Saturday, October 18, 2008

Network Authentication using IEEE8021X Protocol in LINUX (Fedora + Ubuntu)



Introduction:

While studying, one of the most important things you need is Internet access, and whenever the university changes settings or protocols it disrupts life for at least a day or two. In my case I spent at least two weeks just configuring the 802.1x protocol on Linux, because I had only just started working with Linux. Still, it was a good experience, since I learned a lot of new things while searching for this solution. As I am studying at Politecnico di Milano, I mainly focus on the Politecnico network settings; other people will have to adapt the configuration file to their own network, as described below.


Basic configuration:


The wpa_supplicant software is required to authenticate to a network with the 802.1x protocol. Fedora and Ubuntu come with wpa_supplicant by default, so my main focus will be on the configuration file and a few terminal commands. If wpa_supplicant is not installed, it can be obtained from the following sites:

  • openssl: http://www.openssl.org/
  • wpa_supplicant: http://hostap.epitest.fi/wpa_supplicant/


Step 1:
For Polimi students:- They can download their certificate from http://www.asi.polimi.it by entering their MATRICOLA and password. From the downloaded PKCS#12 file (CertificatoASI.p12) the CA certificate must be extracted in CER format, which can be done with the following command (-nokeys keeps your private key out of that file, which will only be used to verify the network's certificate):

openssl pkcs12 -cacerts -nokeys -in CertificatoASI.p12 -out asi.cer

It is best to make a new directory named wpa_supplicant in /etc.
Then both files (CertificatoASI.p12 and asi.cer) must be copied into the /etc/wpa_supplicant folder.


Step 2:
The next step is to create a configuration file with any name; I will use wired.conf for the Ethernet network and wireless.conf for the wireless network settings. Open a terminal and run the following command to create the file:


sudo gedit /etc/wpa_supplicant/wired.conf


In this file:

  • set the user: the user is given by a letter ("S" for students, "D" for teachers, "U" for technical/administrative staff and "V" for visitors) followed by the matriculation number. The example below is for the student user S123456.
  • set the paths of the certificates obtained above;
  • set the passphrase used when obtaining the certificate (in this example it is "secret").

For other people:- If your network has a certificate policy you can do the same as above; the essential things are the unique username and password that must be given to you by the network administrator.


The example of configuration file for Ethernet network is given below:-


# Start wired.conf
# Where is the control interface located? This is the default path:
ctrl_interface=/var/run/wpa_supplicant_wired

# Who can use the WPA frontend? Replace "0" (root) with a group name if you
# want other users besides root to control it.
# There should be no need to change this value for a basic configuration:
ctrl_interface_group=0

# When configuring wpa_supplicant for use on a wired network, we don't need to
# scan for wireless access points. See the wpa_supplicant documentation if you
# are authenticating through 802.1x on a wireless network:
ap_scan=0

# EAP-TLS: the client proves its identity with the certificate and key in the
# .p12 file, and checks the network's certificate against ca_cert.
network={
proto=WPA
key_mgmt=IEEE8021X
pairwise=TKIP
eap=TLS
anonymous_identity="S123456"
ca_cert="/etc/wpa_supplicant/asi.cer"
private_key="/etc/wpa_supplicant/CertificatoASI.p12"
private_key_passwd="secret"
phase2="auth=MSCHAPV2"
}
# End wired.conf


The example of configuration file for Wireless network is given below:-


# Start wireless.conf

# Where is the control interface located? This is the default path:
ctrl_interface=/var/run/wpa_supplicant_wireless

# Who can use the WPA frontend? Replace "0" (root) with a group name if you
# want other users besides root to control it.
# There should be no need to change this value for a basic configuration:
ctrl_interface_group=0

# On a wireless network wpa_supplicant has to scan for and select the access
# point itself, so scanning is enabled here (compare ap_scan=0 in wired.conf):
ap_scan=1

network={
# The SSID of the Polimi network:
ssid="internet"
proto=WPA
key_mgmt=WPA-EAP
auth_alg=OPEN
pairwise=TKIP
eap=TLS
anonymous_identity="S123456"
ca_cert="/etc/wpa_supplicant/asi.cer"
private_key="/etc/wpa_supplicant/CertificatoASI.p12"
private_key_passwd="secret"
phase2="auth=MSCHAPV2"
}

# End wireless.conf


Save and close the file.

Then, for Ubuntu users only:
-----------------------------------------
Open the network interface configuration file:


sudo gedit /etc/network/interfaces

There should already be a number of network interfaces configured in this file. Below we add 802.1x authentication for a wired network; be sure to select the proper wpa_supplicant driver if you want to authenticate to a wireless network:


# The loopback interface, this is the default configuration:
auto lo
iface lo inet loopback

# The first ethernet network interface.
# In this case we want to receive an IP-address through DHCP:
auto eth0
iface eth0 inet dhcp
        wpa-driver wired
        wpa-conf /etc/wpa_supplicant/wired.conf


To test the new configuration, we stop the network on our system before saving the above configuration file:
sudo /etc/init.d/networking stop


After saving this file, we should be able to start the network with 802.1x authentication enabled:
sudo /etc/init.d/networking start


For Fedora users:

They do not need to edit any network interfaces file.

Then for Fedora:
-------------------------------
Now disable the network from the network icon, and finally configure the network using the following terminal commands:

sudo ifconfig eth0 up
sudo ifconfig eth0 promisc
sudo wpa_supplicant -i eth0 -B -Dwired -c /etc/wpa_supplicant/wired.conf
sudo dhclient eth0 -nw

Remember: for wireless, replace eth0 with wlan0 and -Dwired (the driver name) with -Dwext, and use wireless.conf, so the commands become:

sudo ifconfig wlan0 up
sudo iwconfig wlan0 essid internet
sudo ifconfig wlan0 promisc
sudo wpa_supplicant -i wlan0 -B -Dwext -c /etc/wpa_supplicant/wireless.conf
sudo dhclient wlan0 -nw


Now refresh the network; hopefully it will work, because I am doing the same thing myself. The only problem is that every time you restart Linux you have to run the above four sudo commands again from the terminal and then refresh the network, but then it really works.
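To avoid re-typing the four commands after every reboot, here is a small script, added as an example and not part of the original post, that wraps them. It assumes the /etc/wpa_supplicant layout, file names and SSID used above, and refuses to start if the config file (which stores private_key_passwd in clear text) or the .p12 file is readable by other users, or if ca_cert is missing from the config (without it wpa_supplicant does not verify the network's certificate).

```shell
#!/bin/sh
# Added example, not from the original post: wraps the four per-boot commands
# into one script and refuses to start when the files holding the passphrase
# or private key are readable by other users, or when ca_cert is missing.
CONF_DIR=/etc/wpa_supplicant   # assumed: the directory used in the post
ESSID=internet                 # assumed: the Polimi SSID from wireless.conf

# Wireless interfaces get -Dwext and wireless.conf, everything else -Dwired
# and wired.conf, matching the two command sets in the post.
driver_for() {
    case "$1" in
        wlan*|ath*|ra*) echo wext ;;
        *)              echo wired ;;
    esac
}

conf_for() {
    if [ "$(driver_for "$1")" = wext ]; then echo "$CONF_DIR/wireless.conf"
    else echo "$CONF_DIR/wired.conf"; fi
}

build_supplicant_cmd() {
    echo "wpa_supplicant -i $1 -B -D$(driver_for "$1") -c $(conf_for "$1")"
}

# True only if the file exists and its group/other permission bits are zero:
# private_key_passwd is stored in clear text, so the config must be 0600.
is_private_file() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "${mode#"${mode%??}"}" = "00" ]
}

start_8021x() {
    ifc=$1; conf=$(conf_for "$ifc")
    for f in "$conf" "$CONF_DIR/CertificatoASI.p12"; do
        is_private_file "$f" || { echo "refusing: $f missing or readable by others (chmod 600 it)" >&2; return 1; }
    done
    # Without ca_cert wpa_supplicant accepts any server certificate, so insist on it.
    grep -q '^[[:space:]]*ca_cert=' "$conf" || { echo "refusing: no ca_cert in $conf" >&2; return 1; }
    sudo ifconfig "$ifc" up
    if [ "$(driver_for "$ifc")" = wext ]; then sudo iwconfig "$ifc" essid "$ESSID"; fi
    sudo $(build_supplicant_cmd "$ifc")
    sudo dhclient "$ifc" -nw
}

# Usage: sh wpa-8021x.sh eth0 (or wlan0); with no argument it only defines the functions.
if [ -n "${1:-}" ]; then start_8021x "$1"; fi
```

Running it with no argument does nothing, so it can be sourced to reuse the checks elsewhere.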

