HostAP

Converted with HTML::WikiConverter::MediaWiki from my old phpwiki site

---

Installation

This works best with a prism chipset, e.g. a Senao card (while new versions of hostap can work with some other chipsets, check the doc).
Instructions are given here for a (mini)PCI.
If needed, first remove Debian packages as we'll install the very last version (0.4.4)

apt-get remove hostap-modules-$(uname -r) hostap-utils hostapd
wget http://hostap.epitest.fi/releases/hostap-driver-0.4.4.tar.gz
tar xzf hostap-driver-0.4.4.tar.gz
cd hostap-driver-0.4.4
make
make install
cd ..
wget http://hostap.epitest.fi/releases/hostap-utils-0.4.0.tar.gz
tar xzf hostap-utils-0.4.0.tar.gz
cd hostap-utils-0.4.0
make
make install
cd ..
wget http://hostap.epitest.fi/releases/hostapd-0.4.4.tar.gz
tar xzf hostapd-0.4.4.tar.gz
cd hostapd-0.4.4
cp defconfig .config (and edit the file if needed)
make
make install
mkdir -p /etc/hostapd
cp hostapd.accept hostapd.deny hostapd.conf hostapd.wpa_psk /etc/hostapd
cd ..
wget http://hostap.epitest.fi/releases/wpa_supplicant-0.4.4.tar.gz
tar xzf wpa_supplicant-0.4.4.tar.gz
cd wpa_supplicant-0.4.4
cp defconfig .config (and edit the file if needed)
make
make install
mkdir -p /etc/hostapd
cp wpa_supplicant.conf /etc/hostapd
make wpa_gui
cp wpa_gui/wpa_gui /usr/local/sbin

Typical launch of hostapd

Edit files in /etc/hostapd if needed, especially hostapd.conf

modprobe hostap_pci
ifconfig wlan0 10.0.0.1
iwconfig wlan0 mode master
iwconfig wlan0 essid test
iwconfig wlan0 channel 1
hostapd -dd /etc/hostapd/hostapd.conf (to run in debug mode)
hostapd -B /etc/hostapd/hostapd.conf (to run in background daemon mode)

To stop:

killall hostapd
ifconfig wlan0 down
modprobe -r hostap_pci
modprobe -r hostap_crypt_wep
modprobe -r hostap_crypt_tkip
modprobe -r hostap_crypt_ccmp
modprobe -r hostap

Typical launch of wpa_supplicant

Edit wpa_supplicant.conf in /etc/hostapd if needed, especially comment out configurations using EAP methods not compiled in wpa_supplicant (cf .config used to compile wpa_supplicant)

modprobe hostap_pci
wpa_supplicant -dd -iwlan0 -w -c/etc/hostapd/wpa_supplicant.conf (to run in debug mode)
wpa_supplicant -B -iwlan0 -w -c/etc/hostapd/hostapd.conf (to run in background daemon mode)
pump -i wlan0

Note that for ipw2200 clients you need to add -Dipw for kernels < 2.6.13 and -Dwext fir kernels >= 2.6.13

To stop:

pump -k -i wlan0
killall wpa_supplicant
ifconfig wlan0 down
modprobe -r hostap_pci
modprobe -r hostap_crypt_wep
modprobe -r hostap_crypt_tkip
modprobe -r hostap_crypt_ccmp
modprobe -r hostap

Resources

• ipw2200
  • http://ubuntuforums.org/showthread.php?t=26623
  • http://www.enseirb.fr/kadionik/linux/wifi.sh.txt
  • http://www.cure.nom.fr/article.php?theme=Linux&id_fic=22
  • http://tvilda.tigbis.lt/dokuwiki/doku.php?id=ubuntu__intel_pro_wireless_2200bg__wpa_mini-howto_fr

hostap-utils

hostap-utils contains a utility called hostap_crypt_conf

Man page

hostap_crypt_conf is a tool for configuring encryption keys to the Host AP driver. It extends the features of iwconfig by supporting individual per STA keys and support more than one encryption algorithm.

hostap_crypt_conf takes following options:

Usage: hostap_crypt_conf [-1]..[-9] [-t] [-p] <device> <addr> <alg> [key]
Options:
  -1 .. -9   key index (for WEP); only one index per command
  -t         set TX key index (given with -1 .. -9)
  -p         permanent station configuration (do not expire data)
  device     wlan#
  addr       station hwaddr or ff:ff:ff:ff:ff:ff for default/broadcast key
  alg        crypt algorithm (WEP, NULL, none)
  key        key data (in hex, e.g. '0011223344', or s:string)

Algorithms:
  WEP        40 or 104 bit WEP
  TKIP       Temporal Key Integrity Protocol (TKIP), WEP with per-packet temporal keys and Michael MIC
  CCMP       AES-CCM (Counter with CBC-MAC)
  NULL       NULL encryption (i.e., do not encrypt/decrypt);
             used to configure no encryption for given station when using default encryption
  none       disable encryption

IEEE 802.11 (Chap. 8.3.2) specifies that dot11WEPKeyMappings uses only one key per station address (whereas dot11WEDefaultKeys has four), but Host AP uses a more general implementation that allows four keys even with individual keys. However, to remain compliant with the standard, it is recommended to use only the first key with station-specific key mapping. In addition, it might be useful to configure default TX key to be something else than the first key to allow individual keys to be used even with stations that not explicitly support WEP key mapping.

AP configuration example

use station specific key also with broadcast RX frames to support different keys with stations that do not use WEP key mapping; if the stations allow configuration of separate key for broadcast/multicast bcrx_sta_key should be left to 0 (default)

prism2_param wlan0 bcrx_sta_key 1

set key2 as the default key (used with broadcast/multicast frames and with stations for which there is no individual key mapping)

hostap_crypt_conf -2t wlan0 ff:ff:ff:ff:ff:ff WEP s:abcde

or with iwconfig:

iwconfig wlan0 key s:abcde [2]
iwconfig wlan0 key [2]

set a permanent key mapping for STA2 (hwaddr=00:11:22:33:44:55)

hostap_crypt_conf -p wlan0 00:11:22:33:44:55 WEP s:qwert

STA1 configuration example

use only the default key (i.e., no key mapping)

iwconfig wlan0 key s:abcde [2]
iwconfig wlan0 key [2]

STA2 configuration example (hwaddr=00:11:22:33:44:55)

configure default key (idx 2) so that the station knows how to decrypt broadcast/multicast frames

iwconfig wlan0 key s:abcde [2]

configure individual key (idx 1) that will be used to decrypt unicast frames from the AP and to encrypt all frames to the AP

iwconfig wlan0 key s:qwert [1]
iwconfig wlan0 key [1]

Example how to use WPA-PSK

On the AP

Use hostapd
Edit /etc/hostapd/hostapd.conf with:

interface=wlan0
ssid=test
wpa=1
wpa_passphrase=<string of 8 to 63 chars>
wpa_psk=<hex string representing 32 bytes>
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP

Launch hostapd />If both wpa_passphrase and wpa_psk are provided, passphrase is used.

On the STA

Use wpa_supplicant
At least STA firmware 1.7.0 is required to use WPA on prism chipsets, see HostApFlash for firmware upgrade.
Edit /etc/wpa_supplicant.conf with:

ctrl_interface=/var/run/wpa_supplicant
network={
  ssid="test"
  proto=WPA
  key_mgmt=WPA-PSK
  pairwise=TKIP CCMP
  group=TKIP CCMP
  psk=... ("passphrase" or hex)
}

Launch wpa_supplicant

EAP

Support of WPA-Enterprise and RADIUS under GNU/Linux

• Host AP driver for Intersil Prism2/2.5/3 and WPA Supplicant
• AEGIS client
• Summary by OS

RADIUS implementations

• GNU RADIUS
• freeRADIUS
• PortSlave, used by LRP
• IC-RADIUS
• Now hostap can handle some of the EAP methods without need for a RADIUS server

Open1x

• Xsupplicant
• HOWTO on EAP/TLS authentication between FreeRADIUS and XSupplicant (quite old...)
• 802.1X Port-Based Authentication HOWTO

Links and security articles

• The Unofficial 802.11 Security Web Page
• RADIUS Vulnerabilities in Wireless and Wired Environments
• An Analysis of the RADIUS Authentication Protocol

Example: EAP-TLS

Setting up hostapd with FreeRADIUS

(note: now hostap can handle some of the EAP methods without need for a RADIUS server)

Installing FreeRADIUS

cd /usr/local/src
wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.1.tar.gz
tar zxfv freeradius-1.0.1.tar.gz
cd freeradius-1.0.1
./configure
make
make install

Edit /usr/local/etc/raddb/eap.conf:

default_eap_type = tls
tls {
   private_key_password = whatever
   private_key_file = ${raddbdir}/certs/cert-srv.pem
   certificate_file = ${raddbdir}/certs/cert-srv.pem
   CA_file = ${raddbdir}/certs/demoCA/cacert.pem
   dh_file = ${raddbdir}/certs/dh
   random_file = ${raddbdir}/certs/random
   fragment_size = 1024
}

Edit /usr/local/etc/raddb/users:

Client     Auth-Type := EAP

Edit /etc/hostapd/hostapd.conf:

ieee8021x=1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
acct_server_addr=127.0.0.1
acct_server_port=1813
acct_server_shared_secret=testing123
wpa_key_mgmt=WPA-EAP

Launch FreeRADIUS

/usr/local/sbin/rc.radiusd start

Launch hostapd, cf HostApUsage

Setting up wpa_supplicant

Be sure wpa_supplicant is compiled with EAPOL and EAP-TLS

Copy certificates from the server to the client, e.g. in /etc/certs:

• The CA certificate (/usr/local/etc/raddb/certs/demoCA/cacert.pem on the server)
• The client certificate (/usr/local/etc/raddb/certs/cert-clt.pem on the server)

Edit /etc/wpa_supplicant.conf:

network={
    ssid="test"
    proto=WPA RSN
    key_mgmt=WPA-EAP
    eap=TLS
    identity="Client"
    ca_cert="/etc/certs/cacert.pem"
    client_cert="/etc/certs/cert-clt.pem"
    private_key="/etc/certs/cert-clt.pem"
    private_key_passwd="whatever"
}

To flash your Prism card

In order to use WPA with a Prism card you need at least v 1.7.0 of the firmware.

To check what is the current version:

hostap_diag wlan0

Follow instructions given in http://linux.junsun.net/intersil-prism/
You can flash from linux with prism_srec
You'll have to recompile and reinstall the drivers after having defined PRISM2_NON_VOLATILE_DOWNLOAD (and PRISM2_DOWNLOAD_SUPPORT) in driver/modules/hostap_config.h
We tried primary firmware 1.1.1 and STA 1.8.0 but it seems that STA 1.7.4 is more robust
Typical command: (check for your own chipset!!!)

prism2_srec -f wlan0 pk010101.hex sf010704.hex

Remark for a SMD 2632W card: its NICID is 0x8002 and is not listed nevertheless S1 firmwares can apply, e.g. s1010701.hex.
See also this story
So I could upgrade the SMD card from STAID v0.8.3 to v1.7.1

Embedded

Nimble Micorsystems

• NetEngine NP51R
• Article on TNP-51R

Soekris

Articles

• Building a wireless access point with Linux
• Linux-based gateways, servers, wireless access points