802.1X Authentication over Wireless
Using an Access Point and a RADIUS Server on Linux
Lab Requirements:
Please follow the instructions to complete the Lab:




For this lab you need a wireless router that supports WPA RADIUS authentication.
A Linux machine configured as the RADIUS server for authentication.
A Windows XP client machine with a wireless NIC that supports WPA TKIP.
Please read the instructions below to complete the lab.
[Figure: 802.1X Over Wireless Authentication. Network diagram with the labels: Internet Switch, 192.168.1.1; Ethernet; Linux RADIUS Authentication Server, 192.168.1.51; 192.168.1.5; 192.168.1.52; Wireless Access Point (WPA RADIUS); Wireless PC (WPA-TKIP Client).]
Note:
You do not have to configure the wireless access point.
The wireless access point has already been set up to support WPA TKIP RADIUS
authentication. Every username and password entered is authenticated on
the RADIUS server. Once the user is authenticated, an IP address from the configured DHCP
pool of 192.168.10.100 – 192.168.10.155 will be assigned, with the gateway address of
192.168.10.1.
Log in to the Windows XP PC labeled TDC564-8021X _LAB in the LAN LAB.
The username and password for logging in to Windows XP will be assigned in class.
1) You will have to provide three Ethereal captures in this lab.
2) Start the Ethereal capture after you have enabled the wireless NIC for 802.1X
authentication, as shown in the instructions below. Save the Ethereal capture and find
your user name in one of the EAP packets. Take a screenshot of that packet
with your name highlighted.
3) Once the authentication is successful and the router has assigned an IP address to your
wireless NIC, start the Ethereal capture and ping 192.168.1.5. Take a
screenshot of that packet capture.
4) After connecting, open the command prompt and add a network route as shown here; a
screen capture of this syntax appears later in this document.
Route add 192.168.1.0 mask 255.255.255.0 192.168.10.1
5) After completing the lab, open the properties of the wireless connection, change the
authentication method to "Smart Card or other Certificate", and remove the SSID from the
wireless NIC properties. Start an Ethereal capture and try to ping 192.168.1.5 again; this
time the ping should fail. Provide a screenshot of this capture.
Please follow the steps as shown below to configure the Windows XP wireless PC for
802.1x Authentication over Wireless.
Step 1:
Configuring the Client Wireless PC with WPA – TKIP:
Click on the network connection and then open the properties of the wireless NIC.
Click View Wireless Networks, then click the Association tab:
Step 2:
Click the Authentication tab:
Choose Enable IEEE 802.1X Authentication.
Choose Protected EAP (PEAP).
Step 3:
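Click Properties
and clear the client certificate and server certificate check boxes.
With the server certificate check box cleared, the client does not verify the identity of
the RADIUS server it authenticates to.
Choose Secured password (EAP-MSCHAP), click Properties, and uncheck the "when
connecting" box.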
Step 4:
Click Wireless Networks:
Add the testnet SSID as shown in the figure below.
Step 5:
Finally, users will be prompted to enter their usernames and passwords.
Before entering the username and password, start the Wireshark capture as
shown below:
Now start the Wireshark as shown:
Note:
Make sure that the "Capture packets in promiscuous mode" option is unchecked.
Enter the username and password as provided in class.
The Wireless NIC will show validating Identity:
The user will be connected as shown:
You need to add a route statement in the Command Prompt:
After that you should be able to ping 192.168.1.5 & 192.168.1.51:
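Added example (not part of the original lab handout): the first capture task asks you to find your user name in an EAP packet. With PEAP, the EAP-Response/Identity is sent before the TLS tunnel is set up, which is why the name is readable in the capture. The Python sketch below parses that frame layout, assuming the frames are captured as Ethernet II on the wireless NIC; the MAC addresses, the helper names and the user name "student01" are constructed for illustration.

```python
import struct

ETHERTYPE_EAPOL = 0x888E   # IEEE 802.1X (EAP over LAN)
EAPOL_EAP_PACKET = 0       # EAPOL packet type that carries an EAP message
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 25


def eap_identity(frame: bytes):
    """Return the identity from an EAP-Response/Identity frame, else None."""
    if len(frame) < 14 + 4 + 5:          # Ethernet + EAPOL + minimal EAP header
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _version, pkt_type, body_len = struct.unpack("!BBH", frame[14:18])
    if pkt_type != EAPOL_EAP_PACKET:
        return None
    body = frame[18:18 + body_len]
    if len(body) < 5:
        return None
    code, _ident, eap_len, eap_type = struct.unpack("!BBHB", body[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return None
    if eap_len < 5 or eap_len > len(body):
        return None                      # truncated frame or bad length field
    return body[5:eap_len].decode("utf-8", errors="replace")


def build_frame(code, eap_type, data, ident=1):
    """Build a sample Ethernet/EAPOL/EAP frame (constructed, not a real capture)."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data
    eapol = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap
    dst = bytes.fromhex("020000000002")  # constructed access point MAC
    src = bytes.fromhex("020000000001")  # constructed client MAC
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


SAMPLE_FRAMES = [
    build_frame(EAP_REQUEST, EAP_TYPE_IDENTITY, b""),             # AP asks for identity
    build_frame(EAP_RESPONSE, EAP_TYPE_IDENTITY, b"student01"),   # client answers in cleartext
    build_frame(EAP_RESPONSE, EAP_TYPE_PEAP, b"\x00"),            # later PEAP exchange
]


def identities(frames):
    """Collect every cleartext identity found in a list of raw frames."""
    return [name for name in map(eap_identity, frames) if name is not None]


if __name__ == "__main__":
    for name in identities(SAMPLE_FRAMES):
        print("EAP identity sent in cleartext:", name)
```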