Difference between revisions of "HostAP"
Latest revision as of 12:51, 8 November 2018
Converted with HTML::WikiConverter::MediaWiki from my old phpwiki site
Installation
This works best with a prism chipset, e.g. a Senao card (while new versions of hostap can work with some other chipsets, check the doc).
Instructions are given here for a (mini)PCI.
If needed, first remove the Debian packages, as we'll install the very latest version (0.4.4):

    apt-get remove hostap-modules-$(uname -r) hostap-utils hostapd

    wget http://hostap.epitest.fi/releases/hostap-driver-0.4.4.tar.gz
    tar xzf hostap-driver-0.4.4.tar.gz
    cd hostap-driver-0.4.4
    make
    make install
    cd ..

    wget http://hostap.epitest.fi/releases/hostap-utils-0.4.0.tar.gz
    tar xzf hostap-utils-0.4.0.tar.gz
    cd hostap-utils-0.4.0
    make
    make install
    cd ..

    wget http://hostap.epitest.fi/releases/hostapd-0.4.4.tar.gz
    tar xzf hostapd-0.4.4.tar.gz
    cd hostapd-0.4.4
    cp defconfig .config        # and edit the file if needed
    make
    make install
    mkdir -p /etc/hostapd
    cp hostapd.accept hostapd.deny hostapd.conf hostapd.wpa_psk /etc/hostapd
    cd ..

    wget http://hostap.epitest.fi/releases/wpa_supplicant-0.4.4.tar.gz
    tar xzf wpa_supplicant-0.4.4.tar.gz
    cd wpa_supplicant-0.4.4
    cp defconfig .config        # and edit the file if needed
    make
    make install
    mkdir -p /etc/hostapd
    cp wpa_supplicant.conf /etc/hostapd
    make wpa_gui
    cp wpa_gui/wpa_gui /usr/local/sbin
Typical launch of hostapd
Edit files in /etc/hostapd if needed, especially hostapd.conf
    modprobe hostap_pci
    ifconfig wlan0 10.0.0.1
    iwconfig wlan0 mode master
    iwconfig wlan0 essid test
    iwconfig wlan0 channel 1
    hostapd -dd /etc/hostapd/hostapd.conf    # to run in debug mode
    hostapd -B /etc/hostapd/hostapd.conf     # to run in background daemon mode
To stop:
    killall hostapd
    ifconfig wlan0 down
    modprobe -r hostap_pci
    modprobe -r hostap_crypt_wep
    modprobe -r hostap_crypt_tkip
    modprobe -r hostap_crypt_ccmp
    modprobe -r hostap
Typical launch of wpa_supplicant
Edit wpa_supplicant.conf in /etc/hostapd if needed, especially comment out configurations using EAP methods not compiled in wpa_supplicant (cf .config used to compile wpa_supplicant)
    modprobe hostap_pci
    wpa_supplicant -dd -iwlan0 -w -c/etc/hostapd/wpa_supplicant.conf    # to run in debug mode
    wpa_supplicant -B -iwlan0 -w -c/etc/hostapd/wpa_supplicant.conf     # to run in background daemon mode
    pump -i wlan0

Note that for ipw2200 clients you need to add -Dipw for kernels < 2.6.13 and -Dwext for kernels >= 2.6.13
To stop:
    pump -k -i wlan0
    killall wpa_supplicant
    ifconfig wlan0 down
    modprobe -r hostap_pci
    modprobe -r hostap_crypt_wep
    modprobe -r hostap_crypt_tkip
    modprobe -r hostap_crypt_ccmp
    modprobe -r hostap
Resources
- ipw2200
hostap-utils
hostap-utils contains a utility called hostap_crypt_conf
Man page
hostap_crypt_conf is a tool for configuring encryption keys to the Host AP driver. It extends the features of iwconfig by supporting individual per-STA keys and more than one encryption algorithm.
hostap_crypt_conf takes the following options:

    Usage: hostap_crypt_conf [-1]..[-9] [-t] [-p] <device> <addr> <alg> [key]
    Options:
       -1 .. -9   key index (for WEP); only one index per command
       -t         set TX key index (given with -1 .. -9)
       -p         permanent station configuration (do not expire data)
       device     wlan#
       addr       station hwaddr or ff:ff:ff:ff:ff:ff for default/broadcast key
       alg        crypt algorithm (WEP, NULL, none)
       key        key data (in hex, e.g. '0011223344', or s:string)
    Algorithms:
       WEP        40 or 104 bit WEP
       TKIP       Temporal Key Integrity Protocol (TKIP), WEP with per-packet
                  temporal keys and Michael MIC
       CCMP       AES-CCM (Counter with CBC-MAC)
       NULL       NULL encryption (i.e., do not encrypt/decrypt);
                  used to configure no encryption for given station
                  when using default encryption
       none       disable encryption

IEEE 802.11 (Chap. 8.3.2) specifies that dot11WEPKeyMappings uses only one key per station address (whereas dot11WEPDefaultKeys has four), but Host AP uses a more general implementation that allows four keys even with individual keys. However, to remain compliant with the standard, it is recommended to use only the first key with station-specific key mapping. In addition, it might be useful to configure the default TX key to be something other than the first key, to allow individual keys to be used even with stations that do not explicitly support WEP key mapping.
AP configuration example
use station specific key also with broadcast RX frames to support different keys with stations that do not use WEP key mapping; if the stations allow configuration of separate key for broadcast/multicast bcrx_sta_key should be left to 0 (default):

    prism2_param wlan0 bcrx_sta_key 1

set key2 as the default key (used with broadcast/multicast frames and with stations for which there is no individual key mapping):

    hostap_crypt_conf -2t wlan0 ff:ff:ff:ff:ff:ff WEP s:abcde

or with iwconfig:

    iwconfig wlan0 key s:abcde [2]
    iwconfig wlan0 key [2]

set a permanent key mapping for STA2 (hwaddr=00:11:22:33:44:55):

    hostap_crypt_conf -p wlan0 00:11:22:33:44:55 WEP s:qwert

STA1 configuration example
use only the default key (i.e., no key mapping):

    iwconfig wlan0 key s:abcde [2]
    iwconfig wlan0 key [2]

STA2 configuration example (hwaddr=00:11:22:33:44:55)
configure default key (idx 2) so that the station knows how to decrypt broadcast/multicast frames:

    iwconfig wlan0 key s:abcde [2]

configure individual key (idx 1) that will be used to decrypt unicast frames from the AP and to encrypt all frames to the AP:

    iwconfig wlan0 key s:qwert [1]
    iwconfig wlan0 key [1]
Example how to use WPA-PSK
On the AP
Use hostapd
Edit /etc/hostapd/hostapd.conf with:
    interface=wlan0
    ssid=test
    wpa=1
    wpa_passphrase=<string of 8 to 63 chars>
    wpa_psk=<hex string representing 32 bytes>
    wpa_key_mgmt=WPA-PSK
    wpa_pairwise=TKIP CCMP

Launch hostapd
If both wpa_passphrase and wpa_psk are provided, the passphrase is used.
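The precedence rule above can be checked offline before hostapd is started. The following is an added example, not part of the original page or of hostapd: it parses a hostapd.conf fragment, derives the key from wpa_passphrase with the standard WPA mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes) and reports a wpa_psk that would be ignored. The function names and the sample configuration are constructed for illustration.

```python
import hashlib
import re

def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """Standard WPA mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("wpa_passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def effective_psk(conf_text: str):
    """Return (psk, warnings) for a hostapd.conf fragment (hypothetical helper)."""
    conf = {}
    for line in conf_text.splitlines():
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    warnings = []
    raw = None
    if "wpa_psk" in conf:
        if not re.fullmatch(r"[0-9a-fA-F]{64}", conf["wpa_psk"]):
            raise ValueError("wpa_psk must be 64 hex digits (32 bytes)")
        raw = bytes.fromhex(conf["wpa_psk"])
    if "wpa_passphrase" in conf:
        # Rule stated on this page: with both set, the passphrase is used.
        derived = passphrase_to_psk(conf["wpa_passphrase"], conf["ssid"])
        if raw is not None and raw != derived:
            warnings.append("wpa_psk does not match wpa_passphrase and is ignored")
        return derived, warnings
    if raw is None:
        raise ValueError("neither wpa_passphrase nor wpa_psk is set")
    return raw, warnings

# Constructed sample: the passphrase/SSID pair is the IEEE 802.11i PBKDF2 test
# vector; the all-zero wpa_psk is a deliberately stale leftover.
SAMPLE_CONF = "\n".join([
    "interface=wlan0",
    "ssid=IEEE",
    "wpa=1",
    "wpa_passphrase=password",
    "wpa_psk=" + "00" * 32,
    "wpa_key_mgmt=WPA-PSK",
    "wpa_pairwise=TKIP CCMP",
])

if __name__ == "__main__":
    psk, notes = effective_psk(SAMPLE_CONF)
    print(psk.hex(), notes)
```

The hex string it prints is what a station must use as psk= if it is configured with the raw key instead of the passphrase.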
On the STA
Use wpa_supplicant
At least STA firmware 1.7.0 is required to use WPA on prism chipsets, see HostApFlash for firmware upgrade.
Edit /etc/wpa_supplicant.conf with:
    ctrl_interface=/var/run/wpa_supplicant
    network={
        ssid="test"
        proto=WPA
        key_mgmt=WPA-PSK
        pairwise=TKIP CCMP
        group=TKIP CCMP
        psk=...        ("passphrase" or hex)
    }
Launch wpa_supplicant
EAP
Support of WPA-Enterprise and RADIUS under GNU/Linux
RADIUS implementations
- GNU RADIUS
- freeRADIUS
- PortSlave, used by LRP
- IC-RADIUS
- Now hostap can handle some of the EAP methods without need for a RADIUS server
Open1x
- Xsupplicant
- HOWTO on EAP/TLS authentication between FreeRADIUS and XSupplicant (quite old...)
- 802.1X Port-Based Authentication HOWTO
Links and security articles
- The Unofficial 802.11 Security Web Page
- RADIUS Vulnerabilities in Wireless and Wired Environments
- An Analysis of the RADIUS Authentication Protocol
Example: EAP-TLS
Setting up hostapd with FreeRADIUS
(note: now hostap can handle some of the EAP methods without need for a RADIUS server)
Installing FreeRADIUS
    cd /usr/local/src
    wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.1.tar.gz
    tar zxfv freeradius-1.0.1.tar.gz
    cd freeradius-1.0.1
    ./configure
    make
    make install
Edit /usr/local/etc/raddb/eap.conf:
    default_eap_type = tls
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
    }
Edit /usr/local/etc/raddb/users:
Client Auth-Type := EAP
Edit /etc/hostapd/hostapd.conf:
    ieee8021x=1
    auth_server_addr=127.0.0.1
    auth_server_port=1812
    auth_server_shared_secret=testing123
    acct_server_addr=127.0.0.1
    acct_server_port=1813
    acct_server_shared_secret=testing123
    wpa_key_mgmt=WPA-EAP
Launch FreeRADIUS
/usr/local/sbin/rc.radiusd start
Launch hostapd, cf HostApUsage
Setting up wpa_supplicant
Be sure wpa_supplicant is compiled with EAPOL and EAP-TLS
Copy certificates from the server to the client, e.g. in /etc/certs:
- The CA certificate (/usr/local/etc/raddb/certs/demoCA/cacert.pem on the server)
- The client certificate (/usr/local/etc/raddb/certs/cert-clt.pem on the server)
Edit /etc/wpa_supplicant.conf:
    network={
        ssid="test"
        proto=WPA RSN
        key_mgmt=WPA-EAP
        eap=TLS
        identity="Client"
        ca_cert="/etc/certs/cacert.pem"
        client_cert="/etc/certs/cert-clt.pem"
        private_key="/etc/certs/cert-clt.pem"
        private_key_passwd="whatever"
    }
To flash your Prism card
In order to use WPA with a Prism card you need at least v 1.7.0 of the firmware.
To check what is the current version:
hostap_diag wlan0
Follow instructions given in http://linux.junsun.net/intersil-prism/
You can flash from Linux with prism2_srec
You'll have to recompile and reinstall the drivers after having defined PRISM2_NON_VOLATILE_DOWNLOAD (and PRISM2_DOWNLOAD_SUPPORT) in driver/modules/hostap_config.h
We tried primary firmware 1.1.1 and STA 1.8.0 but it seems that STA 1.7.4 is more robust
Typical command: (check for your own chipset!!!)
prism2_srec -f wlan0 pk010101.hex sf010704.hex
Remark for a SMD 2632W card: its NICID is 0x8002 and is not listed; nevertheless S1 firmwares can apply, e.g. s1010701.hex.
See also this story
So I could upgrade the SMD card from STAID v0.8.3 to v1.7.1
Embedded
Nimble Microsystems
Soekris
Articles
Current version when writing: 0.4.4
Hostapd devel
Client
Hostapd comes with hostapd_cli and UNIX datagram socket communication. Emulation of hostapd_cli can be achieved with socat:
- socat STDIO UNIX-CONNECT:/var/run/hostapd/wlan0,type=2,bind=/tmp/<my_socket>
Be sure there is no /tmp/<my_socket> file prior to the call (in particular socat doesn't destroy the file afterwards)
To send commands, don't hit <ENTER> but <CTRL-D>.
To quit, hit <CTRL-D> twice.
Example: PING<CTRL-D>
- Why do we have ATTACH/DETACH? To get debug=INFO logs?
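The same exchange as the socat call, as an added example that is not part of the original page or of hostapd: a client that binds its own datagram socket in a private temporary directory (so no stale or predictable /tmp/<my_socket> file is involved), sends one command and removes the socket file afterwards. fake_hostapd is a constructed stand-in so the block runs without an AP; its PONG reply to PING is an assumption about hostapd's answer.

```python
import os
import socket
import tempfile
import threading

def ctrl_request(ctrl_path: str, command: str, timeout: float = 2.0) -> str:
    """Send one command to a hostapd control socket and return the reply."""
    # hostapd answers to the sender's address, so the client needs a bound
    # path of its own (bind=/tmp/<my_socket> in the socat call). A fresh
    # 0700 directory avoids both a stale file and a predictable /tmp name.
    local_dir = tempfile.mkdtemp(prefix="hostapd_ctrl_")
    local_path = os.path.join(local_dir, "client")
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)  # socat type=2
    try:
        sock.bind(local_path)
        sock.settimeout(timeout)
        sock.connect(ctrl_path)
        sock.send(command.encode())  # one datagram, no trailing newline
        return sock.recv(4096).decode(errors="replace")
    finally:
        sock.close()
        if os.path.exists(local_path):
            os.unlink(local_path)  # socat leaves this file behind
        os.rmdir(local_dir)

def fake_hostapd(server: socket.socket) -> None:
    """Constructed stand-in for hostapd: answers a single datagram."""
    data, peer = server.recvfrom(256)
    server.sendto(b"PONG\n" if data == b"PING" else b"UNKNOWN COMMAND\n", peer)

def demo() -> str:
    """Run ctrl_request against the stand-in; returns the reply to PING."""
    server_dir = tempfile.mkdtemp(prefix="fake_hostapd_")
    server_path = os.path.join(server_dir, "wlan0")
    server = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    server.bind(server_path)
    server.settimeout(5.0)
    worker = threading.Thread(target=fake_hostapd, args=(server,))
    worker.start()
    try:
        return ctrl_request(server_path, "PING")
    finally:
        worker.join()
        server.close()
        os.unlink(server_path)
        os.rmdir(server_dir)

if __name__ == "__main__":
    print(repr(demo()))
```

Against a real AP, call ctrl_request("/var/run/hostapd/wlan0", "PING") as a user allowed to write to that socket.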
Patches
To allow optional carriage returns on the socket messages (makes life easier, no need to hit <CTRL-D> anymore)
--- hostapd-0.4.4/ctrl_iface.c 2005-06-12 20:18:50.000000000 +0200 +++ my_hostapd-0.4.4/ctrl_iface.c 2005-09-05 16:16:16.000000000 +0200 @@ -198,7 +198,7 @@ perror("recvfrom(ctrl_iface)"); return; } - buf[res] = '\0'; + buf[buf[res-1]=='\n'?res-=1:res] = '\0'; wpa_hexdump_ascii(MSG_DEBUG, "RX ctrl_iface", (u8 *) buf, res); reply = malloc(reply_size);
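Review bot: In the replaced line, buf[res-1] is read before anything guarantees res > 0. The visible context shows only the recvfrom error return, so a zero-length datagram reaches this line with res == 0, the expression indexes buf[-1], and if that byte happens to be '\n' the terminator is written there and res becomes -1 for the wpa_hexdump_ascii call that follows. Guard the strip and take the side effect out of the subscript, for example `if (res > 0 && buf[res - 1] == '\n') res--;` followed by the original `buf[res] = '\0';`. It is also worth stating in the patch description that only a single trailing '\n' is removed, so a client sending "\r\n" still delivers a stray '\r' to the command parser.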
To be able to install wpa_gui
--- wpa_supplicant-0.4.4/Makefile 2005-08-21 21:24:43.000000000 +0200 +++ wpa_supplicant-0.4.4/Makefile 2005-09-05 21:22:49.000000000 +0200 @@ -392,6 +392,9 @@ wpa_gui: wpa_gui/Makefile $(MAKE) -C wpa_gui +wpa_gui-install: wpa_gui/Makefile + $(MAKE) -C wpa_gui install + TEST_SRC_MS_FUNCS = ms_funcs.c crypto.c sha1.c md5.c test-ms_funcs: $(TEST_SRC_MS_FUNCS) $(CC) -o test-ms_funcs -Wall -Werror $(TEST_SRC_MS_FUNCS) \ --- wpa_supplicant-0.4.4/wpa_gui/wpa_gui.pro 2005-08-21 06:34:52.000000000 +0200 +++ wpa_supplicant-0.4.4/wpa_gui/wpa_gui.pro 2005-09-05 21:01:51.000000000 +0200 @@ -25,6 +25,9 @@ UI_DIR = .ui MOC_DIR = .moc OBJECTS_DIR = .obj + INSTALLS = executables + executables.path=/usr/local/sbin + executables.files = wpa_gui } --- wpa_supplicant-0.4.4/wpa_gui-qt4/wpa_gui.pro 2005-08-21 19:36:10.000000000 +0200 +++ wpa_supplicant-0.4.4/wpa_gui-qt4/wpa_gui.pro 2005-09-05 21:03:34.000000000 +0200 @@ -30,6 +30,9 @@ UI_DIR = .ui MOC_DIR = .moc OBJECTS_DIR = .obj + INSTALLS = executables + executables.path=/usr/local/sbin + executables.files = wpa_gui }
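Review bot: The new Makefile target wpa_gui-install only runs `$(MAKE) -C wpa_gui install`, while the patch also adds an INSTALLS block to wpa_gui-qt4/wpa_gui.pro; nothing visible here ever invokes that second install rule, so either add a matching target for wpa_gui-qt4 or drop that hunk. In both .pro hunks `executables.path=/usr/local/sbin` is hard-coded; take the destination from a variable so the install location can be overridden instead of being fixed in two files. A short comment or README line documenting the new target would help, since the installation steps currently copy wpa_gui by hand.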
Todo
- Remove STAs that should not be associated anymore after SIGHUP: iterate through PSK list for all associated STAs and verify their PMK is available in the new config (and PSK flag, what about EAP?), cf handle_reload()
- Prepare live PSK control
- Make the PSK list a double-linked list
- Add commands to add/remove PSKs via socket
- Add support for home/guest flags (then probably only via socket)
- (take back hostap wiki info)
Previous support for multiple WPA-PSK in hostapd
Basic support (statically loaded PSKs) with MAC pairing:
From development release 0.3.0, some mPSK support was included (but not with dynamic add/removal), cf http://hostap.epitest.fi/ and the changelog:
2004-12-05 - v0.3.0 (beginning of 0.3.x development releases)
added support for multiple WPA pre-shared keys (e.g., one for each client MAC address or keys shared by a group of clients);
new hostapd.conf field wpa_psk_file for setting path to a text file containing PSKs, see hostapd.wpa_psk for an example
Advanced support (dynamically added/removed PSKs) without MAC pairing:
cf this post to the hostap list
Advanced support (dynamically added/removed PSKs) with MAC pairing:
cf first mail to Jouni but code less clean than for the previous bullet
Tests on advanced support (dynamically added/removed PSKs) without MAC pairing
Tests performed on a 90 MHz Pentium with 40Mb of RAM, an SMC PCMCIA card (802.11b, Prism based) and an mPSK version of hostapd with timestamps (for the timing measurements).
Measurements are taken between reception of handshake message 2/4 and emission of handshake message 3/4.
- It takes 143 ms to check 100 PSKs
- It takes 1430 ms to check 1000 PSKs
- It takes 14200 ms to check 10000 PSKs (actually too long for the wpa_supplicant to be authenticated the first time)
1.43 ms per PSK @ 90 MHz => it takes 90*10^6 * 1.43*10^-3 = 128700 cycles per PSK
For info, it takes an additional 75 ms to perform the entire authentication process on the 90 MHz Pentium.
Tests performed on a 1400 MHz Pentium with an Engenius miniPCI card.
- It takes 50500 usecs to check 100 PSKs
- It takes between 70000 and 120000 usecs to check 1000 PSKs
- It takes between 560000 and 640000 usecs to check 10000 PSKs
So something like 84000 cycles per PSK
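Why the time between message 2/4 and message 3/4 grows linearly with the number of PSKs when there is no MAC pairing: the AP cannot tell which key the station used, so it derives a PTK from each configured PSK and compares the resulting MIC with the one in message 2/4 until one matches. The following is an added example that models this lookup; it is not the code of the mPSK hostapd version measured above. All handshake values are constructed, and a 64-byte PTK (TKIP) is assumed.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def eapol_mic(pmk, aa, spa, anonce, snonce, frame, key_desc_version=1):
    """MIC over an EAPOL-Key frame (MIC field zeroed) for one candidate PMK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    kck = ptk[:16]  # key confirmation key
    if key_desc_version == 1:  # WPA with TKIP: HMAC-MD5
        return hmac.new(kck, frame, hashlib.md5).digest()
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]  # CCMP: HMAC-SHA1-128

def find_psk(psks, aa, spa, anonce, snonce, frame, mic, key_desc_version=1):
    """Index of the configured PSK that validates message 2/4, else None."""
    for index, psk in enumerate(psks):  # one PTK derivation + one MIC per PSK
        expected = eapol_mic(psk, aa, spa, anonce, snonce, frame, key_desc_version)
        if hmac.compare_digest(expected, mic):
            return index
    return None

def demo(n_psks=100, used=42):
    """Constructed handshake values; the station is given PSK number `used`."""
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    frame = b"\x01\x03" + b"constructed EAPOL-Key 2/4 body, MIC field zeroed"
    psks = [hashlib.sha256(b"constructed PSK %d" % i).digest() for i in range(n_psks)]
    mic = eapol_mic(psks[used], aa, spa, anonce, snonce, frame)
    return find_psk(psks, aa, spa, anonce, snonce, frame, mic)

if __name__ == "__main__":
    print(demo())
```

A station whose key is last in the list, or not in it at all, costs the full scan, which is the worst case the measurements above describe.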
Ifscheme
Create an executable script called /etc/network/wpa_mapping:
    #!/bin/sh
    # Copyright 2006 Philippe Teuwen <phil__at__teuwen.org>
    # Licensed under the terms of GPL
    # Version 0.2
    #
    # This script is called by ifup/down to load the network scheme
    # according to wlan information returned by wpa_cli such as ssid, bssid, etc
    #
    # Arguments:
    #   on the command line, we have the name of the interface
    #   and on the stdin we have mapping patterns such as:
    #     key glob scheme
    #   key    is one of the variables given by wpa_cli status
    #   glob   is a pattern applied to the corresponding variable
    #   scheme is the scheme to return to ifup if we got a match
    # Note that spaces are removed from wpa_cli output!
    #
    # Example of section for /etc/network/interfaces:
    #
    #mapping wlan0
    #    script /etc/network/wpa_mapping
    #    map bssid 00:12:bf:13:98:ad home
    #    map ssid MyCompany work
    #    map ssid * any
    # ssid exists only once we are actually hooked to an AP so this is safe
    # If no match was possible, this returns wlan0-none

    # Take care of users calling this program directly.
    if [ -z "$1" ] ; then
        prog=$(basename "$0")
        echo "$prog: This script is a utility for mapping interfaces." >&2
        echo "$prog: See the interfaces(5) man page for more information." >&2
        exit 1
    fi

    # The real stuff begins here:
    #TODO: Do we need a timeout when using wpa_cli?
    # The status lines are kept as data and looked up by key. They are never
    # passed to eval: ssid is chosen by the AP and may contain shell syntax,
    # and this script runs as root from ifup.
    status=$(wpa_cli -i "$1" status | sed 's/ //g') || exit 1

    while read -r key glob scheme; do
        # value of the "key=value" status line (empty if the key is absent)
        value=$(printf '%s\n' "$status" |
            awk -v k="$key" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }')
        case "$value" in
            "")
                # undefined variable, do nothing but avoid being globbed
                # by a * on the next line
                ;;
            $glob)
                mapping="$scheme"
                break
                ;;
        esac
    done

    echo "$1-${mapping:-none}"
    exit
You can use the script now in /etc/network/interfaces, using the BSSID of your AP (cf iwconfig):
    mapping wlan0
        script /etc/network/wpa_mapping
        map bssid 00:12:bf:13:98:ad home
        map ssid MyCompany work
        map ssid * any

    iface wlan0-home inet static
        address 192.168.1.10
        netmask 255.255.255.0
        gateway 192.168.1.1
        # if you use resolvconf:
        dns-nameservers 192.168.1.2 192.168.1.1

    iface wlan0-work inet dhcp
        up export http_proxy=...

    iface wlan0-any inet dhcp
Draft notes:
    apt-get install wpasupplicant
    addgroup wpa
    adduser phil wpa
    edit /etc/wpa_supplicant.conf:
        ctrl_interface_group=wpa
        + section for network
    /etc/default/wpasupplicant:
        ENABLED=1
        OPTIONS="-w -i wlan -D wext -c /etc/wpa_supplicant.conf"
    /etc/default/ifplugd:
        INTERFACES="eth wlan"
    /etc/modprobe.d/ipw2200:
        options ipw2200 associate=0