# 802.1x网络认证 `IEEE 802.1x`是网络认证主机的标准,通常在大型网络,如校园网络或公司网络中使用,用于无线或有线网络认证。 在配置无线网络时候,需要使用以下工具命令: * `wpa_supplicant` - `wpa_supplicant`是支持使用WPA和WPA2(IEEE 802.11i/RSN)协议的的Linux, BSD, Mac OS X,Windows工具命令。 * `iw` * `ip` * `ping` ## 软件包安装 Linux使用`wpa_supplicant`软件来实现 802.1x认证。在Ubuntu中,需要安装`wpasupplicant` ``` apt install wpasupplicant ``` ## 基本配置 * 编辑`/etc/wpa_supplicant.conf`添加以下内容 ```bash # Where is the control interface located? This is the default path: ctrl_interface=/var/run/wpa_supplicant # Who can use the WPA frontend? Replace "0" with a group name if you # want other users besides root to control it. # There should be no need to chance this value for a basic configuration: ctrl_interface_group=0 # IEEE 802.1X works with EAPOL version 2, but the version is defaults # to 1 because of compatibility problems with a number of wireless # access points. So we explicitly set it to version 2: eapol_version=2 # When configuring WPA-Supplicant for use on a wired network, we don’t need to # scan for wireless access points. See the wpa-supplicant documentation if # you are authenticating through 802.1x on a wireless network: ap_scan=0 ``` ### 无线网络配置 > 参考 [Configuring 802.1X Authentication in Linux](https://www.nowiressecurity.com/configure-8021x-authentication-linux) * 配置`/etc/wpa_supplicant.conf`添加 ``` network={ ssid="YOURSSID" key_mgmt=WPA-EAP eap=PEAP phase1="peaplabel=0" phase2="auth=MSCHAPV2" identity="user@your_domain" password="your_password" } ``` > 上述配置和[在MacBook上安装Gentoo](https://github.com/huataihuang/cloud-atlas-draft/tree/6f3204fffc11cf006abd394631e2598d98b415c3/os/linux/gentoo/install_gentoo_on_macbook/README.md)中有关配置802.1x相同,如果使用NetworkManager也可以参考[Ubuntu Touch手机设置802.1x无线网络](https://github.com/huataihuang/cloud-atlas-draft/tree/6f3204fffc11cf006abd394631e2598d98b415c3/os/develop/ubuntu_touch/802.1x_wireless_network_to_ubuntu_phone) 启动无线: ``` wpa_supplicant -B -i wlp3s0 -c /etc/wpa_supplicant.conf ``` 无线认证通过后,启动dhclient ``` dhclient wlp3s0 ``` 也可以重新加载 network 脚本 ``` /etc/init.d/networking reload ``` * 上述手工执行任务成功以后,就可以修改成启动配置:修改`/etc/network/interfaces` ``` auto wlp3s0 iface wlp3s0 inet dhcp pre-up wpa_supplicant -B -i wlp3s0 -c /etc/wpa_supplicant.conf post-down killall -q wpa_supplicant ``` ### 有线网络配置 以下案例为有线网络IEEE 802.1x,使用EAP-Tunnelled传输层安全,使用PAP和MD5作为认证协议,不使用证书: ``` network={ key_mgmt=IEEE8021X eap=TTLS MD5 identity="myloginname" anonymous_identity="myloginname" password="mypassword" phase1="auth=MD5" phase2="auth=PAP password=mypassword" eapol_flags=0 } ``` 测试网络: ``` sudo wpa_supplicant -c /etc/wpa_supplicant.conf -D wired -i eth0 ``` ## 连接Pretected EAP(PEAP) > 参考[How to connect to Protected EAP (PEAP) wifi via terminal](https://askubuntu.com/questions/682135/how-to-connect-to-protected-eap-peap-wifi-via-terminal) * 修改`/etc/network/interfaces` ``` auto lo iface lo inet loopback auto wlan0 iface wlan0 inet dhcp wireless-mode Managed wpa-ssid **censored** wpa-ap-scan 1 wpa-proto RSN WPA wpa-pairwise CCMP TKIP wpa-group CCMP TKIP wpa-key-mgmt WPA-EAP wpa-eap PEAP wpa-identity **censored** wpa-password **censored** wpa-phase1 fast_provisioning=1 wpa-pac-file /home/kyle/Downloads/chain2.cer ``` * 执行以下命令连接 ``` sudo ifconfig wlan0 down sudo ifconfig wlan0 up sudo dhclient wlan0 -v ``` ## 参考 * [Configuring 802.1X Authentication in Linux](https://www.nowiressecurity.com/configure-8021x-authentication-linux) * [Network802.1xAuthentication](https://help.ubuntu.com/community/Network802.1xAuthentication) * [How to connect to Protected EAP (PEAP) wifi via terminal](https://askubuntu.com/questions/682135/how-to-connect-to-protected-eap-peap-wifi-via-terminal) * [Connect to WiFi network from command line in Linux](https://www.blackmoreops.com/2014/09/18/connect-to-wifi-network-from-command-line-in-linux/)