Difference between revisions of "HostAP"

Revision as of 01:00, 2 March 2008

Converted with HTML::WikiConverter::MediaWiki from my old phpwiki site

Installation

This works best with a prism chipset, e.g. a Senao card (while new versions of hostap can work with some other chipsets, check the doc).
Instructions are given here for a (mini)PCI.
If needed, first remove Debian packages as we'll install the very last version (0.4.4)

apt-get remove hostap-modules-$(uname -r) hostap-utils hostapd
wget http://hostap.epitest.fi/releases/hostap-driver-0.4.4.tar.gz
tar xzf hostap-driver-0.4.4.tar.gz
cd hostap-driver-0.4.4
make
make install
cd ..
wget http://hostap.epitest.fi/releases/hostap-utils-0.4.0.tar.gz
tar xzf hostap-utils-0.4.0.tar.gz
cd hostap-utils-0.4.0
make
make install
cd ..
wget http://hostap.epitest.fi/releases/hostapd-0.4.4.tar.gz
tar xzf hostapd-0.4.4.tar.gz
cd hostapd-0.4.4
cp defconfig .config (and edit the file if needed)
make
make install
mkdir -p /etc/hostapd
cp hostapd.accept hostapd.deny hostapd.conf hostapd.wpa_psk /etc/hostapd
cd ..
wget http://hostap.epitest.fi/releases/wpa_supplicant-0.4.4.tar.gz
tar xzf wpa_supplicant-0.4.4.tar.gz
cd wpa_supplicant-0.4.4
cp defconfig .config (and edit the file if needed)
make
make install
mkdir -p /etc/hostapd
cp wpa_supplicant.conf /etc/hostapd
make wpa_gui
cp wpa_gui/wpa_gui /usr/local/sbin

Typical launch of hostapd

Edit files in /etc/hostapd if needed, especially hostapd.conf

modprobe hostap_pci
ifconfig wlan0 10.0.0.1
iwconfig wlan0 mode master
iwconfig wlan0 essid test
iwconfig wlan0 channel 1
hostapd -dd /etc/hostapd/hostapd.conf (to run in debug mode)
hostapd -B /etc/hostapd/hostapd.conf (to run in background daemon mode)

To stop:

killall hostapd
ifconfig wlan0 down
modprobe -r hostap_pci
modprobe -r hostap_crypt_wep
modprobe -r hostap_crypt_tkip
modprobe -r hostap_crypt_ccmp
modprobe -r hostap

Typical launch of wpa_supplicant

Edit wpa_supplicant.conf in /etc/hostapd if needed, especially comment out configurations using EAP methods not compiled in wpa_supplicant (cf .config used to compile wpa_supplicant)

modprobe hostap_pci
wpa_supplicant -dd -iwlan0 -w -c/etc/hostapd/wpa_supplicant.conf (to run in debug mode)
wpa_supplicant -B -iwlan0 -w -c/etc/hostapd/hostapd.conf (to run in background daemon mode)
pump -i wlan0

Note that for ipw2200 clients you need to add -Dipw for kernels < 2.6.13 and -Dwext fir kernels >= 2.6.13

To stop:

pump -k -i wlan0
killall wpa_supplicant
ifconfig wlan0 down
modprobe -r hostap_pci
modprobe -r hostap_crypt_wep
modprobe -r hostap_crypt_tkip
modprobe -r hostap_crypt_ccmp
modprobe -r hostap

Resources

ipw2200

hostap-utils

hostap-utils contains a utility called hostap_crypt_conf

Man page

hostap_crypt_conf is a tool for configuring encryption keys to the Host AP driver. It extends the features of iwconfig by supporting individual per STA keys and support more than one encryption algorithm.

hostap_crypt_conf takes following options:

Usage: hostap_crypt_conf [-1]..[-9] [-t] [-p] <device> <addr> <alg> [key]
Options:
  -1 .. -9   key index (for WEP); only one index per command
  -t         set TX key index (given with -1 .. -9)
  -p         permanent station configuration (do not expire data)
  device     wlan#
  addr       station hwaddr or ff:ff:ff:ff:ff:ff for default/broadcast key
  alg        crypt algorithm (WEP, NULL, none)
  key        key data (in hex, e.g. '0011223344', or s:string)

Algorithms:
  WEP        40 or 104 bit WEP
  TKIP       Temporal Key Integrity Protocol (TKIP), WEP with per-packet temporal keys and Michael MIC
  CCMP       AES-CCM (Counter with CBC-MAC)
  NULL       NULL encryption (i.e., do not encrypt/decrypt);
             used to configure no encryption for given station when using default encryption
  none       disable encryption

IEEE 802.11 (Chap. 8.3.2) specifies that dot11WEPKeyMappings uses only one key per station address (whereas dot11WEDefaultKeys has four), but Host AP uses a more general implementation that allows four keys even with individual keys. However, to remain compliant with the standard, it is recommended to use only the first key with station-specific key mapping. In addition, it might be useful to configure default TX key to be something else than the first key to allow individual keys to be used even with stations that not explicitly support WEP key mapping.

AP configuration example

use station specific key also with broadcast RX frames to support different keys with stations that do not use WEP key mapping; if the stations allow configuration of separate key for broadcast/multicast bcrx_sta_key should be left to 0 (default)

prism2_param wlan0 bcrx_sta_key 1

set key2 as the default key (used with broadcast/multicast frames and with stations for which there is no individual key mapping)

hostap_crypt_conf -2t wlan0 ff:ff:ff:ff:ff:ff WEP s:abcde

or with iwconfig:

iwconfig wlan0 key s:abcde [2]
iwconfig wlan0 key [2]

set a permanent key mapping for STA2 (hwaddr=00:11:22:33:44:55)

hostap_crypt_conf -p wlan0 00:11:22:33:44:55 WEP s:qwert

STA1 configuration example

use only the default key (i.e., no key mapping)

iwconfig wlan0 key s:abcde [2]
iwconfig wlan0 key [2]

STA2 configuration example (hwaddr=00:11:22:33:44:55)

configure default key (idx 2) so that the station knows how to decrypt broadcast/multicast frames

iwconfig wlan0 key s:abcde [2]

configure individual key (idx 1) that will be used to decrypt unicast frames from the AP and to encrypt all frames to the AP

iwconfig wlan0 key s:qwert [1]
iwconfig wlan0 key [1]

Example how to use WPA-PSK

On the AP

Use hostapd
Edit /etc/hostapd/hostapd.conf with:

interface=wlan0
ssid=test
wpa=1
wpa_passphrase=<string of 8 to 63 chars>
wpa_psk=<hex string representing 32 bytes>
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP

Launch hostapd />If both wpa_passphrase and wpa_psk are provided, passphrase is used.

On the STA

Use wpa_supplicant
At least STA firmware 1.7.0 is required to use WPA on prism chipsets, see HostApFlash for firmware upgrade.
Edit /etc/wpa_supplicant.conf with:

ctrl_interface=/var/run/wpa_supplicant
network={
  ssid="test"
  proto=WPA
  key_mgmt=WPA-PSK
  pairwise=TKIP CCMP
  group=TKIP CCMP
  psk=... ("passphrase" or hex)
}

Launch wpa_supplicant

EAP

Support of WPA-Enterprise and RADIUS under GNU/Linux

RADIUS implementations

GNU RADIUS
freeRADIUS
PortSlave, used by LRP
IC-RADIUS
Now hostap can handle some of the EAP methods without need for a RADIUS server

Open1x

Links and security articles

Example: EAP-TLS

Setting up hostapd with FreeRADIUS

(note: now hostap can handle some of the EAP methods without need for a RADIUS server)

Installing FreeRADIUS

cd /usr/local/src
wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.1.tar.gz
tar zxfv freeradius-1.0.1.tar.gz
cd freeradius-1.0.1
./configure
make
make install

Edit /usr/local/etc/raddb/eap.conf:

default_eap_type = tls
tls {
   private_key_password = whatever
   private_key_file = ${raddbdir}/certs/cert-srv.pem
   certificate_file = ${raddbdir}/certs/cert-srv.pem
   CA_file = ${raddbdir}/certs/demoCA/cacert.pem
   dh_file = ${raddbdir}/certs/dh
   random_file = ${raddbdir}/certs/random
   fragment_size = 1024
}

Edit /usr/local/etc/raddb/users:

Client     Auth-Type := EAP

Edit /etc/hostapd/hostapd.conf:

ieee8021x=1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
acct_server_addr=127.0.0.1
acct_server_port=1813
acct_server_shared_secret=testing123
wpa_key_mgmt=WPA-EAP

Launch FreeRADIUS

/usr/local/sbin/rc.radiusd start

Launch hostapd, cf HostApUsage

Setting up wpa_supplicant

Be sure wpa_supplicant is compiled with EAPOL and EAP-TLS

Copy certificates from the server to the client, e.g. in /etc/certs:

The CA certificate (/usr/local/etc/raddb/certs/demoCA/cacert.pem on the server)
The client certificate (/usr/local/etc/raddb/certs/cert-clt.pem on the server)

Edit /etc/wpa_supplicant.conf:

network={
    ssid="test"
    proto=WPA RSN
    key_mgmt=WPA-EAP
    eap=TLS
    identity="Client"
    ca_cert="/etc/certs/cacert.pem"
    client_cert="/etc/certs/cert-clt.pem"
    private_key="/etc/certs/cert-clt.pem"
    private_key_passwd="whatever"
}

To flash your Prism card

In order to use WPA with a Prism card you need at least v 1.7.0 of the firmware.

To check what is the current version:

hostap_diag wlan0

Follow instructions given in http://linux.junsun.net/intersil-prism/
You can flash from linux with prism_srec
You'll have to recompile and reinstall the drivers after having defined PRISM2_NON_VOLATILE_DOWNLOAD (and PRISM2_DOWNLOAD_SUPPORT) in driver/modules/hostap_config.h
We tried primary firmware 1.1.1 and STA 1.8.0 but it seems that STA 1.7.4 is more robust
Typical command: (check for your own chipset!!!)

prism2_srec -f wlan0 pk010101.hex sf010704.hex

Remark for a SMD 2632W card: its NICID is 0x8002 and is not listed nevertheless S1 firmwares can apply, e.g. s1010701.hex.
See also this story
So I could upgrade the SMD card from STAID v0.8.3 to v1.7.1

Embedded

Nimble Micorsystems

Soekris

Articles

Current version when writing: 0.4.4

Hostapd devel

Client

Hostapd comes with hostapd_cli and UNIX datagram socket communication. Emulation of hostapd_cli can be achieved with socat:

socat STDIO UNIX-CONNECT:/var/run/hostapd/wlan0,type=2,bind=/tmp/<my_socket>

Be sure there is no /tmp/<my_socket> file prior to the call (in particular socat doesn't destroy the file afterwards)
To send commands, don't hit <ENTER> but <CTRL-D>.
To quit, hit twice <CTRL-D>.
Example: PING<CTRL-D>

Why do we have ATTACH/DETACH? To get debug=INFO logs?

Patches

To allow optional carriage returns on the socket messages (makes life easier, no need to hit <CTRL-D> anymore)

--- hostapd-0.4.4/ctrl_iface.c  2005-06-12 20:18:50.000000000 +0200
+++ my_hostapd-0.4.4/ctrl_iface.c       2005-09-05 16:16:16.000000000 +0200
@@ -198,7 +198,7 @@
                perror("recvfrom(ctrl_iface)");
                return;
        }
-       buf[res] = '\0';
+       buf[buf[res-1]=='\n'?res-=1:res] = '\0';
        wpa_hexdump_ascii(MSG_DEBUG, "RX ctrl_iface", (u8 *) buf, res);

        reply = malloc(reply_size);

To be able to install wpa_gui

--- wpa_supplicant-0.4.4/Makefile       2005-08-21 21:24:43.000000000 +0200
+++ wpa_supplicant-0.4.4/Makefile       2005-09-05 21:22:49.000000000 +0200
@@ -392,6 +392,9 @@
 wpa_gui: wpa_gui/Makefile
        $(MAKE) -C wpa_gui

+wpa_gui-install: wpa_gui/Makefile
+       $(MAKE) -C wpa_gui install
+
 TEST_SRC_MS_FUNCS = ms_funcs.c crypto.c sha1.c md5.c
 test-ms_funcs: $(TEST_SRC_MS_FUNCS)
        $(CC) -o test-ms_funcs -Wall -Werror $(TEST_SRC_MS_FUNCS) \
--- wpa_supplicant-0.4.4/wpa_gui/wpa_gui.pro    2005-08-21 06:34:52.000000000 +0200
+++ wpa_supplicant-0.4.4/wpa_gui/wpa_gui.pro    2005-09-05 21:01:51.000000000 +0200
@@ -25,6 +25,9 @@
   UI_DIR = .ui
   MOC_DIR = .moc
   OBJECTS_DIR = .obj
+  INSTALLS = executables
+  executables.path=/usr/local/sbin
+  executables.files = wpa_gui
 }


--- wpa_supplicant-0.4.4/wpa_gui-qt4/wpa_gui.pro        2005-08-21 19:36:10.000000000 +0200
+++ wpa_supplicant-0.4.4/wpa_gui-qt4/wpa_gui.pro        2005-09-05 21:03:34.000000000 +0200
@@ -30,6 +30,9 @@
   UI_DIR = .ui
   MOC_DIR = .moc
   OBJECTS_DIR = .obj
+  INSTALLS = executables
+  executables.path=/usr/local/sbin
+  executables.files = wpa_gui
 }

Todo

Remove STAs that should not be associated anymore after SIGHUP: iterate through PSK list for all associated STAs and verify their PMK is available in the new config (and PSK flag, what about EAP?), cf handle_reload()
Prepare live PSK control
- Make the PSK list a double-linked list
- Add commands to add/remove PSKs via socket
- Add support for home/guest flags (then probably only via socket)
(take back hostap wiki info)

Previous support for multiple WPA-PSK in hostapd

Basic support (statically loaded PSKs) with MAC pairing:

From development release 0.3.0, some mPSK support was included (but not with dynamic add/removal), cf http://hostap.epitest.fi/ and the changelog:
2004-12-05 - v0.3.0 (beginning of 0.3.x development releases)
added support for multiple WPA pre-shared keys (e.g., one for each client MAC address or keys shared by a group of clients);
new hostapd.conf field wpa_psk_file for setting path to a text file containing PSKs, see hostapd.wpa_psk for an example

Advanced support (dynamically added/removed PSKs) without MAC pairing:

cf this post to the hostap list

Advanced support (dynamically added/removed PSKs) with MAC pairing:

cf first mail to Jouni but code less clean than for the previous bullet

Tests on advanced support (dynamically added/removed PSKs) without MAC pairing

Tests performed on a 90MHz Pentium, 40Mb of RAM , with a SMC PCMCIA card (802.11b, Prism based) and a mPSK version of Hostapd with timestamps (for the timing measures).
Measures are done between reception of 2/4 handshake msg and emission of 3/4 handshake message.

It takes 143 ms to check 100 PSKs
It takes 1.430 ms to check 1000 PSKs
It takes 14.200 ms to check 10.000 PSKs (actually too long for the wpa_supplicant to be authenticated the first time)

1.43ms per PSK @ 90MHz => it takes 90.10^6*1.43*10^-3 = 128.700 cycles per PSK
For info, it takes an additional 75ms to perform the entire authentication process on the 90MHz pentium.

Tests performed on a 1400MHz Pentium with an Engenius miniPCI card.

It takes 50500 usecs to check 100 PSKs
It takes between 70.000 and 120.000 usecs to check 1000 PSKs
It takes between 560.000 and 640.000 usecs to check 10.000 PSKs

So sth like 84.000 cycles per PSK

Ifscheme

Create an executable script called /etc/network/wpa_mapping:

 #!/bin/sh
 
 # Copyright 2006 Philippe Teuwen <phil__at__teuwen.org>
 # Licensed under the terms of GPL
 # Version 0.2
 #
 # This script is called by ifup/down to load the network scheme
 # according to wlan informations returned by wpa_cli such as ssid, bssid, etc
 #
 # Arguments :
 # on the command line, we have the name of the interface
 # and on the stdin we have mapping patterns such as:
 # key glob scheme
 #   key    is one of the variables given by wpa_cli state
 #   glob   is a pattern applied to the corresponding variable
 #   scheme is the scheme to return to ifup if we got a match
 # Note that spaces are removed from wp_cli output!
 #
 # Example of section for /etc/network/interfaces:
 #
 #mapping wlan0
 #    script /etc/network/wpa_mapping
 #    map bssid 00:12:bf:13:98:ad home
 #    map ssid MyCompany work
 #    map ssid * any
 # ssid exists only once we are actually hooked to an AP so this is safe
 # If no match was possible, this returns wlan0-none
 
 # Take care of users calling this program directly.
 if [ -z "$1" ] ; then
         prog=$(basename $0)
         echo "$prog: This script is a utility for mapping interfaces." >&2
         echo "$prog: See the interfaces(5) man page for more information." >&2
         exit 1
 fi
 
 # The real stuff begins here:
 #TODO: Do we need a timeout when using wpa_cli?
 eval $(wpa_cli -i $1 status|sed 's/ //g') || exit 1
 while read key glob scheme; do
         case "${!key}" in
                 "")
 # undefined variable, do nothing but avoid being globbed by a * next line
                 ;;
                 $glob)
                         mapping="$scheme"
                         break
                 ;;
         esac
 done
 echo $1-${mapping:-none}
 exit

You can use the script now in /etc/network/interfaces, using the BSSID of your AP (cf iwconfig):

mapping wlan0
    script /etc/network/wpa_mapping
    map bssid 00:12:bf:13:98:ad home
    map ssid MyCompany work
    map ssid * any

iface wlan0-home inet static
    address 192.168.1.10
    netmask 255.255.255.0
    gateway 192.168.1.1
    # if you use resolvconf:
    dns-nameservers 192.168.1.2 192.168.1.1

iface wlan0-work inet dhcp
    up export http_proxy=...

iface wlan0-any inet dhcp

Draft notes:

apt-get install wpasupplicant
addgroup wpa
adduser phil wpa
edit /etc/wpa_supplicant.conf: ctrl_interface_group=wpa
+ section for network

/etc/default/wpasupplicant:
ENABLED=1
OPTIONS="-w -i wlan -D wext -c /etc/wpa_supplicant.conf"

/etc/default/ifplugd:

INTERFACES="eth wlan"

/etc/modprobe.d/ipw2200:
options ipw2200 associate=0