config EAP/TLS by using wpa_supplicant /freeradius

amuhong

                                                                                                                                                config EAP/TLS by using wpa_supplicant /freeradius
下面介绍如何利用wpa_supplicant 和 FreeRADIUS 来搭建 wpa 企业模式里的 EAP/TLS 安全模式
（wpa_supplicant 是运行在 linux 环境中）
下图是一个示意图，FreeRADIUS 是装在PC机上的，中间是AP，与PC机用网线相连。它们处于同一网端。
右边是Client端，可以是PC机，手机等，它通过无线与AP交互，并请求建立连接。
|-----------------|           |----------|                              |--------------|
|  FreeRADIUS |--------|    AP    | -  -  -  -  -  -  -  -  -  -|    Client    |
|-----------------|           |----------|                              |--------------|
1. on PC side, install FreeRADIUS software on Window XP.
省略
2. on PC side, modify FreeRADIUS configuration file as below.
2.1 eap.conf
the default setting is TLS, so no need to change it.
2.2 client.conf
client 192.168.200.1/32 {    secret      = 12345678    shortname   = tp-link-test}
comments: 192.168.200.1 is AP's IP Address. shortname is ssid settings for AP.
secret is the password.
2.3 users.conf
no need change.
keep the original settings for FreeRADIUS.net-Client as below
FreeRADIUS.net-Client   User-Password == "demo"
also we can set it to
FreeRADIUS.net-Client   Auth-Type := EAP
2.4 reboot FreeRADIUS
3. on Client side, modify wpa_supplicant.conf
network={        ssid="tp-link-test"        proto=RSN        key_mgmt=WPA-EAP        group=CCMP TKIP        eap=TLS        identity="FreeRADIUS.net-Client"        ca_cert="/data/misc/wifi/FreeRADIUS.net-CA.crt"        #client_cert="/data/misc/wifi/FreeRADIUS.net-Client.p12"        private_key="/data/misc/wifi/FreeRADIUS.net-Client.p12"        private_key_passwd="demo"        priority=1}
comments:
a. we use certificates which are  demo certificates in FreeRADIUS.
b. for standard wpa_supplicant, it can parse crt formate for client_cert.
but from the code, I find when it parse private_key, if the file is p12, it will
parse private_key and also client_cert, so just comments out client_cert setting
in the configuration file.
4. on Client side and PC side, adjust the time.
as we use the demo cert, and for these cert, the certificate time is between 2006
and 2016, so please check the time settings in both RADIUS server and phone.
5. launch wpa_supplicant in Client side.
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               

本文来自ChinaUnix博客，如果查看原文请点：http://blog.chinaunix.net/u3/103613/showart_2049282.html