PhilippeTeuwen: /* Advanced support (dynamically added/removed PSKs) without MAC pairing: */

2018-11-08T11:51:32Z

Advanced support (dynamically added/removed PSKs) without MAC pairing:

← Older revision		Revision as of 11:51, 8 November 2018
Line 419:		Line 419:
	==== Advanced support (dynamically added/removed PSKs) without MAC pairing: ====		==== Advanced support (dynamically added/removed PSKs) without MAC pairing: ====

	cf [http://lists.shmoo.com/pipermail/hostap/2004-September/~~008037~~.html this post to the hostap list]		cf [http://lists.shmoo.com/pipermail/hostap/2004-September/008184.html this post to the hostap list]

	==== Advanced support (dynamically added/removed PSKs) with MAC pairing: ====		==== Advanced support (dynamically added/removed PSKs) with MAC pairing: ====

PhilippeTeuwen: Reverted edits by Etegohy (Talk) to last revision by PhilippeTeuwen

2010-11-24T20:32:59Z

Reverted edits by Etegohy (Talk) to last revision by PhilippeTeuwen

Can't load revision 6799

at 00:27, 24 November 2010

2010-11-24T00:27:06Z

Can't load revision 6641

PhilippeTeuwen at 00:00, 2 March 2008

2008-03-02T00:00:26Z

Show changes

PhilippeTeuwen at 23:57, 1 March 2008

2008-03-01T23:57:19Z

New page

''Converted with [[MediaWiki#HTML-WikiConverter|HTML::WikiConverter::MediaWiki]] from my old phpwiki site''
----
=== Installation ===

This works best with a prism chipset, e.g. a Senao card (while new versions of hostap can work with some other chipsets, check the doc). Instructions are given here for a (mini)PCI. If needed, first remove Debian packages as we'll install the very last version (0.4.4)

apt-get remove hostap-modules-$(uname -r) hostap-utils hostapd
wget http://hostap.epitest.fi/releases/hostap-driver-0.4.4.tar.gz
tar xzf hostap-driver-0.4.4.tar.gz
cd hostap-driver-0.4.4
make
make install
cd ..
wget http://hostap.epitest.fi/releases/hostap-utils-0.4.0.tar.gz
tar xzf hostap-utils-0.4.0.tar.gz
cd hostap-utils-0.4.0
make
make install
cd ..
wget http://hostap.epitest.fi/releases/hostapd-0.4.4.tar.gz
tar xzf hostapd-0.4.4.tar.gz
cd hostapd-0.4.4
cp defconfig .config (and edit the file if needed)
make
make install
mkdir -p /etc/hostapd
cp hostapd.accept hostapd.deny hostapd.conf hostapd.wpa_psk /etc/hostapd
cd ..
wget http://hostap.epitest.fi/releases/wpa_supplicant-0.4.4.tar.gz
tar xzf wpa_supplicant-0.4.4.tar.gz
cd wpa_supplicant-0.4.4
cp defconfig .config (and edit the file if needed)
make
make install
mkdir -p /etc/hostapd
cp wpa_supplicant.conf /etc/hostapd
make wpa_gui
cp wpa_gui/wpa_gui /usr/local/sbin
=== Typical launch of hostapd ===

Edit files in /etc/hostapd if needed, especially hostapd.conf

modprobe hostap_pci
ifconfig wlan0 10.0.0.1
iwconfig wlan0 mode master
iwconfig wlan0 essid test
iwconfig wlan0 channel 1
hostapd -dd /etc/hostapd/hostapd.conf (to run in debug mode)
hostapd -B /etc/hostapd/hostapd.conf (to run in background daemon mode)

To stop:

killall hostapd
ifconfig wlan0 down
modprobe -r hostap_pci
modprobe -r hostap_crypt_wep
modprobe -r hostap_crypt_tkip
modprobe -r hostap_crypt_ccmp
modprobe -r hostap

=== Typical launch of wpa_supplicant ===

Edit wpa_supplicant.conf in /etc/hostapd if needed, especially comment out configurations using EAP methods not compiled in wpa_supplicant (cf .config used to compile wpa_supplicant)

modprobe hostap_pci
wpa_supplicant -dd -iwlan0 -w -c/etc/hostapd/wpa_supplicant.conf (to run in debug mode)
wpa_supplicant -B -iwlan0 -w -c/etc/hostapd/hostapd.conf (to run in background daemon mode)
pump -i wlan0

Note that for ipw2200 clients you need to add -Dipw for kernels < 2.6.13 and -Dwext fir kernels >= 2.6.13

To stop:

pump -k -i wlan0
killall wpa_supplicant
ifconfig wlan0 down
modprobe -r hostap_pci
modprobe -r hostap_crypt_wep
modprobe -r hostap_crypt_tkip
modprobe -r hostap_crypt_ccmp
modprobe -r hostap

=== Resources ===

* ipw2200
** http://ubuntuforums.org/showthread.php?t=26623
** http://www.enseirb.fr/kadionik/linux/wifi.sh.txt
** [http://www.cure.nom.fr/article.php?theme=Linux&id_fic=22 http://www.cure.nom.fr/article.php?theme=Linux&id_fic=22]
** http://tvilda.tigbis.lt/dokuwiki/doku.php?id=ubuntu__intel_pro_wireless_2200bg__wpa_mini-howto_fr

=== hostap-utils ===
hostap-utils contains a utility called '''hostap_crypt_conf'''
====Man page====
hostap_crypt_conf is a tool for configuring encryption keys to the Host AP driver. It extends the features of iwconfig by '''''supporting individual per STA keys''''' and support more than one encryption algorithm.

hostap_crypt_conf takes following options:

Usage: hostap_crypt_conf [-1]..[-9] [-t] [-p] <device> <addr> <alg> [key]
Options:
-1 .. -9 key index (for WEP); only one index per command
-t set TX key index (given with -1 .. -9)
-p permanent station configuration (do not expire data)
device wlan#
addr station hwaddr or ff:ff:ff:ff:ff:ff for default/broadcast key
alg crypt algorithm (WEP, NULL, none)
key key data (in hex, e.g. '0011223344', or s:string)

Algorithms:
WEP 40 or 104 bit WEP
TKIP Temporal Key Integrity Protocol (TKIP), WEP with per-packet temporal keys and Michael MIC
CCMP AES-CCM (Counter with CBC-MAC)
NULL NULL encryption (i.e., do not encrypt/decrypt);
used to configure no encryption for given station when using default encryption
none disable encryption

IEEE 802.11 (Chap. 8.3.2) specifies that dot11WEPKeyMappings uses only one key per station address (whereas dot11WEDefaultKeys has four), but Host AP uses a more general implementation that allows four keys even with individual keys. However, to remain compliant with the standard, it is recommended to use only the first key with station-specific key mapping. In addition, it might be useful to configure default TX key to be something else than the first key to allow individual keys to be used even with stations that not explicitly support WEP key mapping.

==== AP configuration example ====

use station specific key also with broadcast RX frames to support different keys with stations that do not use WEP key mapping; if the stations allow configuration of separate key for broadcast/multicast bcrx_sta_key should be left to 0 (default)

prism2_param wlan0 bcrx_sta_key 1

set key2 as the default key (used with broadcast/multicast frames and with stations for which there is no individual key mapping)

hostap_crypt_conf -2t wlan0 ff:ff:ff:ff:ff:ff WEP s:abcde

or with iwconfig:

iwconfig wlan0 key s:abcde [2]
iwconfig wlan0 key [2]

set a permanent key mapping for STA2 (hwaddr=00:11:22:33:44:55)

hostap_crypt_conf -p wlan0 00:11:22:33:44:55 WEP s:qwert

==== STA1 configuration example ====

use only the default key (i.e., no key mapping)

iwconfig wlan0 key s:abcde [2]
iwconfig wlan0 key [2]

==== STA2 configuration example (hwaddr=00:11:22:33:44:55) ====

configure default key (idx 2) so that the station knows how to decrypt broadcast/multicast frames

iwconfig wlan0 key s:abcde [2]

configure individual key (idx 1) that will be used to decrypt unicast frames from the AP and to encrypt all frames to the AP

iwconfig wlan0 key s:qwert [1]
iwconfig wlan0 key [1]
=== Example how to use WPA-PSK ===

==== On the AP ====

Use hostapd Edit /etc/hostapd/hostapd.conf with:

interface=wlan0
ssid=test
wpa=1
wpa_passphrase=<string of 8 to 63 chars>
wpa_psk=<hex string representing 32 bytes>
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP

Launch hostapd />If both wpa_passphrase and wpa_psk are provided, passphrase is used.

==== On the STA ====

Use wpa_supplicant At least STA firmware 1.7.0 is required to use WPA on prism chipsets, see HostApFlash for firmware upgrade. Edit /etc/wpa_supplicant.conf with:

ctrl_interface=/var/run/wpa_supplicant
network={
ssid="test"
proto=WPA
key_mgmt=WPA-PSK
pairwise=TKIP CCMP
group=TKIP CCMP
psk=... ("passphrase" or hex)
}

Launch wpa_supplicant

===EAP===
==== Support of WPA-Enterprise and RADIUS under GNU/Linux ====

* [http://hostap.epitest.fi/ Host AP driver for Intersil Prism2/2.5/3 and WPA Supplicant]
* [http://www.mtghouse.com/products/aegisclient/index.shtml AEGIS client]
* [http://www.missl.cs.umd.edu/Projects/wireless/8021x/ Summary by OS]

==== RADIUS implementations ====

* [http://www.gnu.org/software/radius/ GNU RADIUS]
* [http://www.freeradius.org/ freeRADIUS]
* [http://sourceforge.net/projects/portslave/ PortSlave], used by [http://www.linuxrouter.org/ LRP]
* [http://radius.innercite.com/ IC-RADIUS]
* Now hostap can handle some of the EAP methods without need for a RADIUS server

==== Open1x ====

* [http://www.open1x.org Xsupplicant]
* [http://www.missl.cs.umd.edu/wireless/eaptls/ HOWTO on EAP/TLS authentication between FreeRADIUS and XSupplicant] (quite old...)
* [http://tldp.org/HOWTO/8021X-HOWTO/intro.html 802.1X Port-Based Authentication HOWTO]

==== Links and security articles ====

* [http://www.drizzle.com/aboba/IEEE/ The Unofficial 802.11 Security Web Page]
* [http://www.drizzle.com/aboba/RADEXT/radius_vuln_00.txt RADIUS Vulnerabilities in Wireless and Wired Environments]
* [http://www.untruth.org/josh/security/radius/radius-auth.html An Analysis of the RADIUS Authentication Protocol]

==== Example: EAP-TLS ====

Setting up hostapd with FreeRADIUS

(note: now hostap can handle some of the EAP methods without need for a RADIUS server)

==== Installing FreeRADIUS ====

cd /usr/local/src
wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.1.tar.gz
tar zxfv freeradius-1.0.1.tar.gz
cd freeradius-1.0.1
./configure
make
make install

Edit /usr/local/etc/raddb/eap.conf:

default_eap_type = tls
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
}

Edit /usr/local/etc/raddb/users:

Client Auth-Type := EAP

Edit /etc/hostapd/hostapd.conf:

ieee8021x=1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
acct_server_addr=127.0.0.1
acct_server_port=1813
acct_server_shared_secret=testing123
wpa_key_mgmt=WPA-EAP

Launch FreeRADIUS

/usr/local/sbin/rc.radiusd start

Launch hostapd, cf HostApUsage

==== Setting up wpa_supplicant ====

Be sure wpa_supplicant is compiled with EAPOL and EAP-TLS

Copy certificates from the server to the client, e.g. in /etc/certs:

* The CA certificate (/usr/local/etc/raddb/certs/demoCA/cacert.pem on the server)
* The client certificate (/usr/local/etc/raddb/certs/cert-clt.pem on the server)

Edit /etc/wpa_supplicant.conf:

network={
ssid="test"
proto=WPA RSN
key_mgmt=WPA-EAP
eap=TLS
identity="Client"
ca_cert="/etc/certs/cacert.pem"
client_cert="/etc/certs/cert-clt.pem"
private_key="/etc/certs/cert-clt.pem"
private_key_passwd="whatever"
}
=== To flash your Prism card ===

In order to use WPA with a Prism card you need at least v 1.7.0 of the firmware.

To check what is the current version:

hostap_diag wlan0

Follow instructions given in http://linux.junsun.net/intersil-prism/ You can flash from linux with prism_srec You'll have to recompile and reinstall the drivers after having defined PRISM2_NON_VOLATILE_DOWNLOAD (and PRISM2_DOWNLOAD_SUPPORT) in driver/modules/hostap_config.h We tried primary firmware 1.1.1 and STA 1.8.0 but it seems that STA 1.7.4 is more robust Typical command: (check for your own chipset!!!)

prism2_srec -f wlan0 pk010101.hex sf010704.hex

Remark for a SMD 2632W card: its NICID is 0x8002 and is not listed nevertheless S1 firmwares can apply, e.g. [http://linux.junsun.net/intersil-prism/firmware/1.7.1/s1010701.hex s1010701.hex]. See also [http://linux.junsun.net/intersil-prism/stories/20040212_Andrew_Chapman_SMC2632W_NICID_8002.txt this story] So I could upgrade the SMD card from STAID v0.8.3 to v1.7.1
===Embedded===
==== [http://www.nimblemicro.com/ Nimble Micorsystems] ====

* [http://www.nimblemicro.com/products/netengine.htm NetEngine NP51R]
* [http://www.linuxdevices.com/news/NS3382169752.html Article on TNP-51R]

==== [http://www.soekris.com/ Soekris] ====

==== Articles ====

* [http://www.linuxdevices.com/articles/AT2334725255.html Building a wireless access point with Linux]
* [http://www.linuxdevices.com/articles/AT2005548492.html Linux-based gateways, servers, wireless access points]

HostAP - Revision history

PhilippeTeuwen: /* Advanced support (dynamically added/removed PSKs) without MAC pairing: */

PhilippeTeuwen: Reverted edits by Etegohy (Talk) to last revision by PhilippeTeuwen

at 00:27, 24 November 2010

PhilippeTeuwen at 00:00, 2 March 2008

PhilippeTeuwen at 23:57, 1 March 2008