Linux radius authentication via WPA with EAP-TTLS

Intro

Note : If you know what you're doing and don't want to read more, my config files for wpa_supplicant are available here.


This document is a quick and dirty description of how to configure Linux for radius authentication via WLAN over WPA access points (APs). It focuses on authentication via a username and password that are checked by the radius server, not via a pre-shared key (PSK). Checking the identity of the radius server via certificates is also described. You'll find this type of authentication on larger networks, as most people who set up a private AP for home use aren't willing to install radius servers ;-)

Some info on the hardware and wlan driver used is available here. It is assumed your wlan card is already set up properly for normal use.



Preparations

Make sure you have EAP support in your kernel and install wpasupplicant. There's a debian package available that will do fine :

apt-get install wpasupplicant

Get the certificate used to verify the radius server (the file referenced by ca_cert in the config below).

Not all drivers for wireless adapters support wpa. Check your driver documentation. The ipw2100 and ipw2200 drivers supplied with current kernel.org-kernels will both do the job if you're using such a device. Haven't tested others. Users of the ipw2x00 drivers should have a look at these tips.



How to setup wpa_supplicant

After installing wpa_supplicant, you should find its init-script at /etc/init.d/wpasupplicant and a setup file at /etc/default/wpasupplicant. The daemon is not started by default because it is disabled in the latter; you need to enable it there (ENABLE=1). I don't want wpasupplicant to be started at boot-up, so I removed all links to its init-script in /etc/rc?.d/ via

update-rc.d -f wpasupplicant remove

You may not need to do this (it depends on whether you set up the other networks you use for wpasupplicant, too). Before you try to start wpasupplicant, you need a config file, usually at /etc/wpa_supplicant.conf. The file I currently use is shown below. Remember to replace <username> and <password> with your credentials and adapt the ssid and the certificate path. The file can also be downloaded; updated versions will go there, too.

======================== start /etc/wpa_supplicant.conf ========================

# /etc/wpa_supplicant.conf
# don't forget to set your credentials (username + password),
# the ssid of the network and the location of the certificate file! 

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=1

network={
	ssid="<ssid>"
	proto=WPA
	key_mgmt=WPA-EAP
	eap=TTLS
	identity="<username>"
	password="<password>"
	ca_cert="</path/to/cert>"
	phase2="auth=PAP"
	priority=4
}

======================== stop /etc/wpa_supplicant.conf ========================
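Two properties of the config above deserve a check before the daemon is started: the file holds the password in clear text, and with phase2 PAP the password is sent in clear inside the TLS tunnel, so the tunnel must be anchored to the right CA certificate or the supplicant would hand the password to any server that answers for the SSID. The script below is an added example, not a file from the original page; its function names and messages are my own, and it only reads the config file and the ca_cert path.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check a wpa_supplicant.conf
# network block for EAP-TTLS before starting the daemon. The config stores the
# password in clear text, and phase2 PAP sends it in clear inside the TLS
# tunnel, so the file must be private and the CA certificate must be in place.
# Function names and messages are this example's own.

# Print the value of key "$2" inside the network={...} block of file "$1",
# with surrounding double quotes stripped; prints nothing if the key is absent.
conf_value() {
    sed -n '/^network={/,/^}/p' "$1" |
        sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" |
        head -n 1
}

# Return 0 if the config passes all checks, 1 otherwise; findings go to stdout.
check_wpa_conf() {
    conf="$1"; rc=0
    if [ ! -f "$conf" ]; then echo "missing config file: $conf"; return 1; fi

    # 1. identity and password are stored in clear text: owner-only access
    case "$(ls -ld "$conf")" in
        -???------*) ;;
        *) echo "$conf is readable by group/others: chmod 600 it"; rc=1 ;;
    esac

    # 2. RADIUS (EAP) authentication tunnelled in TLS, not a pre-shared key
    [ "$(conf_value "$conf" key_mgmt)" = "WPA-EAP" ] || { echo "key_mgmt is not WPA-EAP"; rc=1; }
    [ "$(conf_value "$conf" eap)" = "TTLS" ] || { echo "eap is not TTLS"; rc=1; }

    # 3. template placeholders such as <username> must have been replaced
    for key in ssid identity password ca_cert; do
        case "$(conf_value "$conf" "$key")" in
            ""|"<"*) echo "$key is unset or still a placeholder"; rc=1 ;;
        esac
    done

    # 4. without a readable ca_cert the supplicant cannot verify the server and
    #    would hand the clear-text PAP password to whoever answers for the SSID
    ca=$(conf_value "$conf" ca_cert)
    if [ -n "$ca" ] && [ ! -r "$ca" ]; then
        echo "ca_cert file not readable: $ca"; rc=1
    fi
    return $rc
}

# stand-alone use: sh check_wpa_conf.sh /etc/wpa_supplicant.conf
if [ $# -gt 0 ]; then check_wpa_conf "$1"; fi
```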



Here is the startup script I use to connect to the wpa wlan. It configures the interfaces, starts wpa_supplicant and gets an IP address so I don't have to type the commands over and over again. You should stop wpasupplicant when you stop using the wpa-secured wlan by typing :

/etc/init.d/wpasupplicant stop



============================= start uni-wpa.sh =============================

#!/bin/sh
# written by spirit
# connect to WPA-encrypted WLAN (i.e. FLUGHAFEN)
# remember to adapt /etc/wpa_supplicant.conf to your needs!
# you must also enable wpa_supplicant in /etc/default/wpasupplicant!


### settings -- adapt these to your needs ###
# your wireless adapter (wlan device)
DEVICE="eth1"

#other ethernet cards that should be disabled
DISABLE="eth0"

#driver name (kernel module) of your wireless adapter
DRIVER="ipw2100"

#the driver alias wpa_supplicant uses for your card
# (see "wpa_supplicant -help" for possible values)
WPADRIVERALIAS="wext"

#name of the wireless LAN you want to connect to
ESSID="FLUGHAFEN"

#your wpa_supplicant config file
WPACONF="/etc/wpa_supplicant.conf"

### programs we need ###
modprobe=$(which modprobe)
ifconfig=$(which ifconfig)
iwconfig=$(which iwconfig)
dhclient=$(which dhclient)
wpasupplicant=$(which wpa_supplicant)


### here we go ###
echo "==> configuring interfaces for $ESSID..."

# setup wlan
$modprobe $DRIVER
$ifconfig $DEVICE up
$ifconfig $DISABLE down
$iwconfig $DEVICE mode managed
$iwconfig $DEVICE ap any
$iwconfig $DEVICE rate auto
$iwconfig $DEVICE essid $ESSID

# enable wpa support
$wpasupplicant -i$DEVICE -D$WPADRIVERALIAS -c $WPACONF -B


# get ip configuration from AP
$dhclient $DEVICE

# we're done
echo "==> done. don't forget to stop wpa_supplicant when you're done via :"
echo "==> /etc/init.d/wpasupplicant stop"

============================= stop uni-wpa.sh =============================



Config Files

my /etc/wpa_supplicant.conf

my startup script

my /etc/init.d/wpasupplicant (not really needed, no changes)

my /etc/default/wpasupplicant (not really needed, changes trivial)



Hardware / Drivers used

Note : the config file and other stuff described here doesn't differ for other hardware, but not all drivers support WPA yet.

Tested on debian GNU/linux (sarge 3.1, stable) with an intel pro 2100 wireless adapter, driver ipw2100 (thinkpad r51 laptop). Note that setting the driver alias in wpasupplicant to "ipw" did NOT work for me; as you can see in the config file, I'm using "wext".

Stuff described in this document is known to work with the intel pro 2200 card using the ipw2200 driver if the kernel module is loaded via

modprobe ipw2200 hwcrypto=0

The driver alias for wpasupplicant should be set to "ipw" when using the ipw2200.

Drivers for both cards are included in recent linux kernels :

networking -> generic IEEE 802.11 networking stack
device drivers -> network device support -> wireless LAN -> intel pro wireless 2x00

Some system info follows :

root@threat:~# uname -a
Linux threat 2.6.13.4 #3 Fri Oct 21 00:06:50 CEST 2005 i686 GNU/Linux
root@threat:~# iwconfig eth1
Warning: Driver for device eth1 has been compiled with version 18
of Wireless Extension, while this program supports up to version 17.
Some things may be broken...

eth1      IEEE 802.11b  ESSID:"nodewlan"  Nickname:"ipw2100"
          Mode:Managed  Frequency:2.462 GHz  Access Point: 00:12:17:CB:FE:CC
          Bit Rate=1 Mb/s   Tx-Power:off
          Retry min limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=30/100  Signal level=-88 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:3   Missed beacon:72

root@threat:~# lsmod
Module                  Size  Used by
vmnet                  35940  13
vmmon                 107116  0
snd_intel8x0m          15364  0
snd_intel8x0           29568  0
snd_ac97_codec         83324  2 snd_intel8x0m,snd_intel8x0
i2c_i801                7756  0
ipw2100               144164  0
ieee80211              43496  1 ipw2100
ieee80211_crypt         5124  1 ieee80211


Links and References

- a nice wpa howto for debian : http://faq.pathfinderteam.org/index.php/WPA

- wikipedia has some info on wpa : http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

- the website of the wpasupplicant project has a config file with lots of examples : http://hostap.epitest.fi/wpa_supplicant/

- the net configuration at debcon5 was similar : http://wiki.debian.org/?DebConf5WirelessHowto
