HostAP
Converted with HTML::WikiConverter::MediaWiki from my old phpwiki site
Installation
This works best with a prism chipset, e.g. a Senao card (while new versions of hostap can work with some other chipsets, check the doc).
Instructions are given here for a (mini)PCI card.
If needed, first remove the Debian packages, as we'll install the latest version (0.4.4):
    apt-get remove hostap-modules-$(uname -r) hostap-utils hostapd

    wget http://hostap.epitest.fi/releases/hostap-driver-0.4.4.tar.gz
    tar xzf hostap-driver-0.4.4.tar.gz
    cd hostap-driver-0.4.4
    make
    make install
    cd ..

    wget http://hostap.epitest.fi/releases/hostap-utils-0.4.0.tar.gz
    tar xzf hostap-utils-0.4.0.tar.gz
    cd hostap-utils-0.4.0
    make
    make install
    cd ..

    wget http://hostap.epitest.fi/releases/hostapd-0.4.4.tar.gz
    tar xzf hostapd-0.4.4.tar.gz
    cd hostapd-0.4.4
    cp defconfig .config    # and edit the file if needed
    make
    make install
    mkdir -p /etc/hostapd
    cp hostapd.accept hostapd.deny hostapd.conf hostapd.wpa_psk /etc/hostapd
    cd ..

    wget http://hostap.epitest.fi/releases/wpa_supplicant-0.4.4.tar.gz
    tar xzf wpa_supplicant-0.4.4.tar.gz
    cd wpa_supplicant-0.4.4
    cp defconfig .config    # and edit the file if needed
    make
    make install
    mkdir -p /etc/hostapd
    cp wpa_supplicant.conf /etc/hostapd
    make wpa_gui
    cp wpa_gui/wpa_gui /usr/local/sbin
Typical launch of hostapd
Edit files in /etc/hostapd if needed, especially hostapd.conf
    modprobe hostap_pci
    ifconfig wlan0 10.0.0.1
    iwconfig wlan0 mode master
    iwconfig wlan0 essid test
    iwconfig wlan0 channel 1
    hostapd -dd /etc/hostapd/hostapd.conf    # to run in debug mode
    hostapd -B /etc/hostapd/hostapd.conf     # to run in background daemon mode
To stop:
    killall hostapd
    ifconfig wlan0 down
    modprobe -r hostap_pci
    modprobe -r hostap_crypt_wep
    modprobe -r hostap_crypt_tkip
    modprobe -r hostap_crypt_ccmp
    modprobe -r hostap
Typical launch of wpa_supplicant
Edit wpa_supplicant.conf in /etc/hostapd if needed; in particular, comment out configurations that use EAP methods not compiled into wpa_supplicant (cf. the .config used to compile wpa_supplicant).
    modprobe hostap_pci
    wpa_supplicant -dd -iwlan0 -w -c/etc/hostapd/wpa_supplicant.conf    # to run in debug mode
    wpa_supplicant -B -iwlan0 -w -c/etc/hostapd/wpa_supplicant.conf     # to run in background daemon mode
    pump -i wlan0
Note that for ipw2200 clients you need to add -Dipw for kernels < 2.6.13 and -Dwext for kernels >= 2.6.13
To stop:
    pump -k -i wlan0
    killall wpa_supplicant
    ifconfig wlan0 down
    modprobe -r hostap_pci
    modprobe -r hostap_crypt_wep
    modprobe -r hostap_crypt_tkip
    modprobe -r hostap_crypt_ccmp
    modprobe -r hostap
Resources
- ipw2200
hostap-utils
hostap-utils contains a utility called hostap_crypt_conf
Man page
hostap_crypt_conf is a tool for configuring encryption keys to the Host AP driver. It extends the features of iwconfig by supporting individual per STA keys and supporting more than one encryption algorithm.
hostap_crypt_conf takes the following options:
    Usage: hostap_crypt_conf [-1]..[-9] [-t] [-p] <device> <addr> <alg> [key]

    Options:
      -1 .. -9   key index (for WEP); only one index per command
      -t         set TX key index (given with -1 .. -9)
      -p         permanent station configuration (do not expire data)
      device     wlan#
      addr       station hwaddr or ff:ff:ff:ff:ff:ff for default/broadcast key
      alg        crypt algorithm (WEP, NULL, none)
      key        key data (in hex, e.g. '0011223344', or s:string)

    Algorithms:
      WEP        40 or 104 bit WEP
      TKIP       Temporal Key Integrity Protocol (TKIP), WEP with per-packet
                 temporal keys and Michael MIC
      CCMP       AES-CCM (Counter with CBC-MAC)
      NULL       NULL encryption (i.e., do not encrypt/decrypt);
                 used to configure no encryption for given station
                 when using default encryption
      none       disable encryption
IEEE 802.11 (Chap. 8.3.2) specifies that dot11WEPKeyMappings uses only one key per station address (whereas dot11WEPDefaultKeys has four), but Host AP uses a more general implementation that allows four keys even with individual keys. However, to remain compliant with the standard, it is recommended to use only the first key with station-specific key mapping. In addition, it might be useful to configure the default TX key to be something other than the first key, to allow individual keys to be used even with stations that do not explicitly support WEP key mapping.
AP configuration example
Use a station-specific key also with broadcast RX frames, to support different keys with stations that do not use WEP key mapping. If the stations allow configuration of a separate key for broadcast/multicast, bcrx_sta_key should be left at 0 (default):
    prism2_param wlan0 bcrx_sta_key 1
Set key2 as the default key (used with broadcast/multicast frames and with stations for which there is no individual key mapping):
    hostap_crypt_conf -2t wlan0 ff:ff:ff:ff:ff:ff WEP s:abcde
or with iwconfig:
    iwconfig wlan0 key s:abcde [2]
    iwconfig wlan0 key [2]
Set a permanent key mapping for STA2 (hwaddr=00:11:22:33:44:55):
    hostap_crypt_conf -p wlan0 00:11:22:33:44:55 WEP s:qwert
STA1 configuration example
Use only the default key (i.e., no key mapping):
    iwconfig wlan0 key s:abcde [2]
    iwconfig wlan0 key [2]
STA2 configuration example (hwaddr=00:11:22:33:44:55)
Configure the default key (idx 2) so that the station knows how to decrypt broadcast/multicast frames:
    iwconfig wlan0 key s:abcde [2]
Configure the individual key (idx 1) that will be used to decrypt unicast frames from the AP and to encrypt all frames to the AP:
    iwconfig wlan0 key s:qwert [1]
    iwconfig wlan0 key [1]
Example how to use WPA-PSK
On the AP
Use hostapd
Edit /etc/hostapd/hostapd.conf with:
    interface=wlan0
    ssid=test
    wpa=1
    wpa_passphrase=<string of 8 to 63 chars>
    wpa_psk=<hex string representing 32 bytes>
    wpa_key_mgmt=WPA-PSK
    wpa_pairwise=TKIP CCMP
Launch hostapd
If both wpa_passphrase and wpa_psk are provided, passphrase is used.
On the STA
Use wpa_supplicant
At least STA firmware 1.7.0 is required to use WPA on prism chipsets, see HostApFlash for firmware upgrade.
Edit /etc/wpa_supplicant.conf with:
    ctrl_interface=/var/run/wpa_supplicant
    network={
        ssid="test"
        proto=WPA
        key_mgmt=WPA-PSK
        pairwise=TKIP CCMP
        group=TKIP CCMP
        # "passphrase" or hex
        psk=...
    }
Launch wpa_supplicant
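How the two key forms above relate (wpa_passphrase vs. wpa_psk on the AP, "passphrase" vs. hex on the STA), as an added example that is not part of the original page or of hostapd: WPA-PSK derives the 32-byte key from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations. The function names and the sample passphrase are assumptions made for this example.

```python
import hashlib
import re


def derive_wpa_psk(passphrase: str, ssid: str) -> str:
    """Map a WPA passphrase to the 256-bit PSK, returned as 64 hex digits.

    The mapping is PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations
    and 32 bytes of output, so the same passphrase gives a different PSK on
    every SSID.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32).hex()


def resolve_psk(value: str, ssid: str) -> str:
    """Resolve a psk= value written as "passphrase" or as 64 hex digits."""
    value = value.strip()
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        return derive_wpa_psk(value[1:-1], ssid)
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return value.lower()
    raise ValueError("psk must be a quoted passphrase or 64 hex digits")


if __name__ == "__main__":
    # Constructed sample values: the SSID "test" is the one used on this page,
    # the passphrase is made up for the example.
    ssid, passphrase = "test", "correct horse battery"
    psk = derive_wpa_psk(passphrase, ssid)
    print(f"ssid={ssid}")
    print(f"wpa_psk={psk}")
    # The quoted and the hex form select the same key on the station side.
    assert resolve_psk(f'"{passphrase}"', ssid) == resolve_psk(psk, ssid)
    # Changing only the SSID invalidates a precomputed wpa_psk.
    assert derive_wpa_psk(passphrase, "test2") != psk
```

Because the SSID is the salt, a hex wpa_psk has to be recomputed whenever the ssid line changes, while a passphrase does not.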
EAP
Support of WPA-Enterprise and RADIUS under GNU/Linux
RADIUS implementations
- GNU RADIUS
- freeRADIUS
- PortSlave, used by LRP
- IC-RADIUS
- Now hostap can handle some of the EAP methods without need for a RADIUS server
Open1x
- Xsupplicant
- HOWTO on EAP/TLS authentication between FreeRADIUS and XSupplicant (quite old...)
- 802.1X Port-Based Authentication HOWTO
Links and security articles
- The Unofficial 802.11 Security Web Page
- RADIUS Vulnerabilities in Wireless and Wired Environments
- An Analysis of the RADIUS Authentication Protocol
Example: EAP-TLS
Setting up hostapd with FreeRADIUS
(note: now hostap can handle some of the EAP methods without need for a RADIUS server)
Installing FreeRADIUS
    cd /usr/local/src
    wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.1.tar.gz
    tar zxfv freeradius-1.0.1.tar.gz
    cd freeradius-1.0.1
    ./configure
    make
    make install
Edit /usr/local/etc/raddb/eap.conf:
    default_eap_type = tls
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
    }
Edit /usr/local/etc/raddb/users:
    Client Auth-Type := EAP
Edit /etc/hostapd/hostapd.conf:
    ieee8021x=1
    auth_server_addr=127.0.0.1
    auth_server_port=1812
    auth_server_shared_secret=testing123
    acct_server_addr=127.0.0.1
    acct_server_port=1813
    acct_server_shared_secret=testing123
    wpa_key_mgmt=WPA-EAP
Launch FreeRADIUS
    /usr/local/sbin/rc.radiusd start
Launch hostapd, cf HostApUsage
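A pre-launch check for the hostapd.conf built in this section, as an added example that is not part of the original page or of hostapd: it flags RADIUS shared secrets left at the how-to value and key-management settings that do not match the rest of the file. The function names, the rule set and the 16-character threshold (the length RFC 2865 prefers) are assumptions of this example.

```python
MIN_SECRET_LEN = 16              # RFC 2865 prefers secrets of at least 16 octets
SAMPLE_SECRETS = {"testing123"}  # the secret used in this page's example

def parse_conf(text):
    """Parse hostapd.conf key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_hostapd_conf(text):
    """Return (key, message) findings for the text of a hostapd.conf."""
    conf = parse_conf(text)
    findings = []
    mgmt = conf.get("wpa_key_mgmt", "").split()
    if "WPA-EAP" in mgmt and conf.get("ieee8021x") != "1":
        findings.append(("ieee8021x", "WPA-EAP is set but ieee8021x=1 is not"))
    if "WPA-PSK" in mgmt and not conf.keys() & {"wpa_passphrase", "wpa_psk"}:
        findings.append(("wpa_key_mgmt", "WPA-PSK without wpa_passphrase or wpa_psk"))
    for key in ("auth_server_shared_secret", "acct_server_shared_secret"):
        secret = conf.get(key)
        if secret is None:
            continue
        if secret in SAMPLE_SECRETS:
            findings.append((key, "sample secret copied from a how-to"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((key, f"shorter than {MIN_SECRET_LEN} characters"))
    return findings

# Constructed input: this page's EAP fragment merged into its WPA settings.
PAGE_CONF = """\
ssid=test
wpa=1
ieee8021x=1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
acct_server_addr=127.0.0.1
acct_server_port=1813
acct_server_shared_secret=testing123
wpa_key_mgmt=WPA-EAP
"""

if __name__ == "__main__":
    for key, message in check_hostapd_conf(PAGE_CONF):
        print(f"{key}: {message}")
```

The same secret has to be changed on the FreeRADIUS side as well, otherwise hostapd and the server stop agreeing.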
Setting up wpa_supplicant
Be sure wpa_supplicant is compiled with EAPOL and EAP-TLS
Copy certificates from the server to the client, e.g. in /etc/certs:
- The CA certificate (/usr/local/etc/raddb/certs/demoCA/cacert.pem on the server)
- The client certificate (/usr/local/etc/raddb/certs/cert-clt.pem on the server)
Edit /etc/wpa_supplicant.conf:
    network={
        ssid="test"
        proto=WPA RSN
        key_mgmt=WPA-EAP
        eap=TLS
        identity="Client"
        ca_cert="/etc/certs/cacert.pem"
        client_cert="/etc/certs/cert-clt.pem"
        private_key="/etc/certs/cert-clt.pem"
        private_key_passwd="whatever"
    }
To flash your Prism card
In order to use WPA with a Prism card you need at least v 1.7.0 of the firmware.
To check the current version:
    hostap_diag wlan0
Follow instructions given in http://linux.junsun.net/intersil-prism/
You can flash from Linux with prism2_srec
You'll have to recompile and reinstall the drivers after having defined PRISM2_NON_VOLATILE_DOWNLOAD (and PRISM2_DOWNLOAD_SUPPORT) in driver/modules/hostap_config.h
We tried primary firmware 1.1.1 and STA 1.8.0 but it seems that STA 1.7.4 is more robust
Typical command: (check for your own chipset!!!)
    prism2_srec -f wlan0 pk010101.hex sf010704.hex
Remark for an SMD 2632W card: its NICID is 0x8002 and is not listed; nevertheless, S1 firmwares can apply, e.g. s1010701.hex.
See also this story
So I could upgrade the SMD card from STAID v0.8.3 to v1.7.1