  Kim Young-dae (2004-06-16 11:23:15)
 http://www.howto.pe.kr
 [Tutorial] Building a wired/wireless router: 802.1x and RADIUS installation [4]

// Title:  Building a wired/wireless router: 802.1x and RADIUS installation [4]
// Author: Kim Young-dae ( http://www.howto.pe.kr )

Test environment
   - Host machine (Linux):
         Working directory: /home/LDS
              Shell prompt: [root@cozylinux]
                        IP: 211.204.72.53

   - Target device (LDS2000):
        NFS root directory: /home/LDS/LDS2000/External/RootFS/image
              Shell prompt: [root@cozyLDS]
                        IP: 211.204.72.60

In the early days of wireless LAN, the IEEE 802.11 standardization body and developers offered the
SSID and WEP (Wired Equivalent Privacy) as the wireless security standard. This, however, exposed
serious weaknesses in wireless LAN security and prompted the search for a new alternative. At the
same time, centralized user management became necessary for users associated to an AP: billing
policy, usage limits, bandwidth allocation and so on. What emerged from this is the 802.1x
framework. In short, the purpose of IEEE 802.1x is to require users to be authenticated by a RADIUS
authentication server before they can use a NAS such as an AP.
Before reading this document you should therefore look up material on 802.1x and RADIUS servers
and study it thoroughly. In particular, Windows 2000/XP currently supports two EAP authentication
methods, EAP-TLS and PEAP (MD5/MSCHAPv2), so focus on those two.

Reference sites:
  - http://www.dslreports.com/forum/remark,9286052~mode=flat
  - http://www.missl.cs.umd.edu/wireless/eaptls
  - http://www.freeradius.org/doc/EAPTLS.pdf
  - http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
  - http://www.missl.cs.umd.edu/Projects/wireless/2kclient/2kclient.html

The three components of 802.1x:
  - Supplicant: an ordinary PC fitted with the wireless LAN card to be authenticated
                (here Windows 2000 with the 802.1x client installed; Windows XP already
                 includes it. Unfortunately Windows 98 and earlier cannot be used)
  - Authenticator: the NAS (Network Access Server, or RAS) that controls the network access port
                   according to the authentication result
                   (here the target device, the AccessPoint)
  - Authentication Server: provides the authentication service over the wired side to the NAS
                   (AccessPoint, Bridge, Switch and so on)
                   (here the host machine, the Linux box)

Files to download:
  - Windows 2000 patch: 802.1x for Windows 2000 (already included in Windows XP)
      http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=6B78EDBE-D3CA-4880-929F-453C695B9637
  - HostAP source (hostap-2002-10-12.tar.gz)
      http://hostap.epitest.fi/releases
  - OpenSSL source (openssl.tar.gz, currently version 0.9.7d)
      http://www.openssl.org
  - freeRADIUS source (freeradius.tar.gz, currently version 1.0.0-pre1)
      http://www.freeradius.org


1. Installing the 802.1x for Windows 2000 patch - Supplicant
  Install the 802.1x for Windows 2000 patch on the ordinary PC that will act as the Supplicant and
  then start it as a service. After installation, open "Start"->"Settings"->"Control Panel"->
  "Administrative Tools"->"Services", select the "Wireless Configuration" entry and put the service
  into the "Started" state. To have it start automatically at every Windows boot, set the startup
  type to "Automatic" in its properties.
  Next, open the properties of "My Network Places" on the desktop, pick the "Local Area Connection"
  that corresponds to the wireless LAN and view its properties: an "Authentication" tab appears,
  and inside it are the 802.1x settings. The detailed settings are covered again below.
  For reference, under "EAP type", "Smart Card or other Certificate" means EAP-TLS, and
  "Protected EAP (PEAP)" means PEAP with MD5 (MSCHAPv2) as the client authentication method.

2. Installing hostapd from HostAP - Authenticator
  hostapd ships together with the HostAP driver installed earlier, and you probably wondered what
  it was for. Go to the directory where HostAP is installed now and check that a hostapd directory
  is there. This program is the Authenticator that runs on the AP. The Authenticator does nothing
  more than relay EAPOL/EAP-over-RADIUS frames between the Supplicant and the Authentication
  Server and, according to the Authentication Server's verdict, open or close the Supplicant's
  Controlled Port, which decides whether the association with the AP is allowed.

  For anyone who has not installed HostAP before, the HostAP installation is described here as
  well. Unpack the downloaded HostAP archive and change into its directory (if HostAP is already
  installed, just change into the directory).
    [root@cozylinux temp]# tar xvfz hostap-2002-10-12.tar.gz
    [root@cozylinux temp]# cd hostap-2002-10-12

  When the HostAP driver is first installed, hostapd support is disabled in the driver and has to
  be enabled. To do so, open driver/modules/hostap_config.h under the unpacked HostAP directory,
  uncomment the following two lines and save the file.
    #define PRISM2_HOSTAPD
    #define PRISM2_DOWNLOAD_SUPPORT

  Change into the hostapd directory, open the Makefile and change the kernel source path and the
  gcc compiler. "KERNEL_PATH" is the directory holding the kernel source and "CC" is the name of
  the cross-compiler executable.
    KERNEL_PATH=/home/LDS/LDS2000/kernel-2.4.18
    CC=arm-linux-gcc

  Then compile:
    [root@cozylinux hostapd]# make clean
    [root@cozylinux hostapd]# make

  Because this build was cross-compiled on the host machine for the target device, copy the
  resulting hostapd binary into the sbin directory of the tree that is exported to the target over
  NFS (the target's NFS root directory).
    [root@cozylinux hostapd]# cp hostapd /home/LDS/LDS2000/External/RootFS/image/sbin

  Since hostapd support was enabled in the HostAP driver, rebuild the driver as well.
    [root@cozylinux hostap-2002-10-12]# make clean
    [root@cozylinux hostap-2002-10-12]# make pccard
    [root@cozylinux hostap-2002-10-12]# make install_pccard

3. Installing OpenSSL - Authentication Server
  OpenSSL is usually installed together with Linux. If the existing OpenSSL was installed from
  source there is no need to install it again, but if only binaries were installed, as with a
  Red Hat binary RPM, install the source as well (it is better to leave the existing binary RPM in
  place and install from source alongside it).

  Unpack the OpenSSL source, change into its directory and compile it. Build it as follows so that
  it is installed in the /usr/local/openssl directory.
    [root@cozylinux openssl-0.9.7d]# ./config shared --prefix=/usr/local/openssl
    [root@cozylinux openssl-0.9.7d]# make clean
    [root@cozylinux openssl-0.9.7d]# make
    [root@cozylinux openssl-0.9.7d]# make install

  It is also a good habit to save the log messages printed during the OpenSSL build for later
  reference. They can be redirected into a file as in the example below.
    [root@cozylinux openssl-0.9.7d]# make > make.log 2>&1

4. Installing freeRADIUS - Authentication Server
  Unpack the freeRADIUS source, change into its directory and compile it. Build it as follows so
  that it is installed under the /usr/local directory (this creates /usr/local/etc/raddb).
    [root@cozylinux freeradius-1.0.0-pre1]# ./configure \
    --with-openssl-includes=/usr/local/openssl/include \
    --with-openssl-libraries=/usr/local/openssl/lib \
    --prefix=/usr/local
    [root@cozylinux freeradius-1.0.0-pre1]# make
    [root@cozylinux freeradius-1.0.0-pre1]# make install

5. Creating the certificates - Authentication Server
  Now it is time to create three kinds of certificate.
  The certificates are needed because EAP-TLS and PEAP will be used as the authentication methods
  in the 802.1x framework. Both EAP-TLS and PEAP are mutual authentication schemes: the Supplicant
  authenticates the Authentication Server and the Authentication Server authenticates the
  Supplicant. With EAP-TLS both sides need a certificate. PEAP was introduced to spare the
  Supplicant the inconvenience of having to hold a certificate every time it uses an AP: with PEAP
  the Supplicant authenticates the Authentication Server with the server's certificate, while the
  Authentication Server authenticates the Supplicant by its UserID/Password.

  This is why OpenSSL was needed: to create these certificates. OpenSSL itself contains the PKI
  components that work with certificates, so we use the certificate-creation utilities it provides.

  Before creating certificates with OpenSSL, the basic information used when generating a
  certificate must be registered. Open and edit the openssl.cnf file in the /usr/local/openssl/ssl
  directory. Leave the other entries alone and edit the parts marked with "X" below; if an entry is
  missing, add it at the appropriate place. countryName_default must be exactly two letters (for
  example KR); the others are generous in length, so just enter something meaningful.
  challengePassword_default is the certificate password, so if you change it to something else, be
  sure to write it down.

    countryName_default             = XX
    stateOrProvinceName_default     = XXXXXXXXXXX
    localityName_default            = XXXXXXXXXXX
    0.organizationName_default      = XXXXXXXXXXXXXXXXXXXXXX
    organizationalUnitName_default  = XXXXXXXXXXXXXXXXXXXXXX
    commonName_default              = XXXXXXXXXXX
    emailAddress_default            = XXXXXXXXXXXXXXXXXXXXXX
    challengePassword_default       = whatever

  Three certificates have to be created in total.
  PEAP needs only the Authentication Server's certificate, whereas EAP-TLS needs certificates for
  both the Supplicant and the Authentication Server. The purpose of those two is clear, which
  leaves the third one to explain. It is the certificate of the root CA whose signature is used
  when the first two are issued as x.509 certificates. Root CAs are normally international,
  publicly recognized authorities that distribute such certificates, but here we become our own
  root CA and vouch for the two certificates ourselves. Of course this is purely for testing. In
  practice you would have the two certificates certified by a recognized root CA, but that costs
  money.

  Fortunately a script that creates all three certificates in one go is provided in the freeRADIUS
  directory: the CA.all file in the scripts directory under the unpacked freeRADIUS source. Open it
  and change the following two lines to match the OpenSSL installation directory, as shown.
    SSL=/usr/local/openssl
    echo "newreq.pem" | /usr/local/openssl/ssl/misc/CA.pl -newca

  Then run it as below and the three certificates are created one after another.
    [root@cozylinux scripts]# ./CA.all
  ROOT CA means the root CA certificate,
  client certificate means the Supplicant certificate, and
  server certificate means the Authentication Server certificate.

  For the root CA certificate nothing in what openssl.cnf already supplies needs changing, so just
  press Enter through the prompts. Likewise, the client certificate and server certificate need
  almost no changes; it is only worth editing the commonName to names of your own so that they can
  be told apart. In my case I gave the commonName "Young-DAE, Kim CA" to the ROOT CA, "youngdae"
  to the client certificate and "cozykyd" to the server certificate. The password used throughout
  is whatever (or the password you set in openssl.cnf).

  Nine files are generated in total:
    root CA certificate = root.pem, root.p12, root.der,
    Supplicant certificate = cert-clt.pem, cert-clt.p12, cert-clt.der,
    Authentication Server certificate = cert-srv.pem, cert-srv.p12, cert-srv.der.

  These certificates were created with OpenSSL; copy them so that freeRADIUS can use them.
    [root@cozylinux scripts]# cp *pem *p12 *der /usr/local/etc/raddb/certs

  As will be discussed again later, the Supplicant certificate has to be downloaded to the PC and
  installed there. For that, root.der and cert-clt.p12 are downloaded to the ordinary PC used as
  the Supplicant and installed.

6. Configuring and running freeRADIUS - Authentication Server
  First change into the directory where freeRADIUS was installed.
    [root@cozylinux scripts]# cd /usr/local/etc/raddb

  As the 802.1x material explains, the Authenticator (AccessPoint) behaves as a client of the
  Authentication Server (RADIUS). So the first thing to do is to tell the Authentication Server
  about these clients. Open clients.conf and append an entry like the example below at the end.
  Here 211.204.72.60 is the IP address of the Authenticator, i.e. the AccessPoint; if several APs
  are to be registered, add one such block per AP. Instead of listing each AP's IP individually, a
  range can also be registered with a subnet mask; there is an example of that inside clients.conf.
  secret is the shared secret key that the Authentication Server and the Authenticator use during
  authentication; the authentication messages are protected with it.
  shortname is merely a comment-like description, and it is convenient to put the AP's SSID there.
    client 211.204.72.60 {
        secret          = cozykyd_ssap
        shortname       = ssap
    }

  Next comes registering the users (Supplicants) to be authenticated.
  That is the users file in the same directory. In it you register the users (Supplicants) who may
  use the Authenticator (AccessPoint) after passing authentication; the user ID is the commonName
  entered when the Supplicant certificate was created.
  In my case I entered "youngdae" earlier, so register it as in the example below:
    #
    # This is an entry for a user with a space in their name.
    # Note the double quotes surrounding the name.
    #
    #"John Doe"     Auth-Type := Local, User-Password == "hello"
    #               Reply-Message = "Hello, %u"
    youngdae  User-Password == "cozypass"

  The User-Password == "cozypass" part is the password field, used only for PEAP authentication.
  That is, EAP-TLS authenticates with the Supplicant certificate named by the commonName and needs
  no password, whereas PEAP authenticates the Supplicant with the ID and password from this line.

  Open the radiusd.conf file in the same directory and add or change the entries below.
  As you will see from the configuration file, RADIUS supports a variety of authentication
  algorithms and methods. Besides the EAP-TLS and PEAP we intend to use here, there are the
  EAP-MD5 (CHAP), EAP-TTLS and LEAP methods, and the Supplicant information can be supplied not
  only from the users file as here but also from the Unix passwd file, or even from LDAP or a
  database.

    eap {
      default_eap_type = tls
      timer_expire     = 60
      ignore_unknown_eap_types = no
      cisco_accounting_username_bug = no

      tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/root.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
      }

      peap {
        default_eap_type = mschapv2
      }
    }

    authorize {
      preprocess
      chap
      eap
      suffix
      files
    }

    authenticate {
      unix
      eap
    }

  Above, default_eap_type is set to "tls", declaring EAP-TLS as the default authentication method;
  "peap" could be written there instead. This only declares the default EAP method: the negotiation
  of the authentication algorithm between the Supplicant and the Authentication Server is part of
  the authentication protocol itself, and the default merely lets that negotiation settle on the
  algorithm quickly.
  private_key_password is the same as the challengePassword_default value used when the
  certificates were created, and ${raddbdir} here means /usr/local/etc/raddb.

  Authentication normally uses a session key to prevent the attacks that using a static key
  invites. Two files must be created for generating the session key that resists brute-force
  attacks. Change into the certs directory, where the nine certificate files created earlier should
  have been copied, and create two files there, DH and Random, containing arbitrary characters. To
  keep it simple, fill both with the current time as shown below.
    [root@cozylinux raddb]# cd certs
    [root@cozylinux certs]# date > dh
    [root@cozylinux certs]# date > random

  Next, write a script to start the RADIUS server.
  Create an executable script named run-radius under /usr/local/sbin.

    [root@cozylinux certs]# vi /usr/local/sbin/run-radius
    #!/bin/sh -x
    LD_LIBRARY_PATH=/usr/local/openssl/lib
    LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
    export LD_LIBRARY_PATH LD_PRELOAD
    /usr/local/sbin/radiusd "$@"

  This is a wrapper for radiusd, written this way so that the required SSL libraries are loaded in
  advance. Since it is a script, give it execute permission as below.
    [root@cozylinux certs]# chmod 700 /usr/local/sbin/run-radius

  Now run RADIUS and test whether authentication works properly.
  Start RADIUS in authentication-logging (-A) and debugging (-X) mode as below and watch the
  messages it prints.
    [root@cozylinux raddb]# /usr/local/sbin/run-radius -X -A
    ...
    ...
    Listening on authentication *:1812
    Listening on accounting *:1813
    Listening on proxy *:1814
    Ready to process requests.

  The Supplicant side has not been set up yet, so for now let localhost play the Supplicant and
  authenticate as a user from the Unix passwd file.
  Readers who looked closely at clients.conf will have noticed the client 127.0.0.1 {...} block.
  Using it, an authentication attempt looks like the following. First, try to authenticate a user
  (Supplicant) that does not exist in /etc/passwd:
    [root@cozylinux raddb]# /usr/local/bin/radtest test test localhost 0 testing123
    Sending Access-Request of id 203 to 127.0.0.1:1812
            User-Name = "test"
            User-Password = "test"
            NAS-IP-Address = cozylinux.grid.or.kr
            NAS-Port = 0
    rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=203, length=20
  As expected, it was rejected with Access-Reject.

  This time, authenticate with an account that actually exists in the passwd file of my Linux box:
    [root@cozylinux raddb]# /usr/local/bin/radtest honggildong test1234 localhost 0 testing123
    Sending Access-Request of id 198 to 127.0.0.1:1812
            User-Name = "honggildong"
            User-Password = "test1234"
            NAS-IP-Address = cozylinux.grid.or.kr
            NAS-Port = 0
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=198, length=20
  This time it was authenticated normally with Access-Accept.
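The radtest exchange above, as an added example that is not part of the original article nor code from radtest or freeRADIUS: how a client builds the Access-Request (hiding User-Password with the shared secret as RFC 2865 specifies, and attaching the Message-Authenticator that RFC 3579 requires for EAP traffic), and how it checks the Response Authenticator on the server's reply, which is what actually ties an Access-Accept or Access-Reject to the secret and to this particular request. The secret testing123 and packet id 203 are the page's; the Request Authenticator, the NAS address (the host's 211.204.72.53) and the server reply are constructed for the example.

```python
"""radtest-style RADIUS Access-Request and reply checking (RFC 2865, RFC 3579).

Added example, not code from the page, radtest or freeRADIUS.  The shared secret
(testing123) and packet id (203) follow the page's localhost radtest run; the
Request Authenticator is freshly drawn here, as a real client does per request.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR block i with MD5(secret + c[i-1]),
    c[-1] being the Request Authenticator.  Obfuscation keyed by the secret, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of hide_password; the NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Attributes are TLV: type (1 byte), length including the 2-byte header, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, pos = [], 0
    while pos < len(data):
        t, length = struct.unpack_from("!BB", data, pos)
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(ident, req_auth, secret, user, password, nas_ip, nas_port) -> bytes:
    """The attributes radtest sends plus a Message-Authenticator (RFC 3579 requires it
    on EAP traffic); it is kept last so the HMAC can simply replace the zeroed value."""
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (NAS_PORT, struct.pack("!I", nas_port)),
             (MESSAGE_AUTHENTICATOR, b"\x00" * 16)]      # zero while the HMAC is computed
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    mac = hmac.new(secret, header + req_auth + body, hashlib.md5).digest()
    return header + req_auth + body[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC-MD5 of a request with its Message-Authenticator zeroed."""
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, packet[pos + 2:pos + 18])
        pos += length
    return False


def build_reply(code, ident, req_auth, secret, attrs=()) -> bytes:
    """Server reply.  Response Authenticator (RFC 2865 3) = MD5(code + id + length +
    RequestAuth + attributes + secret); the page's Access-Reject is this bare 20-byte header."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def verify_reply(packet: bytes, req_auth: bytes, secret: bytes) -> int:
    """Return the reply code, or raise if the reply was not built with this secret for
    this request (a forged or replayed Access-Accept fails here)."""
    code, ident, length = struct.unpack_from("!BBH", packet, 0)
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    return code


if __name__ == "__main__":
    secret, req_auth = b"testing123", os.urandom(16)
    req = build_access_request(203, req_auth, secret, "test", "test", "211.204.72.53", 0)
    reject = build_reply(ACCESS_REJECT, 203, req_auth, secret)   # constructed server reply
    print("request %d bytes, reply code %d" % (len(req), verify_reply(reject, req_auth, secret)))
```

Running the file builds the request for user test and validates a constructed Access-Reject. A reply built with a different secret, or one answering a different Request Authenticator, fails verify_reply; this is why every Authenticator registered in clients.conf must hold exactly the secret the server has, and why the secret must stay private: anyone holding it can both unmask User-Password values and forge Access-Accept replies.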

7. Configuring the AccessPoint - Authenticator
  This part covers the 802.1x configuration on the AccessPoint. If you use a different vendor's
  AccessPoint, consult its manual; here HostAP version 2002-10-12 was installed, so there is no
  separate file to configure (if you installed a newer HostAP, v0.2.1 or later, the hostapd.conf
  file must be edited instead).

  Recall that the hostapd binary cross-compiled on the host machine was copied into the sbin
  directory of the tree exported over NFS to the target device (the AccessPoint), i.e. the target's
  NFS root directory. Boot the target device and run the hostapd in sbin as in the example below.
    [root@cozyLDS sbin]$hostapd -x -o 211.204.72.60 -a 211.204.72.53 -S ssap -s cozykyd_ssap wlan0
    Using interface wlan0ap with hwaddr 00:30:0d:1a:fa:72 and ssid 'ssap'
    Flushing old station entries

  The options mean:
    -x                enables 802.1x authentication,
    -o 211.204.72.60  the IP of the Authenticator (AccessPoint),
    -a 211.204.72.53  the IP of the Authentication Server,
    -S ssap           the AP's SSID,
    -s cozykyd_ssap   the shared secret key used with the Authentication Server during authentication,
    wlan0             the name of the wireless LAN interface.

8. Configuring Windows 2000/XP - Supplicant
  On Windows 2000 the basic environment for using the 802.1x framework was set up earlier through
  the "802.1x for Windows 2000" patch. On Windows XP it is already built in.

  The Supplicant certificate is installed on the PC so that the PC can be authenticated by the
  Authentication Server with this certificate and thereby connect to the Authenticator
  (AccessPoint). One thing to keep in mind: EAP-TLS authenticates with the Supplicant certificate,
  but PEAP authenticates with an ID and password, so the Supplicant certificate is not used with
  PEAP; PEAP authenticates using the MD5 (MSCHAPv2) hash instead.

  The very first step is to download the Supplicant certificate created on the authentication
  server to the PC and install it. For that, download root.der and cert-clt.p12 to the ordinary PC
  used as the Supplicant and install them. cert-clt.p12 is, as its name says, the client
  certificate, i.e. the Supplicant certificate. root.der is the root CA certificate, the one that
  signed this Supplicant certificate.

  First install the root CA certificate, root.der.
  Double-click the downloaded root.der on the PC. The first screen shows the certificate
  information; its "Issued by" field shows the commonName used when the root CA certificate was
  created. Click the "Install Certificate" button on that screen. At the "Certificate Store" step,
  choose "Place all certificates in the following store", click "Browse", pick "Trusted Root
  Certification Authorities" from the list that appears and click OK to finish the installation.

  Next install the Supplicant certificate, cert-clt.p12.
  Likewise double-click cert-clt.p12 and proceed to the password screen. In the "Password" field
  enter whatever, the challengePassword_default value used when the certificate was created, and
  continue. The "Certificate Store" screen appears again; this time choose "Automatically select
  the certificate store based on the type of certificate" and finish.

9. Integration test: EAP-TLS
  Set up a test in which the Supplicant certificate is used to gain access to the AccessPoint.

  Start RADIUS, the Authentication Server.
    [root@cozylinux raddb]# /usr/local/sbin/run-radius -X -A

  Start hostapd on the AccessPoint, the Authenticator.
    [root@cozyLDS sbin]$hostapd -x -o 211.204.72.60 -a 211.204.72.53 -S ssap -s cozykyd_ssap wlan0

  On the ordinary PC that is the Supplicant, open the properties of "My Network Places", pick the
  "Local Area Connection" for the wireless LAN and view its properties; the "Authentication" tab
  with the 802.1x settings appears.
  Check "Enable network access control using IEEE 802.1X".
  As "EAP type" choose "Smart Card or other Certificate". This means EAP-TLS.
  Check "Authenticate as computer when computer information is available".
  Then click the "Properties" button to reach the "Smart Card or other Certificate Properties"
  screen.
  Choose "Use a certificate on this computer" and check "Use simple certificate selection
  (Recommended)".
  Check "Validate server certificate", then in the "Trusted Root Certification Authorities" list
  select the commonName used when the root CA certificate was created.

  Configuration is now complete, so test whether the AccessPoint can actually be joined through
  EAP-TLS authentication. If the EAP-TLS test authenticates successfully, hostapd on the
  AccessPoint (the Authenticator) prints success messages like the following.
    Station 00:e0:63:50:9a:9e authenticated (open system)
    Station 00:e0:63:50:9a:9e associated (aid 1)
    IEEE 802.1X: Start authentication for new station 00:e0:63:50:9a:9e
    IEEE 802.1X: Unauthorizing station 00:e0:63:50:9a:9e
    IEEE 802.1X: Authorizing station 00:e0:63:50:9a:9e

  And RADIUS, the Authentication Server, shows Access-Request messages like the following.
    rad_recv: Access-Request packet from host 211.204.72.60:1025, id=0, length=154
        User-Name = "youngdae"
        NAS-IP-Address = 211.204.72.60
        NAS-Port = 1
        Called-Station-Id = "00-30-0D-1A-FA-72:ssap"
        Calling-Station-Id = "00-E0-63-50-9A-9E"
        Framed-MTU = 2304
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0202000d01796f756e67646165
        Message-Authenticator = 0x2e2637890114574f6decf999900d9b5a
    ...
    ...
    rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
      TLS_accept: SSLv3 read client key exchange A
    rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
      TLS_accept: SSLv3 read certificate verify A
    rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
    rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
      TLS_accept: SSLv3 read finished A
    rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
      TLS_accept: SSLv3 write change cipher spec A
    rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
      TLS_accept: SSLv3 write finished A
      TLS_accept: SSLv3 flush data
      (other): SSL negotiation finished successfully
    SSL Connection Established
    ....
    ....
    Sending Access-Accept of id 5 to 211.204.72.60:1026
        MS-MPPE-Recv-Key = 0x4929fe53257ac2151c87cac8dc38bf0b5bebbc6271e22a8dc2090f7ad775259c
        MS-MPPE-Send-Key = 0x518cd21f38c1e470a8614aa624d514fd49162e5d9da767231ffbe7e2448c6a92
        EAP-Message = 0x03060004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "youngdae"

10. Integration test: PEAP
  Set up a test in which an ID and password are used to gain access to the AccessPoint.

  Start RADIUS, the Authentication Server.
    [root@cozylinux raddb]# /usr/local/sbin/run-radius -X -A

  Start hostapd on the AccessPoint, the Authenticator.
    [root@cozyLDS sbin]$hostapd -x -o 211.204.72.60 -a 211.204.72.53 -S ssap -s cozykyd_ssap wlan0

  On the ordinary PC that is the Supplicant, open the properties of "My Network Places", pick the
  "Local Area Connection" for the wireless LAN and view its properties; the "Authentication" tab
  with the 802.1x settings appears.
  Check "Enable network access control using IEEE 802.1X".
  As "EAP type" choose "Protected EAP (PEAP)". This means PEAP.
  Check "Authenticate as computer when computer information is available".
  Then click the "Properties" button to reach the "Protected EAP Properties" screen.
  Check "Validate server certificate", then in the "Trusted Root Certification Authorities" list
  select the commonName used when the root CA certificate was created.
  For "Select Authentication Method" choose "Secured password (EAP-MSCHAP v2)", click the
  "Configure" button next to it, and in the screen that appears uncheck "Automatically use my
  Windows logon name and password (and domain if any)".

  Configuration is now complete, so test whether the AccessPoint can actually be joined through
  MD5 (MSCHAPv2) authentication. In the PEAP test, enter the ID and password registered in the
  users file of the freeRADIUS configuration as the "User name" and "Password"; if authentication
  succeeds, hostapd on the AccessPoint (the Authenticator) prints messages like the following.
    Station 00:e0:63:50:9a:9e authenticated (open system)
    Station 00:e0:63:50:9a:9e associated (aid 1)
    IEEE 802.1X: Start authentication for new station 00:e0:63:50:9a:9e
    IEEE 802.1X: Unauthorizing station 00:e0:63:50:9a:9e
    EAP Identifier of the Response-Identity from 00:e0:63:50:9a:9e does not match (was 1, expected 2)
    EAP Identifier of the Response-Identity from 00:e0:63:50:9a:9e does not match (was 1, expected 2)
    IEEE 802.1X: Authorizing station 00:e0:63:50:9a:9e

  And RADIUS, the Authentication Server, shows Access-Request messages like the following.
    rad_recv: Access-Request packet from host 211.204.72.60:1030, id=7, length=188
        User-Name = "youngdae"
        NAS-IP-Address = 211.204.72.60
        NAS-Port = 1
        Called-Station-Id = "00-30-0D-1A-FA-72:ssap"
        Calling-Station-Id = "00-E0-63-50-9A-9E"
        Framed-MTU = 2304
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0209001d19001703010012b922110d106dead559c232a997f421baddb6
        State = 0x398048c0eee8260705486fa942d6a792
        Message-Authenticator = 0x1633ebee04daa5bd6bce3ec9ee364739
    ...
    ...
    modcall: group authenticate returns ok for request 7
      PEAP: Got tunneled reply RADIUS code 2
            EAP-Message = 0x03090004
            Message-Authenticator = 0x00000000000000000000000000000000
            User-Name = "youngdae"
      PEAP: Processing from tunneled session code 0x81877a0 2
            EAP-Message = 0x03090004
            Message-Authenticator = 0x00000000000000000000000000000000
            User-Name = "youngdae"
      PEAP: Tunneled authentication was successful.
      rlm_eap_peap: SUCCESS
    ....
    ....
    Sending Access-Accept of id 8 to 211.204.72.60:1030
        MS-MPPE-Recv-Key = 0x48a148c708b87dcecdac16521edd01e3fec235822fe9ce5bb228a8a34a896dd6
        MS-MPPE-Send-Key = 0xba52fa4eadcbcdc98ca0ab4d1801c512726660a2aad41e832b5c551f0757fe40
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "youngdae"
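To read the EAP-Message values in the two RADIUS logs above (the EAP-TLS run in section 9 and the PEAP run in section 10), here is a small decoder, added here and not taken from the page, hostapd or freeRADIUS. It parses the RFC 3748 EAP header (code, id, length), the Identity response that carries the user name youngdae, the header-only Success packets, and the PEAP response, whose payload after the flags byte is a TLS record (application data of the tunnel that carries the encrypted inner MSCHAPv2 exchange). The hex strings in the demo are copied from the page's own log lines; the type and content-type tables are the standard IANA/TLS assignments.

```python
"""Decoder for the EAP-Message values in the freeRADIUS debug output above.

Added example; not code from the page, hostapd or freeRADIUS.  It parses the
RFC 3748 EAP header, the Identity and Success packets of the EAP-TLS run, and
the PEAP Response, whose payload is a flags byte followed by a TLS record that
carries the encrypted inner EAP-MSCHAPv2 exchange.  The hex strings used in
the demo below are copied from the page's own log lines.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_BASED = (13, 21, 25)   # methods whose payload is flags + TLS data


def decode_eap(hex_value: str) -> dict:
    """Parse one EAP packet given as the 0x... hex string freeRADIUS prints."""
    data = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack_from("!BBH", data, 0)
    if length != len(data):       # a truncated or padded attribute is not trusted
        raise ValueError("EAP length field %d != %d bytes carried" % (length, len(data)))
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):            # Success / Failure consist of the header only
        return out
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    etype, payload = data[4], data[5:]
    out["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        out["identity"] = payload.decode("utf-8", "replace")
    elif etype in TLS_BASED and payload:
        flags, tls = payload[0], payload[1:]
        out["flags"] = {"length_included": bool(flags & 0x80),
                        "more_fragments": bool(flags & 0x40),
                        "start": bool(flags & 0x20)}
        if flags & 0x80 and len(tls) >= 4:   # optional 4-byte total TLS message length
            out["tls_total_length"] = struct.unpack_from("!I", tls, 0)[0]
            tls = tls[4:]
        if len(tls) >= 5:                    # TLS record header: type, version, length
            ctype, major, minor, rec_len = struct.unpack_from("!BBBH", tls, 0)
            out["tls_record"] = {"content_type": TLS_CONTENT.get(ctype, ctype),
                                 "version": "%d.%d" % (major, minor),   # 3.1 is TLS 1.0
                                 "length": rec_len,
                                 "complete": len(tls) - 5 >= rec_len}
    return out


if __name__ == "__main__":
    # Values copied from the page's EAP-TLS (section 9) and PEAP (section 10) logs.
    for line in ("0x0202000d01796f756e67646165", "0x03060004",
                 "0x0209001d19001703010012b922110d106dead559c232a997f421baddb6", "0x030a0004"):
        print(line, "->", decode_eap(line))
```

The first value decodes to the Identity response for youngdae that opens both runs, and 0x03060004 is the EAP Success the server sends inside the Access-Accept. In the PEAP packet the decoder stops at the TLS record header: the 18 bytes of application data are ciphertext of the tunnel, which is exactly why the hostapd in between only relays these frames and never sees the password.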





