EAP-TTLS/MSCHAP
- (A). EAP-TTLS/MSCHAP:
MS-CHAP is Microsoft's variant of the Challenge-Handshake Authentication Protocol (CHAP). MS-CHAPv1 (RFC 2433) and MS-CHAPv2 (RFC 2759) are authentication options in Microsoft's PPTP VPN implementation and are also accepted as an authentication option by RADIUS servers. The phase-2 method used on this page, "auth=MSCHAP", is MS-CHAPv1: a DES-based challenge/response that can be cracked offline by anyone who captures it and that gives the client no proof of the server's identity. The only thing protecting the credential is the outer EAP-TTLS TLS tunnel, so the station must validate the server certificate before it sends the response.
The following is a representation of the EAP-TTLS/MSCHAP handshake. Frames between the station and hostapd are EAPOL/EAP over 802.11; between hostapd and the RADIUS server the same EAP payloads travel inside RADIUS Access-Request and Access-Challenge packets, labelled below by the EAP/TLS content they carry. The handshake ends with an EAP-Success, after which the 4-way EAPOL key handshake (M1-M4) derives the pairwise keys from the MSK exported by the TLS tunnel.
Radius Server                         Hostapd (AP)                           wpa_supplicant (station)
      |                                     |<<-----------------Auth_Req-----------------|
      |                                     |-----------------Auth_Resp---------------->>|
      |                                     |<<-----------------Assoc_Req----------------|
      |                                     |----------------Assoc_Resp---------------->>|
      |                                     |-------------EAP_Req_Identity------------->>|
      |                                     |<<-------------EAP_Resp_Identity------------|
      |<<---------EAP_Resp_Identity---------|                                            |
      |----------EAP_Req_EAP_TTLS--------->>|                                            |
      |                                     |----------EAP_Req_EAP_TTLS(FWRD)---------->>|
      |                                     |<<-------------TLSv1.2_CLI_HELLO------------|
      |<<------TLSv1.2_CLI_HELLO(FWRD)------|                                            |
      |----------EAP_Req_EAP_TTLS--------->>|                                            |
      |                                     |----------EAP_Req_EAP_TTLS(FWRD)---------->>|
      |                                     |<<-------------EAP_Resp_EAP_TTLS------------|
      |<<------EAP_Resp_EAP_TTLS(FWRD)------|                                            |
      |----------EAP_Req_EAP_TTLS--------->>|                                            |
      |                                     |----------EAP_Req_EAP_TTLS(FWRD)---------->>|
      |                                     |<<-------------EAP_Resp_EAP_TTLS------------|
      |<<------EAP_Resp_EAP_TTLS(FWRD)------|                                            |
      |-----TLSv1.2_SERV_CERT_KEY_EXG----->>|                                            |
      |                                     |------TLSv1.2_SERV_CERT_KEY_EXG(FWRD)----->>|
      |                                     |<<---------TLSv1.2_CLI_CERT_KEY_EXG---------|
      |<<---TLSv1.2_CLI_CERT_KEY_EXG(FWRD)--|                                            |
      |------TLSv1.2_CHG_CIPHER_SPEC------>>|                                            |
      |                                     |-------TLSv1.2_CHG_CIPHER_SPEC(FWRD)------>>|
      |                                     |<<---------TLSv1.2_APPLICATION_DATA---------|
      |<<---TLSv1.2_APPLICATION_DATA(FWRD)--|                                            |
      |------------EAP_Success------------>>|                                            |
      |                                     |-------------EAP_Success(FWRD)------------>>|
      |                                     |-----------------EAPOL-M1----------------->>|
      |                                     |<<-----------------EAPOL-M2-----------------|
      |                                     |-----------------EAPOL-M3----------------->>|
      |                                     |<<-----------------EAPOL-M4-----------------|
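The TLSv1.2_APPLICATION_DATA record in the diagram is where the MS-CHAP credential actually travels: inside the tunnel, EAP-TTLS carries RADIUS-style attributes as Diameter AVPs (RFC 5281 section 10), and for MS-CHAP the client sends User-Name, a Microsoft vendor-specific MS-CHAP-Challenge and an MS-CHAP-Response in a single message (RFC 5281 section 11.2.3, attribute layout from RFC 2548). The block below is an added example, not code from this page, hostapd, wpa_supplicant or FreeRADIUS; it encodes and parses that phase-2 message. The challenge, ident and response bytes are constructed placeholders (real ones are derived from the TLS keying material and the NT password hash), so it demonstrates the framing, and what a rogue AP would be holding if the station did not validate the server certificate, not the MS-CHAP arithmetic itself.

```python
"""EAP-TTLS phase 2 AVP framing for MS-CHAP (RFC 5281 sections 10, 11.2.3; RFC 2548).

Added example, not part of the page or of the tools it uses. Challenge, ident and
response values used here are constructed placeholders.
"""
import struct
from typing import List, NamedTuple, Optional

VENDOR_MICROSOFT = 311
AVP_USER_NAME = 1            # RADIUS User-Name, no Vendor-ID
MS_CHAP_RESPONSE = 1         # Microsoft vendor type 1 (RFC 2548 2.1.3)
MS_CHAP_CHALLENGE = 11       # Microsoft vendor type 11 (RFC 2548 2.1.4)
FLAG_V, FLAG_M = 0x80, 0x40  # Vendor-ID present, Mandatory


class AVP(NamedTuple):
    vendor: Optional[int]
    code: int
    mandatory: bool
    data: bytes


def encode_avp(code: int, data: bytes, vendor: Optional[int] = None, mandatory: bool = True) -> bytes:
    """AVP = Code(4) Flags(1) Length(3) [Vendor-ID(4)] Data, zero-padded to a 4-octet
    boundary. Length covers header and data but not the padding."""
    flags = (FLAG_V if vendor is not None else 0) | (FLAG_M if mandatory else 0)
    header_len = 12 if vendor is not None else 8
    length = header_len + len(data)
    if length >= 1 << 24:
        raise ValueError("AVP too long for a 24-bit length")
    out = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    if vendor is not None:
        out += struct.pack("!I", vendor)
    return out + data + bytes((-length) % 4)


def decode_avps(buf: bytes) -> List[AVP]:
    """Parse a run of AVPs. Truncated headers and lengths that point past the record
    are rejected instead of being read; trusting Length is the classic parser bug."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header at offset %d" % off)
        code = struct.unpack_from("!I", buf, off)[0]
        flags = buf[off + 4]
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        header_len = 12 if flags & FLAG_V else 8
        if length < header_len or off + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, off))
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if flags & FLAG_V else None
        avps.append(AVP(vendor, code, bool(flags & FLAG_M), buf[off + header_len:off + length]))
        off += length + (-length) % 4
    return avps


def build_mschap_phase2(user: str, challenge: bytes, ident: int,
                        nt_response: bytes, lm_response: bytes = bytes(24)) -> bytes:
    """The single client->server phase-2 message of EAP-TTLS/MS-CHAP. MS-CHAP-Response
    data is Ident(1) Flags(1) LM-Response(24) NT-Response(24); Flags=1 means
    'use the NT-Response'. MS-CHAPv1 uses an 8-octet challenge."""
    if len(challenge) != 8 or len(nt_response) != 24 or len(lm_response) != 24:
        raise ValueError("MS-CHAPv1 needs an 8-byte challenge and 24-byte responses")
    response = bytes([ident & 0xFF, 1]) + lm_response + nt_response
    return (encode_avp(AVP_USER_NAME, user.encode())
            + encode_avp(MS_CHAP_CHALLENGE, challenge, VENDOR_MICROSOFT)
            + encode_avp(MS_CHAP_RESPONSE, response, VENDOR_MICROSOFT))


def mschap_fields(avps: List[AVP]) -> dict:
    """What the tunnel endpoint sees: username, challenge and the DES-based response,
    i.e. everything needed for an offline dictionary attack on the password."""
    by_key = {(a.vendor, a.code): a.data for a in avps}
    resp = by_key[(VENDOR_MICROSOFT, MS_CHAP_RESPONSE)]
    return {
        "user": by_key[(None, AVP_USER_NAME)].decode(),
        "challenge": by_key[(VENDOR_MICROSOFT, MS_CHAP_CHALLENGE)],
        "ident": resp[0],
        "use_nt": resp[1] == 1,
        "lm_response": resp[2:26],
        "nt_response": resp[26:50],
    }


if __name__ == "__main__":
    # Constructed values: 8-byte challenge 00..07, ident 0x2A, NT-Response of 0xAA bytes
    blob = build_mschap_phase2("bob", bytes(range(8)), 0x2A, bytes([0xAA]) * 24)
    for a in decode_avps(blob):
        print(a.vendor, a.code, a.mandatory, a.data.hex())
    print(mschap_fields(decode_avps(blob)))
```

Note that the response AVP is the only secret-bearing item, and nothing in it authenticates the server to the client; that is why the page's station configuration must pin the RADIUS server certificate (see the wpa_supplicant section).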
Test bed
In order to execute the practical example below, two Linux machines running Ubuntu >= 16.04 are needed.
- Check the Ubuntu version on your machine. The version used on this site is 20.04
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:        20.04
Codename:       focal
wpa_supplicant compilation
wpa_supplicant is the daemon that runs on client stations. It implements WPA key negotiation with a WPA Authenticator and EAP authentication with an Authentication Server; in addition it controls roaming and IEEE 802.11 authentication/association of the wireless LAN driver. The following are the steps to download and compile wpa_supplicant from source
- Download latest wpa_supplicant
$ wget https://w1.fi/releases/wpa_supplicant-2.9.tar.gz
- Install the required packages (libssl-dev is also needed for CONFIG_TLS=openssl if it is not already present)
$ sudo apt install libnl-genl-3-dev libnl-3-dev libdbus-glib-1-dev
Messages like the following indicate that the packages were installed successfully
The following NEW packages will be installed:
  libdbus-glib-1-dev libdbus-glib-1-dev-bin libnl-3-dev libnl-genl-3-dev
0 upgraded, 4 newly installed, 0 to remove and 4 not upgraded.
Need to get 212 kB of archives.
After this operation, 1,235 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libdbus-glib-1-dev-bin amd64 0.110-5fakssync1 [39.5 kB]
Get:2 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libdbus-glib-1-dev amd64 0.110-5fakssync1 [69.2 kB]
Get:3 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libnl-3-dev amd64 3.4.0-1 [92.2 kB]
Get:4 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libnl-genl-3-dev amd64 3.4.0-1 [10.7 kB]
Fetched 212 kB in 1s (293 kB/s)
Selecting previously unselected package libdbus-glib-1-dev-bin.
(Reading database ... 385264 files and directories currently installed.)
Preparing to unpack .../libdbus-glib-1-dev-bin_0.110-5fakssync1_amd64.deb ...
Unpacking libdbus-glib-1-dev-bin (0.110-5fakssync1) ...
Selecting previously unselected package libdbus-glib-1-dev:amd64.
Preparing to unpack .../libdbus-glib-1-dev_0.110-5fakssync1_amd64.deb ...
Unpacking libdbus-glib-1-dev:amd64 (0.110-5fakssync1) ...
Selecting previously unselected package libnl-3-dev:amd64.
Preparing to unpack .../libnl-3-dev_3.4.0-1_amd64.deb ...
Unpacking libnl-3-dev:amd64 (3.4.0-1) ...
Selecting previously unselected package libnl-genl-3-dev:amd64.
Preparing to unpack .../libnl-genl-3-dev_3.4.0-1_amd64.deb ...
Unpacking libnl-genl-3-dev:amd64 (3.4.0-1) ...
Setting up libdbus-glib-1-dev-bin (0.110-5fakssync1) ...
Setting up libnl-3-dev:amd64 (3.4.0-1) ...
Setting up libdbus-glib-1-dev:amd64 (0.110-5fakssync1) ...
Setting up libnl-genl-3-dev:amd64 (3.4.0-1) ...
Processing triggers for man-db (2.9.1-1) ...
- Extract the tar file
$ tar -xvf wpa_supplicant-2.9.tar.gz
- Go to wpa_supplicant directory
$ cd wpa_supplicant-2.9/wpa_supplicant
- Copy the default configuration into .conf file
$ cp defconfig .config
- Enable the configs below in .config. CONFIG_EAP_TTLS=y is what this page actually exercises; it and most of the other entries are already on in defconfig, so check for an existing (possibly commented) line rather than appending a duplicate
$ vim .config
CONFIG_DRIVER_NL80211=y
CONFIG_RADIUS_SERVER=y
CONFIG_TLS=openssl
CONFIG_EAP=y
CONFIG_TLSV11=y
CONFIG_TLSV12=y
CONFIG_EAP_TLS=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_MD5=y
CONFIG_EAP_GTC=y
- Build wpa_supplicant
$ make
The build prints one CC line per source file selected in .config. The full list runs to a few hundred files and is abbreviated here with "..."; the EAP-TTLS/MSCHAP pieces worth checking for, and the final link steps, are shown
  CC  config.c
  CC  notify.c
  CC  bss.c
  CC  eap_register.c
  ...
  CC  ../src/eap_peer/eap_tls.c
  CC  ../src/eap_peer/eap_peap.c
  CC  ../src/eap_common/eap_peap_common.c
  CC  ../src/eap_peer/eap_ttls.c
  CC  ../src/eap_peer/eap_md5.c
  CC  ../src/eap_peer/eap_mschapv2.c
  CC  ../src/eap_peer/mschapv2.c
  CC  ../src/eap_peer/eap_gtc.c
  ...
  CC  ../src/eapol_supp/eapol_supp_sm.c
  CC  ../src/eap_peer/eap.c
  CC  ../src/eap_peer/eap_methods.c
  ...
  CC  ../src/crypto/ms_funcs.c
  CC  ../src/eap_common/chap.c
  CC  ../src/eap_peer/eap_tls_common.c
  CC  ../src/crypto/tls_openssl.c
  CC  ../src/crypto/tls_openssl_ocsp.c
  CC  ../src/crypto/crypto_openssl.c
  ...
  CC  dbus/dbus_new_helpers.c
dbus/dbus_new.c: In function ‘wpas_dbus_unregister_p2p_group’:
dbus/dbus_new.c:4793:3: warning: ‘%s’ directive argument is null [-Wformat-overflow=]
 4793 |   wpa_printf(MSG_DEBUG,
      |   ^~~~~~~~~~~~~~~~~~~~~
 4794 |              "%s: Group object '%s' already unregistered",
      |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 4795 |              __func__, wpa_s->dbus_groupobj_path);
      |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  CC  dbus/dbus_new.c
  ...
  CC  ../src/l2_packet/l2_packet_linux.c
  LD  wpa_supplicant
  CC  wpa_cli.c
  CC  ../src/common/wpa_ctrl.c
  CC  ../src/common/cli.c
  CC  ../src/utils/edit_simple.c
  LD  wpa_cli
  CC  wpa_passphrase.c
  LD  wpa_passphrase
The -Wformat-overflow warning in dbus_new.c is a compiler diagnostic only; the build completes and links wpa_supplicant, wpa_cli and wpa_passphrase.
- Install the compiled commands (optional)
$ make install
hostapd compilation
hostapd is a user-space daemon for access points and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators, a RADIUS client, an EAP server and a RADIUS authentication server. On this page it acts as the 802.1X Authenticator and RADIUS client only; EAP is terminated on FreeRADIUS. The following are the steps to download and compile hostapd from source
- Download latest hostapd
$ wget http://w1.fi/releases/hostapd-2.9.tar.gz
- Install the required packages (the same set as for wpa_supplicant, plus libssl-dev for CONFIG_TLS=openssl). If wpa_supplicant was built on this machine they are already installed and apt reports them as such
$ sudo apt install libnl-genl-3-dev libnl-3-dev libdbus-glib-1-dev
- Extract the tar file
$ tar -xzvf hostapd-2.9.tar.gz
- Go to Hostapd directory
$ cd hostapd-2.9/hostapd
- Copy the default configuration into .conf file
$ cp defconfig .config
- Enable the configs below in .config. CONFIG_EAP_TTLS=y is what this page exercises and, like most entries below, is already on in defconfig; check for an existing line before appending
$ vim .config
CONFIG_DRIVER_NL80211=y
CONFIG_RADIUS_SERVER=y
CONFIG_TLS=openssl
CONFIG_EAP=y
CONFIG_TLSV11=y
CONFIG_TLSV12=y
CONFIG_EAP_TLS=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_MD5=y
CONFIG_EAP_GTC=y
- Build hostapd
$ make
As for wpa_supplicant, one CC line is printed per source file selected in .config. The list is abbreviated here with "..."; the RADIUS client and EAP server pieces relevant to this page, and the final link steps, are shown
  CC  main.c
  CC  config_file.c
  CC  ../src/ap/hostapd.c
  CC  ../src/ap/wpa_auth_glue.c
  ...
  CC  ../src/ap/ieee802_1x.c
  ...
  CC  ../src/eapol_auth/eapol_auth_sm.c
  CC  ../src/eapol_auth/eapol_auth_dump.c
  CC  ../src/radius/radius.c
  CC  ../src/radius/radius_client.c
  CC  ../src/radius/radius_das.c
  ...
  CC  ../src/eap_server/eap_server_md5.c
  CC  ../src/eap_server/eap_server_tls.c
  CC  ../src/eap_server/eap_server_peap.c
  CC  ../src/eap_common/eap_peap_common.c
  CC  ../src/eap_server/eap_server_ttls.c
  CC  ../src/eap_server/eap_server_mschapv2.c
  CC  ../src/eap_server/eap_server_gtc.c
  CC  eap_register.c
  CC  ../src/eap_server/eap_server.c
  CC  ../src/eap_common/eap_common.c
  CC  ../src/eap_server/eap_server_methods.c
  CC  ../src/eap_server/eap_server_identity.c
  CC  ../src/crypto/ms_funcs.c
  CC  ../src/eap_common/chap.c
  CC  ../src/eap_server/eap_server_tls_common.c
  CC  ../src/crypto/tls_openssl.c
  CC  ../src/crypto/tls_openssl_ocsp.c
  CC  ../src/crypto/crypto_openssl.c
  ...
  CC  ../src/drivers/driver_common.c
  LD  hostapd
  CC  hostapd_cli.c
  CC  ../src/common/wpa_ctrl.c
  CC  ../src/common/cli.c
  CC  ../src/utils/edit_simple.c
  LD  hostapd_cli
With eap_server=0 (used below) hostapd only exercises the radius_client.c path; the eap_server_* files are used when hostapd's built-in EAP server is enabled.
- Install the compiled commands (optional)
$ make install
Radius server compilation
- Download latest freeradius source code
$ wget -O freeradius-server-3.0.tar.gz https://github.com/FreeRADIUS/freeradius-server/archive/v3.0.tar.gz
- Extract the tar file
$ tar -zxf freeradius-server-3.0.tar.gz
- Go to Radius server directory
$ cd freeradius-server-3.0/
- Editing debian/rules only affects a Debian package build (dpkg-buildpackage); the plain ./configure build used here does not read it. If you do build the package, add "--without-rlm_sql_iodbc \" above "--without-rlm_eap_ikev2 \" (the module is rlm_sql_iodbc, not rml_)
$ vim debian/rules
...
        --without-rlm_sql_iodbc \
        --without-rlm_eap_ikev2 \
...
- Configure for compilation, skipping the same module on the command line. If configure stops on a missing library, install the -dev package it names (libtalloc-dev and libssl-dev are the usual ones on Ubuntu) and re-run it
$ ./configure --without-rlm_sql_iodbc
- Build the Radius server
$ make
- Install the compiled commands (optional)
$ make install
- Go to the raddb folder (all RADIUS server/client configuration files, certificates and keys are generated here)
$ cd /usr/local/etc/raddb
- Open clients.conf and verify that the localhost client is present; otherwise add your own client like the one below. The shared secret is the only thing authenticating hostapd to the RADIUS server, so "testing123" is for this lab only. For hostapd clients, require_message_authenticator = yes is the safer setting: every Access-Request that carries EAP-Message must include a Message-Authenticator (RFC 3579), and requiring it makes the server drop requests forged by anyone who does not hold the secret
$ sudo vim clients.conf
client localhost {
        ipaddr = 127.0.0.1
        proto = *
        secret = testing123
        require_message_authenticator = no
        nas_type = other
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}
For an external hostapd create a new client in clients.conf like the one shown below
client 192.168.3.11 {
        ipaddr = 192.168.3.11
        secret = AuthPassword
}
- Open the users file and uncomment the two lines below. MS-CHAP is a challenge/response method, so the server needs bob's cleartext password (or the NT hash); a one-way salted hash such as Crypt-Password cannot be used with it
$ sudo vim users
bob     Cleartext-Password := "testing123"
        Reply-Message := "Hello, %{User-Name}"
- Set default_eap_type = ttls in the eap module configuration in /usr/local/etc/raddb/mods-enabled/, so that the server proposes EAP-TTLS when the station's Identity response arrives
$ sudo vim /usr/local/etc/raddb/mods-enabled/eap
default_eap_type = ttls
- Start the RADIUS server in the foreground with full debug output (-X). The debug log prints the attributes of every request, including the authentication attributes, so run it this way only in a lab
$ sudo radiusd -X
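The shared secret configured in clients.conf above (and repeated as auth_server_shared_secret in hostapd.conf below) never crosses the wire; it keys two checks. The block below is an added example, not code from this page, hostapd or FreeRADIUS: it builds an Access-Request carrying an EAP-Message with the HMAC-MD5 Message-Authenticator that RFC 3579 requires (the attribute that require_message_authenticator = yes enforces), verifies it the way the server does, and computes the Response Authenticator with which hostapd checks that an Access-Accept came from the server holding the secret. The secret, identifier, NAS address and EAP Identity payload are constructed lab values.

```python
"""RADIUS Access-Request / Access-Accept authenticators (RFC 2865, RFC 2869, RFC 3579).

Added example, not part of the page, hostapd or FreeRADIUS. All values are
constructed lab data.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator

# Constructed EAP Response/Identity for "bob": code 2, id 1, length 8, type 1 (Identity)
EAP_RESP_IDENTITY = bytes([2, 1, 0, 8, 1]) + b"bob"


def attr(type_: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length, Value (Length counts the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("value too long for a single RADIUS attribute")
    return bytes((type_, len(value) + 2)) + value


def build_access_request(secret: bytes, ident: int, user: str, eap: bytes,
                         request_auth: Optional[bytes] = None,
                         with_message_authenticator: bool = True) -> bytes:
    """Message-Authenticator = HMAC-MD5(secret, whole packet with the attribute's own
    16 value octets set to zero). It is placed last here so it is easy to patch in."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IP_ADDRESS, bytes([127, 0, 0, 1]))
             + attr(EAP_MESSAGE, eap))
    if with_message_authenticator:
        attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder
    pkt = HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(attrs), request_auth) + attrs
    if with_message_authenticator:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """Server-side check. A missing attribute returns False, which is exactly the
    case require_message_authenticator = yes turns into a rejected request."""
    if len(pkt) < HEADER.size:
        return False
    _code, _ident, length, _auth = HEADER.unpack_from(pkt)
    if length != len(pkt):
        return False
    off, ma_off = HEADER.size, None
    while off < len(pkt):  # walk the TLVs, refusing impossible lengths
        if off + 2 > len(pkt):
            return False
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > len(pkt):
            return False
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            ma_off = off + 2
        off += l
    if ma_off is None:
        return False
    zeroed = pkt[:ma_off] + bytes(16) + pkt[ma_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[ma_off:ma_off + 16])


def build_response(secret: bytes, request: bytes, code: int, attrs: bytes = b"") -> bytes:
    """Access-Accept/Reject. Response Authenticator = MD5(Code + ID + Length +
    RequestAuthenticator + Attributes + Secret); it binds the answer to one request."""
    _, ident, _, req_auth = HEADER.unpack_from(request)
    length = HEADER.size + len(attrs)
    resp_auth = hashlib.md5(HEADER.pack(code, ident, length, req_auth) + attrs + secret).digest()
    return HEADER.pack(code, ident, length, resp_auth) + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """NAS-side (hostapd) check of a reply against the request it sent."""
    code, ident, length, resp_auth = HEADER.unpack_from(response)
    _, req_ident, _, req_auth = HEADER.unpack_from(request)
    if ident != req_ident or length != len(response):
        return False
    attrs = response[HEADER.size:]
    expected = hashlib.md5(HEADER.pack(code, ident, length, req_auth) + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret = b"testing123"  # the lab secret from clients.conf / hostapd.conf
    req = build_access_request(secret, 7, "bob", EAP_RESP_IDENTITY)
    print("request verifies     :", verify_message_authenticator(secret, req))
    print("wrong secret         :", verify_message_authenticator(b"guess", req))
    accept = build_response(secret, req, ACCESS_ACCEPT)
    print("accept verifies      :", verify_response(secret, req, accept))
    print("forged accept        :", verify_response(secret, req, build_response(b"guess", req, ACCESS_ACCEPT)))
```

Both checks are only as strong as the secret: HMAC-MD5 and the MD5-based Response Authenticator are fine against forgery, but a short or guessable shared secret can be brute-forced offline from one captured exchange, which is why the "testing123" and "AuthPassword" values above belong to the lab only.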
Running hostapd
Check that a Wi-Fi interface named "wlan0" is available. It is created at boot or when a Wi-Fi driver is loaded manually
$ iwconfig
wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
$ iw dev
phy#1
        Interface wlan0
                ifindex 5
                wdev 0x100000001
                addr 02:00:00:00:00:00
                type managed
                txpower 20.00 dBm
- Create a hostapd.conf file in the /etc/hostapd/ folder with the content below. Two points about it: wpa=1 advertises WPA (version 1, WPA IE only, no RSN IE), which matches the proto=WPA used in the station configuration on this page, whereas a real deployment should use wpa=2 (RSN/WPA2); and with eap_server=0 hostapd forwards EAP to the external RADIUS server, so the ca_cert/server_cert/private_key lines are read only by hostapd's built-in EAP server and are ignored here (FreeRADIUS uses the same files for the TLS handshake). hostapd does not accept trailing comments on a value line, so the password comment is placed on its own line
$ sudo vim /etc/hostapd/hostapd.conf
Copy the content below
interface=wlan0
driver=nl80211
ssid=test_eap_ttls_mschap
ieee80211n=1
macaddr_acl=0
channel=6
disassoc_low_ack=1
wmm_enabled=1
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=0
eap_user_file=/etc/hostapd/eap_user
auth_algs=1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
# Certificates of the RADIUS server (used only when eap_server=1)
ca_cert=/usr/local/etc/raddb/certs/ca.pem
server_cert=/usr/local/etc/raddb/certs/server.crt
private_key=/usr/local/etc/raddb/certs/server.p12
# default password of the FreeRADIUS sample certificates
private_key_passwd=whatever
Create a file eap_user in the /etc/hostapd/ folder with the content below. It is read only when hostapd's built-in EAP server is enabled (eap_server=1); it is kept here so the same AP can be switched away from the external RADIUS server
$ sudo vim /etc/hostapd/eap_user
# Phase 1 users
"user"          PEAP
"tls_user"      TLS
"gtc"           GTC             "password"
"ttls"          TTLS
# Wildcard for all other identities
*               PEAP,TTLS,TLS
# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
"md5"           MD5             "password"      [2]
"chap"          MSCHAPV2        "password"      [2]
#"t-gtc"        GTC             "password"      [2]
"peap"          MSCHAPV2        "password"      [2]
"gtc"           GTC             "password"      [2]
"ttls-MSCHAP"   MSCHAP          "password"      [2]
"user"          MD5,GTC,MSCHAPV2 "p"            [2]
"ttls"          TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "p" [2]
Make sure that radius server is already running (radiusd -X)
- Go to hostapd directory
$ cd hostapd-2.9/hostapd
- Run hostapd by issuing follwing command
$ sudo ./hostapd /etc/hostapd/hostapd.conf
The log messages below are seen on the console after running hostapd
Configuration file: /etc/hostapd/hostapd.conf
Using interface wlan0 with hwaddr 02:00:00:00:00:00 and ssid "test_eap_ttls_mschap"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED
The mode of the "wlan0" interface is now "AP/Master". Check this by querying the interface with iwconfig/iw
$ iwconfig
wlan0     IEEE 802.11  Mode:Master  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
$ iw dev
phy#1
        Interface wlan0
                ifindex 5
                wdev 0x100000001
                addr 02:00:00:00:00:00
                ssid test_eap_ttls_mschap
                type AP
                channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
                txpower 20.00 dBm
Running wpa_supplicant
METHOD 1: With Network Block in wpa_supplicant.conf file
- Check that a Wi-Fi interface named "wlan1" is available. It is created at boot or when a Wi-Fi driver is loaded manually
$ iwconfig
wlan1     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
$ iw dev
phy#2
        Interface wlan1
                ifindex 6
                wdev 0x200000001
                addr 02:00:00:00:01:00
                type managed
                txpower 20.00 dBm
- Go to the wpa_supplicant directory
$ cd wpa_supplicant-2.9/wpa_supplicant
- Create a wpa_supplicant.conf file with the following network block. Delete any existing content and copy the content below. Note that this minimal lab block has no ca_cert, so the station accepts any server certificate: a rogue AP announcing the same SSID can complete the TLS tunnel, receive bob's MS-CHAP challenge/response and crack the password offline. Outside a lab, add ca_cert (the CA that issued the RADIUS server certificate, copied to the station) together with domain_suffix_match or altsubject_match for the server certificate's name, so the tunnel is only built to the real server
ctrl_interface=/run/wpa_supplicant
update_config=1
network={
        ssid="test_eap_ttls_mschap"
        key_mgmt=WPA-EAP
        proto=WPA
        eap=TTLS
        pairwise=CCMP
        phase2="auth=MSCHAP"
        identity="bob"
        password="testing123"
}
- Run wpa_supplicant
$ sudo ./wpa_supplicant -Dnl80211 -i wlan1 -c wpa_supplicant.conf
The log messages below are seen on the console after running wpa_supplicant
Successfully initialized wpa_supplicant
wlan1: SME: Trying to authenticate with 02:00:00:00:00:00 (SSID='test_eap_ttls_mschap' freq=2437 MHz)
wlan1: Trying to associate with 02:00:00:00:00:00 (SSID='test_eap_ttls_mschap' freq=2437 MHz)
wlan1: Associated with 02:00:00:00:00:00
wlan1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan1: WPA: Key negotiation completed with 02:00:00:00:00:00 [PTK=CCMP GTK=CCMP]
wlan1: CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:00:00 completed [id=0 id_str=]
The message "CTRL-EVENT-CONNECTED" indicates that wpa_supplicant (station) has connected to hostapd (AP) successfully
- Run wpa_cli and check the status at the wpa_cli prompt
$ sudo ./wpa_cli -i wlan1
> status
bssid=02:00:00:00:00:00
freq=2437
ssid=test_eap_ttls_mschap
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA/IEEE 802.1X/EAP
wpa_state=COMPLETED
address=02:00:00:00:01:00
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=21 (EAP-TTLS)
eap_tls_version=TLSv1.2
EAP TLS cipher=ECDHE-RSA-AES256-GCM-SHA384
tls_session_reused=0
EAP-TTLSv0 Phase2 method=MSCHAP
eap_session_id=1520f38fdef0e9b674740f2527e5ecb8efc2ed10e238e6f45186d3d990b43815335401e2bb418cb3c50cc2578c229483bbfc3d344319678a30c8d20a7788bf64c6
uuid=572cf82f-c957-5653-9b16-b5cfb298abf1
"wpa_state=COMPLETED" indicates that wpa_supplicant (station) is connected to hostapd (AP) successfully; "eap_tls_version=TLSv1.2" and "Phase2 method=MSCHAP" confirm that the MS-CHAP exchange ran inside a TLS 1.2 tunnel
- The mode of the "wlan1" interface is now "Managed" with ssid "test_eap_ttls_mschap". Check this by querying the interface with iwconfig/iw
$ iwconfig
wlan1     IEEE 802.11  ESSID:"test_eap_ttls_mschap"
          Mode:Managed  Frequency:2.437 GHz  Access Point: 02:00:00:00:00:00
          Bit Rate:54 Mb/s   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
          Link Quality=70/70  Signal level=-30 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
$ iw dev
phy#2
        Interface wlan1
                ifindex 6
                wdev 0x200000001
                addr 02:00:00:00:01:00
                ssid test_eap_ttls_mschap
                type managed
                channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
                txpower 20.00 dBm
METHOD 2: Without Network Block in wpa_supplicant.conf file
- Go to wpa_supplicant directory
$ cd wpa_supplicant-2.9/wpa_supplicant
- Create a wpa_supplicant.conf file without a network block
$ vim wpa_supplicant.conf
# add the following contents
ctrl_interface=/run/wpa_supplicant
update_config=1
- Run wpa_supplicant without network block in wpa_supplicant.conf file
$ sudo ./wpa_supplicant -Dnl80211 -i wlan1 -c wpa_supplicant.conf
- Run wpa_cli and add the network interactively. The same caveat as in METHOD 1 applies: without set_network 0 ca_cert and a domain_suffix_match/altsubject_match, the station does not validate the RADIUS server and will hand its MS-CHAP response to any AP with this SSID
$ sudo ./wpa_cli -i wlan1
> scan
> scan_result
> add_network
> set_network 0 ssid "test_eap_ttls_mschap"
> set_network 0 key_mgmt WPA-EAP
> set_network 0 proto WPA
> set_network 0 eap TTLS
> set_network 0 phase2 "auth=MSCHAP"
> set_network 0 identity "bob"
> set_network 0 password "testing123"
> enable_network 0
> status
bssid=02:00:00:00:00:00
freq=2437
ssid=test_eap_ttls_mschap
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA/IEEE 802.1X/EAP
wpa_state=COMPLETED
address=02:00:00:00:01:00
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=21 (EAP-TTLS)
eap_tls_version=TLSv1.2
EAP TLS cipher=ECDHE-RSA-AES256-GCM-SHA384
tls_session_reused=0
EAP-TTLSv0 Phase2 method=MSCHAP
eap_session_id=1520f38fdef0e9b674740f2527e5ecb8efc2ed10e238e6f45186d3d990b43815335401e2bb418cb3c50cc2578c229483bbfc3d344319678a30c8d20a7788bf64c6
uuid=572cf82f-c957-5653-9b16-b5cfb298abf1
Prerequisite for hostapd:
- eap_user_file is created in section E step 2
- ca_cert, server_cert, private_key and private_key_passwd are generated when the RADIUS server is installed in section D (RADIUS server compilation step 8); they are referenced in hostapd.conf but only used when hostapd's built-in EAP server is enabled
- verify that the AKM is WPA-Enterprise: the beacon's tagged parameters (Beacon -> Wireless Management -> Tagged parameters) carry a vendor-specific WPA IE with the 802.1X AKM and, because wpa=1 is configured, no RSN IE
Prerequisite for wpa_supplicant:
- The identity and password differ from EAP-TLS: EAP-TTLS/MSCHAP authenticates the user with a username and password inside the tunnel instead of a client certificate
- Identity and password are the credentials configured for bob on the RADIUS server in the users file (Section D step 11)
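Because the safety of the MS-CHAP credential depends entirely on a handful of station-side settings (ca_cert, a server name match, the inner method, the protocol generation, and whether the cleartext password sits in the config file), a quick check of wpa_supplicant.conf is worth automating. The block below is an added example, not code from this page or from wpa_supplicant: it parses network={...} blocks and reports those settings. The two embedded blocks are constructed samples; the first is the lab configuration from this page, the second shows the hardened form, in which the CA path, server name and NT-hash value (password=hash:<32 hex digits>, a form wpa_supplicant accepts for MS-CHAP methods) are placeholders.

```python
"""Checker for EAP-TTLS / PEAP network blocks in wpa_supplicant.conf.

Added example, not part of the page or of wpa_supplicant. SAMPLE_CONF is
constructed; the CA path, server name and hash in the second block are placeholders.
"""
import re
from typing import Dict, List

SAMPLE_CONF = """
ctrl_interface=/run/wpa_supplicant
update_config=1

network={
        ssid="test_eap_ttls_mschap"
        key_mgmt=WPA-EAP
        proto=WPA
        eap=TTLS
        pairwise=CCMP
        phase2="auth=MSCHAP"
        identity="bob"
        password="testing123"
}

network={
        ssid="corp_eap_ttls"
        key_mgmt=WPA-EAP
        proto=RSN
        eap=TTLS
        pairwise=CCMP
        phase2="auth=MSCHAPV2"
        identity="bob"
        password=hash:5e8a8e7e2e1d6e8b1c0a4a3c2b1f0e9d
        ca_cert="/etc/cert/lab-ca.pem"
        domain_suffix_match="radius.example.org"
}
"""

# Inner methods that send a password or a password-derived response: safe only inside a validated tunnel
WEAK_INNER = {"PAP", "CHAP", "MSCHAP", "MSCHAPV2", "GTC"}
NAME_MATCH_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)
_KV = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", re.M)


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """One dict per network block; surrounding double quotes are removed from values."""
    nets = []
    for m in _BLOCK.finditer(conf):
        kv = {}
        for k, v in _KV.findall(m.group(1)):
            if len(v) >= 2 and v[0] == v[-1] == '"':
                v = v[1:-1]
            kv[k] = v
        nets.append(kv)
    return nets


def inner_method(net: Dict[str, str]) -> str:
    """phase2 is 'auth=MSCHAP' (TTLS legacy inner) or 'auth=MSCHAPV2' / 'autheap=...' (EAP inner)."""
    m = re.search(r"auth(?:eap)?=([A-Za-z0-9]+)", net.get("phase2", ""))
    return m.group(1).upper() if m else ""


def check_network(net: Dict[str, str]) -> List[str]:
    """Findings for one network block; an empty list means nothing to report."""
    findings: List[str] = []
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return findings  # not an 802.1X network, nothing to check here
    eap = net.get("eap", "").upper()
    inner = inner_method(net)
    if eap in {"TTLS", "PEAP"}:
        has_ca = "ca_cert" in net or "ca_path" in net
        has_name = any(k in net for k in NAME_MATCH_KEYS)
        if not has_ca:
            findings.append("no ca_cert/ca_path: any server certificate is accepted, so a rogue AP "
                            "can terminate the tunnel and collect the %s exchange" % (inner or "inner"))
        if not has_name:
            findings.append("no server name match (%s): any certificate from the trusted CA is accepted"
                            % "/".join(NAME_MATCH_KEYS))
        if inner in WEAK_INNER and not (has_ca and has_name):
            findings.append("inner method %s is exposed because the tunnel is not validated" % inner)
        if inner == "MSCHAP":
            findings.append("MS-CHAPv1 (auth=MSCHAP): DES-based response without mutual authentication; "
                            "prefer MSCHAPV2 inside a validated tunnel, or EAP-TLS")
    if net.get("proto", "").upper() == "WPA":
        findings.append("proto=WPA selects WPA version 1 (WPA IE, no RSN IE); use proto=RSN for WPA2")
    pw = net.get("password", "")
    if pw and not pw.startswith("hash:") and inner in {"MSCHAP", "MSCHAPV2"}:
        findings.append("cleartext password in the config file; MS-CHAP only needs the NT hash (password=hash:<hex>)")
    return findings


def audit(conf: str) -> Dict[str, List[str]]:
    """Map each SSID to its findings."""
    return {n.get("ssid", "?"): check_network(n) for n in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, issues in audit(SAMPLE_CONF).items():
        print(ssid, "-> OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

Run against the page's lab block it reports six findings; the hardened block reports none. The hash form keeps the cleartext password out of the file but does not change what an attacker learns from a captured exchange, so certificate validation remains the control that matters.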
Run data traffic
Step 1: Assign IP addresses
AP:
$ ifconfig wlan0 192.168.3.1 up
Station:
$ ifconfig wlan1 192.168.3.10 up
Step 2: Check IP addresses
AP:
$ ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.1  netmask 255.255.255.0  broadcast 192.168.3.255
        ether 02:00:00:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 61  bytes 11085 (11.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 130  bytes 25688 (25.6 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Station:
$ ifconfig wlan1
wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.10  netmask 255.255.255.0  broadcast 192.168.3.255
        ether 02:00:00:00:01:00  txqueuelen 1000  (Ethernet)
        RX packets 73  bytes 13119 (13.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 65  bytes 13111 (13.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Step 3: Check ping (the AP pings the station and the station pings the AP)
AP:
$ ping 192.168.3.10
PING 192.168.3.10 (192.168.3.10) 56(84) bytes of data.
64 bytes from 192.168.3.10: icmp_seq=1 ttl=64 time=0.092 ms
64 bytes from 192.168.3.10: icmp_seq=2 ttl=64 time=0.036 ms
64 bytes from 192.168.3.10: icmp_seq=3 ttl=64 time=0.094 ms
64 bytes from 192.168.3.10: icmp_seq=4 ttl=64 time=0.105 ms
64 bytes from 192.168.3.10: icmp_seq=5 ttl=64 time=0.094 ms
Station:
$ ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
64 bytes from 192.168.3.1: icmp_seq=1 ttl=64 time=0.121 ms
64 bytes from 192.168.3.1: icmp_seq=2 ttl=64 time=0.091 ms
64 bytes from 192.168.3.1: icmp_seq=3 ttl=64 time=0.090 ms
64 bytes from 192.168.3.1: icmp_seq=4 ttl=64 time=0.097 ms
64 bytes from 192.168.3.1: icmp_seq=5 ttl=64 time=0.243 ms
Step 4: Run iperf TCP DL (start the server side first; the AP sends, the station receives)
AP:
$ iperf -c 192.168.3.10 -i 1 -t 5
Station:
$ iperf -s -i 1
Step 5: Run iperf TCP UL (the station sends, the AP receives)
AP:
$ iperf -s -i 1
Station:
$ iperf -c 192.168.3.1 -i 1 -t 5
Step 6: Run iperf UDP DL
AP:
$ iperf -c 192.168.3.10 -u -b 1000M -i 1 -t 5
Station:
$ iperf -s -u -i 1
Step 7: Run iperf UDP UL
AP:
$ iperf -s -u -i 1
Station:
$ iperf -c 192.168.3.1 -u -b 1000M -i 1 -t 5