p8021x howto

7/31/2019 p8021x Howto

1/29

802.1X Port Tabanl Kimlik Kantlama NASIL

Yazan:Lars Strand

Dzenleyen:Rick Moen

0.0 taslagnn dil dzenlemesi

eviren:Olcay Kabal

20040818

zet

Bu belge arkau Kimlik Kantlama Sunucusu olarak FreeRADIUS(B1) ile birlikte Xsupplicant(B2)

kullanarak IEEE 802.1X Port Tabanl Ag Erisim Denetimi(B3)ni kurmak ve kullanmak iin yazlm veyordamlar tanmlar.

Konu Baslklar

1. Giris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.1. 802.1X nedir? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1.2. 802.11i nedir? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51.2.1. WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51.2.2. 802.11i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61.2.3. Anahtar Ynetimi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1.2.3.1. Dinamik anahtar degisimi ve ynetimi . . . . . . . . . . . . . . . . . . . . . . . . . 61.2.3.2. npaylasml Anahtar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

1.2.4. TSN (WPA) / RSN (WPA2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81.3. EAP nedir? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81.4. EAP kimlik kantlama yntemleri . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81.5. RADIUS nedir? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2. Sertifikalarn Sa glanmas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93. Kimlik Kantlama Sunucusu: FreeRADIUSun Kurulmas . . . . . . . . . . . . . . . . . . . . . . . 103.1. FreeRADIUSun Kurulumu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103.2. FreeRADIUSun Yaplandrlmas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

4. Istemci: Xsupplicantn Kurulmas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134.1. Xsupplicantn Kurulumu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134.2. Xsupplicantn Yaplandrlmas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

5. Kimlik Kantlayc: Kimlik Kantlaycnn Kurulmas (Erisim Noktas) . . . . . . . . . . . . . . . . 155.1. Erisim Noktas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155.2. Linux Kimlik Kantlayc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

6. Deneme A g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

6.1. Deneme Sistemi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166.2. Baz denemeler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

7. Xsupplicant ve Src deste gi hakknda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
http://standards.ieee.org/getieee802/download/802.1X-2001.pdfhttp://www.open1x.org/http://www.freeradius.org/

7/31/2019 p8021x Howto

2/29


8. SSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209. Faydal Kaynaklar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2110. Tesekkr vs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

10.1. Bu belge nasl retildi? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2210.2. Geri bildirim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

10.3. Tesekkr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22GNU Free Documentation License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

http://belgeler.org Linux Kitaplg 2 / 29
http://belgeler.org/

7/31/2019 p8021x Howto

3/29


Bu evirinin srm bilgileri:

1.0 Aralk 2005 OKIlk eviri

zgn belgenin srm bilgileri:

1.0 2004-10-18 LKSTLDP tarafndan gzden geirilen Ilk Srm.

0.2b 2004-10-13 LKSesitli gncellemeler. Dil gzden geirmesi iin Rick Moene tesekkr ederim.

0.0 2004-07-23 LKSIlk taslak.

Telif Hakk 2004 Lars Strand zgn belge

Telif Hakk 2005 Olcay Kabal Trke eviri

Yasal Aklamalar

Bu belgenin, 802.1X Port Tabanl Kimlik Kantlama NASIL evirisinin 1.0 srmnn telif hakk 2005Olcay Kabala, zgn Ingilizce srmnn telif hakk 2004 Lars Stranda aittir. Bu belgeyi, Free Soft-ware Foundation tarafndan yaynlanms bulunan GNUzgr Belgeleme Lisansnn 1.2ya da daha sonrakisrmnn kosullarna bagl kalarak kopyalayabilir, dagtabilir ve/veya degistirebilirsiniz. Bu Lisansn birkopyasn GNU Free Documentation License(sayfa: 22) baslkl blmde bulabilirsiniz.

BU BELGE "CRETSIZ" OLARAK RUHSATLANDIGI IIN, IERDIGI BILGILER IIN ILGILI KA-NUNLARIN IZIN VERDIGI LDE HERHANGI BIR GARANTI VERILMEMEKTEDIR. AKSI YAZILI

OLARAK BELIRTILMEDIGI MDDETE TELIF HAKKI SAHIPLERI VE/VEYA BASKA SAHISLAR BEL-GEYI "OLDUGU GIBI", ASIKAR VEYA ZIMNEN, SATILABILIRLIGI VEYA HERHANGI BIR AMACAUYGUNLUGU DA DAHIL OLMAK ZERE HIBIR GARANTI VERMEKSIZIN DAGITMAKTADIRLAR.BILGININ KALITESI ILE ILGILI TM SORUNLAR SIZE AITTIR. HERHANGI BIR HATALI BILGIDENDOLAYI DOGABILECEK OLAN BTN SERVIS, TAMIR VEYA DZELTME MASRAFLARI SIZE AITTIR.

ILGILI KANUNUN ICBAR ETTIGI DURUMLAR VEYA YAZILI ANLASMA HARICINDE HERHANGI BIRSEKILDE TELIF HAKKI SAHIBI VEYA YUKARIDA IZIN VERILDIGI SEKILDE BELGEYI DEGISTIRENVEYA YENIDEN DAGITAN HERHANGI BIR KISI, BILGININ KULLANIMI VEYA KULLANILAMAMASI(VEYA VERI KAYBI OLUSMASI, VERININ YANLIS HALE GELMESI, SIZIN VEYA NC SAHISLARINZARARA UGRAMASI VEYA BILGILERIN BASKA BILGILERLE UYUMSUZ OLMASI) YZNDENOLUSAN GENEL, ZEL, DOGRUDAN YA DA DOLAYLI HERHANGI BIR ZARARDAN, BYLE BIRTAZMINAT TALEBI TELIF HAKKI SAHIBI VEYA ILGILI KISIYE BILDIRILMIS OLSA DAHI, SORUMLUDEGILDIR.

Tm telif haklar aksi zellikle belirtilmedigi srece sahibine aittir. Belge iinde geen herhangi bir terim,bir ticari isim ya da kuruma itibar kazandrma olarak alglanmamaldr. Bir rn ya da markann kullanlmsolmas ona onay verildigi anlamnda grlmemelidir.


7/31/2019 p8021x Howto

4/29


1. GirisBu belge kimlik kantlama yntemi olarak PEAPli (PEAP/MSCHAPv2) Xsupplicant(B6) ve arkau KimlikKantlama Sunucusu olarak FreeRADIUS(B7)u kullanarak IEEE 802.1X Port Tabanl Ag Erisim Denetimi(B8)nikurmak ve kullanmak iin yazlm ve yordamlar tanmlar.

Eger PEAPten baska bir kimlik kantlama mekanizmas tercih edilirse, rnegin, EAPTLS veya EAPTTLS,sadece az sayda yaplandrma seeneginin degistirilmesine gerek vardr. PEAP/MSCHAPv2 de Windows XPSP1/Windows 2000 SP3 tarafndan desteklenir.

1.1. 802.1X nedir?

802.1X2001 standard sudur:

Port tabanl ag erisim denetimi, noktadannoktaya baglant zelliklerine sahip bir yerel ag portunataklan cihazlarn kimlik dogrulamasve yetkilendirmeiin ve bu sayede kimlik dogrulamas ve yetk-ilendirmesi basarsz olmas durumunda o portuerisimden koruyarakIEEE 802 yerel ag altyaplarnn

fiziksel erisim zelliklerinin kullanmna olanak saglar. Bu baglamda bir port, yerel ag altyapsna eklitekil bir noktadr.

802.1X2001, sayfa 1.

Sekil 1. 802.1X

Bir kablosuz dgmn diger yerel ag kaynaklarna erisebilmesi iin kimlik kantlamas yaplmaldr.1. Yeni bir telsiz dgm (TD) bir yerel ag kaynagna erisim isterse, erisim noktas (EN) TDnin kimligini

sorar.TDnin kimli gi dogrulanmadan EAPden baska hibir aksa izin verilmez ("port" kapaldr).

Kimlik kantlamas isteyen telsiz dgme genellikle Istemci denir, aslnda telsiz dgmn bir Istemciierdigini sylemek daha dogru olur. Istemci gven ortamn olusturacak Kimlik Kantlayc veriye cevapvermekle sorumludur. Ayns erisim noktas iin de geerlidir; Kimlik Kantlayc erisim noktas degildir.Syle ki, erisim noktas bir Kimlik Kantlayc ierir ama Kimlik Kantlayc erisim noktasnda olmasa daolur; harici bir unsur da olabilir.

Kimlik kantlama iin kullanlan EAP ilk olarak evirmeli PPP iin kullanld. Kimlik olarak kullanc ad ile

birlikte PAP veya CHAP [RFC1994(B9)] tarafndan dogrulamas yaplacak kullanc parolas kullanlr. Kimlikak (sifrelenmemis) gnderildigi iin kt niyetli bir dinleyici kullancnn kimligini grenebilir. O zaman"Kimlik saklama" (Identity hiding) kullanlr; sifrelenmis TLS tneli kurulmadan gerek kimlik gnderilmez.

http://belgeler.org/http://www.ietf.org/rfc/rfc1994.txthttp://standards.ieee.org/getieee802/download/802.1X-2001.pdfhttp://www.freeradius.org/http://www.open1x.org/

7/31/2019 p8021x Howto

5/29


2. Kimlik gnderildikten sonra kimlik kantlama sreci baslar. Istemci ve Kimlik Kantlayc arasnda kullanlanprotokol EAPtr; veya daha dogru olarak EAP kaplamal yerel agdr (EAPOL). Kimlik Kantlayc EAPiletilerini RADIUS biimine yeniden dnstrr ve onlar Kimlik Kantlayc Sunucuya aktarr.

Kimlik kantlama sresince, Kimlik Kantlayc sadece Istemci ve Kimlik Kantlama Sunucusu arasnda

paketleri nakleder. Kimlik kantlama sreci bittiginde Kimlik Kantlama Sunucusu basar (veya dogrulamabasarsz olursa, basarszlk) iletisi gnderir ve Kimlik Kantlayc "port"uIstemci iin aar.

3. Basarl bir kimlik kantlamadan sonra Istemci diger yerel ag kaynaklarna/Internete erismeye hak kazanr.

Aklama iin 802.1X(sayfa: 4)e baknz.

Neden "port" tabanl kimlik kantlamadeniyor?nk, Kimlik Kantlayc denetimlive denetimsizportlarlaugrasr.Denetimli port da denetimsiz port da mantksal varlklardr (sanal portlar); ama yerel aga ayn fiziksel baglantykullanrlar (ayn baglama noktas).

Sekil 2. 802.1X denetimli/denetimsiz port

Denetimli portun yetkilendirme durumu.

Kimlik kantlama ncesinde sadece denetimsiz port aktr. Sadece EAPOL trafigine izin verilir; 802.1X dene-timli/denetimsiz port(sayfa: 5)de Authenticator System 1e baknz. Istemci kimligi kantlandktan sonra, dene-

timli port alr ve diger yerel ag kaynaklarna erisim hakk verilir; 802.1X denetimli/denetimsiz port(sayfa: 5)deAuthenticator System 2ye baknz.

802.1X, yeni IEEE telsiz standard 802.11ide nemli bir rol oynar.

1.2. 802.11i nedir?

1.2.1. WEP

Asl 802.11 standartnn paras olan Wired Equivalent Privacy (WEP) gvenilirlik saglamalyd. Maalesef WEPgsz tasarlanmstr ve kolayca krlr. Kimlik kantlama mekanizmas yoktur, erisim denetimi iin sadece zayfbir form mevcuttur (iletisim kurmak iin paylasml anahtara sahip olunmaldr). Daha fazlasn buradan(B13)

okuyun.

http://belgeler.org/http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

7/31/2019 p8021x Howto

6/29


WEPin bozuk gvenligine cevap olarak, IEEE 802.11i olarak isimlendirilen yeni bir telsiz gvenlik standart ilegelmistir. 802.1X bu yeni standartta nemli bir rol oynar.

1.2.2. 802.11i

Haziran 2004te onaylanan yeni gvenlik standart, 802.11i tm WEP zayflklarn onarr. ana kategoriyeayrlr:

1. Geici Anahtar Tmlesikligi Protokol (Temporary Key Integrity Protocol TKIP) tm WEP zayflklarnonaran ksavadeli bir zmdr. TKIP eski 802.11 ekipmanlaryla kullanlabilir (src/aygt yazlmgncellemesinden sonra) ve tmlesiklik ile gvenilirlik saglar.

2. CBCMAC ile Saya Modu Protokol (Counter Mode with CBCMAC Protocol CCMP) [RFC2610(B14)]tepeden trnaga yeni bir protokoldr. Sifreleme algoritmas olarak AES [FIPS 197(B15)] kullanr ve buRC4ten (WEP ve TKIPta kullanld) daha yogun islemci kullandgndan yeni 802.11 donanmna ihtiyaduyulabilir. Baz srcler yazlmda CCMPyi uygulayabilirler. CCMP tmlesiklik ve gvenilirlik saglar.

3. 802.1X Port Tabanl Ag Erisim Denetimi: TKIP veya CCMP kullanlrken kimlik kantlama iin 802.1Xkullanlr.

Ek olarak, seimlik bir sifreleme yntemi olan "Wireless Robust Authentication Protocol" (WRAP) CCMPninyerine kullanlabilir. WRAP, 802.11i iin AEStabanl asl teklifti, ama sahiplik ykmllkleriyle sorun yasanncaCCMP ile degistirildi. WRAP iin destek seime bagldr, ama 802.11ide CCMP destegi zorunludur.

802.11i bir sonraki ksmda tanmlanan genisletilmis bir anahtar tretme/ynetim islevine sahiptir.

1.2.3. Anahtar Ynetimi

1.2.3.1. Dinamik anahtar degisimi ve ynetimi

Sifreleme ve tmlesiklik algoritmalar kullanarak bir gvenlik kurallar btn olusturmak iin anahtarlar kul-lanlmaldr. Neyse ki 802.11i bir anahtar tretme/ynetim tarzn ierir. Asagdaki sekle baknz.

Sekil 3. 802.1X Anahtar Ynetimi

http://belgeler.org/http://csrc.nist.gov/publications/fips/fips197/fips-197.pdfhttp://www.ietf.org/rfc/rfc3610.txt

7/31/2019 p8021x Howto

7/29


802.11ide anahtar ynetimi ve dagtm.

1. Istemci (WN) ve Kimlik Kantlama Sunucusu (AS) dogrulama yaparken ASden gnderilen dogrulamannbasarl oldugunu syleyen son iletilerden biri bir Ana Anahtardr (MK Master Key). Gnderildikren sonraMK sadece WN ve AS tarafndan bilinir. MK, WN ve AS arasndaki bu oturuma bagldr.

2. Hem WN hem AS, MKdan bir Ana Oturum Anahtar(PMK Pairwise Master Key) retir.

3. O zaman PMK ASden Kimlik Kantlaycya (AP) tasnr. PMKyi sadece WN ve AS tretebilir, bununyannda AP, ASnin yerine erisimdenetim kararlar verebilir. PMK, WN ve AP arasndaki bu oturuma baglyepyeni bir simetrik anahtardr.

4. Ana Oturum Anahtarn tretmek, baglamak ve dogrulamak iin WN ve AP arasnda PMK ve 4 ynl elsksma kullanlr. PTK isletimsel anahtarlar toplulugudur:

Anahtar Dogrulama Anahtar(KCK Key Confirmation Key ), isminden de anlaslacag zerePMKyesahipligi kantlamak ve PMKyi APye baglamak iin kullanlr.

Anahtar Sifreleme Anahtar(KEK Key Encryption Key), Grup Geis Anahtar(GTK Group Tran-sient Key) dagtm iin kullanlr. Asagda tanmlanmstr.

Geici Anahtar 1 ve 2 (TK1/TK2 Temporal Key 1 & 2) sifreleme iin kullanlr. TK1 ve TK2ninkullanm sifreleme trne zeldir.

Ana Oturum Anahtarna gz atmak iin Ana Oturum Anahtar (PMK) Dzeni(sayfa: 7)e baknz.

5. KEK ve 4 ynl grup elsksmas ASden WNye Grup Geis Anahtarn (GTK) gndermek iin kullanlr.GTK ayn Kimlik Kantlaycya bagl tm Istemciler (WNler) arasnda paylaslan bir anahtardr ve ogagnderimli iletisim aksn gvenli klmak iin kullanlr.

Sekil 4. Ana Oturum Anahtar (PMK) Dzeni


7/31/2019 p8021x Howto

8/29


Ana Oturum Anahtar Dzeni

1.2.3.2. npaylasml Anahtar

Kk alsma odalar / evdeki alsma odalar, amacaynelik aglar veya ev kullanm iin npaylasml Anahtar

(PSK PreShared Key) kullanlabilir. PSK kullanrken tm 802.1X kimlik kantlama srecinde birseyler eksikolur. EAP (ve RADIUS) kullanan WPAya "Kurumsal WPA" veya sadece "WPA" dendigi gibi buna da "KisiselWPA" (WPAPSK) denmistir.

[RFC2898(B17)]den PBKDFv2 kullanlarak verilen bir paroladan 256 bitlik PSK retilir ve yukardaki anahtarynetim usulnde tanmlandg gibi Ana Anahtar (MK) olarak kullanlr. Tm ag iin tek bir PSK (emniyetsiz)veya her Istemciye bir PSK olabilir (daha emniyetli).

1.2.4. TSN (WPA) / RSN (WPA2)

Endstrinin 802.11i standartnn tamamlanmasn bekleyecek kadar vakti yoktu. WEP sorunlarnn hemen

onarlmasn istediler. WiFi Alliance

(B18)

basky hissetti, standardn (3. taslaga dayanan) "bir anlk grntsn"ald ve ona WiFi Korumal Erisim(WPA WiFi Protected Access) dedi. Tek gereksinim mevcut 802.11 ekip-mannn WPA ile kullanlabilmesiydi, dolaysyla WPA temelde TKIP + 802.1Xtir.

WPA uzun vadeli zm degildir. ok Gvenli Ag (RSN Robust Secure Network) elde etmek iin donanmCCMPyi desteklemeli ve kullanmaldr. RSN temel olarak CCMP + 802.1Xtir.

CCMPnin yerine TKIPkullananRSNye GeisGvenlikAgda(TSN Transition Security Network) denir.RSNyeWPA2 de denir, bu sayede piyasann akl karsmaz.

Aklnz m karst?

Temel olarak:

TSN= TKIP + 802.1X= WPA(1) RSN= CCMP + 802.1X= WPA2nceki blmde tanmlandg gibi bunlar kendi anahtar ynetimleri ile gelir.

1.3. EAP nedir?

Genisletilebilir Kimlik Kantlama Protokol (EAP Extensible Authentication Protocol) [RFC 3748(B19)] kimlikkantlama iin sadece iyilestirilmis bir iletim protokoldr, kendisi bir kimlik kantlama yntemi degildir:

EAP oklu kimlik kantlama yntemlerini destekleyen bir kimlik kantlama alsma erevesidir. EAP

tipik olarak PointtoPoint Protokol(PPP) veya IEEE 802 gibi dogrudan veri iletim katmanlar z-erinde IPye ihtiya duymadan alsr. EAP ift eleme ve tekrar iletim iin kendi destegini saglar, amadaha dsk seviyeli garantilere gvenmek durumundadr. EAPnin kendisinde serpistirme destek-lenmez; bununla birlikte, baska baz EAP yntemleri bunu destekleyebilir.

RFC 3748, sayfa 3

1.4. EAP kimlik kantlama yntemleri

802.1X EAP kullanyor oldugundan ok farkl kimlik kantlama planlar eklenebilir; akll kartlar, Kerberos, ak

anahtar, bir kerelik parolalar ve digerleri dahil.

http://belgeler.org/http://www.ietf.org/rfc/rfc3748.txthttp://www.wi-fi.org/http://www.ietf.org/rfc/rfc2898.txt

7/31/2019 p8021x Howto

9/29


En ok kullanlan EAP kimlik kantlama mekanizmalarndan bazlar asagda listelenmistir. Kaytl EAP kim-lik kantlama trlerinin tam bir listesi IANAda http://www.iana.org/assignments/eap-numbersadresinde mevcuttur:

Uyar

Tm kimlik kantlama mekanizmalarnn gvenli oldugu dsnlmez!

EAPMD5: MD5li Kimlik Kantamas kullanc ad/parolaya gereksinim duyar ve PPP CHAP protokolnn[RFC1994(B21)] esdegeridir. Bu yntem szlk saldrs direnci, karslkl kimlik kantlama veya anahtartretimi iermez ve telsiz kimlik kantlama ortamnda az kullanlr.

Hafif EAP (LEAP): Kimlik kantlama iin Kimlik Kantlama Sunucusuna (RADIUS) bir kullanc ad/parolaifti gnderilir. Leap, Cisco tarafndan gelistirilmis mseccel bir protokoldr ve gvenli oldugu dsnlmez.Cisco LEAPi PEAP niyetine sunmustur. Yaynlanms bir standarta en yakn sey burada(B22) bulunabilir.

EAPTLS: EAPile Istemci ve KimlikKantlama Sunucusu arasnda birTLSoturumu olusturur. Hem sunucuhem istemci(ler) geerli bir sertifikaya (x509) ve bununla birlikte bir PKIya ihtiya duyar. bu yntem her ikiynde kimlik kantlama saglar. EAPTLS RFC2716(B23)]da tanmlanmstr.

EAPTTLS: Kimlik kantlama verisinin emniyetli iletimi iin sifreli bir TLS tneli kurar. TLS tnelinden diger(herhangi) kimlik kantlama yntemleri faydalanr. Funk Software ve Meetinghouse tarafndan gelistirlmistirve su an bir IETF taslag halindedir.

Korumal EAP (PEAP): EAPTTLS gibi sifreli bir TLS tneli kullanr. Hem EAPTTLS hem EAPPEAPiin istemci (WN) sertifikalar seimliktir, ama sunucu (AS) sertifikalar gereklidir. Microsoft, Cisco ve RSASecurity tarafndan gelistirimistir ve su an bir IETF taslagdr.

EAPMSCHAPv2: Kullanc ad/parolaya ihtiya duyar ve temel olarak MSCHAPv2nin [RFC2759(B24)]

EAP kaplamal olandr. Genellikle PEAP sifreli tnelde kullanlr. Microsoft tarafndan gelistirilmistir ve suan bir IETF taslagdr.

1.5. RADIUS nedir?

Uzaktan Aramal Kullanc Kimlik Kantlama Servisi (RADIUS Remote Authentication DialIn User Service)(ve arkadaslar) [RFC2865(B25)]te tanmlanmstr ve ilk olarak, kullanclar, ISSnin agn kullanmak iin yetk-ilendirilmeden nce kullanc ad ve parola dogrulamas yapacak olan ISSler tarafndan kullanlmstr.

802.1X ne esit bir arkau kimlik kantlama sunucusu olmas gerektigini belirtmez, ama RADIUS, 802.1Xte

kullanlan fiili arkau kimlik kantlama sunucusudur.

Mevcut birok AAA (Authentication, Authorization, Accounting) protokol yoktur, ama hem RADIUS hemDIAMETER [RFC3588(B26)] (genisletmeler dahil) tam AAA destegi saglarlar. AAA, Authentication (KimlikKantlama), Authorization (Yetkilendirme) ve Accounting (Hesap Ynetimi) kelimelerinin bas harflerinden olusur(IETFnin AAA alsma Grubu(B27)).

2. Sertifikalarn Saglanmas

Bilgi

EAPTLS, EAPTTLS veya PEAPi kullanmak iin OpenSSL kurulmaldr!

http://belgeler.org/http://www.ietf.org/html.charters/aaa-charter.htmlhttp://www.ietf.org/rfc/rfc3588.txthttp://www.ietf.org/rfc/rfc2865.txthttp://www.ietf.org/rfc/rfc2759.txthttp://www.ietf.org/rfc/rfc2716.txthttp://lists.cistron.nl/pipermail/cistron-radius/2001-September/002042.htmlhttp://www.ietf.org/rfc/rfc1994.txthttp://www.iana.org/assignments/eap-numbers

7/31/2019 p8021x Howto

10/29


EAPTLSyi kullanrken hem Kimlik Kantlama Sunucusu hem de tm istemciler sertifikalara ihtiya du-yar [RFC2459(B28)]. EAPTTLS veya PEAPi kullanrken ise sadece Kimlik Kantlama Sunucusu sertifikalaragereksinim duyar; Istemci sertifikalar seimliktir.

Sertifikalar yerel sertifika yetkilisinden (SY) alrsnz. Eger hi yerel SY yoksa OpenSSL kendindenimzal

sertifikalar retmek iin kullanlabilir.FreeRADIUS kaynagna dahil edilmis, kendindenimzal sertifikalar retmek iin baz yardmc betikler mev-cuttur. Betikler, FreeRADIUS kaynagnda bulunan scripts/ klasrnn altnda bulunmaktadr:

CA.all sordugu baz sorulara dayanarak sertifikalar reten bir kabuk betigidir. CA.certs betiginbaslangcnda nceden tanmlanms bilgiye dayanarak etkilesimsiz olarak sertifikalar retir.

Bilgi

Betikler OpenSSLde mevcut olan CA.pl denilen bir Perl betigi kullanr. CA.all ve CA.certste buPerl betigine olan yol, betigin alstrlabilmesi iin degistirilmeye ihtiya duyabilir.

Ipucu

Kendi sertifikalarnz nasl retebileceginiz hakknda daha fazla bilgiyi SSL certificates HOWTO(B29) bel-gesinde bulabilirsiniz.

3. Kimlik Kantlama Sunucusu: FreeRADIUSun KurulmasFreeRADIUS tamamen GPLli RADIUS sunucu uygulamasdr. Kimlik kantlama mekanizmalarn genis aptadestekler, ama bu belgede rnek olarak PEAP kullanlmstr.

3.1. FreeRADIUSun Kurulumu

Ynerge 1. Kurulum

1. FreeRADIUS sitesine gidin, http://www.freeradius.org/ ve en son srm indirin.

# cd /usr/local/src

# wget ftp://ftp.freeradius.org/pub/radius/freeradius1.0.0.tar.gz

# tar zxfv freeradius1.0.0.tar.gz

# cd freeradius1.0.0

2. Paketi yaplandrn, derleyin ve kurun:

# ./configure

# make

# make install

configure betigini alstrrken seenek belirtebilirsiniz. Daha fazla bilgi iin./configure helpkullann veya README dosyasn okuyun.

alstrabilir dosyalar /usr/local/bin ve /usr/local/sbine, yaplandrma dosyalar ise/usr/local/etc/raddb altna kurulur.

Eger birsey yanls giderse, kaynakla birlikte gelen INSTALL ve README dosyalarn okuyun. RA-

DIUS SSS

(B31)

de degerli bilgiler ierir.

3.2. FreeRADIUSun Yaplandrlmas

http://belgeler.org/http://www.freeradius.org/faq/http://www.freeradius.org/faq/http://www.freeradius.org/http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/http://www.ietf.org/rfc/rfc2459.txt

7/31/2019 p8021x Howto

11/29


FreeRADIUS byk ve gl bir yaplandrma dosyasna sahiptir. O kadar byktr ki, bu dosya daha kkbirka dosyaya paralanp daha sonra bu dosyalar ana radius.conf dosyasna "dahil edilmektedir".

Istediginizi yapmanz iin FreeRADIUSu kullanmann ve ayaga kaldrmann esitli yollar vardr: rn., kullancbilgisini LDAP, SQL, PDC, Kerberos, vs.den aln. Bu belgede, dz metin dosyas userstaki kullanc bilgisi

kullanlmaktadr.

Ipucu

Yaplandrma dosyalarna ayrntl bir sekilde yorum satrlar eklenmistir, ama eger yeterli gelmezse kay-nakla birlikte gelen doc/ dizini ek bilgi ierir.

Ynerge 2. Yaplandrma

1. Yaplandrma dosyalar /usr/local/etc/raddb/ altnda bulunabilir.

# cd /usr/local/etc/raddb/

2. Ana yaplandrma dosyasradiusd.confu an, ve yorum satrlarn okuyun!Sifreli PEAP tneli iinde,MSCHAPv2 kimlik kantlama mekanizmas kullanlr.

a. MPPE [RFC3078(B32)] PMKyi APye gndermekten sorumludur. Asagdaki ayarlarn yapldgndanemin olun:

# MODULES altnda mschapn yorum satr gibi yer

# almadgndan emin olun!

mschap {

# authtype degeri, eger varsa, kimlik kantlama sresince

# AuthTypen stne yazmak (veya eklemek) iin kullanlacak.

# Normalde, MSCHAP olmal.

authtype = MSCHAP

# eger use_mppe noya ayarlanmamssa, mschap,

# MSCHAPv2 iin,MSCHAPv1 ve MSMPPERecvKey/MSMPPESendKey

# iin MSCHAPMPPEKeys ekleyecektir.

use_mppe = yes

# eger mppe etkinse, require_encryption ile

# sifreleme etkinlestirilebilir.

#

require_encryption = yes

# require_strong her zaman 128 bitlik anahtar# sifrelemesi gerektirir.

#

require_strong = yes

authtype = MSCHAP

# modl kimlik kantlamay kendi kendine yapabilir VEYA

# bir Windows Domain Controller kullanabilir. Bunun nasl

# yaplacag iin radius.conf dosyasna baknz.

}

b. authorize ve authenticatein sunlar ierdiginden emin olun:

authorize {

preprocess

mschap

http://belgeler.org/http://www.ietf.org/rfc/rfc3078.txt

7/31/2019 p8021x Howto

12/29


suffix

eap

files

}

authenticate {

#

# MSCHAP kimlik kantlamas.

AuthType MSCHAP {

mschap

}

#

# EAP kimlik kantlamasna izin ver.

eap

}

3. clients.conf dosyasn hangi aga hizmet ettigini belirlemek iin degistirin:

# Burada, hangi aga hizmet verdigimizi belirliyoruz:

client 192.168.0.0/16 {

# Bu Kimlik Kantlayc (erisim noktas) ve Kimlik

# Kantlama Sunucusu (RADIUS) arasnda paylaslan srdr.

secret = SharedSecret99

shortname = testnet

}

4. eap.conf da olduka ak olmal.

a. default_eap_type peape ayarlaynz:

default_eap_type = peap

b. PEAP TLS kullandg iin TLS blm sunlar iermeli:

tls {

# zel anahtar parolas

private_key_password = SecretKeyPass77

# zel anahtar

private_key_file = ${raddbdir}/certs/certsrv.pem

# Gvenilir st Sertifika Yetkilisi

CA_file = ${raddbdir}/certs/demoCA/cacert.pem

dh_file = ${raddbdir}/certs/dh

random_file = /dev/urandom}

c. peap blmn bulun ve asagdakini ierdiginden emin olun:

peap {

# Tnelli EAP oturumu tnelsiz EAP modlnden farkl

# bir EAP trne ihtiya duyar.

# PEAP tnelinde Windows istemcileri tarafndan

# desteklenen ntanml tr olarak MSCHAPv2

# kullanmanz tavsiye ederiz.

default_eap_type = mschapv2

}

5. Kullanc bilgisi bir dz metin dosyas olan usersta tutulur. Kullanc bilgisini tutmak iin daha karmaskbir zm tercih edilebilirdi (SQL, LDAP, PDC, vs.)., su an bir IETF taslagdr.


7/31/2019 p8021x Howto

13/29


users dosyasnn asagdaki kayd ierdiginden emin olun:

"testuser" UserPassword == "Secret149"

4. Istemci: Xsupplicantn KurulmasIstemci kimlik kantlamasna gereksinim duyan genellikle bir dizst bilgisayar veya diger baska bir (telsiz)aygttr. Xsupplicant IEEE 802.1X2001 standartnn "Istemci" paras oldugunu bildirir.

4.1. Xsupplicantn Kurulumu

Ynerge 3. Kurulum

1. En gncel kaynag http://www.open1x.org/ adresinden indirin.

# cd usr/local/src

# wget http://belnet.dl.sourceforge.net/sourceforge/open1x/xsupplicant

1.0.tar.gz

# tar zxfv xsupplicant1.0.tar.gz

# cd xsupplicant

2. Paketi yaplandrn, derleyin ve kurun:

# ./configure

# make

# make install

3. Eger yaplandrma dosyas etc dizininin altna kurulmamssa kendiniz yapn:

# mkdir p /usr/local/etc/1x

# cp etc/tlsexample.conf /usr/local/etc/1x

Eger kurulum basarsz olursa kaynaga dahil edilmis olan README ve INSTALL dosyalarn okuyun. Ayrca,Resmi Belgelendirme(B34)yi de okuyabilirsiniz.

4.2. Xsupplicantn Yaplandrlmas

Ynerge 4. Yaplandrma

1. Istemci root sertifikasna erisebilmelidir.

EgerIstemci Kimlik Kantlama Sunucusundan (ift ynl) dogrulamaya ihtiya duyuyorsa,

Istemci serti-fikalarna da erisebilmelidir.

Bir sertifika dizini olusturun ve sertifikalar onun iine tasyn:

# mkdir p /usr/local/etc/1x/certs

# cp root.pem /usr/local/etc/1x/certs/

# (seimlik istemci sertifikalarn ayn dizine kopyalayn)

2. Yaplandrma dosyasn an ve dzenleyin:

# startup_command: Xsupplicant ilk baslatlrken alstrlacak komut.

# Bu komut, kartn ag ile kusursuz iliskilendirilmesi iin yaplandrlmas

# gibi seyleri yapabilir.

startup_command = /usr/local/etc/1x/startup.sh

startup.sh abucak olusturulacak.

http://belgeler.org/http://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236http://www.open1x.org/

7/31/2019 p8021x Howto

14/29


3. Istemcinin kimlik dogrulamas olunca, bir DHCP istegi iletecektir veya elle bir IP adresi atayacaktr. Burada,Istemci kendi IP adresini startup2.sh dosyasnda elle ayarlyor:

# first_auth_command: Xsupplicant telsiz bir aga kimlik dogrulamas

# yapacag zaman alstrlacak ilk komut. Bu genellikle

# bir DHCP istemci srecini baslatmak iin kullanlr.

#first_auth_command = dhclient %i

first_auth_command=/usr/local/etc/1x/startup2.sh

4. i sadece hata ayklama amacyla (gelistiricilere gre bu seenek karlabilir) kullanlabilecegi iin,allow_interfaces ayarlanmal:

allow_interfaces = eth0

deny_interfaces = eth1

5. Sonra, NETWORK SECTIONn altnda, PEAPi yaplandracagz:

# PEAPi kullanyor olacagz

allow_types = eap_peap

# Ilk asamada (sifrelenmemis asama) kullanc adn

# grenmek iin kulak misafiri olmak isteyenleri istemiyoruz,

# bu nedenle identity hiding kullanlr

# (sahte bir kullanc ad kullanlr).

identity = anonymous

eappeap {

# tlsde oldugu gibi ya bir root sertifikas ya da

# root sertifikalarr ieren bir dizin tanmlayn.

root_cert = /usr/local/etc/1x/certs/root.pem

#root_dir = /path/to/root/certificate/dir

#crl_dir = /path/to/dir/with/crlchunk_size = 1398

random_file = /dev/urandom

#cncheck = myradius.radius.com # Sunucu sertifikasnn CN alannda

# bu degere sahip oldugundan emin olun.

#cnexact = yes # Tam bir eslesme olmal m?

session_resume = yes

# Su an all sadece mschapv2.

# Eger hi allow_types tanmlanmamssa all ntanmldr.

#allow_types = all # burada all = MSCHAPv2, MD5, OTP, GTC, SIM

allow_types = eap_mschapv2

# Simdi, PEAPte bu yntemlerden her hangi birini uygulayabilirsiniz:

eapmschapv2 {

username = testuser

password = Secret149

}

}

6. Istemci ilk olarak erisim noktas ile iliskilendirilmeli. startup.sh betigi o isi yapar. O ayn zamandaXsupplicantn alstrdg ilk komuttur.

Bilgi

iwconfige verdigimiz sahte anahtara dikkat edin (enc 000000000)! Bu anahtar srcye sifrelikipte alsmasn syler. Anahtar, basarl kimlik kantlamann ardndan baskasyla degistirilir. Eger


7/31/2019 p8021x Howto

15/29


sifreleme APde (deneme amacyla) kapalysa bu enc offa ayarlanabilir.

startup.sh ve startup2.sh, her ikisi de /usr/local/etc/1x/ altnda olmal.

#!/bin/bash

echo "$0: islem baslatlyor"

# Arayz devreds brakn (eger alsyor ise)/sbin/ifconfig eth0 down

# Rotalarn bosaltldgndan emin olmak iin

sleep 1

# Arayz sahte bir anahtarla yaplandrn

/sbin/iwconfig eth0 mode managed essid testnet enc 000000000

# Arayz baslatn ve oga gnderim paketlerini dinlediginden emin olun

/sbin/ifconfig eth0 allmulti up

echo "$0: islem tamam"

7. Sonraki dosya IP adresini statik olarak ayarlamak iin kullanlr. Eger bir DHCP sunucusu varsa (birokerisim noktasnda genellikle vardr), bu dosya olmayabilir.

#!/bin/bashecho "$0: islem baslatlyor"

# IP adresinin atanmas

/sbin/ifconfig eth0 192.168.1.5 netmask 255.255.255.0

echo "$0: islem tamam"

5. Kimlik Kantlayc: Kimlik Kantlaycnn Kurulmas (Erisim Nok-

tas)Kimlik kantlama islemi sresince Kimlik Kantlayc sadece Istemci ve Kimlik Kantlama Sunucusu (RADIUS)

arasndaki iletileri tasr. Istemci ile Kimlik Kantlayc arasnda EAPOL ve Kimlik Kantlayc ile Kimlik KantlamaSunucusu arasnda UDP kullanlr.

5.1. Erisim Noktas

Birok erisim noktas 802.1X (ve RADIUS) kimlik kantlamas iin destege sahiptir. nce 802.1X kimlikkantlamas kullanabilmesi iin yaplandrlmaldr.

Bilgi

ENde 802.1Xi yaplandrma ve ayarlama islemleri satclar arasnda farkllk gsterebilir. Asagda Cisco

AP350yi alstrmak iin gereken ayarlar listelenmistir. TIKP, CCMP vs. gibi diger ayarlar da ayrcayaplabilir.

AP, ESSIDi deneme agna ayarlanmal ve etkinlestirilmeli:

Sekil 5. Cisco AP350 RADIUS yaplandrma ekran


7/31/2019 p8021x Howto

16/29


Cisco AP350 iin RADIUS yaplandrma ekran

802.1X2001:802.1X Protokol srmnn "802.1X2001" e ayarlandgndan emin olun. Baz eski ErisimNoktalar 802.1X standartnn sadece taslak srmn destekler (ve bu nedenle alsmayabilir).

RADIUS Sunucu: RADIUS sunucunun isim/IP adresi ve RADIUS sunucu ile Erisim Noktas arasndapaylaslan sr (ki bu belgede "SharedSecret99" olarak geer). Cisco AP350 RADIUS yaplandrma ekran(sayfa: 15)e baknz.

EAP Kimlik Kantlama:RADIUS sunucu EAP kimlik kantlamas iin kullanlmaldr.

Sekil 6. Cisco AP350 Sifreleme yaplandrma ekran

Cisco AP350 iin Sifreleme yaplandrma ekran

Sadece sifreli aksa izin vermek iin Tam Sifrelemekullanlr. 802.1Xin sifrelemesiz kullanlabileceginedikkat edin.

Sifreleme anahtarlar gelmeden nce Istemci ile Erisim Noktasn iliskilendirmek iin Ak Kimlik Kantlamakullanlr. Iliskilendirme yaplr yaplmaz Istemci, EAP kimlik kantlamasna baslayabilir.

"Ak Kimlik Kantlama" iin EAPye ihtiya duyulur. Bu, sadece kimlik kantlamas yaplms kullanclarnaga girmesine izin verilmesini saglar.

5.2. Linux Kimlik KantlaycSradan bir Linux dgm bir telsiz Erisim Noktas ve Kimlik Kantlayc gibi davranacak sekilde ayarlanabilir.Linuxun AP olarak nasl kurulup kullanlacag bu belgenin kapsam dsndadr. Simon AndersonunLinux Wireless Access Point HOWTO(B36) belgesi size klavuzluk edebilir.

6. Deneme Ag

6.1. Deneme Sistemi

Sekil 7. Deneme Sistemi

http://belgeler.org/http://oob.freeshell.org/nzwireless/LWAP-HOWTO.html

7/31/2019 p8021x Howto

17/29


Telsiz bir dgm kimlik dogrulamas isteginde bulunuyor.

Bizim deneme sistemimiz iki dgm ve bir Erisim Noktasndan (AP) olusur. Bir dgm Istemci (WN) gibi, digeriRADIUS (AS) alstran artalan Kimlik Kantlama Sunucusu gibi davranr. Erisim Noktas Kimlik Kantlaycdr.Aklama iin Deneme Sistemi(sayfa: 16)ye baknz

nemli

Erisim Noktasnn Kimlik Kantlama Sunucusuna erisebilmesi (ping) ve tam tersi son derece nemlidir!

6.2. Baz denemeler

Ynerge 5. baz denemeler

1. RADIUS sunucu hata ayklama kipinde baslatlr. Bu ok miktarda hata ayklama bilgisi retir. nemlinoktalar asagdadr:

# radiusd X

Starting reading configuration files ...

reread_config: radiusd.confu okuyor

Config: including file: /usr/local/etc/raddb/proxy.conf

Config: including file: /usr/local/etc/raddb/clients.conf

Config: including file: /usr/local/etc/raddb/snmp.conf

Config: including file: /usr/local/etc/raddb/eap.conf

Config: including file: /usr/local/etc/raddb/sql.conf

......

Module: Loaded MSCHAP

mschap: use_mppe = yes

mschap: require_encryption = no

mschap: require_strong = no

mschap: with_ntdomain_hack = no

mschap: passwd = "(null)"

mschap: authtype = "MSCHAP"

mschap: ntlm_auth = "(null)"

Module: Instantiated mschap (mschap)


7/31/2019 p8021x Howto

18/29


......

Module: Loaded eap

eap: default_eap_type = "peap" 1

eap: timer_expire = 60

eap: ignore_unknown_eap_types = no

eap: cisco_accounting_username_bug = no

rlm_eap: Loaded and initialized type md5

tls: rsa_key_exchange = no 2

tls: dh_key_exchange = yes

tls: rsa_key_length = 512

tls: dh_key_length = 512

tls: verify_depth = 0

tls: CA_path = "(null)"

tls: pem_file_type = yes

tls: private_key_file = "/usr/local/etc/raddb/certs/certsrv.pem"

tls: certificate_file = "/usr/local/etc/raddb/certs/certsrv.pem"

tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"

tls: private_key_password = "SecretKeyPass77"

tls: dh_file = "/usr/local/etc/raddb/certs/dh"

tls: random_file = "/usr/local/etc/raddb/certs/random"

tls: fragment_size = 1024

tls: include_length = yes

tls: check_crl = no

tls: check_cert_cn = "(null)"

rlm_eap: Loaded and initialized type tls

peap: default_eap_type = "mschapv2" 3

peap: copy_request_to_tunnel = no

peap: use_tunneled_reply = no

peap: proxy_tunneled_request_as_eap = yes

rlm_eap: Loaded and initialized type peap

mschapv2: with_ntdomain_hack = norlm_eap: Loaded and initialized type mschapv2

Module: Instantiated eap (eap)

......

Module: Loaded files

files: usersfile = "/usr/local/etc/raddb/users" 4

......

Module: Instantiated radutmp (radutmp)

Listening on authentication *:1812

Listening on accounting *:1813

Istekleri islemek iin hazr. 5

1 Varsaylan EAP tr PEAPe ayarlanmstr.2 RADIUSun TLS ayarlar burada ilklendirilir. Sertifika tr, yer ve parola burada listelenir.

3 PEAP tnelinin iinde MSCHAPv2 kullanlr.

4 Kullanc ad/parola bilgisi users dosyasnda bulunur.

5 RADIUS sunucu basarl bir sekilde baslad. Gelen istekler iin bekliyor.

Radius sunucu istekleri islemek iin artk hazr!

En ilgin kt yukarda gsterilmistir. Eger en son satrn yerine her hangi bir hata iletisi alyorsanzyaplandrmaya (yukarda) dikkatli bir sekilde bakn.

2. Simdi Istemci kimlik dogrulamas iin hazr. Xsupplicant hata ayklama kipinde baslatn. Iki baslatmabetigi tarafndan retilen kty grecegimize dikkat edin: startup.sh ve startup2.sh.


7/31/2019 p8021x Howto

19/29


# xsupplicant c /usr/local/etc/1x/1x.conf i eth0 d 6

/etc/1x/startup.sh: islem baslatlyor

/etc/1x/startup.sh: islem tamam

/etc/1x/startup2.sh: islem baslatlyor

/etc/1x/startup2.sh: islem tamam

3. Ayn zamanda RADIUS sunucu da ok miktarda kt retiyor olacak. Baslca bilgiler asagda gsterilmistir:

......

rlm_eap: Request found, released from the list

rlm_eap: EAP/peap

rlm_eap: processing type peap

rlm_eap_peap: Authenticate

rlm_eap_tls: processing TLS 1

eaptls_verify returned 7

rlm_eap_tls: Done initial handshake

eaptls_process returned 7

rlm_eap_peap: EAPTLS_OK 2rlm_eap_peap: Session established. Decoding tunneled attributes.

rlm_eap_peap: Received EAPTLV response.

rlm_eap_peap: Tunneled data is valid.

rlm_eap_peap: Success

rlm_eap: Freeing handler

modcall[authenticate]: module "eap" returns ok for request 8

modcall: group authenticate returns ok for request 8

Login OK: [testuser/] (from client testnet port

37 cli 0002a56fa08a)

Sending AccessAccept of id 8 to 192.168.2.1:1032 3

MSMPPERecvKey = 0xf21757b96f52ddaefe084c343778d0082c2c8e12ce18ae10

a79c550ae61a5206 4

MSMPPESendKey = 0x5e1321e06a45f7ac9f78fb9d398cab5556bff6c9d003cdf8

161683bfb7e7af18

EAPMessage = 0x030a0004

MessageAuthenticator = 0x00000000000000000000000000000000

UserName = "testuser"

1 TLS oturumu baslatlyor. TLS el sksmas yaplyor.

2 TLS oturumu (PEAPsifreli tnel) alsyor.

3 Istemcinin RADIUS sunucu tarafndan basaryla kimlik kantlamas yaplmstr. "AccessAccept"iletisi gnderilir.

4 MSMPPERecvKey [RFC2548(B38) blm 2.4.3], Kimlik Kantlaycya (erisim noktas) ynelmis,MPPE Protokolyle [RFC3078(B39)] sifrelenmis Kimlik Kantlayc ve Kimlik Kantlama Sunucusuarasnda paylaslan srr anahtar olarak kullanan Ana Oturum Anahtarn (PMK) ierir. IstemciAnahtar Ynetimi(sayfa: 6) blmnde tanmlandg gibi MKden ayn PMKyi tretir.

4. Kimlik Kantlayc (erisim noktas) buna benzer gnlk kaytlar gsterebilir:

00:02:16 (Info): Station 0002a56fa08a Associated

00:02:17 (Info): Station=0002a56fa08a User="testuser" EAPAuthenticated

Iste bu! Istemicini artk Erisim Noktasn kullanmas iin kimlik dogrulamas yaplms oldu!

7. Xsupplicant ve Src destegi hakknda

http://belgeler.org/http://www.ietf.org/rfc/rfc3078.txthttp://www.ietf.org/rfc/rfc2548.txt

7/31/2019 p8021x Howto

20/29


Anahtar Ynetimi (sayfa: 6) blmnde aklandg gibi 802.1X ile Dynamic WEP/802.11i kullanmann bykavantajlarndan biri oturum anahtarlar iin destektir. Her bir oturum iin yeni bir sifreleme anahtar retilir.

Xsupplicant bu belge yazlrken sadece "Dynamic WEP" i destekliyordu. WPA ve RSN/WPA2 iin destek(802.11i) zerinde alslyor ve Chris Hessinge (Xsupplicants gelistiricilerinden biri) gre 2004/2005 so-

nuna kadar desteklenecegi tahmin ediliyor.Tm telsiz rnler dynamic WEPi veya WPAy desteklemez. RSNyi (WPA) kullanmak iin donanmda yenidestege dahi gereksinim duyulabilir. Birok eski src agda her hangi bir zamanda tek bir WEP anahtarkullanlacagn farzeder. Anahtar degistirildiginde yeni anahtarn etkinlesmesi iin kart yeniden baslatlr. Buyeni bir kimlik kantlamay tetikler ve hi bitmeyen bir dng vardr.

Yazm srasnda temel Linux ekirdegindeki telsiz srclerin ogu dynamic WEP/WPAnn alsmas iinyamalanmaya gereksinim duyuyordu. Zamanla bu yeni zellikleri destekleyecek sekilde gncelleneceklerdir.Bununla birlikte ekirdegin dsnda gelistirilen birok src dynamic WEP iin destege sahiptir; HostAP, mad-wifi, Orinoco ve atmel sorunsuz alsmaldr.

Xsupplicant kullanmak yerine, wpa_supplicant(B42) kullanlabilir. Hem WPA hem RSN (WPA2) hem de genisapta EAP kimlik kantlama yntemleri iin destegi vardr.

8. SSSFreeRADIUS(B43) (mutlaka tavsiye edilir!) ve Xsupplicant(B44) Web sitelerinin SSS blmlerine bakmay unut-mayn.

8.1. Global bir yaplandrma dosyas yerine kullancya zel Xsupplicant yaplandrmasna izin vermekmmkn m?8.2. PEAPi kullanmak istemiyorum; Onun yerine EAPTTLS veya EAPTLSyi kullanabilir miyim?

8.3. GNU/Linux yerine bir Windows Supplicant (istemci) kullanabilir miyim?8.4. Kullanc kimlik kantlamalar iin bir Active Directory kullanabilir miyim?8.5. Hi Windows Supplicant istemcisi var m?

8.1. Global bir yaplandrma dosyas yerine kullancya zel Xsupplicant yaplandrmasna izin vermekmmkn m?

Hayr, su an degil.

8.2. PEAPi kullanmak istemiyorum; Onun yerine EAPTTLS veya EAPTLSyi kullanabilir miyim?Evet. EAPTTLSyi kullanmak iin bu belgede kullanlan yaplandrmaya sadece ufak degisiklikler yap-manz gerekir. EAPTLSyi kullanmak iin istemci sertifikalar kullanlmaldr.

8.3. GNU/Linux yerine bir Windows Supplicant (istemci) kullanabilir miyim?Evet. Windows XP SP1/Windows 2000 SP3 PEAP MSCHAPv2 iin destege sahip (bu belgede kullanld).Bir Windows NASIL burada bulunabilir: FreeRADIUS/WinXP Authentication Setup(B45)

8.4. Kullanc kimlik kantlamalar iin bir Active Directory kullanabilir miyim?Evet. FreeRADIUS "ntlm_auth"u kullanarak ADden kullanc kimlik kantlamalarn yapabilir.

8.5. Hi Windows Supplicant istemcisi var m?Evet. Windows XP SP1 veya Windows 2000 SP3 ile WPA (PEAP/MSCHAPv2) iin destek mevcuttur.Diger istemciler (denenmedi) Secure W2(B46) (ticari olmayan kullanm iin bedavadr) ve WIRE1X(B47)

ierir. Funk Software(B48)

de ticari bir istemciye sahiptir.

http://belgeler.org/http://www.funk.com/http://wire.cs.nthu.edu.tw/wire1x/http://www.securew2.com/http://text.dslreports.com/forum/remark,9286052~mode=flathttp://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236#ch7http://www.freeradius.org/faq/http://hostap.epitest.fi/wpa_supplicant/

7/31/2019 p8021x Howto

21/29


9. Faydal KaynaklarGenel olarak sadece 12 aydan daha eski olan IEEE standartlar halka aktr (su bagdan "IEEE 802 Pro-gramn Aln"(B49)). Dolaysyla yeni 802.11i ve 802.1X2004 standartlarnn belgeleri mevcut degildir. Gelisimsrecindeki her hangi bir taslak/is ile alakal makalelere erismek iin IEEE katlmcs olmalsnz (ki bu gerekten

hi de zor degildir sadece bir eposta listesine katln ve ilgili oldugunuzu syleyin).1. FreeRADIUS Sunucu Projesi

http://www.freeradius.org/

2. P Open1x: IEEE 802.1Xin Ak Kaynak Uygulamas (Xsupplicant)http://www.open1x.org/

3. Open1x Kullanc Klavuzuhttp://sourceforge.net/docman/display_doc.php?docid=23371\&group_id=

60236

4. PortTabanl Ag Erisim Denetimi (802.1X2001)http://standards.ieee.org/getieee802/download/802.1X-2001.pdf

5. RFC2246: TLS Protokol Srm 1.0http://www.ietf.org/rfc/rfc2246.txt

6. RFC2459: Internet X.509 Ak Anahtar Altyap Sistemi Sertifika ve CRL Profilihttp://www.ietf.org/rfc/rfc2459.txt

7. RFC2548: Microsoft Satcya zel RADIUS zelliklerihttp://www.ietf.org/rfc/rfc2548.txt

8. RFC2716: PPP EAP TLS Kimlik Kantlama Protokolhttp://www.ietf.org/rfc/rfc2716.txt

9. RFC2865: Uzaktan Aramal Kullanc Kimlik Kantlama Hizmeti (RADIUS)

http://www.ietf.org/rfc/rfc2865.txt10. RFC3079: Microsoft NoktadanNoktaya Sifreleme (MPPE) ile kullanmak iin Anahtarlar Tretmek

http://www.ietf.org/rfc/rfc3079.txt

11. RFC3579: EAP iin RADIUS destegihttp://www.ietf.org/rfc/rfc3579.txt

12. RFC3580: IEEE 802.1X RADIUS Kullanm Ynergelerihttp://www.ietf.org/rfc/rfc3580.txt

13. RFC3588: ap Tabanl ProtokolP http://www.ietf.org/rfc/rfc3588.txt

14. RFC3610: CBCMAC (CCM) ile Sayahttp://www.ietf.org/rfc/rfc3610.txt

15. RFC3748: Genisleyebilir Kimlik Kantlama Protokol (Extensible Authentication Protocol) (EAP)http://www.ietf.org/rfc/rfc3748.txt

16. Linux Telsiz Erisim Noktas NASILhttp://oob.freeshell.org/nzwireless/LWAP-HOWTO.html

17. SSL Sertifikalar NASILhttp://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/

18. OpenSSL: x509(1)http://www.openssl.org/docs/apps/x509.html

http://belgeler.org/http://www.openssl.org/docs/apps/x509.htmlhttp://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/http://oob.freeshell.org/nzwireless/LWAP-HOWTO.htmlhttp://www.ietf.org/rfc/rfc3748.txthttp://www.ietf.org/rfc/rfc3610.txthttp://www.ietf.org/rfc/rfc3588.txthttp://www.ietf.org/rfc/rfc3580.txthttp://www.ietf.org/rfc/rfc3579.txthttp://www.ietf.org/rfc/rfc3079.txthttp://www.ietf.org/rfc/rfc2865.txthttp://www.ietf.org/rfc/rfc2716.txthttp://www.ietf.org/rfc/rfc2548.txthttp://www.ietf.org/rfc/rfc2459.txthttp://www.ietf.org/rfc/rfc2246.txthttp://standards.ieee.org/getieee802/download/802.1X-2001.pdfhttp://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236http://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236http://www.open1x.org/http://www.freeradius.org/http://standards.ieee.org/getieee802/http://standards.ieee.org/getieee802/

7/31/2019 p8021x Howto

22/29


10. Tesekkr vs.

10.1. Bu belge nasl retildi?

Bu belge Emacs kullanlarak DocBook XML olarak yazld.

10.2. Geri bildirim

neriler, dzeltmeler ve eklemelere agm. Katkda bulunmak isteyenler benimle iletisime geebilirler.Ykcelestiriler istemiyorum.

Bana adresinden her zaman ulasabilirsiniz.

Ana sayfa: http://www.gnist.org/~lars/

10.3. Tesekkr

Andreas Hafslunda ve Thales Communicationa desteklerinden tr tesekkr ederim.

Degerleri katklar iin Artur Heckere , Chris Hessinge , JouniMalinene ve Terry Simonsa da tesekkr ederim!

Dil gzden geirmesi iin Rick Moene tesekkr ederim!

GNU Free Documentation License

Version 1.2, November 2002

Copyright 2000,2001,2002 Free Software Foundation, Inc.

59 Temple Place, Suite 330, Boston, MA 021111307, USA

Everyone is permitted to copy and distribute verbatim copies

of this license document, but changing it is not allowed.

1. PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document freeinthe sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or withoutmodifying it, either commercially or noncommercially. Secondarily, this License preserves for the authorand publisher a way to get credit for their work, while not being considered responsible for modifications

made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselvesbe free in the same sense. It complements the GNU General Public License, which is a copyleft licensedesigned for free software.

We have designed this License in order to use it for manuals for free software, because free softwareneeds free documentation: a free program should come with manuals providing the same freedoms thatthe software does. But this License is not limited to software manuals; it can be used for any textual work,regardless of subject matter or whether it is published as a printed book. We recommend this Licenseprincipally for works whose purpose is instruction or reference.

2. APPLICABILITY AND DEFINITIONS

http://belgeler.org/http://www.gnist.org/~lars/

7/31/2019 p8021x Howto

23/29


This License applies to any manual or other work, in any medium, that contains a notice placed by thecopyright holder saying it can be distributed under the terms of this License. Such a notice grants a worldwide, royaltyfree license, unlimited in duration, to use that work under the conditions stated herein. The"Document", below, refers to any such manual or work. Any member of the public is a licensee, and isaddressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring

permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, eithercopied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a frontmatter section of the Document that deals exclu-sively with the relationship of the publishers or authors of the Document to the Documents overall subject(or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if theDocument is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.)The relationship could be a matter of historical connection with the subject or with related matters, or oflegal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those ofInvariant Sections, in the notice that says that the Document is released under this License. If a sectiondoes not fit the above definition of Secondary then it is not allowed to be designated as Invariant. TheDocument may contain zero Invariant Sections. If the Document does not identify any Invariant Sectionsthen there are none.

The "Cover Texts" are certain short passages of text that are listed, as FrontCover Texts or BackCoverTexts, in the notice that says that the Document is released under this License. A FrontCover Text maybe at most 5 words, and a BackCover Text may be at most 25 words.

A "Transparent" copy of the Document means a machinereadable copy, represented in a format whosespecification is available to the general public, that is suitable for revising the document straightforwardlywith generic text editors or (for images composed of pixels) generic paint programs or (for drawings) somewidely available drawing editor, and that is suitable for input to text formatters or for automatic translationto a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent fileformat whose markup, or absence of markup, has been arranged to thwart or discourage subsequentmodification by readers is not Transparent. An image format is not Transparent if used for any substantialamount of text. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ascii without markup, Texinfo inputformat, LaTeX input format, SGML or XML using a publicly available DTD, and standardconforming simple

HTML, PostScript or PDF designed for human modification. Examples of transparent image formats includePNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only byproprietary word processors, SGML or XML for which the DTD and/or processing tools are not generallyavailable, and the machinegenerated HTML, PostScript or PDF produced by some word processors foroutput purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are neededto hold, legibly, the material this License requires to appear in the title page. For works in formats whichdo not have any title page as such, "Title Page" means the text near the most prominent appearance ofthe works title, preceding the beginning of the body of the text.

A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ orcontains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands fora specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements",


7/31/2019 p8021x Howto

24/29


or "History".) To "Preserve the Title" of such a section when you modify the Document means that itremains a section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License appliesto the Document. These Warranty Disclaimers are considered to be included by reference in this License,

but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers mayhave is void and has no effect on the meaning of this License.

3. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially,provided that this License, the copyright notices, and the license notice saying this License applies to theDocument are reproduced in all copies, and that you add no other conditions whatsoever to those of thisLicense. You may not use technical measures to obstruct or control the reading or further copying of thecopies you make or distribute. However, you may accept compensation in exchange for copies. If youdistribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.4. COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document,numbering more than 100, and the Documents license notice requires Cover Texts, you must enclosethe copies in covers that carry, clearly and legibly, all these Cover Texts: FrontCover Texts on the frontcover, and BackCover Texts on the back cover. Both covers must also clearly and legibly identify you asthe publisher of these copies. The front cover must present the full title with all words of the title equallyprominent and visible. You may add other material on the covers in addition. Copying with changes limitedto the covers, as long as they preserve the title of the Document and satisfy these conditions, can betreated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (asmany as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must eitherinclude a machinereadable Transparent copy along with each Opaque copy, or state in or with eachOpaque copy a computernetwork location from which the general networkusing public has access todownload using publicstandard network protocols a complete Transparent copy of the Document, freeof added material. If you use the latter option, you must take reasonably prudent steps, when you begindistribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessibleat the stated location until at least one year after the last time you distribute an Opaque copy (directly or

through your agents or retailers) of that edition to the public.It is requested, but not required, that you contact the authors of the Document well before redistributing anylarge number of copies, to give them a chance to provide you with an updated version of the Document.

5. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and3 above, provided that you release the Modified Version under precisely this License, with the ModifiedVersion filling the role of the Document, thus licensing distribution and modification of the Modified Versionto whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from

those of previous versions (which should, if there were any, be listed in the History section of theDocument). You may use the same title as a previous version if the original publisher of that versiongives permission.


7/31/2019 p8021x Howto

25/29


B. List on the Title Page, as authors, one or more persons or entities responsible for authorship ofthe modifications in the Modified Version, together with at least five of the principal authors of theDocument (all of its principal authors, if it has fewer than five), unless they release you from thisrequirement.

C. State on the Title page the name of the publisher of the Modified Version, as the publisher.

D. Preserve all the copyright notices of the Document.

E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

F. Include, immediately after the copyright notices, a license notice giving the public permission to usethe Modified Version under the terms of this License, in the form shown in the Addendum below.

G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given inthe Documents license notice.

H. Include an unaltered copy of this License.I. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the

title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is nosection Entitled "History" in the Document, create one stating the title, year, authors, and publisherof the Document as given on its Title Page, then add an item describing the Modified Version asstated in the previous sentence.

J. Preserve the network location, if any, given in the Document for public access to a Transparent copyof the Document, and likewise the network locations given in the Document for previous versions itwas based on. These may be placed in the "History" section. You may omit a network location for awork that was published at least four years before the Document itself, or if the original publisher ofthe version it refers to gives permission.

K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section,and preserve in the section all the substance and tone of each of the contributor acknowledgementsand/or dedications given therein.

L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Sectionnumbers or the equivalent are not considered part of the section titles.

M. Delete any section Entitled "Endorsements". Such a section may not be included in the ModifiedVersion.

N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any InvariantSection.

O. Preserve any Warranty Disclaimers.

If the Modified Version includes new frontmatter sections or appendices that qualify as Secondary Sec-tions and contain no material copied from the Document, you may at your option designate some or allof these sections as invariant. To do this, add their titles to the list of Invariant Sections in the ModifiedVersions license notice. These titles must be distinct from any other section titles.

You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your

Modified Version by various parties-for example, statements of peer review or that the text has beenapproved by an organization as the authoritative definition of a standard.


7/31/2019 p8021x Howto

26/29


You may add a passage of up to five words as a FrontCover Text, and a passage of up to 25 words asa BackCover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage ofFrontCover Text and one of BackCover Text may be added by (or through arrangements made by) anyone entity. If the Document already includes a cover text for the same cover, previously added by you orby arrangement made by the same entity you are acting on behalf of, you may not add another; but you

may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their namesfor publicity for or to assert or imply endorsement of any Modified Version.

6. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the termsdefined in section 4 above for modified versions, provided that you include in the combination all of theInvariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections ofyour combined work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sectionsmay be replaced with a single copy. If there are multiple Invariant Sections with the same name but differentcontents, make the title of each such section unique by adding at the end of it, in parentheses, the nameof the original author or publisher of that section if known, or else a unique number. Make the sameadjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History" in the various original documents,forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", andany sections Entitled "Dedications". You must delete all sections Entitled "Endorsements."

7. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License,and replace the individual copies of this License in the various documents with a single copy that isincluded in the collection, provided that you follow the rules of this License for verbatim copying of eachof the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License,provided you insert a copy of this License into the extracted document, and follow this License in all otherrespects regarding verbatim copying of that document.

8. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works,in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting fromthe compilation is not used to limit the legal rights of the compilations users beyond what the individualworks permit. When the Document is included an aggregate, this License does not apply to the otherworks in the aggregate which are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if theDocument is less than one half of the entire aggregate, the Documents Cover Texts may be placedon covers that bracket the Document within the aggregate, or the electronic equivalent of covers if theDocument is in electronic form. Otherwise they must appear on printed covers that bracket the wholeaggregate.

9. TRANSLATION


7/31/2019 p8021x Howto

27/29


Translation is considered a kind of modification, so you may distribute translations of the Document underthe terms of section 4. Replacing Invariant Sections with translations requires special permission fromtheir copyright holders, but you may include translations of some or all Invariant Sections in addition tothe original versions of these Invariant Sections. You may include a translation of this License, and all thelicense notices in the Document, and any Warranty Disclaimers, provided that you also include the original

English version of this License and the original versions of those notices and disclaimers. In case of adisagreement between the translation and the original version of this License or a notice or disclaimer,the original version will prevail.

If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement(section 4) to Preserve its Title (section 1) will typically require changing the actual title.

10. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for underthis License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and willautomatically terminate your rights under this License. However, parties who have received copies, orrights, from you under this License will not have their licenses terminated so long as such parties remainin full compliance.

11. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation Licensefrom time to time. Such new versions will be similar in spirit to the present version, but may differ in detailto address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that aparticular numbered version of this License "or any later version" applies to it, you have the option of

following the terms and conditions either of that specified version or of any later version that has beenpublished (not as a draft) by the Free Software Foundation. If the Document does not specify a versionnumber of this License, you may choose any version ever published (not as a draft) by the Free SoftwareFoundation.

ADDENDUM: How to use this License for your documents

To use this License in a document you have written, include a copy of the License in the document and put thefollowing copyright and license notices just after the title page:

Copyright (C) year your name.Permission is granted to copy, distribute and/or modify this document

under the terms of the GNU Free Documentation License, Version 1.2

or any later version published by the Free Software Foundation;

with no Invariant Sections, no FrontCover Texts, and no BackCover Texts.

A copy of the license is included in the section entitled GNU

Free Documentation License.

If you have Invariant Sections, FrontCover Texts and BackCover Texts, replace the "with...Texts." line with this:

with the Invariant Sections being list their titles, withthe FrontCover Texts being list, and with the BackCover Textsbeing list.

If you have Invariant Sections without Cover Texts, or some other combination of the three, merge those twoalternatives to suit the situation.


7/31/2019 p8021x Howto

28/29


If your document contains nontrivial examples of program code, we recommend releasing these examples inparallel under your choice of free software license, such as the GNU General Public License, to permit their usein free software.

NotlarBelge iinde dipnotlar ve ds baglantlar varsa, bunlarla ilgili bilgiler bulunduklar sayfann sonunda dipnot olarakverilmeyip, hepsi toplu olarak burada listelenmis olacaktr.

(B1) http://www.freeradius.org

(B2) http://www.open1x.org

(B3) http://standards.ieee.org/getieee802/download/802.1X-2001.pdf

(B6) http://www.open1x.org

(B7) http://www.freeradius.org

(B8) http://standards.ieee.org/getieee802/download/802.1X-2001.pdf

(B9) http://www.ietf.org/rfc/rfc1994.txt

(B13) http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html


(B15) http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf


(B18) http://www.wi-fi.org/



(B22) http://lists.cistron.nl/pipermail/cistron-radius/2001-September/

002042.html

(B23)

http://www.ietf.org/rfc/rfc2716.txt(B24) http://www.ietf.org/rfc/rfc2759.txt



(B27) http://www.ietf.org/html.charters/aaa-charter.html


(B29)

http://www.tldp.org/HOWTO/SSL-

Certificates-

HOWTO/

(B31) http://www.freeradius.org/faq/

http://belgeler.org/http://www.freeradius.org/faq/http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/http://www.ietf.org/rfc/rfc2459.txthttp://www.ietf.org/html.charters/aaa-charter.htmlhttp://www.ietf.org/rfc/rfc3588.txthttp://www.ietf.org/rfc/rfc2865.txthttp://www.ietf.org/rfc/rfc2759.txthttp://www.ietf.org/rfc/rfc2716.txthttp://lists.cistron.nl/pipermail/cistron-radius/2001-September/002042.htmlhttp://lists.cistron.nl/pipermail/cistron-radius/2001-September/002042.htmlhttp://www.ietf.org/rfc/rfc1994.txthttp://www.ietf.org/rfc/rfc3748.txthttp://www.wi-fi.org/http://www.ietf.org/rfc/rfc2898.txthttp://csrc.nist.gov/publications/fips/fips197/fips-197.pdfhttp://www.ietf.org/rfc/rfc3610.txthttp://www.isaac.cs.berkeley.edu/isaac/wep-faq.htmlhttp://www.ietf.org/rfc/rfc1994.txthttp://standards.ieee.org/getieee802/download/802.1X-2001.pdfhttp://www.freeradius.org/http://www.open1x.org/http://standards.ieee.org/getieee802/download/802.1X-2001.pdfhttp://www.open1x.org/http://www.freeradius.org/

7/31/2019 p8021x Howto

29/29



(B34) http://sourceforge.net/docman/display_doc.php?docid=23371\&group_id=

60236

(B36)

http://oob.freeshell.org/nzwireless/LWAP-

HOWTO.html



(B42) http://hostap.epitest.fi/wpa_supplicant/

(B43) http://www.freeradius.org/faq/

(B44) http://sourceforge.net/docman/display_doc.php?docid=23371\&group_id=

60236#ch7

(B45) http://text.dslreports.com/forum/remark,9286052~mode=flat

(B46) http://www.securew2.com

(B47) http://wire.cs.nthu.edu.tw/wire1x/

(B48) http://www.funk.com

(B49) http://standards.ieee.org/getieee802/

Bu dosya (p8021x-howto.pdf), belgenin XML biiminin

TEXLive ve belgeler-xsl paketlerindeki aralar kullanlarak

PDF biimine dnstrlmesiyle elde edilmistir.

23 Ocak 2007
http://standards.ieee.org/getieee802/http://www.funk.com/http://wire.cs.nthu.edu.tw/wire1x/http://www.securew2.com/http://text.dslreports.com/forum/remark,9286052~mode=flathttp://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236#ch7http://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236#ch7http://www.freeradius.org/faq/http://hostap.epitest.fi/wpa_supplicant/http://www.ietf.org/rfc/rfc3078.txthttp://www.ietf.org/rfc/rfc2548.txthttp://oob.freeshell.org/nzwireless/LWAP-HOWTO.htmlhttp://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236http://sourceforge.net/docman/display_doc.php?docid=23371&group_id=60236http://www.ietf.org/rfc/rfc3078.txt