WLAN
WARNING
The wpa+eap(radius) part of this lab is not finished yet but should be finished by 2007-06-27, 17:00. You can continue with MAC filters & Packet handling so far. I'm sorry for that ;P
2007-06-28 14:47 tried all day but there are still problems, I'll remove this if it's working or let you know
2007-06-29 00:36 it's working now. The problem was the version of wpa_supplicant and hostapd, and if both are installed in version 0.6.0 there seems to be no problem using WPA-EAP with TLS. Please stay tuned, I will fix this part of the lab tomorrow, Friday 2007-06-29, and with some luck you can start with this part on 2007-06-30.
WARNING
PS: may the wireshark be with you:
(ASCII-art shark, signed jgs)
Good documentation about WPA2+EAP can be obtained here:
Motivation: What is FreeRADIUS and what is it supposed to do:
The FreeRADIUS Server is a daemon for Unix and Unix-like operating systems which allows one to set up a RADIUS protocol server, which can be used for authentication and accounting of various types of network access. To use the server, you also need a correctly set up client which will talk to it, such as terminal servers, Ethernet switches, wireless access points or a PC with appropriate software which emulates one (PortSlave, radiusclient etc).
First we will have a look at how secure the host-to-host connections are and how secure the RADIUS-to-AP communication is. Later we will have a look at the WPA-EAP roaming feature.
Our setup will not differ much from what we had so far:
pc3 (AP1) ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Linux1 Client
   br0 |       ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Linux2 Client
       |
       |-- pc2 (free!radius)
       |   eth0
   br0 |                          |     Cable* link
pc4 (AP2)                         ~ ~   Wireless link
IP configuration:
PC2 radius server eth0: 10.0.1.2/24
PC3 ACCESS POINT 1 br0: 10.0.1.3/24
PC4 ACCESS POINT 2 br0: 10.0.1.4/24
PC5 CLIENT 1 ath0: 10.0.1.5/24
PC6 CLIENT 2 ath0: 10.0.1.6/24
* the bad news, we need cables ;P
Configure all PCs. All necessary configuration files are given below. Perform the tests to see if everything is alright. In case of an emergency bind a towel around your head and jump out of the window next to you.
We will use:
- EAP authentication utilizing PEAP with TLS
- but with username and certificate on supplicant side
- with ssid and password on hostapd side
There are also other methods (listed below), but we won't go into their pros and cons.
- EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1)
- EAP-PEAP/GTC (both PEAPv0 and PEAPv1)
- EAP-PEAP/MD5-Challenge (both PEAPv0 and PEAPv1)
- EAP-TTLS/EAP-MD5-Challenge
- EAP-TTLS/EAP-GTC
- EAP-TTLS/EAP-MSCHAPv2
- EAP-TTLS/MSCHAPv2
- EAP-TTLS/MSCHAP
- EAP-TTLS/PAP
- EAP-TTLS/CHAP
- EAP-SIM
- EAP-AKA
- EAP-PAX
- EAP-PSK
- EAP-SAKE
- EAP-FAST
- EAP-GPSK (experimental)
bridge setup on pc3 | pc4
pc3 # brctl addbr br0
pc3 # brctl addif br0 eth0
pc3 # # use wlanconfig to set ath0 as AP not STA!!
pc3 # brctl addif br0 ath0
pc3 # # now do the ip configuration
do the same for pc4 as well
hostapd config file
# Cleaned up example, see original hostapd.conf for comments.
# based on http://www.rinta-aho.org/docs/wlan/hostapd.conf
interface=ath0
driver=bsd
bridge=br0
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
debug=3
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
##### IEEE 802.11 related configuration #######################################
ssid=nlab1
macaddr_acl=0
auth_algs=1
##### IEEE 802.1X-REV related configuration ###################################
ieee8021x=1
##### RADIUS client configuration #############################################
own_ip_addr=10.0.1.5
auth_server_addr=10.0.1.2
auth_server_port=1812
auth_server_shared_secret=pw4radius
##### WPA/IEEE 802.11i configuration ##########################################
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP
rsn_preauth=1
#rsn_preauth_interfaces=br0
wpa_supplicant config file
# Cleaned up example, see original wpa_supplicant.conf for comments.
# based on http://www.rinta-aho.org/docs/wlan/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
ap_scan=1
fast_reauth=1
network={
ssid="nlab1"
scan_ssid=0
mode=0
proto=RSN
key_mgmt=WPA-EAP
auth_alg=OPEN
eap=TLS
identity="teemu"
ca_cert="/etc/wpa_supplicant/cacert.pem"
client_cert="/etc/wpa_supplicant/clientcert.pem"
private_key="/etc/wpa_supplicant/clientkey.pem"
private_key_passwd="pw4client"
}
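Before starting the daemons it pays to check the two config files above against each other and against the IP plan. The following checker is an added example, not one of the lab's files: the two strings are constructed copies of the hostapd.conf and wpa_supplicant.conf shown above, trimmed to the keys the checks look at; the AP address 10.0.1.3 comes from the IP plan (PC3 br0), the 16-character minimum for the shared secret is this example's own threshold. Note that the lab's hostapd.conf sets own_ip_addr=10.0.1.5 (the address of client 1), which the check reports, and that TKIP is still allowed in wpa_pairwise.

```python
"""Added example: sanity checks over the lab's hostapd.conf and wpa_supplicant.conf."""

# constructed copy of the hostapd.conf keys relevant here (values as on the lab page)
HOSTAPD_CONF = """\
interface=ath0
bridge=br0
ssid=nlab1
ieee8021x=1
own_ip_addr=10.0.1.5
auth_server_addr=10.0.1.2
auth_server_port=1812
auth_server_shared_secret=pw4radius
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP
rsn_preauth=1
"""

# constructed copy of the wpa_supplicant.conf network block
WPA_SUPPLICANT_CONF = """\
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
network={
    ssid="nlab1"
    proto=RSN
    key_mgmt=WPA-EAP
    eap=TLS
    identity="teemu"
    ca_cert="/etc/wpa_supplicant/cacert.pem"
    client_cert="/etc/wpa_supplicant/clientcert.pem"
    private_key="/etc/wpa_supplicant/clientkey.pem"
    private_key_passwd="pw4client"
}
"""


def parse_conf(text):
    """key=value lines into a dict; each network={ ... } block into conf['networks']."""
    conf = {"networks": []}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.replace(" ", "") == "network={":
            block = {}
            continue
        if line == "}" and block is not None:
            conf["networks"].append(block)
            block = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        target = conf if block is None else block
        target[key.strip()] = value.strip().strip('"')
    return conf


def check_hostapd(conf, ap_ip, min_secret_len=16):
    """Findings for the authenticator side; an empty list means nothing to fix."""
    f = []
    if conf.get("wpa") != "2":
        f.append("wpa must be 2 so that only RSN (WPA2) is offered")
    if "WPA-EAP" not in conf.get("wpa_key_mgmt", "").split():
        f.append("wpa_key_mgmt must contain WPA-EAP for 802.1X authentication")
    if conf.get("ieee8021x") != "1":
        f.append("ieee8021x=1 is required, otherwise no EAP exchange takes place")
    if "TKIP" in conf.get("wpa_pairwise", "").split():
        f.append("wpa_pairwise allows TKIP; CCMP alone is the stronger choice")
    if len(conf.get("auth_server_shared_secret", "")) < min_secret_len:
        f.append(f"RADIUS shared secret is shorter than {min_secret_len} characters")
    if conf.get("own_ip_addr") != ap_ip:  # own_ip_addr is sent as NAS-IP-Address
        f.append(f"own_ip_addr={conf.get('own_ip_addr')} is not this AP's address {ap_ip}")
    return f


def check_supplicant(conf, ssid):
    """Findings for the supplicant side; the ca_cert check is the one that matters most."""
    nets = [n for n in conf["networks"] if n.get("ssid") == ssid]
    if not nets:
        return [f"no network block for ssid {ssid}"]
    net, f = nets[0], []
    if net.get("proto") != "RSN":
        f.append("proto should be RSN to match wpa=2 on the AP")
    if net.get("key_mgmt") != "WPA-EAP":
        f.append("key_mgmt must be WPA-EAP")
    if not net.get("ca_cert"):  # without ca_cert the server certificate is not verified
        f.append("ca_cert missing: the server certificate would not be verified")
    if net.get("eap") == "TLS" and not (net.get("client_cert") and net.get("private_key")):
        f.append("EAP-TLS needs client_cert and private_key")
    return f


def run_checks(ap_ip="10.0.1.3"):
    """Run both checkers on the constructed configs; ap_ip is AP1's br0 address from the plan."""
    return (check_hostapd(parse_conf(HOSTAPD_CONF), ap_ip),
            check_supplicant(parse_conf(WPA_SUPPLICANT_CONF), "nlab1"))


if __name__ == "__main__":
    for side, findings in zip(("hostapd", "wpa_supplicant"), run_checks()):
        print(side, "->", findings or ["ok"])
```

Run it with the AP's own address; for pc4 pass 10.0.1.4 instead. The ca_cert check is the one to keep in mind when you write your own supplicant configs: if the line is dropped, the supplicant still authenticates, but against whichever server answers.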
freeradius configuration files
=================== eap.conf =====================
#
# $Id: eap.conf,v 1.1 2005/05/18 13:58:26 teemu Exp $
#
# Cleaned up EAP example. See original eap.conf for comments.
#
eap {
default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
private_key_password = pw4server
private_key_file = ${raddbdir}/certs/serverkey.pem
certificate_file = ${raddbdir}/certs/servercert.pem
CA_file = ${raddbdir}/certs/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
}
mschapv2 {
}
}
=================== users =====================
#
# Cleaned up example, see original users file for comments.
#
teemu Auth-Type := EAP
=================== clients.conf =====================
#
# Cleaned up example, see original clients.conf for comments.
#
# WLAN Access Points in 10.0.0.0/8 network
client 10.0.0.0/8 {
secret = pw4radius
shortname = nlab1
}
You need to create certificates for the server and for the clients. Follow the steps found on http://www.rinta-aho.org/docs/wlan/wlan.html and use the script from there. You might need to adapt some things in the configuration found there.
Start with one client only. If one client is working, try to add another one. Don't forget that every client needs its own certificate.
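If you prefer to see what the certificate script has to produce, the following is an added example (not the script from rinta-aho.org) that drives the openssl command line to create exactly the files eap.conf and wpa_supplicant.conf above refer to: cacert.pem, serverkey.pem/servercert.pem (key protected with pw4server), clientkey.pem/clientcert.pem (key protected with pw4client), dh and random. The CA name, the server name radius.nlab1 and the validity periods are this example's own choices; a second client gets its own run with another client_cn.

```python
"""Added example: generate the lab's CA, server and client certificates via the openssl CLI."""
import os
import subprocess
import tempfile
from pathlib import Path


def _openssl(*args):
    """Run one openssl command; raise if it fails (output is swallowed on success)."""
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_lab_pki(out_dir, server_pw="pw4server", client_pw="pw4client", client_cn="teemu"):
    """Self-signed CA + server cert + one client cert, all written under out_dir."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    ca_key, ca_cert = out / "cakey.pem", out / "cacert.pem"
    # 1. CA key (unencrypted; it stays on the signing host only) and self-signed CA cert
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", str(ca_key),
             "-out", str(ca_cert), "-days", "3650", "-subj", "/CN=nlab1 lab CA")
    # 2. server key/cert for eap.conf, client key/cert for wpa_supplicant.conf; both keys are
    #    passphrase-protected, matching private_key_password and private_key_passwd
    for name, cn, pw in (("server", "radius.nlab1", server_pw), ("client", client_cn, client_pw)):
        key, csr, cert = out / f"{name}key.pem", out / f"{name}.csr", out / f"{name}cert.pem"
        _openssl("req", "-newkey", "rsa:2048", "-keyout", str(key), "-out", str(csr),
                 "-passout", f"pass:{pw}", "-subj", f"/CN={cn}")
        _openssl("x509", "-req", "-in", str(csr), "-CA", str(ca_cert), "-CAkey", str(ca_key),
                 "-CAcreateserial", "-out", str(cert), "-days", "365")
        csr.unlink()
    # 3. dh_file and random_file from eap.conf (1024-bit DH matches the 2007 setup; use more today)
    _openssl("dhparam", "-out", str(out / "dh"), "1024")
    (out / "random").write_bytes(os.urandom(1024))
    return out


def chain_is_valid(out_dir):
    """Both leaf certificates must verify against cacert.pem, which is what the supplicant
    (ca_cert) and the server (CA_file) do during the EAP-TLS handshake."""
    out = Path(out_dir)
    for leaf in ("servercert.pem", "clientcert.pem"):
        r = subprocess.run(["openssl", "verify", "-CAfile", str(out / "cacert.pem"), str(out / leaf)],
                           capture_output=True)
        if r.returncode != 0:
            return False
    return True


def key_is_encrypted(path):
    """True if the PEM key is passphrase-protected (both OpenSSL PEM layouts say ENCRYPTED)."""
    return b"ENCRYPTED" in Path(path).read_bytes()


def demo():
    """Generate into a temporary directory; returns (chain ok, client key encrypted)."""
    out = make_lab_pki(tempfile.mkdtemp(prefix="nlab1-pki-"))
    return chain_is_valid(out), key_is_encrypted(out / "clientkey.pem")


if __name__ == "__main__":
    print(demo())
```

Copy cacert.pem, clientcert.pem and clientkey.pem to /etc/wpa_supplicant/ on the client and cacert.pem, servercert.pem, serverkey.pem, dh and random to ${raddbdir}/certs/ on pc2.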
starting the daemons + testing setup
pc1 # sniffer alright?
pc2 # /etc/init.d/radiusd start
pc3 # hostapd /etc/hostapd/hostapd.conf
pc4 # (nothing yet!)
pc5 # wpa_supplicant -dd -K -t -i ath0 -c /etc/wpa_supplicant/wpa_supplicant.conf
Now test the setup using ping.
- can linux1 ping pc2?
- can linux2 ping pc2 as well?
- can pc4 ping pc2?
You have to reconnect the client to be able to capture all the packets you need to answer the next question.
- pc2 # tell wireshark to bite the cable
- pc5 # killall wpa_supplicant
- pc5 # restart wpa_supplicant
- watch pc1 + pc2:
- pc1 # what happens between pc4 and linux1?
- pc2 # what does wireshark reveal about hostapd <-> radius communication?
5.4.10. What packets were exchanged between client1, the AP and the radius server when client1 joined the network? Explain the meaning of those packets.
[3 credits]
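To make the cable-side part of that capture easier to read, here is an added example (not lab code) that builds and checks the first RADIUS round trip of the EAP-TLS exchange between hostapd and FreeRADIUS: an Access-Request carrying the client's EAP-Response/Identity, and the Access-Challenge carrying EAP-Request/TLS Start. It shows the two protections the shared secret pw4radius gives this link: the Message-Authenticator (HMAC-MD5, mandatory when EAP-Message is present) and the Response Authenticator. The identity teemu, NAS address 10.0.1.3 and the secret are the lab's; the fixed Request Authenticator and the EAP identifiers are constructed for reproducibility.

```python
"""Added example: RADIUS/EAP packets between AP (hostapd) and FreeRADIUS, with the
integrity checks both sides perform on them (RFC 2865, RFC 2869, RFC 3748, RFC 5216)."""
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
# EAP codes and method types
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 2, 1, 13

SECRET = b"pw4radius"  # auth_server_shared_secret in hostapd.conf == secret in clients.conf


def attr(atype, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return bytes([atype, len(value) + 2]) + value


def eap_packet(code, ident, eap_type, data=b""):
    """EAP header (Code, Identifier, Length) followed by Type and the type data."""
    return struct.pack("!BBH", code, ident, 5 + len(data)) + bytes([eap_type]) + data


def build_packet(code, ident, authenticator, attrs, secret):
    """RADIUS header + attrs + Message-Authenticator, which is HMAC-MD5(secret, packet)
    computed with the attribute's own 16 value bytes zeroed."""
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the zero placeholder is the last 16 bytes


def build_access_request(ident, user, nas_ip, eap, secret, req_auth=None):
    """What hostapd sends: User-Name, NAS-IP-Address (own_ip_addr) and the EAP response."""
    req_auth = req_auth or os.urandom(16)  # Request Authenticator: fresh random bytes
    attrs = (attr(USER_NAME, user)
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(EAP_MESSAGE, eap))  # long EAP payloads are split over several 79s
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs, secret)


def build_response(code, ident, req_auth, eap, secret):
    """What FreeRADIUS answers: the Message-Authenticator is keyed over the *Request*
    Authenticator; then Response Authenticator = MD5(Code+ID+Len+ReqAuth+Attrs+Secret)."""
    pkt = build_packet(code, ident, req_auth, attr(EAP_MESSAGE, eap), secret)
    resp_auth = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def parse_attributes(pkt):
    """(type, value) pairs; rejects an attribute length that runs past the packet."""
    out, pos, length = [], 20, struct.unpack("!H", pkt[2:4])[0]
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        out.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_message_authenticator(pkt, secret, req_auth=None):
    """True only if a Message-Authenticator is present and matches. For a response, pass
    the Request Authenticator of the Access-Request it answers."""
    auth_field = pkt[4:20] if req_auth is None else req_auth
    pos, length = 20, struct.unpack("!H", pkt[2:4])[0]
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:4] + auth_field + pkt[20:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(pkt[pos + 2:pos + 18], expected)
        pos += alen
    return False


def verify_response_authenticator(pkt, req_auth, secret):
    """Shows the reply came from a holder of the secret and belongs to this request."""
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(pkt[4:20], expected)


def demo_exchange(secret=SECRET):
    """First round trip of EAP-TLS: EAP-Response/Identity in, EAP-Request/TLS Start out."""
    req_auth = bytes(range(16))  # constructed; hostapd uses 16 random bytes
    identity = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"teemu")
    request = build_access_request(7, b"teemu", "10.0.1.3", identity, secret, req_auth)
    tls_start = eap_packet(EAP_REQUEST, 2, EAP_TYPE_TLS, bytes([0x20]))  # flags byte: S(tart)
    challenge = build_response(ACCESS_CHALLENGE, 7, req_auth, tls_start, secret)
    return request, challenge, req_auth
```

Compare the bytes with what Wireshark shows for the first two RADIUS packets on pc2: attributes 79 (EAP-Message) and 80 (Message-Authenticator) in both directions, and a Response Authenticator that Wireshark can only mark as valid once it is given the shared secret. Everything after TLS Start is the TLS handshake carried inside EAP-Message, so the certificate exchange is visible on the cable but the keys derived from it are not.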
Compared to WPA2-PSK, client "Linux1" can't decrypt "Linux2" packets in any way. That's because of the nature of WPA-EAP. But what is done if "Linux1" wants to talk to "Linux2"? And what is done with broadcast and multicast traffic?
5.4.12. What happens if Linux1 wants to talk to Linux2 and how is broadcast and multicast encrypted? (paste the relevant packet headers)
[2 credits]
Now we will have a look at the WPA-EAP roaming feature. You have to do two things:
- disable linux2 wpa_supplicant
- start a ping from linux1 to pc2
- pc2 # tell wireshark to bite the cable
- pc4 # start hostapd as you did for pc3 already
- pc5 # pray that pc5 wants to roam to pc4 or use the aluminum
- watch pc1 + pc2:
- pc1 # what happens between pc4 and linux1?
- pc2 # what does wireshark reveal about hostapd <-> radius communication?
5.4.14. What happens if one client roams to a different access point? (paste the relevant packet headers)
[4 credits]