EAP-TTLS/PAP

(A). EAP-TTLS/PAP:

EAP-TTLS/PAP is a simple WPA2-Enterprise Wi-Fi authentication method that has been in standard use for many years. When a user wants to connect to the network, the device starts communicating with the network and confirms that it is the correct network by validating the server certificate. Server certificate validation is one of the most important mechanisms for preventing over-the-air credential theft: with PAP the password itself is carried inside the TLS tunnel, so a station that does not validate the certificate has no assurance about who receives that password.

The following is a representation of the EAP-TTLS/PAP handshake (FWRD marks a message that hostapd relays between the RADIUS server and the station):

Radius Server                          Hostapd(AP)                             wpa_supplicant(station)
|                                    |<<----------------Auth_Req---------------|
|                                    |------------------Auth_Resp------------>>|
|                                    |<<---------------Assoc_Req---------------|
|                                    |----------------Assoc_Resp------------->>|
|                                    |--------------EAP_Req_Identity--------->>|
|                                    |<<------------EAP_Resp_Identity----------|
|<<--------EAP_Resp_Identity---------|
|----------EAP_Req_EAP_TTLS-------->>|
|                                    |----------EAP_Req_EAP_TTLS(FWRD)------->>|
|                                    |<<------------TLSv1.2_CLI_HELLO----------|
|<<-----TLSv1.2_CLI_HELLO(FWRD)------|
|----------EAP_Req_EAP_TTLS-------->>|
|                                    |----------EAP_Req_EAP_TTLS(FWRD)------->>|
|                                    |<<------------EAP_Resp_EAP_TTLS----------|
|<<-----EAP_Resp_EAP_TTLS(FWRD)------|
|----------EAP_Req_EAP_TTLS-------->>|
|                                    |----------EAP_Req_EAP_TTLS(FWRD)------->>|
|                                    |<<------------EAP_Resp_EAP_TTLS----------|
|<<-----EAP_Resp_EAP_TTLS(FWRD)------|
|-----TLSv1.2_SERV_CERT_KEY_EXG---->>|
|                                    |-----TLSv1.2_SERV_CERT_KEY_EXG(FWRD)--->>|
|                                    |<<--------TLSv1.2_CLI_CERT_KEY_EXG-------|
|<<--TLSv1.2_CLI_CERT_KEY_EXG(FWRD)--|
|------TLSv1.2_CHG_CIPHER_SPEC----->>|
|                                    |-----TLSv1.2_CHG_CIPHER_SPEC(FWRD)----->>|
|                                    |<<--------TLSv1.2_APPLICATION_DATA-------|
|<<-TLSv1.2_APPLICATION_DATA(FWRD)---|
|----------TLSv1.2_SUCCESS--------->>|
|                                    |----------TLSv1.2_SUCCESS(FWRD)-------->>|
|                                    |------------------EAPOL-M1------------->>|
|                                    |<<----------------EAPOL-M2---------------|
|                                    |------------------EAPOL-M3------------->>|
|                                    |<<----------------EAPOL-M4---------------|

Test bed

In order to execute the practical example below, two Linux machines running Ubuntu 16.04 or later are needed.

  • Check the Ubuntu version on your machine. The Ubuntu version used on this site is 20.04
    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.2 LTS
    Release:	20.04
    Codename:	focal
    

wpa_supplicant compilation

wpa_supplicant is the daemon process that runs on client stations. It implements WPA key negotiation with a WPA Authenticator and EAP authentication with an Authentication Server. In addition, it controls roaming and the IEEE 802.11 authentication/association of the wireless LAN driver. The following are the steps to download and compile wpa_supplicant from source code.

  1. Download latest wpa_supplicant
    $ wget https://w1.fi/releases/wpa_supplicant-2.9.tar.gz
    
  2. Install required packages
    $ sudo apt install libnl-genl-3-dev libnl-3-dev libdbus-glib-1-dev
    
    The following messages indicate that the packages were installed successfully:
    The following NEW packages will be installed:
      libdbus-glib-1-dev libdbus-glib-1-dev-bin libnl-3-dev libnl-genl-3-dev
    0 upgraded, 4 newly installed, 0 to remove and 4 not upgraded.
    Need to get 212 kB of archives.
    After this operation, 1,235 kB of additional disk space will be used.
    Do you want to continue? [Y/n] 
    Get:1 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libdbus-glib-1-dev-bin amd64 0.110-5fakssync1 [39.5 kB]
    Get:2 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libdbus-glib-1-dev amd64 0.110-5fakssync1 [69.2 kB]
    Get:3 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libnl-3-dev amd64 3.4.0-1 [92.2 kB]
    Get:4 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libnl-genl-3-dev amd64 3.4.0-1 [10.7 kB]
    Fetched 212 kB in 1s (293 kB/s)             
    Selecting previously unselected package libdbus-glib-1-dev-bin.
    (Reading database ... 385264 files and directories currently installed.)
    Preparing to unpack .../libdbus-glib-1-dev-bin_0.110-5fakssync1_amd64.deb ...
    Unpacking libdbus-glib-1-dev-bin (0.110-5fakssync1) ...
    Selecting previously unselected package libdbus-glib-1-dev:amd64.
    Preparing to unpack .../libdbus-glib-1-dev_0.110-5fakssync1_amd64.deb ...
    Unpacking libdbus-glib-1-dev:amd64 (0.110-5fakssync1) ...
    Selecting previously unselected package libnl-3-dev:amd64.
    Preparing to unpack .../libnl-3-dev_3.4.0-1_amd64.deb ...
    Unpacking libnl-3-dev:amd64 (3.4.0-1) ...
    Selecting previously unselected package libnl-genl-3-dev:amd64.
    Preparing to unpack .../libnl-genl-3-dev_3.4.0-1_amd64.deb ...
    Unpacking libnl-genl-3-dev:amd64 (3.4.0-1) ...
    Setting up libdbus-glib-1-dev-bin (0.110-5fakssync1) ...
    Setting up libnl-3-dev:amd64 (3.4.0-1) ...
    Setting up libdbus-glib-1-dev:amd64 (0.110-5fakssync1) ...
    Setting up libnl-genl-3-dev:amd64 (3.4.0-1) ...
    Processing triggers for man-db (2.9.1-1) ...
    
    
  3. Extract the tar file
    $ tar -xvf wpa_supplicant-2.9.tar.gz
    
  4. Go to wpa_supplicant directory
    $ cd wpa_supplicant-2.9/wpa_supplicant
    
  5. Copy the default configuration into .conf file
    $ cp defconfig .config
    
  6. Enable below configs in .config
    $ vim .config
    
    CONFIG_DRIVER_NL80211=y
    CONFIG_RADIUS_SERVER=y
    CONFIG_TLS=openssl
    CONFIG_EAP=y
    CONFIG_TLSV11=y
    CONFIG_TLSV12=y
    CONFIG_EAP_TLS=y
    CONFIG_EAP_MSCHAPV2=y
    CONFIG_EAP_PEAP=y
    CONFIG_EAP_MD5=y
    CONFIG_EAP_GTC=y
    
  7. Build the wpa_supplicant
    $ make
    

    Below is the list of files compiled based on the features enabled in “.config”

      CC  config.c
      CC  notify.c
      CC  bss.c
      CC  eap_register.c
      CC  ../src/utils/common.c
      CC  ../src/utils/wpa_debug.c
      CC  ../src/utils/wpabuf.c
      CC  ../src/utils/bitfield.c
      CC  op_classes.c
      CC  rrm.c
      CC  wmm_ac.c
      CC  ../src/utils/os_unix.c
      CC  ../src/utils/eloop.c
      CC  config_file.c
      CC  ../src/rsn_supp/wpa_ft.c
      CC  ../src/common/sae.c
      CC  ../src/common/dpp.c
      CC  dpp_supplicant.c
      CC  ../src/rsn_supp/wpa.c
      CC  ../src/rsn_supp/preauth.c
      CC  ../src/rsn_supp/pmksa_cache.c
      CC  ../src/rsn_supp/wpa_ie.c
      CC  ../src/common/wpa_common.c
      CC  ibss_rsn.c
      CC  p2p_supplicant.c
      CC  p2p_supplicant_sd.c
      CC  ../src/p2p/p2p.c
      CC  ../src/p2p/p2p_utils.c
      CC  ../src/p2p/p2p_parse.c
      CC  ../src/p2p/p2p_build.c
      CC  ../src/p2p/p2p_go_neg.c
      CC  ../src/p2p/p2p_sd.c
      CC  ../src/p2p/p2p_pd.c
      CC  ../src/p2p/p2p_invitation.c
      CC  ../src/p2p/p2p_dev_disc.c
      CC  ../src/p2p/p2p_group.c
      CC  ../src/ap/p2p_hostapd.c
      CC  wifi_display.c
      CC  hs20_supplicant.c
      CC  interworking.c
      CC  ../src/eap_peer/eap_tls.c
      CC  ../src/eap_peer/eap_peap.c
      CC  ../src/eap_common/eap_peap_common.c
      CC  ../src/eap_peer/eap_ttls.c
      CC  ../src/eap_peer/eap_md5.c
      CC  ../src/eap_peer/eap_mschapv2.c
      CC  ../src/eap_peer/mschapv2.c
      CC  ../src/eap_peer/eap_gtc.c
      CC  ../src/eap_peer/eap_otp.c
      CC  ../src/eap_peer/eap_leap.c
      CC  ../src/eap_peer/eap_fast.c
      CC  ../src/eap_peer/eap_fast_pac.c
      CC  ../src/eap_common/eap_fast_common.c
      CC  ../src/eap_peer/eap_pax.c
      CC  ../src/eap_common/eap_pax_common.c
      CC  ../src/eap_peer/eap_sake.c
      CC  ../src/eap_common/eap_sake_common.c
      CC  ../src/eap_peer/eap_gpsk.c
      CC  ../src/eap_common/eap_gpsk_common.c
      CC  ../src/eap_peer/eap_pwd.c
      CC  ../src/eap_common/eap_pwd_common.c
      CC  wps_supplicant.c
      CC  ../src/utils/uuid.c
      CC  ../src/eap_peer/eap_wsc.c
      CC  ../src/eap_common/eap_wsc_common.c
      CC  ../src/wps/wps.c
      CC  ../src/wps/wps_common.c
      CC  ../src/wps/wps_attr_parse.c
      CC  ../src/wps/wps_attr_build.c
      CC  ../src/wps/wps_attr_process.c
      CC  ../src/wps/wps_dev_attr.c
      CC  ../src/wps/wps_enrollee.c
      CC  ../src/wps/wps_registrar.c
      CC  ../src/eap_peer/eap_ikev2.c
      CC  ../src/eap_peer/ikev2.c
      CC  ../src/eap_common/eap_ikev2_common.c
      CC  ../src/eap_common/ikev2_common.c
      CC  ../src/eap_peer/eap_tnc.c
      CC  ../src/eap_peer/tncc.c
      CC  ../src/eapol_supp/eapol_supp_sm.c
      CC  ../src/eap_peer/eap.c
      CC  ../src/eap_peer/eap_methods.c
      CC  ap.c
      CC  ../src/ap/hostapd.c
      CC  ../src/ap/wpa_auth_glue.c
      CC  ../src/ap/utils.c
      CC  ../src/ap/authsrv.c
      CC  ../src/ap/ap_config.c
      CC  ../src/utils/ip_addr.c
      CC  ../src/ap/sta_info.c
      CC  ../src/ap/tkip_countermeasures.c
      CC  ../src/ap/ap_mlme.c
      CC  ../src/ap/ieee802_1x.c
      CC  ../src/eapol_auth/eapol_auth_sm.c
      CC  ../src/ap/ieee802_11_auth.c
      CC  ../src/ap/ieee802_11_shared.c
      CC  ../src/ap/drv_callbacks.c
      CC  ../src/ap/ap_drv_ops.c
      CC  ../src/ap/beacon.c
      CC  ../src/ap/bss_load.c
      CC  ../src/ap/eap_user_db.c
      CC  ../src/ap/neighbor_db.c
      CC  ../src/ap/rrm.c
      CC  ../src/ap/ieee802_11_ht.c
      CC  ../src/ap/ieee802_11_vht.c
      CC  ../src/ap/ctrl_iface_ap.c
      CC  ../src/eap_server/eap_server.c
      CC  ../src/eap_server/eap_server_identity.c
      CC  ../src/eap_server/eap_server_methods.c
      CC  ../src/ap/wmm.c
      CC  ../src/ap/ap_list.c
      CC  ../src/ap/ieee802_11.c
      CC  ../src/ap/hw_features.c
      CC  ../src/ap/dfs.c
      CC  ../src/ap/wps_hostapd.c
      CC  ../src/eap_server/eap_server_wsc.c
      CC  ../src/ap/dpp_hostapd.c
      CC  ../src/ap/gas_query_ap.c
      CC  ../src/ap/gas_serv.c
      CC  ../src/ap/hs20.c
      CC  ../src/ap/wpa_auth.c
      CC  ../src/ap/wpa_auth_ie.c
      CC  ../src/ap/pmksa_cache_auth.c
      CC  ../src/common/dragonfly.c
      CC  ../src/crypto/ms_funcs.c
      CC  ../src/eap_common/chap.c
      CC  ../src/eap_peer/eap_tls_common.c
      CC  ../src/crypto/tls_openssl.c
      CC  ../src/crypto/tls_openssl_ocsp.c
      CC  ../src/crypto/crypto_openssl.c
      CC  ../src/crypto/aes-siv.c
      CC  ../src/crypto/aes-ctr.c
      CC  ../src/crypto/aes-omac1.c
      CC  ../src/crypto/sha256-kdf.c
      CC  ../src/crypto/sha384-kdf.c
      CC  ../src/crypto/sha512-kdf.c
      CC  ../src/crypto/sha256-prf.c
      CC  ../src/crypto/sha256-tlsprf.c
      CC  ../src/crypto/sha384-prf.c
      CC  ../src/crypto/sha512-prf.c
      CC  ../src/crypto/dh_groups.c
      CC  ../src/crypto/random.c
      CC  ../src/common/ctrl_iface_common.c
      CC  ctrl_iface.c
      CC  ctrl_iface_unix.c
      CC  dbus/dbus_dict_helpers.c
      CC  dbus/dbus_new_helpers.c
    dbus/dbus_new.c: In function ‘wpas_dbus_unregister_p2p_group’:
    dbus/dbus_new.c:4793:3: warning: ‘%s’ directive argument is null [-Wformat-overflow=]
     4793 |   wpa_printf(MSG_DEBUG,
          |   ^~~~~~~~~~~~~~~~~~~~~
     4794 |       "%s: Group object '%s' already unregistered",
          |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     4795 |       __func__, wpa_s->dbus_groupobj_path);
          |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      CC  dbus/dbus_new.c
      CC  dbus/dbus_new_handlers.c
      CC  dbus/dbus_common.c
      CC  dbus/dbus_new_handlers_wps.c
      CC  dbus/dbus_new_handlers_p2p.c
      CC  dbus/dbus_new_introspect.c
      CC  ../src/utils/base64.c
      CC  sme.c
      CC  ../src/common/ieee802_11_common.c
      CC  ../src/common/hw_features_common.c
      CC  ../src/eap_common/eap_common.c
      CC  ../src/crypto/sha1-prf.c
      CC  ../src/crypto/sha1-tprf.c
      CC  ../src/crypto/sha1-tlsprf.c
      CC  bgscan_simple.c
      CC  bgscan.c
      CC  ../src/common/gas_server.c
      CC  ../src/common/gas.c
      CC  gas_query.c
      CC  offchannel.c
      CC  ../src/utils/json.c
      CC  ../src/drivers/driver_common.c
      CC  wpa_supplicant.c
      CC  events.c
      CC  blacklist.c
      CC  wpas_glue.c
      CC  scan.c
      CC  main.c
      CC  ../src/drivers/driver_wired.c
      CC  ../src/drivers/driver_wired_common.c
      CC  ../src/drivers/driver_nl80211.c
      CC  ../src/drivers/driver_nl80211_capa.c
      CC  ../src/drivers/driver_nl80211_event.c
      CC  ../src/drivers/driver_nl80211_monitor.c
      CC  ../src/drivers/driver_nl80211_scan.c
      CC  ../src/drivers/netlink.c
      CC  ../src/drivers/linux_ioctl.c
      CC  ../src/drivers/rfkill.c
      CC  ../src/utils/radiotap.c
      CC  ../src/drivers/driver_wext.c
      CC  ../src/drivers/drivers.c
      CC  ../src/l2_packet/l2_packet_linux.c
      LD  wpa_supplicant
      CC  wpa_cli.c
      CC  ../src/common/wpa_ctrl.c
      CC  ../src/common/cli.c
      CC  ../src/utils/edit_simple.c
      LD  wpa_cli
      CC  wpa_passphrase.c
      LD  wpa_passphrase
    
  8. Install the compiled commands (optional)
    $ make install
    

hostapd compilation

hostapd is a user space daemon for access points and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators, a RADIUS client, an EAP server, and a RADIUS authentication server. The following are the steps to download and compile hostapd from source code.

  1. Download latest hostapd
    $ wget http://w1.fi/releases/hostapd-2.9.tar.gz
    
  2. Install required packages
    $ sudo apt install libnl-genl-3-dev libnl-3-dev libdbus-glib-1-dev
    
    The following messages indicate that the packages were installed successfully:
    The following NEW packages will be installed:
      libdbus-glib-1-dev libdbus-glib-1-dev-bin libnl-3-dev libnl-genl-3-dev
    0 upgraded, 4 newly installed, 0 to remove and 4 not upgraded.
    Need to get 212 kB of archives.
    After this operation, 1,235 kB of additional disk space will be used.
    Do you want to continue? [Y/n] 
    Get:1 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libdbus-glib-1-dev-bin amd64 0.110-5fakssync1 [39.5 kB]
    Get:2 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libdbus-glib-1-dev amd64 0.110-5fakssync1 [69.2 kB]
    Get:3 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libnl-3-dev amd64 3.4.0-1 [92.2 kB]
    Get:4 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libnl-genl-3-dev amd64 3.4.0-1 [10.7 kB]
    Fetched 212 kB in 1s (293 kB/s)             
    Selecting previously unselected package libdbus-glib-1-dev-bin.
    (Reading database ... 385264 files and directories currently installed.)
    Preparing to unpack .../libdbus-glib-1-dev-bin_0.110-5fakssync1_amd64.deb ...
    Unpacking libdbus-glib-1-dev-bin (0.110-5fakssync1) ...
    Selecting previously unselected package libdbus-glib-1-dev:amd64.
    Preparing to unpack .../libdbus-glib-1-dev_0.110-5fakssync1_amd64.deb ...
    Unpacking libdbus-glib-1-dev:amd64 (0.110-5fakssync1) ...
    Selecting previously unselected package libnl-3-dev:amd64.
    Preparing to unpack .../libnl-3-dev_3.4.0-1_amd64.deb ...
    Unpacking libnl-3-dev:amd64 (3.4.0-1) ...
    Selecting previously unselected package libnl-genl-3-dev:amd64.
    Preparing to unpack .../libnl-genl-3-dev_3.4.0-1_amd64.deb ...
    Unpacking libnl-genl-3-dev:amd64 (3.4.0-1) ...
    Setting up libdbus-glib-1-dev-bin (0.110-5fakssync1) ...
    Setting up libnl-3-dev:amd64 (3.4.0-1) ...
    Setting up libdbus-glib-1-dev:amd64 (0.110-5fakssync1) ...
    Setting up libnl-genl-3-dev:amd64 (3.4.0-1) ...
    Processing triggers for man-db (2.9.1-1) ...
    
    
  3. Extract the tar file
    $ tar -xzvf hostapd-2.9.tar.gz
    
  4. Go to Hostapd directory
    $ cd hostapd-2.9/hostapd
    
  5. Copy the default configuration into .conf file
    $ cp defconfig .config
    
  6. Enable below configs in .config
    $ vim .config
    
    CONFIG_DRIVER_NL80211=y
    CONFIG_RADIUS_SERVER=y
    CONFIG_TLS=openssl
    CONFIG_EAP=y
    CONFIG_TLSV11=y
    CONFIG_TLSV12=y
    CONFIG_EAP_TLS=y
    CONFIG_EAP_MSCHAPV2=y
    CONFIG_EAP_PEAP=y
    CONFIG_EAP_MD5=y
    CONFIG_EAP_GTC=y
    
  7. Build the Hostapd
    $ make
    

    Below is the list of files compiled based on the features enabled in “.config”

      CC  main.c
      CC  config_file.c
      CC  ../src/ap/hostapd.c
      CC  ../src/ap/wpa_auth_glue.c
      CC  ../src/ap/drv_callbacks.c
      CC  ../src/ap/ap_drv_ops.c
      CC  ../src/ap/utils.c
      CC  ../src/ap/authsrv.c
      CC  ../src/ap/ieee802_1x.c
      CC  ../src/ap/ap_config.c
      CC  ../src/ap/eap_user_db.c
      CC  ../src/ap/ieee802_11_auth.c
      CC  ../src/ap/sta_info.c
      CC  ../src/ap/wpa_auth.c
      CC  ../src/ap/tkip_countermeasures.c
      CC  ../src/ap/ap_mlme.c
      CC  ../src/ap/wpa_auth_ie.c
      CC  ../src/ap/preauth_auth.c
      CC  ../src/ap/pmksa_cache_auth.c
      CC  ../src/ap/ieee802_11_shared.c
      CC  ../src/ap/beacon.c
      CC  ../src/ap/bss_load.c
      CC  ../src/ap/neighbor_db.c
      CC  ../src/ap/rrm.c
      CC  ../src/drivers/drivers.c
      CC  ../src/utils/eloop.c
      CC  ../src/utils/common.c
      CC  ../src/utils/wpa_debug.c
      CC  ../src/utils/wpabuf.c
      CC  ../src/utils/os_unix.c
      CC  ../src/utils/ip_addr.c
      CC  ../src/common/ieee802_11_common.c
      CC  ../src/common/wpa_common.c
      CC  ../src/common/hw_features_common.c
      CC  ../src/eapol_auth/eapol_auth_sm.c
      CC  ../src/eapol_auth/eapol_auth_dump.c
      CC  ../src/radius/radius.c
      CC  ../src/radius/radius_client.c
      CC  ../src/radius/radius_das.c
      CC  ../src/ap/accounting.c
      CC  ../src/ap/vlan_init.c
      CC  ../src/ap/vlan_ifconfig.c
      CC  ../src/ap/vlan.c
      CC  ../src/common/ctrl_iface_common.c
      CC  ctrl_iface.c
      CC  ../src/ap/ctrl_iface_ap.c
      CC  ../src/ap/iapp.c
      CC  ../src/drivers/driver_hostap.c
      CC  ../src/drivers/driver_nl80211.c
      CC  ../src/drivers/driver_nl80211_capa.c
      CC  ../src/drivers/driver_nl80211_event.c
      CC  ../src/drivers/driver_nl80211_monitor.c
      CC  ../src/drivers/driver_nl80211_scan.c
      CC  ../src/drivers/netlink.c
      CC  ../src/drivers/linux_ioctl.c
      CC  ../src/drivers/rfkill.c
      CC  ../src/utils/radiotap.c
      CC  ../src/l2_packet/l2_packet_linux.c
      CC  ../src/eap_server/eap_server_md5.c
      CC  ../src/eap_server/eap_server_tls.c
      CC  ../src/eap_server/eap_server_peap.c
      CC  ../src/eap_common/eap_peap_common.c
      CC  ../src/eap_server/eap_server_ttls.c
      CC  ../src/eap_server/eap_server_mschapv2.c
      CC  ../src/eap_server/eap_server_gtc.c
      CC  eap_register.c
      CC  ../src/eap_server/eap_server.c
      CC  ../src/eap_common/eap_common.c
      CC  ../src/eap_server/eap_server_methods.c
      CC  ../src/eap_server/eap_server_identity.c
      CC  ../src/crypto/ms_funcs.c
      CC  ../src/eap_common/chap.c
      CC  ../src/eap_server/eap_server_tls_common.c
      CC  ../src/crypto/tls_openssl.c
      CC  ../src/crypto/tls_openssl_ocsp.c
      CC  ../src/crypto/crypto_openssl.c
      CC  ../src/crypto/aes-omac1.c
      CC  ../src/crypto/sha1-prf.c
      CC  ../src/crypto/sha1-tlsprf.c
      CC  ../src/crypto/sha256-prf.c
      CC  ../src/crypto/sha256-tlsprf.c
      CC  ../src/crypto/sha256-kdf.c
      CC  ../src/crypto/random.c
      CC  ../src/ap/wmm.c
      CC  ../src/ap/ap_list.c
      CC  ../src/ap/ieee802_11.c
      CC  ../src/ap/hw_features.c
      CC  ../src/ap/dfs.c
      CC  ../src/drivers/driver_common.c
      LD  hostapd
      CC  hostapd_cli.c
      CC  ../src/common/wpa_ctrl.c
      CC  ../src/common/cli.c
      CC  ../src/utils/edit_simple.c
      LD  hostapd_cli
    
    
  8. Install the compiled commands (optional)
    $ make install
    

Radius server compilation

  1. Download latest freeradius source code
    $ wget https://github.com/FreeRADIUS/freeradius-server/archive/v3.0.tar.gz
    
  2. Extract the tar file
    $ tar -zxf v3.0.tar.gz
    
  3. Go to Radius server directory
    $ cd freeradius-server-3.0/
    
  4. Open debian/rules and add the line "--without-rlm_sql_iodbc \" directly above the existing line "--without-rlm_eap_ikev2 \"
    $ vim debian/rules
    
    ...
    
    --without-rlm_sql_iodbc \
    --without-rlm_eap_ikev2 \
    
    ...
    
  5. Configure for compilation
    $ ./configure
    
  6. Install the required packages suggested by the output of step 5

  7. Build the Radius server
    $ make
    
  8. Install the compiled commands (optional)
    $ make install
    
  9. Go to the raddb folder (all RADIUS server/client configuration files, certificates and keys are generated here)
    $ cd /usr/local/etc/raddb
    
  10. Open the clients.conf file and verify that the localhost client is present; otherwise add your own client like the one below
    $ sudo vim clients.conf
    
    client localhost {
    	ipaddr = 127.0.0.1
    	proto = *
    	secret = testing123
    	require_message_authenticator = no
    	nas_type = other
    	limit {
    		max_connections = 16
    		lifetime = 0
    		idle_timeout = 30
    	}
    }
    
    For an external hostapd (running on another machine), create a new client in clients.conf as shown below
    
    client 192.168.3.11 {
    	ipaddr = 192.168.3.11
    	secret = AuthPassword
    }
    
  11. Open the users file and uncomment the two lines below
    $ sudo vim users
    
    bob   Cleartext-Password := "testing123"
    Reply-Message := "Hello, %{User-Name}"
    
  12. Set default_eap_type to ttls in the eap file located in /usr/local/etc/raddb/mods-enabled/
    $ sudo vim /usr/local/etc/raddb/mods-enabled/eap
    
    default_eap_type=ttls
    
  13. Start radius server
    $ sudo radiusd -X
    

Running hostapd

  1. Check that a Wi-Fi interface named "wlan0" is available. It is created when the Ubuntu machine boots, or by installing the Wi-Fi driver manually

    $ iwconfig 
    wlan0     IEEE 802.11  ESSID:off/any  
              Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
              Retry short limit:7   RTS thr:off   Fragment thr:off
              Power Management:on
    
    $ iw dev 
    phy#1
    	Interface wlan0
    		ifindex 5
    		wdev 0x100000001
    		addr 02:00:00:00:00:00
    		type managed
    		txpower 20.00 dBm
    
  2. Create a hostapd.conf file in /etc/hostapd/ folder with below content
    $ sudo vim /etc/hostapd/hostapd.conf
    

    Copy below content

    interface=wlan0
    driver=nl80211
    ssid=test_eap_ttls_pap
    ieee80211n=1
    macaddr_acl=0
    channel=6
    disassoc_low_ack=1
    wmm_enabled=1
    wpa=2
    wpa_key_mgmt=WPA-EAP
    wpa_pairwise=CCMP
    rsn_pairwise=CCMP
    ieee8021x=1
    eap_server=0
    eap_user_file=/etc/hostapd/eap_user
    auth_algs=1
    auth_server_addr=127.0.0.1
    auth_server_port=1812
    auth_server_shared_secret=testing123
    
    # Certificates of the RADIUS server (used by hostapd's integrated EAP server only, i.e. when eap_server=1)
    ca_cert=/usr/local/etc/raddb/certs/ca.pem
    server_cert=/usr/local/etc/raddb/certs/server.crt
    private_key=/usr/local/etc/raddb/certs/server.p12
    # default password of the FreeRADIUS sample certificates (hostapd does not
    # strip trailing comments, so the comment must be on its own line)
    private_key_passwd=whatever
    
  3. Create a file eap_user in the /etc/hostapd/ folder with the content below

    $ sudo vim /etc/hostapd/eap_user
    
    # Wildcard for all other identities
    "user"        PEAP
    "tls_user"    TLS
    "gtc"         GTC                     "password"
    "ttls"        TTLS
    *             PEAP,TTLS,TLS
    # Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
    "md5"         MD5                     "password"     [2]
    "chap"        MSCHAPV2                "password"     [2]
    #"t-gtc"      GTC                     "password"     [2]
    "peap"        MSCHAPV2                "password"     [2]
    "gtc"         GTC                     "password"     [2]
    "ttls-MSCHAP" MSCHAP                  "password"     [2]
    "user"        MD5,GTC,MSCHAPV2        "p"            [2]
    "ttls"        TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2    "p"     [2]
    
  4. Make sure that the RADIUS server is already running (radiusd -X)

  5. Go to the hostapd directory
    $ cd hostapd-2.9/hostapd
    
  6. Run hostapd by issuing the following command
    $ sudo ./hostapd /etc/hostapd/hostapd.conf
    

    The log messages below are seen on the console after running hostapd

    Configuration file: /etc/hostapd/hostapd.conf
    Using interface wlan0 with hwaddr 02:00:00:00:00:00 and ssid "test_eap_ttls_pap"
    wlan0: interface state UNINITIALIZED->ENABLED
    wlan0: AP-ENABLED 
    
    
    
  7. The mode of the "wlan0" interface is now "AP/Master". Check this by querying the interface with the iwconfig/iw commands

    $ iwconfig 
    wlan0     IEEE 802.11  Mode:Master  Tx-Power=20 dBm   
              Retry short limit:7   RTS thr:off   Fragment thr:off
              Power Management:on
    
    $ iw dev
    phy#1
    	Interface wlan0
    		ifindex 5
    		wdev 0x100000001
    		addr 02:00:00:00:00:00
    		ssid test_eap_ttls_pap
    		type AP
    		channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
    		txpower 20.00 dBm
    

Running wpa_supplicant

METHOD 1: With Network Block in wpa_supplicant.conf file

  1. Check that a Wi-Fi interface named "wlan1" is available. It is created when the Ubuntu machine boots, or by installing the Wi-Fi driver manually
    $ iwconfig 
    wlan1     IEEE 802.11  ESSID:off/any  
              Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
              Retry short limit:7   RTS thr:off   Fragment thr:off
              Power Management:on
    
    $ iw dev
    phy#2
    	Interface wlan1
    		ifindex 6
    		wdev 0x200000001
    		addr 02:00:00:00:01:00
    		type managed
    		txpower 20.00 dBm
    
  2. Go to wpa_supplicant directory
    $ cd wpa_supplicant-2.9/wpa_supplicant
    
  3. Create wpa_supplicant.conf file with following network block contents

    Delete all existing content and add the following

    ctrl_interface=/run/wpa_supplicant
    update_config=1
    
    network={
    	ssid="test_eap_ttls_pap"
    	key_mgmt=WPA-EAP
    	proto=WPA2
    	eap=TTLS
    	pairwise=CCMP
    	phase2="auth=PAP"
    	identity="bob"
    	password="testing123"
    }
    
  4. Run wpa_supplicant
    $ sudo ./wpa_supplicant -Dnl80211 -i wlan1 -c wpa_supplicant.conf
    

    Below log messages are seen on console after running wpa_supplicant

    Successfully initialized wpa_supplicant
    wlan1: SME: Trying to authenticate with 02:00:00:00:00:00 (SSID='test_eap_ttls_pap' freq=2437 MHz)
    wlan1: Trying to associate with 02:00:00:00:00:00 (SSID='test_eap_ttls_pap' freq=2437 MHz)
    wlan1: Associated with 02:00:00:00:00:00
    wlan1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
    wlan1: WPA: Key negotiation completed with 02:00:00:00:00:00 [PTK=CCMP GTK=CCMP]
    wlan1: CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:00:00 completed [id=0 id_str=]
    

    The message “CTRL-EVENT-CONNECTED” indicates that wpa_supplicant (station) has connected to hostapd (AP) successfully

  5. Run wpa_cli and check status in wpa_cli prompt
    $ sudo ./wpa_cli -i wlan1
    >
    > status
    > bssid=02:00:00:00:00:00
    freq=2437
    ssid=test_eap_ttls_pap
    id=0
    mode=station
    pairwise_cipher=CCMP
    group_cipher=CCMP
    key_mgmt=WPA2/IEEE 802.1X/EAP
    wpa_state=COMPLETED
    address=02:00:00:00:01:00
    Supplicant PAE state=AUTHENTICATED
    suppPortStatus=Authorized
    EAP state=SUCCESS
    selectedMethod=21 (EAP-TTLS)
    eap_tls_version=TLSv1.2
    EAP TLS cipher=ECDHE-RSA-AES256-GCM-SHA384
    tls_session_reused=0
    EAP-TTLSv0 Phase2 method=PAP
    eap_session_id=19afcd49639f54567a7befb9309974a017b3b2b07f325939628fda66f986ed9eeed9edf022b371d8c354cf47361168625bcfde072ce9715fca048822f8c36745b2
    uuid=572cf82f-c957-5653-9b16-b5cfb298abf1
    

    The line “wpa_state=COMPLETED” indicates that wpa_supplicant (station) has connected to hostapd (AP) successfully

  6. Mode of “wlan1” interface is now assigned as “Managed” with ssid “test_eap_ttls_pap”. Check this by querying information via iwconfig/iw command
    $ iwconfig 
    wlan1     IEEE 802.11  ESSID:"test_eap_ttls_pap"
              Mode:Managed  Frequency:2.437 GHz  Access Point: 02:00:00:00:00:00   
              Bit Rate:54 Mb/s   Tx-Power=20 dBm   
              Retry short limit:7   RTS thr:off   Fragment thr:off
              Power Management:on
              Link Quality=70/70  Signal level=-30 dBm  
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:0   Missed beacon:0
    
    
    
    $ iw dev
    phy#2
    	Interface wlan1
    		ifindex 6
    		wdev 0x200000001
    		addr 02:00:00:00:01:00
    		ssid test_eap_ttls_pap
    		type managed
    		channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
    		txpower 20.00 dBm
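The network block in step 3 above has no ca_cert or domain_suffix_match, so the station accepts whatever certificate the RADIUS server presents, and with PAP the password travels inside that tunnel in the clear. The audit script below is an added example, not part of wpa_supplicant or this guide; it checks the page's block and a hardened copy of it, where the ca.pem path is the FreeRADIUS CA from the server machine and the domain_suffix_match value is an assumed example name.

```python
"""Audit wpa_supplicant.conf network blocks for EAP-TTLS/PAP server-certificate
validation.  Added example; not part of wpa_supplicant or this guide."""
import re

# Real wpa_supplicant.conf options that make the station validate the server.
TRUST_ANCHOR_OPTS = ("ca_cert", "ca_path")
NAME_PIN_OPTS = ("domain_suffix_match", "domain_match", "altsubject_match")

# Constructed input: the network block used in METHOD 1 above.
WEAK_CONF = """
ctrl_interface=/run/wpa_supplicant
update_config=1

network={
    ssid="test_eap_ttls_pap"
    key_mgmt=WPA-EAP
    proto=WPA2
    eap=TTLS
    pairwise=CCMP
    phase2="auth=PAP"
    identity="bob"
    password="testing123"
}
"""

# Constructed hardened block: ca.pem is the FreeRADIUS CA copied from the server
# machine; the domain_suffix_match value is an assumed example server name.
HARDENED_CONF = WEAK_CONF.replace(
    '    password="testing123"\n',
    '    password="testing123"\n'
    '    ca_cert="/usr/local/etc/raddb/certs/ca.pem"\n'
    '    domain_suffix_match="radius.example.org"\n',
)


def parse_network_blocks(conf_text):
    """Return one dict per network={...} block, mapping option name to value.
    Comments are dropped and surrounding double quotes are stripped."""
    blocks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf_text, re.S):
        opts = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" not in line:
                continue
            key, val = line.split("=", 1)
            opts[key.strip()] = val.strip().strip('"')
        blocks.append(opts)
    return blocks


def audit_block(opts):
    """Return a list of findings for one block; an empty list means it passes."""
    findings = []
    if opts.get("key_mgmt") != "WPA-EAP":
        return findings  # PSK/open network: no server certificate involved
    if not any(k in opts for k in TRUST_ANCHOR_OPTS):
        findings.append("no ca_cert/ca_path: server certificate is not validated")
    if not any(k in opts for k in NAME_PIN_OPTS):
        findings.append("no domain_suffix_match/domain_match/altsubject_match: "
                        "any certificate issued by the CA is accepted")
    if findings and opts.get("phase2") == "auth=PAP":
        findings.append("phase2 is PAP: the plaintext password is sent to any "
                        "server the TLS tunnel accepts")
    return findings


def audit_conf(conf_text):
    """Audit every network block; returns {ssid: [findings]}."""
    return {opts.get("ssid", "?"): audit_block(opts)
            for opts in parse_network_blocks(conf_text)}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for ssid, findings in audit_conf(conf).items():
            print(f"[{name}] {ssid}: {'OK' if not findings else ''}")
            for finding in findings:
                print("   -", finding)
```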
    

METHOD 2: Without Network Block in wpa_supplicant.conf file

  1. Go to wpa_supplicant directory
    $ cd wpa_supplicant-2.9/wpa_supplicant
    
  2. Create wpa_supplicant.conf file without a network block
    $ vim wpa_supplicant.conf  # add the following contents
    ctrl_interface=/run/wpa_supplicant
    update_config=1
    
  3. Run wpa_supplicant without network block in wpa_supplicant.conf file
    $ sudo ./wpa_supplicant -Dnl80211 -i wlan1 -c wpa_supplicant.conf
    
  4. Run wpa_cli to connect to WPA2 network
    $ sudo ./wpa_cli -i wlan1
    >
    > scan
    > scan_result
    > add_network
    > set_network 0 ssid "test_eap_ttls_pap"
    > set_network 0 key_mgmt WPA-EAP
    > set_network 0 proto WPA2
    > set_network 0 eap TTLS
    > set_network 0 phase2 "auth=PAP"
    > set_network 0 identity "bob"
    > set_network 0 password "testing123"
    > enable_network 0
    > status
    > bssid=02:00:00:00:00:00
    freq=2437
    ssid=test_eap_ttls_pap
    id=0
    mode=station
    pairwise_cipher=CCMP
    group_cipher=CCMP
    key_mgmt=WPA2/IEEE 802.1X/EAP
    wpa_state=COMPLETED
    address=02:00:00:00:01:00
    Supplicant PAE state=AUTHENTICATED
    suppPortStatus=Authorized
    EAP state=SUCCESS
    selectedMethod=21 (EAP-TTLS)
    eap_tls_version=TLSv1.2
    EAP TLS cipher=ECDHE-RSA-AES256-GCM-SHA384
    tls_session_reused=0
    EAP-TTLSv0 Phase2 method=PAP
    eap_session_id=19afcd49639f54567a7befb9309974a017b3b2b07f325939628fda66f986ed9eeed9edf022b371d8c354cf47361168625bcfde072ce9715fca048822f8c36745b2
    uuid=572cf82f-c957-5653-9b16-b5cfb298abf1
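Rather than eyeballing the status dump, the script below parses the wpa_cli status output shown in step 5 of METHOD 1 and step 4 of METHOD 2 and checks the security-relevant fields: the association completed, 802.1X succeeded, the method is EAP-TTLS with PAP in phase 2, the ciphers are CCMP, and the TLS version and cipher suite are acceptable. It is an added example, not part of wpa_cli or this guide; the failing sample is constructed.

```python
"""Verify a wpa_cli `status` dump shows a completed EAP-TTLS/PAP association.
Added example; not part of wpa_supplicant or this guide."""

# Constructed sample: the `status` output shown above, with the wpa_cli prompt
# character on the first line exactly as it appears on the console.
STATUS_OK = """\
> bssid=02:00:00:00:00:00
freq=2437
ssid=test_eap_ttls_pap
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=COMPLETED
address=02:00:00:00:01:00
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=21 (EAP-TTLS)
eap_tls_version=TLSv1.2
EAP TLS cipher=ECDHE-RSA-AES256-GCM-SHA384
tls_session_reused=0
EAP-TTLSv0 Phase2 method=PAP
"""

# Constructed failure case: same station, but 802.1X did not finish (for
# example because the RADIUS server rejected the credentials).
STATUS_FAILED = (STATUS_OK
                 .replace("wpa_state=COMPLETED", "wpa_state=4WAY_HANDSHAKE")
                 .replace("EAP state=SUCCESS", "EAP state=FAILURE")
                 .replace("suppPortStatus=Authorized", "suppPortStatus=Unauthorized"))

# Values the procedure above expects to see once the station is connected.
EXPECTED = {
    "ssid": "test_eap_ttls_pap",
    "bssid": "02:00:00:00:00:00",
    "key_mgmt": "WPA2/IEEE 802.1X/EAP",
    "pairwise_cipher": "CCMP",
    "group_cipher": "CCMP",
    "wpa_state": "COMPLETED",
    "suppPortStatus": "Authorized",
    "EAP state": "SUCCESS",
    "selectedMethod": "21 (EAP-TTLS)",
    "EAP-TTLSv0 Phase2 method": "PAP",
}


def parse_status(text):
    """Parse key=value lines into a dict; a leading '>' prompt is ignored."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(">"):
            line = line[1:].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            fields[key.strip()] = val.strip()
    return fields


def check_status(text):
    """Return a list of mismatches; an empty list means the association is as expected."""
    fields = parse_status(text)
    problems = [f"{k}: expected {v!r}, got {fields.get(k)!r}"
                for k, v in EXPECTED.items() if fields.get(k) != v]
    # The outer tunnel must be at least TLS 1.2 (the page negotiates TLSv1.2).
    if fields.get("eap_tls_version") not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"eap_tls_version: {fields.get('eap_tls_version')!r} is below TLSv1.2")
    # An (EC)DHE suite gives the tunnel forward secrecy for the PAP password.
    if not fields.get("EAP TLS cipher", "").startswith(("ECDHE-", "DHE-")):
        problems.append("EAP TLS cipher: suite without forward secrecy")
    return problems


if __name__ == "__main__":
    for name, dump in (("connected", STATUS_OK), ("failed", STATUS_FAILED)):
        problems = check_status(dump)
        print(f"{name}: {'OK' if not problems else 'PROBLEMS'}")
        for problem in problems:
            print("   -", problem)
```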
    

Prerequisite for Hostapd:

  1. eap_user_file is created in section E step 2

  2. ca_cert, server_cert, private_key and private_key_passwd are generated after compiling the RADIUS server in section D (RADIUS server compilation step 8)

  3. Use the above certificates and keys in hostapd.conf

  4. Verify that the AKM is set to WPA-ENTERPRISE, i.e. “Beacon->Wireless_Management->tagged_parameter” should not contain the RNS INFO field

Prerequisite for WPA_SUPPLICANT:

  1. The identity and password differ between EAP-TLS and EAP-TTLS/PAP

  2. The identity and password are given as part of the credentials on the RADIUS server (section D step 11)

Run data traffic

Each step lists the command run on the AP (wlan0) and the command run on the station (wlan1). For the iperf steps, start the server side (-s) before the client side (-c).

Step 1 : Assign IP address

AP:
$ ifconfig wlan0 192.168.3.1 up

Station:
$ ifconfig wlan1 192.168.3.10 up

Step 2 : Check IP address

AP:
$ ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.1  netmask 255.255.255.0  broadcast 192.168.3.255
        ether 02:00:00:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 61  bytes 11085 (11.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 130  bytes 25688 (25.6 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Station:
$ ifconfig wlan1
wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.10  netmask 255.255.255.0  broadcast 192.168.3.255
        ether 02:00:00:00:01:00  txqueuelen 1000  (Ethernet)
        RX packets 73  bytes 13119 (13.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 65  bytes 13111 (13.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Step 3 : Check ping

AP:
$ ping 192.168.3.10
PING 192.168.3.10 (192.168.3.10) 56(84) bytes of data.
64 bytes from 192.168.3.10: icmp_seq=1 ttl=64 time=0.092 ms
64 bytes from 192.168.3.10: icmp_seq=2 ttl=64 time=0.036 ms
64 bytes from 192.168.3.10: icmp_seq=3 ttl=64 time=0.094 ms
64 bytes from 192.168.3.10: icmp_seq=4 ttl=64 time=0.105 ms
64 bytes from 192.168.3.10: icmp_seq=5 ttl=64 time=0.094 ms

Station:
$ ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
64 bytes from 192.168.3.1: icmp_seq=1 ttl=64 time=0.121 ms
64 bytes from 192.168.3.1: icmp_seq=2 ttl=64 time=0.091 ms
64 bytes from 192.168.3.1: icmp_seq=3 ttl=64 time=0.090 ms
64 bytes from 192.168.3.1: icmp_seq=4 ttl=64 time=0.097 ms
64 bytes from 192.168.3.1: icmp_seq=5 ttl=64 time=0.243 ms

Step 4 : Run iperf TCP DL

AP:
$ iperf -c 192.168.3.10 -i 1 -t 5

Station:
$ iperf -s -i 1

Step 5 : Run iperf TCP UL

AP:
$ iperf -s -i 1

Station:
$ iperf -c 192.168.3.1 -i 1 -t 5

Step 6 : Run iperf UDP DL

AP:
$ iperf -c 192.168.3.10 -u -b 1000M -i 1 -t 5

Station:
$ iperf -s -u -i 1

Step 7 : Run iperf UDP UL

AP:
$ iperf -s -u -i 1

Station:
$ iperf -c 192.168.3.1 -u -b 1000M -i 1 -t 5