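802.1x Network Authentication

IEEE 802.1x is a standard for authenticating hosts to a network. It is commonly used on large networks, such as campus or corporate networks, for both wireless and wired access.

Configuring a wireless network requires the following tools:

  • wpa_supplicant - a tool for Linux, BSD, Mac OS X and Windows that supports the WPA and WPA2 (IEEE 802.11i/RSN) protocols.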

  • iw

  • ip

  • ping

Package installation

Linux uses the wpa_supplicant software to perform 802.1x authentication. On Ubuntu, install the wpasupplicant package:

apt install wpasupplicant

Basic configuration

  • Edit /etc/wpa_supplicant.conf and add the following:

# Where is the control interface located? This is the default path:
ctrl_interface=/var/run/wpa_supplicant

# Who can use the WPA frontend? Replace "0" with a group name if you
#   want other users besides root to control it.
# There should be no need to change this value for a basic configuration:
ctrl_interface_group=0

# IEEE 802.1X works with EAPOL version 2, but the version defaults
#   to 1 because of compatibility problems with a number of wireless
#   access points. So we explicitly set it to version 2:
eapol_version=2

# When configuring WPA-Supplicant for use on a wired network, we don’t need to
#   scan for wireless access points. See the wpa-supplicant documentation if
#   you are authenticating through 802.1x on a wireless network:
ap_scan=0

Wireless network configuration

Reference: Configuring 802.1X Authentication in Linux

  • Add the following to /etc/wpa_supplicant.conf:

network={
    ssid="YOURSSID"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
    identity="user@your_domain"
    password="your_password"
}

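This configuration is the same as the 802.1x setup described in "Installing Gentoo on a MacBook". If you use NetworkManager, see also "Setting up an 802.1x wireless network on an Ubuntu Touch phone".

Start the wireless connection: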

wpa_supplicant -B -i wlp3s0 -c /etc/wpa_supplicant.conf

Once wireless authentication succeeds, start dhclient:

dhclient wlp3s0

Alternatively, reload the networking script:

/etc/init.d/networking reload

  • Once the manual steps above succeed, make the setup persistent across boots by editing /etc/network/interfaces:

auto wlp3s0
iface wlp3s0 inet dhcp
    pre-up wpa_supplicant -B -i wlp3s0 -c /etc/wpa_supplicant.conf
    post-down killall -q wpa_supplicant

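Wired network configuration

The following example is for wired IEEE 802.1x, using EAP-Tunnelled Transport Layer Security (EAP-TTLS) with PAP and MD5 as the authentication protocols and no certificates: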

network={
        key_mgmt=IEEE8021X
        eap=TTLS MD5
        identity="myloginname"
        anonymous_identity="myloginname"
        password="mypassword"
        phase1="auth=MD5"
        phase2="auth=PAP password=mypassword"
        eapol_flags=0
}

Test the network:

sudo wpa_supplicant -c /etc/wpa_supplicant.conf -D wired -i eth0
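
Added example, not part of the original page: a small Python audit of the network blocks in a wpa_supplicant.conf, flagging the settings that the wired block above leaves weak (the wireless PEAP block earlier trips the first two checks as well). The second sample block, the CA path and the server name are constructed placeholders.

```python
import re
# Constructed input: the page's wired TTLS block (trimmed), then a variant that
# passes the checks. The CA path and server name are placeholders, not page values.
SAMPLE_CONF = '''
network={
    key_mgmt=IEEE8021X
    eap=TTLS MD5
    identity="myloginname"
    anonymous_identity="myloginname"
    password="mypassword"
}
network={
    key_mgmt=IEEE8021X
    eap=TTLS
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.org"
    identity="myloginname"
    anonymous_identity="anonymous"
    password="mypassword"
}
'''
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"^\s*network=\{(.*?)^\s*\}", text, re.S | re.M):
        lines = (ln.strip() for ln in body.splitlines())
        pairs = (ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
        nets.append({k.strip(): v.strip() for k, v in pairs})
    return nets

def audit(net):
    """Return the weaknesses found in one parsed network block."""
    found = []
    methods = set(net.get("eap", "").split())
    if methods & {"PEAP", "TTLS"}:  # tunnelled methods rely on the server certificate
        if "ca_cert" not in net and "ca_path" not in net:
            found.append("no ca_cert/ca_path: server certificate is not verified")
        if not any(key in net for key in NAME_CHECKS):
            found.append("no server name match: certificate subject is not checked")
    if "MD5" in methods:
        found.append("EAP-MD5 enabled: it does not authenticate the server")
    if net.get("anonymous_identity") and net["anonymous_identity"] == net.get("identity"):
        found.append("anonymous_identity equals identity: login name sent outside the tunnel")
    return found

if __name__ == "__main__":
    print([audit(net) or "ok" for net in parse_networks(SAMPLE_CONF)])
```

To check a real file, pass its contents to parse_networks() in place of SAMPLE_CONF.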

Connecting to Protected EAP (PEAP)

Reference: How to connect to Protected EAP (PEAP) wifi via terminal

  • Edit /etc/network/interfaces:

auto lo
iface lo inet loopback

auto wlan0
iface wlan0 inet dhcp
wireless-mode Managed
wpa-ssid **censored**
wpa-ap-scan 1
wpa-proto RSN WPA
wpa-pairwise CCMP TKIP
wpa-group CCMP TKIP
wpa-key-mgmt WPA-EAP
wpa-eap PEAP
wpa-identity **censored**
wpa-password **censored**
wpa-phase1 fast_provisioning=1
wpa-pac-file /home/kyle/Downloads/chain2.cer

  • Run the following commands to connect:

sudo ifconfig wlan0 down
sudo ifconfig wlan0 up
sudo dhclient wlan0 -v
