EAP-TTLS/MSCHAP

(A). EAP-TTLS/MSCHAP:

MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol, CHAP. MS-CHAPv1 and MS-CHAPv2 are used as one authentication option in Microsoft’s implementation of the PPTP protocol for virtual private networks. It also used as authentication option with RADIUS servers.

The following is a resprestaion of EAP-TTLS/MSCHAP handshake

Radius Server                        Hostapd(AP)                     wpa_supplicant(station)

|                                    |<<----------------Auth_Req---------------|

|                                    |------------------Auth_Resp------------>>|

|                                    |<<---------------Assoc_Req---------------|

|                                    |----------------Assoc_Resp------------->>|

|                                    |--------------EAP_Req_Identity--------->>|

|                                    |<<------------EAP_Resp_Identity----------|

|<<--------EAP_Resp_Identity---------|

|-----------EAP_Req_EAP_TTLS------->>|

|                                    |----------EAP_Req_EAP_TTLS(FWRD)----- ->>|

|                                    |<<------------TLS.1.2_CLI_HELLO--- ------|

|<<------TLS.1.2_CLI_HELLO(FWRD)-----|

|----------EAP_Req_EAP_TTLS-------->>|

|                                    |----------EAP_Req_EAP_TTLS(FWRD)------->>|

|                                    |<<-------------EAP_Resp_EAP_TLS----------|

|<<------EAP_Resp_EAP_TTLS(FRWD)-----|

|------------EAP_Req_EAP_TTLS------>>|

|                                    |----------EAP_Req_EAP_TTLS(FWRD)------->>|

|                                    |<<------------EAP_Resp_EAP_TTLS-----  ---|

|<<-----EAP_Resp_EAP_TTLS(FRWD)------|

|-------TLSv1.2_SERV_CERT_KEY_EXG--->|

|                                    |-----TLSv1.2_SERV_CERT_KEY_EXG(FWRD)--->>|

|                                    |<<--------TLSv1.2CLI__CERT_KEY_EXG-------|

|<<---TLSv1.2CLI_CERT_KEY_EXG(FWRD)--|

|------TLSv1.2CHG_CHPR_SPEC-------->>|

|                                    |------TLSv1.2CHG_CHPR_SPEC(FRWD)------->>|

|                                    |<<--------TLSv1.2_APPLICATION_DATA-------|

|<---TLSv1.2_APPLICATION_DATA(FRWD)--|

|----------TLSv1.2_SUCCESS--------->>|

|                                    |----------TLSv1.2SUCCESS(FRWD)--------->>|

|                                    |-----------------EAPOL-M1-------------->>|

|                                    |<<---------------EAPOL-M2----------------|

|                                    |-----------------EAPOL-M3-------------->>|

|                                    |<<---------------EAPOL-M4----------------|

Test bed

Inorder to execute below practical example, two Linux machines are needed with ubuntu version >= 16.04.

  • Check the Ubuntu version on your machine. Ubuntu version used for in this site is 20.04
    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.2 LTS
    Release:	20.04
    Codename:	focal
    

wpa_supplicant compilation

The daemon process that runs in the client stations. It implements WPA key negotiation with a WPA Authenticator and EAP authentication with Authentication Server. In addition, it controls the roaming and IEEE 802.11 authentication/association of the wireless LAN driver. Following are the steps to download and compiling wpa_supplicant from source code

  1. Download latest wpa_supplicant
    $ wget https://w1.fi/releases/wpa_supplicant-2.9.tar.gz
    
  2. Install required packages
    $ sudo apt install libnl-genl-3-dev libnl-3-dev libdbus-glib-1-dev
    
    below messages indicate that packages are installed successfully
    The following NEW packages will be installed:
      libdbus-glib-1-dev libdbus-glib-1-dev-bin libnl-3-dev libnl-genl-3-dev
    0 upgraded, 4 newly installed, 0 to remove and 4 not upgraded.
    Need to get 212 kB of archives.
    After this operation, 1,235 kB of additional disk space will be used.
    Do you want to continue? [Y/n] 
    Get:1 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libdbus-glib-1-dev-bin amd64 0.110-5fakssync1 [39.5 kB]
    Get:2 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libdbus-glib-1-dev amd64 0.110-5fakssync1 [69.2 kB]
    Get:3 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libnl-3-dev amd64 3.4.0-1 [92.2 kB]
    Get:4 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libnl-genl-3-dev amd64 3.4.0-1 [10.7 kB]
    Fetched 212 kB in 1s (293 kB/s)             
    Selecting previously unselected package libdbus-glib-1-dev-bin.
    (Reading database ... 385264 files and directories currently installed.)
    Preparing to unpack .../libdbus-glib-1-dev-bin_0.110-5fakssync1_amd64.deb ...
    Unpacking libdbus-glib-1-dev-bin (0.110-5fakssync1) ...
    Selecting previously unselected package libdbus-glib-1-dev:amd64.
    Preparing to unpack .../libdbus-glib-1-dev_0.110-5fakssync1_amd64.deb ...
    Unpacking libdbus-glib-1-dev:amd64 (0.110-5fakssync1) ...
    Selecting previously unselected package libnl-3-dev:amd64.
    Preparing to unpack .../libnl-3-dev_3.4.0-1_amd64.deb ...
    Unpacking libnl-3-dev:amd64 (3.4.0-1) ...
    Selecting previously unselected package libnl-genl-3-dev:amd64.
    Preparing to unpack .../libnl-genl-3-dev_3.4.0-1_amd64.deb ...
    Unpacking libnl-genl-3-dev:amd64 (3.4.0-1) ...
    Setting up libdbus-glib-1-dev-bin (0.110-5fakssync1) ...
    Setting up libnl-3-dev:amd64 (3.4.0-1) ...
    Setting up libdbus-glib-1-dev:amd64 (0.110-5fakssync1) ...
    Setting up libnl-genl-3-dev:amd64 (3.4.0-1) ...
    Processing triggers for man-db (2.9.1-1) ...
    
    
  3. Extract the tar file
    $ tar -xvf wpa_supplicant-2.9.tar.gz
    
  4. Go to wpa_supplicant directory
    $ cd wpa_supplicant-2.9/wpa_supplicant
    
  5. Copy the default configuration into .conf file
    $ cp defconfig .config
    
  6. Enable below configs in .config
    $ vim .config
    
    CONFIG_DRIVER_NL80211=y
    CONFIG_RADIUS_SERVER=y
    CONFIG_TLS=openssl
    CONFIG_EAP=y
    CONFIG_TLSV11=y
    CONFIG_TLSV12=y
    CONFIG_EAP_TLS=y
    CONFIG_EAP_MSCHAPV2=y
    CONFIG_EAP_PEAP=y
    CONFIG_EAP_MD5=y
    CONFIG_EAP_GTC=y
    
  7. Build the wpa_supplicant
    $ make
    

    Below is the list of files compiled based on the features enabled in “.config”

      CC  config.c
      CC  notify.c
      CC  bss.c
      CC  eap_register.c
      CC  ../src/utils/common.c
      CC  ../src/utils/wpa_debug.c
      CC  ../src/utils/wpabuf.c
      CC  ../src/utils/bitfield.c
      CC  op_classes.c
      CC  rrm.c
      CC  wmm_ac.c
      CC  ../src/utils/os_unix.c
      CC  ../src/utils/eloop.c
      CC  config_file.c
      CC  ../src/rsn_supp/wpa_ft.c
      CC  ../src/common/sae.c
      CC  ../src/common/dpp.c
      CC  dpp_supplicant.c
      CC  ../src/rsn_supp/wpa.c
      CC  ../src/rsn_supp/preauth.c
      CC  ../src/rsn_supp/pmksa_cache.c
      CC  ../src/rsn_supp/wpa_ie.c
      CC  ../src/common/wpa_common.c
      CC  ibss_rsn.c
      CC  p2p_supplicant.c
      CC  p2p_supplicant_sd.c
      CC  ../src/p2p/p2p.c
      CC  ../src/p2p/p2p_utils.c
      CC  ../src/p2p/p2p_parse.c
      CC  ../src/p2p/p2p_build.c
      CC  ../src/p2p/p2p_go_neg.c
      CC  ../src/p2p/p2p_sd.c
      CC  ../src/p2p/p2p_pd.c
      CC  ../src/p2p/p2p_invitation.c
      CC  ../src/p2p/p2p_dev_disc.c
      CC  ../src/p2p/p2p_group.c
      CC  ../src/ap/p2p_hostapd.c
      CC  wifi_display.c
      CC  hs20_supplicant.c
      CC  interworking.c
      CC  ../src/eap_peer/eap_tls.c
      CC  ../src/eap_peer/eap_peap.c
      CC  ../src/eap_common/eap_peap_common.c
      CC  ../src/eap_peer/eap_ttls.c
      CC  ../src/eap_peer/eap_md5.c
      CC  ../src/eap_peer/eap_mschapv2.c
      CC  ../src/eap_peer/mschapv2.c
      CC  ../src/eap_peer/eap_gtc.c
      CC  ../src/eap_peer/eap_otp.c
      CC  ../src/eap_peer/eap_leap.c
      CC  ../src/eap_peer/eap_fast.c
      CC  ../src/eap_peer/eap_fast_pac.c
      CC  ../src/eap_common/eap_fast_common.c
      CC  ../src/eap_peer/eap_pax.c
      CC  ../src/eap_common/eap_pax_common.c
      CC  ../src/eap_peer/eap_sake.c
      CC  ../src/eap_common/eap_sake_common.c
      CC  ../src/eap_peer/eap_gpsk.c
      CC  ../src/eap_common/eap_gpsk_common.c
      CC  ../src/eap_peer/eap_pwd.c
      CC  ../src/eap_common/eap_pwd_common.c
      CC  wps_supplicant.c
      CC  ../src/utils/uuid.c
      CC  ../src/eap_peer/eap_wsc.c
      CC  ../src/eap_common/eap_wsc_common.c
      CC  ../src/wps/wps.c
      CC  ../src/wps/wps_common.c
      CC  ../src/wps/wps_attr_parse.c
      CC  ../src/wps/wps_attr_build.c
      CC  ../src/wps/wps_attr_process.c
      CC  ../src/wps/wps_dev_attr.c
      CC  ../src/wps/wps_enrollee.c
      CC  ../src/wps/wps_registrar.c
      CC  ../src/eap_peer/eap_ikev2.c
      CC  ../src/eap_peer/ikev2.c
      CC  ../src/eap_common/eap_ikev2_common.c
      CC  ../src/eap_common/ikev2_common.c
      CC  ../src/eap_peer/eap_tnc.c
      CC  ../src/eap_peer/tncc.c
      CC  ../src/eapol_supp/eapol_supp_sm.c
      CC  ../src/eap_peer/eap.c
      CC  ../src/eap_peer/eap_methods.c
      CC  ap.c
      CC  ../src/ap/hostapd.c
      CC  ../src/ap/wpa_auth_glue.c
      CC  ../src/ap/utils.c
      CC  ../src/ap/authsrv.c
      CC  ../src/ap/ap_config.c
      CC  ../src/utils/ip_addr.c
      CC  ../src/ap/sta_info.c
      CC  ../src/ap/tkip_countermeasures.c
      CC  ../src/ap/ap_mlme.c
      CC  ../src/ap/ieee802_1x.c
      CC  ../src/eapol_auth/eapol_auth_sm.c
      CC  ../src/ap/ieee802_11_auth.c
      CC  ../src/ap/ieee802_11_shared.c
      CC  ../src/ap/drv_callbacks.c
      CC  ../src/ap/ap_drv_ops.c
      CC  ../src/ap/beacon.c
      CC  ../src/ap/bss_load.c
      CC  ../src/ap/eap_user_db.c
      CC  ../src/ap/neighbor_db.c
      CC  ../src/ap/rrm.c
      CC  ../src/ap/ieee802_11_ht.c
      CC  ../src/ap/ieee802_11_vht.c
      CC  ../src/ap/ctrl_iface_ap.c
      CC  ../src/eap_server/eap_server.c
      CC  ../src/eap_server/eap_server_identity.c
      CC  ../src/eap_server/eap_server_methods.c
      CC  ../src/ap/wmm.c
      CC  ../src/ap/ap_list.c
      CC  ../src/ap/ieee802_11.c
      CC  ../src/ap/hw_features.c
      CC  ../src/ap/dfs.c
      CC  ../src/ap/wps_hostapd.c
      CC  ../src/eap_server/eap_server_wsc.c
      CC  ../src/ap/dpp_hostapd.c
      CC  ../src/ap/gas_query_ap.c
      CC  ../src/ap/gas_serv.c
      CC  ../src/ap/hs20.c
      CC  ../src/ap/wpa_auth.c
      CC  ../src/ap/wpa_auth_ie.c
      CC  ../src/ap/pmksa_cache_auth.c
      CC  ../src/common/dragonfly.c
      CC  ../src/crypto/ms_funcs.c
      CC  ../src/eap_common/chap.c
      CC  ../src/eap_peer/eap_tls_common.c
      CC  ../src/crypto/tls_openssl.c
      CC  ../src/crypto/tls_openssl_ocsp.c
      CC  ../src/crypto/crypto_openssl.c
      CC  ../src/crypto/aes-siv.c
      CC  ../src/crypto/aes-ctr.c
      CC  ../src/crypto/aes-omac1.c
      CC  ../src/crypto/sha256-kdf.c
      CC  ../src/crypto/sha384-kdf.c
      CC  ../src/crypto/sha512-kdf.c
      CC  ../src/crypto/sha256-prf.c
      CC  ../src/crypto/sha256-tlsprf.c
      CC  ../src/crypto/sha384-prf.c
      CC  ../src/crypto/sha512-prf.c
      CC  ../src/crypto/dh_groups.c
      CC  ../src/crypto/random.c
      CC  ../src/common/ctrl_iface_common.c
      CC  ctrl_iface.c
      CC  ctrl_iface_unix.c
      CC  dbus/dbus_dict_helpers.c
      CC  dbus/dbus_new_helpers.c
    dbus/dbus_new.c: In function ‘wpas_dbus_unregister_p2p_group’:
    dbus/dbus_new.c:4793:3: warning: ‘%s’ directive argument is null [-Wformat-overflow=]
     4793 |   wpa_printf(MSG_DEBUG,
          |   ^~~~~~~~~~~~~~~~~~~~~
     4794 |       "%s: Group object '%s' already unregistered",
          |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     4795 |       __func__, wpa_s->dbus_groupobj_path);
          |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      CC  dbus/dbus_new.c
      CC  dbus/dbus_new_handlers.c
      CC  dbus/dbus_common.c
      CC  dbus/dbus_new_handlers_wps.c
      CC  dbus/dbus_new_handlers_p2p.c
      CC  dbus/dbus_new_introspect.c
      CC  ../src/utils/base64.c
      CC  sme.c
      CC  ../src/common/ieee802_11_common.c
      CC  ../src/common/hw_features_common.c
      CC  ../src/eap_common/eap_common.c
      CC  ../src/crypto/sha1-prf.c
      CC  ../src/crypto/sha1-tprf.c
      CC  ../src/crypto/sha1-tlsprf.c
      CC  bgscan_simple.c
      CC  bgscan.c
      CC  ../src/common/gas_server.c
      CC  ../src/common/gas.c
      CC  gas_query.c
      CC  offchannel.c
      CC  ../src/utils/json.c
      CC  ../src/drivers/driver_common.c
      CC  wpa_supplicant.c
      CC  events.c
      CC  blacklist.c
      CC  wpas_glue.c
      CC  scan.c
      CC  main.c
      CC  ../src/drivers/driver_wired.c
      CC  ../src/drivers/driver_wired_common.c
      CC  ../src/drivers/driver_nl80211.c
      CC  ../src/drivers/driver_nl80211_capa.c
      CC  ../src/drivers/driver_nl80211_event.c
      CC  ../src/drivers/driver_nl80211_monitor.c
      CC  ../src/drivers/driver_nl80211_scan.c
      CC  ../src/drivers/netlink.c
      CC  ../src/drivers/linux_ioctl.c
      CC  ../src/drivers/rfkill.c
      CC  ../src/utils/radiotap.c
      CC  ../src/drivers/driver_wext.c
      CC  ../src/drivers/drivers.c
      CC  ../src/l2_packet/l2_packet_linux.c
      LD  wpa_supplicant
      CC  wpa_cli.c
      CC  ../src/common/wpa_ctrl.c
      CC  ../src/common/cli.c
      CC  ../src/utils/edit_simple.c
      LD  wpa_cli
      CC  wpa_passphrase.c
      LD  wpa_passphrase
    
  8. Install the compiled commands (optional)
    $ make install
    

hostapd compilation

The hostapd is a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and RADIUS authentication server. Following are the steps to download and compiling hostapd from source code

  1. Download latest hostapd
    $ wget http://w1.fi/releases/hostapd-2.9.tar.gz
    
  2. Install required packages
    $ sudo apt install libnl-genl-3-dev libnl-3-dev libdbus-glib-1-dev
    
    below messages indicate that packages are installed successfully
    The following NEW packages will be installed:
      libdbus-glib-1-dev libdbus-glib-1-dev-bin libnl-3-dev libnl-genl-3-dev
    0 upgraded, 4 newly installed, 0 to remove and 4 not upgraded.
    Need to get 212 kB of archives.
    After this operation, 1,235 kB of additional disk space will be used.
    Do you want to continue? [Y/n] 
    Get:1 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libdbus-glib-1-dev-bin amd64 0.110-5fakssync1 [39.5 kB]
    Get:2 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libdbus-glib-1-dev amd64 0.110-5fakssync1 [69.2 kB]
    Get:3 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libnl-3-dev amd64 3.4.0-1 [92.2 kB]
    Get:4 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libnl-genl-3-dev amd64 3.4.0-1 [10.7 kB]
    Fetched 212 kB in 1s (293 kB/s)             
    Selecting previously unselected package libdbus-glib-1-dev-bin.
    (Reading database ... 385264 files and directories currently installed.)
    Preparing to unpack .../libdbus-glib-1-dev-bin_0.110-5fakssync1_amd64.deb ...
    Unpacking libdbus-glib-1-dev-bin (0.110-5fakssync1) ...
    Selecting previously unselected package libdbus-glib-1-dev:amd64.
    Preparing to unpack .../libdbus-glib-1-dev_0.110-5fakssync1_amd64.deb ...
    Unpacking libdbus-glib-1-dev:amd64 (0.110-5fakssync1) ...
    Selecting previously unselected package libnl-3-dev:amd64.
    Preparing to unpack .../libnl-3-dev_3.4.0-1_amd64.deb ...
    Unpacking libnl-3-dev:amd64 (3.4.0-1) ...
    Selecting previously unselected package libnl-genl-3-dev:amd64.
    Preparing to unpack .../libnl-genl-3-dev_3.4.0-1_amd64.deb ...
    Unpacking libnl-genl-3-dev:amd64 (3.4.0-1) ...
    Setting up libdbus-glib-1-dev-bin (0.110-5fakssync1) ...
    Setting up libnl-3-dev:amd64 (3.4.0-1) ...
    Setting up libdbus-glib-1-dev:amd64 (0.110-5fakssync1) ...
    Setting up libnl-genl-3-dev:amd64 (3.4.0-1) ...
    Processing triggers for man-db (2.9.1-1) ...
    
    
  3. Extract the tar file
    $ tar -xzvf hostapd-2.9.tar.gz
    
  4. Go to Hostapd directory
    $ cd hostapd-2.9/hostapd
    
  5. Copy the default configuration into .conf file
    $ cp defconfig .config
    
  6. Enable below configs in .config
    $ vim .config
    
    CONFIG_DRIVER_NL80211=y
    CONFIG_RADIUS_SERVER=y
    CONFIG_TLS=openssl
    CONFIG_EAP=y
    CONFIG_TLSV11=y
    CONFIG_TLSV12=y
    CONFIG_EAP_TLS=y
    CONFIG_EAP_MSCHAPV2=y
    CONFIG_EAP_PEAP=y
    CONFIG_EAP_MD5=y
    CONFIG_EAP_GTC=y
    
  7. Build the Hostapd
    $ make
    

    Below is the list of files compiled based on the features enabled in “.config”

      CC  main.c
      CC  config_file.c
      CC  ../src/ap/hostapd.c
      CC  ../src/ap/wpa_auth_glue.c
      CC  ../src/ap/drv_callbacks.c
      CC  ../src/ap/ap_drv_ops.c
      CC  ../src/ap/utils.c
      CC  ../src/ap/authsrv.c
      CC  ../src/ap/ieee802_1x.c
      CC  ../src/ap/ap_config.c
      CC  ../src/ap/eap_user_db.c
      CC  ../src/ap/ieee802_11_auth.c
      CC  ../src/ap/sta_info.c
      CC  ../src/ap/wpa_auth.c
      CC  ../src/ap/tkip_countermeasures.c
      CC  ../src/ap/ap_mlme.c
      CC  ../src/ap/wpa_auth_ie.c
      CC  ../src/ap/preauth_auth.c
      CC  ../src/ap/pmksa_cache_auth.c
      CC  ../src/ap/ieee802_11_shared.c
      CC  ../src/ap/beacon.c
      CC  ../src/ap/bss_load.c
      CC  ../src/ap/neighbor_db.c
      CC  ../src/ap/rrm.c
      CC  ../src/drivers/drivers.c
      CC  ../src/utils/eloop.c
      CC  ../src/utils/common.c
      CC  ../src/utils/wpa_debug.c
      CC  ../src/utils/wpabuf.c
      CC  ../src/utils/os_unix.c
      CC  ../src/utils/ip_addr.c
      CC  ../src/common/ieee802_11_common.c
      CC  ../src/common/wpa_common.c
      CC  ../src/common/hw_features_common.c
      CC  ../src/eapol_auth/eapol_auth_sm.c
      CC  ../src/eapol_auth/eapol_auth_dump.c
      CC  ../src/radius/radius.c
      CC  ../src/radius/radius_client.c
      CC  ../src/radius/radius_das.c
      CC  ../src/ap/accounting.c
      CC  ../src/ap/vlan_init.c
      CC  ../src/ap/vlan_ifconfig.c
      CC  ../src/ap/vlan.c
      CC  ../src/common/ctrl_iface_common.c
      CC  ctrl_iface.c
      CC  ../src/ap/ctrl_iface_ap.c
      CC  ../src/ap/iapp.c
      CC  ../src/drivers/driver_hostap.c
      CC  ../src/drivers/driver_nl80211.c
      CC  ../src/drivers/driver_nl80211_capa.c
      CC  ../src/drivers/driver_nl80211_event.c
      CC  ../src/drivers/driver_nl80211_monitor.c
      CC  ../src/drivers/driver_nl80211_scan.c
      CC  ../src/drivers/netlink.c
      CC  ../src/drivers/linux_ioctl.c
      CC  ../src/drivers/rfkill.c
      CC  ../src/utils/radiotap.c
      CC  ../src/l2_packet/l2_packet_linux.c
      CC  ../src/eap_server/eap_server_md5.c
      CC  ../src/eap_server/eap_server_tls.c
      CC  ../src/eap_server/eap_server_peap.c
      CC  ../src/eap_common/eap_peap_common.c
      CC  ../src/eap_server/eap_server_ttls.c
      CC  ../src/eap_server/eap_server_mschapv2.c
      CC  ../src/eap_server/eap_server_gtc.c
      CC  eap_register.c
      CC  ../src/eap_server/eap_server.c
      CC  ../src/eap_common/eap_common.c
      CC  ../src/eap_server/eap_server_methods.c
      CC  ../src/eap_server/eap_server_identity.c
      CC  ../src/crypto/ms_funcs.c
      CC  ../src/eap_common/chap.c
      CC  ../src/eap_server/eap_server_tls_common.c
      CC  ../src/crypto/tls_openssl.c
      CC  ../src/crypto/tls_openssl_ocsp.c
      CC  ../src/crypto/crypto_openssl.c
      CC  ../src/crypto/aes-omac1.c
      CC  ../src/crypto/sha1-prf.c
      CC  ../src/crypto/sha1-tlsprf.c
      CC  ../src/crypto/sha256-prf.c
      CC  ../src/crypto/sha256-tlsprf.c
      CC  ../src/crypto/sha256-kdf.c
      CC  ../src/crypto/random.c
      CC  ../src/ap/wmm.c
      CC  ../src/ap/ap_list.c
      CC  ../src/ap/ieee802_11.c
      CC  ../src/ap/hw_features.c
      CC  ../src/ap/dfs.c
      CC  ../src/drivers/driver_common.c
      LD  hostapd
      CC  hostapd_cli.c
      CC  ../src/common/wpa_ctrl.c
      CC  ../src/common/cli.c
      CC  ../src/utils/edit_simple.c
      LD  hostapd_cli
    
    
  8. Install the compiled commands (optional)
    $ make install
    

Radius server compilation

  1. Download latest freeradius source code
    $ wget https://github.com/FreeRADIUS/freeradius-server/archive/v3.0.tar.gz
    
  2. Extract the tar file
    $ tar -zxf freeradius-server-3.0.tar.gz
    
  3. Go to Radius server directory
    $ cd freeradius-server-3.0/
    
  4. Open debian/rules, add this line “–without-rml_sql_iodbc ” above this line “–without-rlm_eap_ikev2 ”
    $ vim debian/rules
    
    ...
    
    --without-rml_sql_iodbc \
    --without-rlm_eap_ikev2 \
    
    ...
    
  5. Configure for compilation
    $ ./configure
    
  6. Install requeired packages as suggested by the result of step 5

  7. Build the Radius server
    $ make
    
  8. Install the compiled commands (optional)
    $ make install
    
  9. Go to Raddb folder (all radius server/client files, certificates and keys will be generated here)
    $ cd /usr/local/etc/raddb
    
  10. open client.conf file and verify localhost client is presnet else add your own client like bellow
    $ sudo vim client.conf
    
    client localhost {
    	ipaddr = 127.0.0.1
    	proto = *
    	secret = testing123
    	require_message_authenticator = no
    	nas_type = other
    	limit {
    		max_connections = 16
    		lifetime = 0
    		idle_timeout = 30
    	}
    }
    
    For External Hostapd create a new client in client.conf like shown in bellow
    
    client 192.168.3.11 {
    	ipaddr = 192.168.3.11
    	secret = AuthPassword
    }
    
  11. open users file and uncomment bellow two lines
    $ sudo vim users
    
    bob   Cleartext-Password := "testing123"
    Reply-Message := "Hello, %{User-Name}"
    
  12. set default_eap_type=tls in eap file located in /usr/local/etc/raddb/mods-enabled/
    $ sudo vim /usr/local/etc/raddb/mods-enabled/eap
    
    default_eap_type=ttls
    
  13. Start radius server
    $ sudo radiusd -X
    

Running hostapd

  1. Check if wifi interface with the name “wlan0” is available. This is created on boot up of the ubuntu machine or by installing wifi driver manually

    $ iwconfig 
    wlan0     IEEE 802.11  ESSID:off/any  
              Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
              Retry short limit:7   RTS thr:off   Fragment thr:off
              Power Management:on
    
    $ iw dev 
    phy#1
    	Interface wlan0
    		ifindex 5
    		wdev 0x100000001
    		addr 02:00:00:00:00:00
    		type managed
    		txpower 20.00 dBm
    
  2. Create a hostapd.conf file in /etc/hostapd/ folder with below content
    $ sudo vim /etc/hostapd/hostapd.conf
    

    Copy below content

    interface=wlan0
    driver=nl80211
    ssid=test_eap_ttls_mschap
    ieee80211n=1
    macaddr_acl=0
    channel=6
    disassoc_low_ack=1
    wmm_enabled=1
    wpa=1
    wpa_key_mgmt=WPA-EAP
    wpa_pairwise=CCMP
    rsn_pairwise=CCMP
    ieee8021x=1
    eap_server=0
    eap_user_file=/etc/hostapd/eap_user
    auth_algs=1
    auth_server_addr=127.0.0.1
    auth_server_port=1812
    auth_server_shared_secret=testing123
    
    #Cerfificates of radius server configuration
    ca_cert=/usr/local/etc/raddb/certs/ca.pem
    server_cert=/usr/local/etc/raddb/certs/server.crt
    private_key=/usr/local/etc/raddb/certs/server.p12
    private_key_passwd=whatever # default password
    
    1. Create a file eap_user in /etc/hostapd/ folder with below content

    $ sudo vim /etc/hostapd/eap_user
    
    # Wildcard for all other identities
    "user"        PEAP
    "tls_user"    TLS
    "gtc"         GTC                     "password"
    "ttls"        TTLS
    *             PEAP,TTLS,TLS
    # Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
    "md5"         MD5                     "password"     [2]
    "chap"        MSCHAPV2                "password"     [2]
    #"t-gtc"      GTC                     "password"     [2]
    "peap"        MSCHAPV2                "password"     [2]
    "gtc"         GTC                     "password"     [2]
    "ttls-MSCHAP" MSCHAP                  "password"     [2]
    "user"        MD5,GTC,MSCHAPV2        "p"            [2]
    "ttls"        TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2    "p"     [2]
    
    1. Make sure that radius server is already running (radiusd -X)

  1. Go to hostapd directory
    $ cd hostapd-2.9/hostapd
    
  2. Run hostapd by issuing follwing command
    $ sudo ./hostapd /etc/hostapd/hostapd.conf
    

    Below log messages are seen on console after running hostapd

    Configuration file: /etc/hostapd/hostapd.conf
    Using interface wlan0 with hwaddr 02:00:00:00:00:00 and ssid "test_eap_ttls_mschap"
    wlan0: interface state UNINITIALIZED->ENABLED
    wlan0: AP-ENABLED 
    
    
    
  3. Mode of “wlan0” interface is now assigned as “AP/Master”. Check this by querying information via iwconfig/iw command

    $ iwconfig 
    wlan0     IEEE 802.11  Mode:Master  Tx-Power=20 dBm   
              Retry short limit:7   RTS thr:off   Fragment thr:off
              Power Management:on
    
    $ iw dev
    phy#1
    	Interface wlan0
    		ifindex 5
    		wdev 0x100000001
    		addr 02:00:00:00:00:00
    		ssid test_eap_ttls_mschapv2
    		type AP
    		channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
    		txpower 20.00 dBm
    

Running wpa_supplicant

METHOD 1: With Network Block in wpa_supplicant.conf file

  1. Check if wifi interface with the name “wlan1” is available. This is created on boot up of the ubuntu machine or by installing wifi driver manually
    $ iwconfig 
    wlan1     IEEE 802.11  ESSID:off/any  
              Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
              Retry short limit:7   RTS thr:off   Fragment thr:off
              Power Management:on
    
    $ iw dev
    phy#2
    	Interface wlan1
    		ifindex 6
    		wdev 0x200000001
    		addr 02:00:00:00:01:00
    		type managed
    		txpower 20.00 dBm
    
  2. Go to wpa_supplicant directory
    $ cd wpa_supplicant-2.9/wpa_supplicant
    
  3. Create wpa_supplicant.conf file with following network block contents

    delete all existing content and copy below content

    ctrl_interface=/run/wpa_supplicant
    update_config=1
    
    network={
    	ssid="test_eap_ttls_mschap"
    	key_mgmt=WPA-EAP
    	proto=WPA
    	eap=TTLS
    	pairwise=CCMP
    	phase2="auth=MSCHAP"
    	identity="bob"
    	password="testing123"
    }
    
  4. Run wpa_supplicant
    $ sudo ./wpa_supplicant -Dnl80211 -i wlan1 -c wpa_supplicant.conf
    

    Below log messages are seen on console after running wpa_supplicant

    Successfully initialized wpa_supplicant
    wlan1: SME: Trying to authenticate with 02:00:00:00:00:00 (SSID='test_eap_ttls_mschap' freq=2437 MHz)
    wlan1: Trying to associate with 02:00:00:00:00:00 (SSID='test_eap_ttls_mschap' freq=2437 MHz)
    wlan1: Associated with 02:00:00:00:00:00
    wlan1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
    wlan1: WPA: Key negotiation completed with 02:00:00:00:00:00 [PTK=CCMP GTK=CCMP]
    wlan1: CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:00:00 completed [id=0 id_str=]
    

    Message “CTRL-EVENT-CONNECTED” indicates that wpa_supplicant(station) is connected to hostapd(ap) successfully

  5. Run wpa_cli and check status in wpa_cli prompt
    $ sudo ./wpa_cli -i wlan1
    >
    > status
    > bssid=02:00:00:00:00:00
    freq=2437
    ssid=test_eap_ttls_mschap
    id=0
    mode=station
    pairwise_cipher=CCMP
    group_cipher=CCMP
    key_mgmt=WPA/IEEE 802.1X/EAP
    wpa_state=COMPLETED
    address=02:00:00:00:01:00
    Supplicant PAE state=AUTHENTICATED
    suppPortStatus=Authorized
    EAP state=SUCCESS
    selectedMethod=21 (EAP-TTLS)
    eap_tls_version=TLSv1.2
    EAP TLS cipher=ECDHE-RSA-AES256-GCM-SHA384
    tls_session_reused=0
    EAP-TTLSv0 Phase2 method=MSCHAP
    eap_session_id=1520f38fdef0e9b674740f2527e5ecb8efc2ed10e238e6f45186d3d990b43815335401e2bb418cb3c50cc2578c229483bbfc3d344319678a30c8d20a7788bf64c6
    uuid=572cf82f-c957-5653-9b16-b5cfb298abf1
    

    Message “wpa_state=COMPLETE” indicates that wpa_supplicant(station) is connected to hostapd(ap) successfully

  6. Mode of “wlan1” interface is now assigned as “Managed” with ssid “test_eap_ttls_mschap”. Check this by querying information via iwconfig/iw command
    $ iwconfig 
    wlan1     IEEE 802.11  ESSID:"test_eap_ttls_mschap"
              Mode:Managed  Frequency:2.437 GHz  Access Point: 02:00:00:00:00:00   
              Bit Rate:54 Mb/s   Tx-Power=20 dBm   
              Retry short limit:7   RTS thr:off   Fragment thr:off
              Power Management:on
              Link Quality=70/70  Signal level=-30 dBm  
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:0   Missed beacon:0
    
    
    
    $ iw dev
    phy#2
    	Interface wlan1
    		ifindex 6
    		wdev 0x200000001
    		addr 02:00:00:00:01:00
    		ssid test_eap_ttls_mschap
    		type managed
    		channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
    		txpower 20.00 dBm
    

METHOD 2: Without Network Block in wpa_supplicant.conf file

  1. Go to wpa_supplicant directory
    $ cd wpa_supplicant-2.9/wpa_supplicant
    
  2. Create wpa_supplicant.conf file without a network block
    $ vim wpa_supplicant.conf  # add the following contents
    ctrl_interface=/run/wpa_supplicant
    update_config=1
    
  3. Run wpa_supplicant without network block in wpa_supplicant.conf file
    $ sudo ./wpa_supplicant -Dnl80211 -i wlan1 -c wpa_supplicant.conf
    
  4. Run wpa_cli to connect to WPA2 network
    $ sudo ./wpa_cli -i wlan1
    >
    > scan
    > scan_result
    > add_network
    > set_network 0 ssid "test_eap_ttls_mschap"
    > set_network 0 key_mgmt WPA-EAP
    > set_network 0 proto WPA
    > set_network 0 eap TTLS
    > set_network 0 phase2 "auth=MSCHAP"
    > set_network 0 identity "bob"
    > set_network 0 password "testing123"
    > enable_network 0
    > status
    > bssid=02:00:00:00:00:00
    freq=2437
    ssid=test_eap_ttls_mschap
    id=0
    mode=station
    pairwise_cipher=CCMP
    group_cipher=CCMP
    key_mgmt=WPA/IEEE 802.1X/EAP
    wpa_state=COMPLETED
    address=02:00:00:00:01:00
    Supplicant PAE state=AUTHENTICATED
    suppPortStatus=Authorized
    EAP state=SUCCESS
    selectedMethod=21 (EAP-TTLS)
    eap_tls_version=TLSv1.2
    EAP TLS cipher=ECDHE-RSA-AES256-GCM-SHA384
    tls_session_reused=0
    EAP-TTLSv0 Phase2 method=MSCHAP
    eap_session_id=1520f38fdef0e9b674740f2527e5ecb8efc2ed10e238e6f45186d3d990b43815335401e2bb418cb3c50cc2578c229483bbfc3d344319678a30c8d20a7788bf64c6
    uuid=572cf82f-c957-5653-9b16-b5cfb298abf1
    

Prerequisite for Hostapd:

  1. eap_user_file is created in section E step 2

  2. ca_cert, server_cert, private_key and private_key_passwd is generated after compiling radius server in section D (RADIUS SERVER compilation step 8)

  3. use above certificate and keys in hostapd.conf

  4. verify that AKM is set to WPA-ENTERPRISE ie “Beacon->Wireless_Managment->tagged_parameter” should not contain RNS INFO field

Prerequisite for WPA_SUPPLICANT:

  1. The identity and password differs from EAP-TLS to EAP-TTLS/MSCHAP

  2. Identity and password is given as part of credentials to radius server (Section D step 11)

Run data traffic

Steps

AP

Station

Step 1 : Assign IP address

$ ifconfig wlan0 192.168.3.1 up
$ ifconfig wlan1 192.168.3.10 up

Step 2 : Check IP address

$ ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.1  netmask 255.255.255.0  broadcast 192.168.3.255
        ether 02:00:00:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 61  bytes 11085 (11.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 130  bytes 25688 (25.6 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
$ ifconfig wlan1
wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.10  netmask 255.255.255.0  broadcast 192.168.3.255
        ether 02:00:00:00:01:00  txqueuelen 1000  (Ethernet)
        RX packets 73  bytes 13119 (13.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 65  bytes 13111 (13.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Step 3 : Check ping

$ ping 192.168.3.10
PING 192.168.3.10 (192.168.3.10) 56(84) bytes of data.
64 bytes from 192.168.3.10: icmp_seq=1 ttl=64 time=0.092 ms
64 bytes from 192.168.3.10: icmp_seq=2 ttl=64 time=0.036 ms
64 bytes from 192.168.3.10: icmp_seq=3 ttl=64 time=0.094 ms
64 bytes from 192.168.3.10: icmp_seq=4 ttl=64 time=0.105 ms
64 bytes from 192.168.3.10: icmp_seq=5 ttl=64 time=0.094 ms

$ ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
64 bytes from 192.168.3.1: icmp_seq=1 ttl=64 time=0.121 ms
64 bytes from 192.168.3.1: icmp_seq=2 ttl=64 time=0.091 ms
64 bytes from 192.168.3.1: icmp_seq=3 ttl=64 time=0.090 ms
64 bytes from 192.168.3.1: icmp_seq=4 ttl=64 time=0.097 ms
64 bytes from 192.168.3.1: icmp_seq=5 ttl=64 time=0.243 ms

Step 4 : Run iperf TCP DL

$ iperf -c 192.168.3.10 -i 1 -t 5
$ iperf -s -i 1

Step 5 : Run iperf TCP UL

$ iperf -s -i 1
$ iperf -c 192.168.3.1 -i 1 -t 5

Step 6 : Run iperf UDP DL

$ iperf -c 192.168.3.10 -u -b 1000M -i 1 -t 5
$ iperf -s -u -i 1 

Step 7 : Run iperf UDP UL

$ iperf -s -u -i 1
$ iperf -c 192.168.3.1 -u -b 1000M -i 1 -t 5