located at: /etc/freeradius/users
• Add this line