EAP-TTLS/MSCHAP

(A). EAP-TTLS/MSCHAP:

MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol, CHAP. MS-CHAPv1 and MS-CHAPv2 are used as one authentication option in Microsoft’s implementation of the PPTP protocol for virtual private networks. It also used as authentication option with RADIUS servers.

The following is a resprestaion of EAP-TTLS/MSCHAP handshake

Radius Server                        Hostapd(AP)                     wpa_supplicant(station)

|                                    |<<----------------Auth_Req---------------|

|                                    |------------------Auth_Resp------------>>|

|                                    |<<---------------Assoc_Req---------------|

|                                    |----------------Assoc_Resp------------->>|

|                                    |--------------EAP_Req_Identity--------->>|

|                                    |<<------------EAP_Resp_Identity----------|

|<<--------EAP_Resp_Identity---------|

|-----------EAP_Req_EAP_TTLS------->>|

|                                    |----------EAP_Req_EAP_TTLS(FWRD)----- ->>|

|                                    |<<------------TLS.1.2_CLI_HELLO--- ------|

|<<------TLS.1.2_CLI_HELLO(FWRD)-----|

|----------EAP_Req_EAP_TTLS-------->>|

|                                    |----------EAP_Req_EAP_TTLS(FWRD)------->>|

|                                    |<<-------------EAP_Resp_EAP_TLS----------|

|<<------EAP_Resp_EAP_TTLS(FRWD)-----|

|------------EAP_Req_EAP_TTLS------>>|

|                                    |----------EAP_Req_EAP_TTLS(FWRD)------->>|

|                                    |<<------------EAP_Resp_EAP_TTLS-----  ---|

|<<-----EAP_Resp_EAP_TTLS(FRWD)------|

|-------TLSv1.2_SERV_CERT_KEY_EXG--->|

|                                    |-----TLSv1.2_SERV_CERT_KEY_EXG(FWRD)--->>|

|                                    |<<--------TLSv1.2CLI__CERT_KEY_EXG-------|

|<<---TLSv1.2CLI_CERT_KEY_EXG(FWRD)--|

|------TLSv1.2CHG_CHPR_SPEC-------->>|

|                                    |------TLSv1.2CHG_CHPR_SPEC(FRWD)------->>|

|                                    |<<--------TLSv1.2_APPLICATION_DATA-------|

|<---TLSv1.2_APPLICATION_DATA(FRWD)--|

|----------TLSv1.2_SUCCESS--------->>|

|                                    |----------TLSv1.2SUCCESS(FRWD)--------->>|

|                                    |-----------------EAPOL-M1-------------->>|

|                                    |<<---------------EAPOL-M2----------------|

|                                    |-----------------EAPOL-M3-------------->>|

|                                    |<<---------------EAPOL-M4----------------|

Test bed

Inorder to execute below practical example, two Linux machines are needed with ubuntu version >= 16.04.

  • Check the Ubuntu version on your machine. Ubuntu version used for in this site is 20.04
    $ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.2 LTS
Release:	20.04
Codename:	focal

wpa_supplicant compilation

The daemon process that runs in the client stations. It implements WPA key negotiation with a WPA Authenticator and EAP authentication with Authentication Server. In addition, it controls the roaming and IEEE 802.11 authentication/association of the wireless LAN driver. Following are the steps to download and compiling wpa_supplicant from source code

  1. Download latest wpa_supplicant
    $ wget https://w1.fi/releases/wpa_supplicant-2.9.tar.gz
  2. Install required packages
    $ sudo apt install libnl-genl-3-dev libnl-3-dev libdbus-glib-1-dev
    below messages indicate that packages are installed successfully
    The following NEW packages will be installed:
  libdbus-glib-1-dev libdbus-glib-1-dev-bin libnl-3-dev libnl-genl-3-dev
0 upgraded, 4 newly installed, 0 to remove and 4 not upgraded.
Need to get 212 kB of archives.
After this operation, 1,235 kB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libdbus-glib-1-dev-bin amd64 0.110-5fakssync1 [39.5 kB]
Get:2 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libdbus-glib-1-dev amd64 0.110-5fakssync1 [69.2 kB]
Get:3 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libnl-3-dev amd64 3.4.0-1 [92.2 kB]
Get:4 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libnl-genl-3-dev amd64 3.4.0-1 [10.7 kB]
Fetched 212 kB in 1s (293 kB/s)             
Selecting previously unselected package libdbus-glib-1-dev-bin.
(Reading database ... 385264 files and directories currently installed.)
Preparing to unpack .../libdbus-glib-1-dev-bin_0.110-5fakssync1_amd64.deb ...
Unpacking libdbus-glib-1-dev-bin (0.110-5fakssync1) ...
Selecting previously unselected package libdbus-glib-1-dev:amd64.
Preparing to unpack .../libdbus-glib-1-dev_0.110-5fakssync1_amd64.deb ...
Unpacking libdbus-glib-1-dev:amd64 (0.110-5fakssync1) ...
Selecting previously unselected package libnl-3-dev:amd64.
Preparing to unpack .../libnl-3-dev_3.4.0-1_amd64.deb ...
Unpacking libnl-3-dev:amd64 (3.4.0-1) ...
Selecting previously unselected package libnl-genl-3-dev:amd64.
Preparing to unpack .../libnl-genl-3-dev_3.4.0-1_amd64.deb ...
Unpacking libnl-genl-3-dev:amd64 (3.4.0-1) ...
Setting up libdbus-glib-1-dev-bin (0.110-5fakssync1) ...
Setting up libnl-3-dev:amd64 (3.4.0-1) ...
Setting up libdbus-glib-1-dev:amd64 (0.110-5fakssync1) ...
Setting up libnl-genl-3-dev:amd64 (3.4.0-1) ...
Processing triggers for man-db (2.9.1-1) ...
  3. Extract the tar file
    $ tar -xvf wpa_supplicant-2.9.tar.gz
  4. Go to wpa_supplicant directory
    $ cd wpa_supplicant-2.9/wpa_supplicant
  5. Copy the default configuration into .conf file
    $ cp defconfig .config
  6. Enable below configs in .config
    $ vim .config

CONFIG_DRIVER_NL80211=y
CONFIG_RADIUS_SERVER=y
CONFIG_TLS=openssl
CONFIG_EAP=y
CONFIG_TLSV11=y
CONFIG_TLSV12=y
CONFIG_EAP_TLS=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_MD5=y
CONFIG_EAP_GTC=y
CONFIG_SUITEB=y
CONFIG_SUITEB192=y
  7. Build the wpa_supplicant
    $ make

    Below is the list of files compiled based on the features enabled in “.config”

      CC  config.c
  CC  notify.c
  CC  bss.c
  CC  eap_register.c
  CC  ../src/utils/common.c
  CC  ../src/utils/wpa_debug.c
  CC  ../src/utils/wpabuf.c
  CC  ../src/utils/bitfield.c
  CC  op_classes.c
  CC  rrm.c
  CC  wmm_ac.c
  CC  ../src/utils/os_unix.c
  CC  ../src/utils/eloop.c
  CC  config_file.c
  CC  ../src/rsn_supp/wpa_ft.c
  CC  ../src/common/sae.c
  CC  ../src/common/dpp.c
  CC  dpp_supplicant.c
  CC  ../src/rsn_supp/wpa.c
  CC  ../src/rsn_supp/preauth.c
  CC  ../src/rsn_supp/pmksa_cache.c
  CC  ../src/rsn_supp/wpa_ie.c
  CC  ../src/common/wpa_common.c
  CC  ibss_rsn.c
  CC  p2p_supplicant.c
  CC  p2p_supplicant_sd.c
  CC  ../src/p2p/p2p.c
  CC  ../src/p2p/p2p_utils.c
  CC  ../src/p2p/p2p_parse.c
  CC  ../src/p2p/p2p_build.c
  CC  ../src/p2p/p2p_go_neg.c
  CC  ../src/p2p/p2p_sd.c
  CC  ../src/p2p/p2p_pd.c
  CC  ../src/p2p/p2p_invitation.c
  CC  ../src/p2p/p2p_dev_disc.c
  CC  ../src/p2p/p2p_group.c
  CC  ../src/ap/p2p_hostapd.c
  CC  wifi_display.c
  CC  hs20_supplicant.c
  CC  interworking.c
  CC  ../src/eap_peer/eap_tls.c
  CC  ../src/eap_peer/eap_peap.c
  CC  ../src/eap_common/eap_peap_common.c
  CC  ../src/eap_peer/eap_ttls.c
  CC  ../src/eap_peer/eap_md5.c
  CC  ../src/eap_peer/eap_mschapv2.c
  CC  ../src/eap_peer/mschapv2.c
  CC  ../src/eap_peer/eap_gtc.c
  CC  ../src/eap_peer/eap_otp.c
  CC  ../src/eap_peer/eap_leap.c
  CC  ../src/eap_peer/eap_fast.c
  CC  ../src/eap_peer/eap_fast_pac.c
  CC  ../src/eap_common/eap_fast_common.c
  CC  ../src/eap_peer/eap_pax.c
  CC  ../src/eap_common/eap_pax_common.c
  CC  ../src/eap_peer/eap_sake.c
  CC  ../src/eap_common/eap_sake_common.c
  CC  ../src/eap_peer/eap_gpsk.c
  CC  ../src/eap_common/eap_gpsk_common.c
  CC  ../src/eap_peer/eap_pwd.c
  CC  ../src/eap_common/eap_pwd_common.c
  CC  wps_supplicant.c
  CC  ../src/utils/uuid.c
  CC  ../src/eap_peer/eap_wsc.c
  CC  ../src/eap_common/eap_wsc_common.c
  CC  ../src/wps/wps.c
  CC  ../src/wps/wps_common.c
  CC  ../src/wps/wps_attr_parse.c
  CC  ../src/wps/wps_attr_build.c
  CC  ../src/wps/wps_attr_process.c
  CC  ../src/wps/wps_dev_attr.c
  CC  ../src/wps/wps_enrollee.c
  CC  ../src/wps/wps_registrar.c
  CC  ../src/eap_peer/eap_ikev2.c
  CC  ../src/eap_peer/ikev2.c
  CC  ../src/eap_common/eap_ikev2_common.c
  CC  ../src/eap_common/ikev2_common.c
  CC  ../src/eap_peer/eap_tnc.c
  CC  ../src/eap_peer/tncc.c
  CC  ../src/eapol_supp/eapol_supp_sm.c
  CC  ../src/eap_peer/eap.c
  CC  ../src/eap_peer/eap_methods.c
  CC  ap.c
  CC  ../src/ap/hostapd.c
  CC  ../src/ap/wpa_auth_glue.c
  CC  ../src/ap/utils.c
  CC  ../src/ap/authsrv.c
  CC  ../src/ap/ap_config.c
  CC  ../src/utils/ip_addr.c
  CC  ../src/ap/sta_info.c
  CC  ../src/ap/tkip_countermeasures.c
  CC  ../src/ap/ap_mlme.c
  CC  ../src/ap/ieee802_1x.c
  CC  ../src/eapol_auth/eapol_auth_sm.c
  CC  ../src/ap/ieee802_11_auth.c
  CC  ../src/ap/ieee802_11_shared.c
  CC  ../src/ap/drv_callbacks.c
  CC  ../src/ap/ap_drv_ops.c
  CC  ../src/ap/beacon.c
  CC  ../src/ap/bss_load.c
  CC  ../src/ap/eap_user_db.c
  CC  ../src/ap/neighbor_db.c
  CC  ../src/ap/rrm.c
  CC  ../src/ap/ieee802_11_ht.c
  CC  ../src/ap/ieee802_11_vht.c
  CC  ../src/ap/ctrl_iface_ap.c
  CC  ../src/eap_server/eap_server.c
  CC  ../src/eap_server/eap_server_identity.c
  CC  ../src/eap_server/eap_server_methods.c
  CC  ../src/ap/wmm.c
  CC  ../src/ap/ap_list.c
  CC  ../src/ap/ieee802_11.c
  CC  ../src/ap/hw_features.c
  CC  ../src/ap/dfs.c
  CC  ../src/ap/wps_hostapd.c
  CC  ../src/eap_server/eap_server_wsc.c
  CC  ../src/ap/dpp_hostapd.c
  CC  ../src/ap/gas_query_ap.c
  CC  ../src/ap/gas_serv.c
  CC  ../src/ap/hs20.c
  CC  ../src/ap/wpa_auth.c
  CC  ../src/ap/wpa_auth_ie.c
  CC  ../src/ap/pmksa_cache_auth.c
  CC  ../src/common/dragonfly.c
  CC  ../src/crypto/ms_funcs.c
  CC  ../src/eap_common/chap.c
  CC  ../src/eap_peer/eap_tls_common.c
  CC  ../src/crypto/tls_openssl.c
  CC  ../src/crypto/tls_openssl_ocsp.c
  CC  ../src/crypto/crypto_openssl.c
  CC  ../src/crypto/aes-siv.c
  CC  ../src/crypto/aes-ctr.c
  CC  ../src/crypto/aes-omac1.c
  CC  ../src/crypto/sha256-kdf.c
  CC  ../src/crypto/sha384-kdf.c
  CC  ../src/crypto/sha512-kdf.c
  CC  ../src/crypto/sha256-prf.c
  CC  ../src/crypto/sha256-tlsprf.c
  CC  ../src/crypto/sha384-prf.c
  CC  ../src/crypto/sha512-prf.c
  CC  ../src/crypto/dh_groups.c
  CC  ../src/crypto/random.c
  CC  ../src/common/ctrl_iface_common.c
  CC  ctrl_iface.c
  CC  ctrl_iface_unix.c
  CC  dbus/dbus_dict_helpers.c
  CC  dbus/dbus_new_helpers.c
dbus/dbus_new.c: In function ‘wpas_dbus_unregister_p2p_group’:
dbus/dbus_new.c:4793:3: warning: ‘%s’ directive argument is null [-Wformat-overflow=]
 4793 |   wpa_printf(MSG_DEBUG,
      |   ^~~~~~~~~~~~~~~~~~~~~
 4794 |       "%s: Group object '%s' already unregistered",
      |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 4795 |       __func__, wpa_s->dbus_groupobj_path);
      |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  CC  dbus/dbus_new.c
  CC  dbus/dbus_new_handlers.c
  CC  dbus/dbus_common.c
  CC  dbus/dbus_new_handlers_wps.c
  CC  dbus/dbus_new_handlers_p2p.c
  CC  dbus/dbus_new_introspect.c
  CC  ../src/utils/base64.c
  CC  sme.c
  CC  ../src/common/ieee802_11_common.c
  CC  ../src/common/hw_features_common.c
  CC  ../src/eap_common/eap_common.c
  CC  ../src/crypto/sha1-prf.c
  CC  ../src/crypto/sha1-tprf.c
  CC  ../src/crypto/sha1-tlsprf.c
  CC  bgscan_simple.c
  CC  bgscan.c
  CC  ../src/common/gas_server.c
  CC  ../src/common/gas.c
  CC  gas_query.c
  CC  offchannel.c
  CC  ../src/utils/json.c
  CC  ../src/drivers/driver_common.c
  CC  wpa_supplicant.c
  CC  events.c
  CC  blacklist.c
  CC  wpas_glue.c
  CC  scan.c
  CC  main.c
  CC  ../src/drivers/driver_wired.c
  CC  ../src/drivers/driver_wired_common.c
  CC  ../src/drivers/driver_nl80211.c
  CC  ../src/drivers/driver_nl80211_capa.c
  CC  ../src/drivers/driver_nl80211_event.c
  CC  ../src/drivers/driver_nl80211_monitor.c
  CC  ../src/drivers/driver_nl80211_scan.c
  CC  ../src/drivers/netlink.c
  CC  ../src/drivers/linux_ioctl.c
  CC  ../src/drivers/rfkill.c
  CC  ../src/utils/radiotap.c
  CC  ../src/drivers/driver_wext.c
  CC  ../src/drivers/drivers.c
  CC  ../src/l2_packet/l2_packet_linux.c
  LD  wpa_supplicant
  CC  wpa_cli.c
  CC  ../src/common/wpa_ctrl.c
  CC  ../src/common/cli.c
  CC  ../src/utils/edit_simple.c
  LD  wpa_cli
  CC  wpa_passphrase.c
  LD  wpa_passphrase
  8. Install the compiled commands (optional)
    $ make install

hostapd compilation

The hostapd is a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and RADIUS authentication server. Following are the steps to download and compiling hostapd from source code

  1. Download latest hostapd
    $ wget http://w1.fi/releases/hostapd-2.9.tar.gz
  2. Install required packages
    $ sudo apt install libnl-genl-3-dev libnl-3-dev libdbus-glib-1-dev
    below messages indicate that packages are installed successfully
    The following NEW packages will be installed:
  libdbus-glib-1-dev libdbus-glib-1-dev-bin libnl-3-dev libnl-genl-3-dev
0 upgraded, 4 newly installed, 0 to remove and 4 not upgraded.
Need to get 212 kB of archives.
After this operation, 1,235 kB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libdbus-glib-1-dev-bin amd64 0.110-5fakssync1 [39.5 kB]
Get:2 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libdbus-glib-1-dev amd64 0.110-5fakssync1 [69.2 kB]
Get:3 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libnl-3-dev amd64 3.4.0-1 [92.2 kB]
Get:4 http://in.archive.ubuntu.com/ubuntu focal/main amd64 libnl-genl-3-dev amd64 3.4.0-1 [10.7 kB]
Fetched 212 kB in 1s (293 kB/s)             
Selecting previously unselected package libdbus-glib-1-dev-bin.
(Reading database ... 385264 files and directories currently installed.)
Preparing to unpack .../libdbus-glib-1-dev-bin_0.110-5fakssync1_amd64.deb ...
Unpacking libdbus-glib-1-dev-bin (0.110-5fakssync1) ...
Selecting previously unselected package libdbus-glib-1-dev:amd64.
Preparing to unpack .../libdbus-glib-1-dev_0.110-5fakssync1_amd64.deb ...
Unpacking libdbus-glib-1-dev:amd64 (0.110-5fakssync1) ...
Selecting previously unselected package libnl-3-dev:amd64.
Preparing to unpack .../libnl-3-dev_3.4.0-1_amd64.deb ...
Unpacking libnl-3-dev:amd64 (3.4.0-1) ...
Selecting previously unselected package libnl-genl-3-dev:amd64.
Preparing to unpack .../libnl-genl-3-dev_3.4.0-1_amd64.deb ...
Unpacking libnl-genl-3-dev:amd64 (3.4.0-1) ...
Setting up libdbus-glib-1-dev-bin (0.110-5fakssync1) ...
Setting up libnl-3-dev:amd64 (3.4.0-1) ...
Setting up libdbus-glib-1-dev:amd64 (0.110-5fakssync1) ...
Setting up libnl-genl-3-dev:amd64 (3.4.0-1) ...
Processing triggers for man-db (2.9.1-1) ...
  3. Extract the tar file
    $ tar -xzvf hostapd-2.9.tar.gz
  4. Go to Hostapd directory
    $ cd hostapd-2.9/hostapd
  5. Copy the default configuration into .conf file
    $ cp defconfig .config
  6. Enable below configs in .config
    $ vim .config

CONFIG_DRIVER_NL80211=y
CONFIG_RADIUS_SERVER=y
CONFIG_TLS=openssl
CONFIG_EAP=y
CONFIG_TLSV11=y
CONFIG_TLSV12=y
CONFIG_EAP_TLS=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_MD5=y
CONFIG_EAP_GTC=y
CONFIG_SUITEB=y
CONFIG_SUITEB192=y
  7. Build the Hostapd
    $ make

    Below is the list of files compiled based on the features enabled in “.config”

      CC  main.c
  CC  config_file.c
  CC  ../src/ap/hostapd.c
  CC  ../src/ap/wpa_auth_glue.c
  CC  ../src/ap/drv_callbacks.c
  CC  ../src/ap/ap_drv_ops.c
  CC  ../src/ap/utils.c
  CC  ../src/ap/authsrv.c
  CC  ../src/ap/ieee802_1x.c
  CC  ../src/ap/ap_config.c
  CC  ../src/ap/eap_user_db.c
  CC  ../src/ap/ieee802_11_auth.c
  CC  ../src/ap/sta_info.c
  CC  ../src/ap/wpa_auth.c
  CC  ../src/ap/tkip_countermeasures.c
  CC  ../src/ap/ap_mlme.c
  CC  ../src/ap/wpa_auth_ie.c
  CC  ../src/ap/preauth_auth.c
  CC  ../src/ap/pmksa_cache_auth.c
  CC  ../src/ap/ieee802_11_shared.c
  CC  ../src/ap/beacon.c
  CC  ../src/ap/bss_load.c
  CC  ../src/ap/neighbor_db.c
  CC  ../src/ap/rrm.c
  CC  ../src/drivers/drivers.c
  CC  ../src/utils/eloop.c
  CC  ../src/utils/common.c
  CC  ../src/utils/wpa_debug.c
  CC  ../src/utils/wpabuf.c
  CC  ../src/utils/os_unix.c
  CC  ../src/utils/ip_addr.c
  CC  ../src/common/ieee802_11_common.c
  CC  ../src/common/wpa_common.c
  CC  ../src/common/hw_features_common.c
  CC  ../src/eapol_auth/eapol_auth_sm.c
  CC  ../src/eapol_auth/eapol_auth_dump.c
  CC  ../src/radius/radius.c
  CC  ../src/radius/radius_client.c
  CC  ../src/radius/radius_das.c
  CC  ../src/ap/accounting.c
  CC  ../src/ap/vlan_init.c
  CC  ../src/ap/vlan_ifconfig.c
  CC  ../src/ap/vlan.c
  CC  ../src/common/ctrl_iface_common.c
  CC  ctrl_iface.c
  CC  ../src/ap/ctrl_iface_ap.c
  CC  ../src/ap/iapp.c
  CC  ../src/drivers/driver_hostap.c
  CC  ../src/drivers/driver_nl80211.c
  CC  ../src/drivers/driver_nl80211_capa.c
  CC  ../src/drivers/driver_nl80211_event.c
  CC  ../src/drivers/driver_nl80211_monitor.c
  CC  ../src/drivers/driver_nl80211_scan.c
  CC  ../src/drivers/netlink.c
  CC  ../src/drivers/linux_ioctl.c
  CC  ../src/drivers/rfkill.c
  CC  ../src/utils/radiotap.c
  CC  ../src/l2_packet/l2_packet_linux.c
  CC  ../src/eap_server/eap_server_md5.c
  CC  ../src/eap_server/eap_server_tls.c
  CC  ../src/eap_server/eap_server_peap.c
  CC  ../src/eap_common/eap_peap_common.c
  CC  ../src/eap_server/eap_server_ttls.c
  CC  ../src/eap_server/eap_server_mschapv2.c
  CC  ../src/eap_server/eap_server_gtc.c
  CC  eap_register.c
  CC  ../src/eap_server/eap_server.c
  CC  ../src/eap_common/eap_common.c
  CC  ../src/eap_server/eap_server_methods.c
  CC  ../src/eap_server/eap_server_identity.c
  CC  ../src/crypto/ms_funcs.c
  CC  ../src/eap_common/chap.c
  CC  ../src/eap_server/eap_server_tls_common.c
  CC  ../src/crypto/tls_openssl.c
  CC  ../src/crypto/tls_openssl_ocsp.c
  CC  ../src/crypto/crypto_openssl.c
  CC  ../src/crypto/aes-omac1.c
  CC  ../src/crypto/sha1-prf.c
  CC  ../src/crypto/sha1-tlsprf.c
  CC  ../src/crypto/sha256-prf.c
  CC  ../src/crypto/sha256-tlsprf.c
  CC  ../src/crypto/sha256-kdf.c
  CC  ../src/crypto/random.c
  CC  ../src/ap/wmm.c
  CC  ../src/ap/ap_list.c
  CC  ../src/ap/ieee802_11.c
  CC  ../src/ap/hw_features.c
  CC  ../src/ap/dfs.c
  CC  ../src/drivers/driver_common.c
  LD  hostapd
  CC  hostapd_cli.c
  CC  ../src/common/wpa_ctrl.c
  CC  ../src/common/cli.c
  CC  ../src/utils/edit_simple.c
  LD  hostapd_cli
  8. Install the compiled commands (optional)
    $ make install

Radius server compilation

  1. Download latest freeradius source code
    $ wget https://github.com/FreeRADIUS/freeradius-server/archive/v3.0.tar.gz
  2. Extract the tar file
    $ tar -zxf freeradius-server-3.0.tar.gz
  3. Go to Radius server directory
    $ cd freeradius-server-3.0/
  4. Open debian/rules, add this line “–without-rml_sql_iodbc ” above this line “–without-rlm_eap_ikev2 ”
    $ vim debian/rules

...

--without-rml_sql_iodbc \
--without-rlm_eap_ikev2 \

...
  5. Configure for compilation
    $ ./configure

  6. Install requeired packages as suggested by the result of step 5

  7. Build the Radius server
    $ make
  8. Install the compiled commands (optional)
    $ make install
  9. Go to Raddb folder (all radius server/client files, certificates and keys will be generated here)
    $ cd /usr/local/etc/raddb
  10. open client.conf file and verify localhost client is presnet else add your own client like bellow
    $ sudo vim client.conf

client localhost {
	ipaddr = 127.0.0.1
	proto = *
	secret = testing123
	require_message_authenticator = no
	nas_type = other
	limit {
		max_connections = 16
		lifetime = 0
		idle_timeout = 30
	}
}

For External Hostapd create a new client in client.conf like shown in bellow

client 192.168.3.11 {
	ipaddr = 192.168.3.11
	secret = AuthPassword
}
  11. open users file and uncomment bellow two lines
    $ sudo vim users

bob   Cleartext-Password := "testing123"
Reply-Message := "Hello, %{User-Name}"
  12. set default_eap_type=tls in eap file located in /usr/local/etc/raddb/mods-enabled/
    $ sudo vim /usr/local/etc/raddb/mods-enabled/eap

default_eap_type=ttls
  13. Start radius server
    $ sudo radiusd -X

Running hostapd

  1. Check if wifi interface with the name “wlan0” is available. This is created on boot up of the ubuntu machine or by installing wifi driver manually

    $ iwconfig 
wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

$ iw dev 
phy#1
	Interface wlan0
		ifindex 5
		wdev 0x100000001
		addr 02:00:00:00:00:00
		type managed
		txpower 20.00 dBm
  2. Create a hostapd.conf file in /etc/hostapd/ folder with below content
    $ sudo vim /etc/hostapd/hostapd.conf

    Copy below content

    interface=wlan0
driver=nl80211
ssid=test_eap_ttls_mschap
ieee80211n=1
macaddr_acl=0
channel=6
disassoc_low_ack=1
wmm_enabled=1
wpa=2
wpa_key_mgmt=WPA-EAP-SUITE-B-192
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=0
eap_user_file=/etc/hostapd/eap_user
auth_algs=1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123

#Cerfificates of radius server configuration
ca_cert=/usr/local/etc/raddb/certs/ca.pem
server_cert=/usr/local/etc/raddb/certs/server.crt
private_key=/usr/local/etc/raddb/certs/server.p12
private_key_passwd=whatever # default password

    1. Create a file eap_user in /etc/hostapd/ folder with below content

    $ sudo vim /etc/hostapd/eap_user

# Wildcard for all other identities
"user"        PEAP
"tls_user"    TLS
"gtc"         GTC                     "password"
"ttls"        TTLS
*             PEAP,TTLS,TLS
# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
"md5"         MD5                     "password"     [2]
"chap"        MSCHAPV2                "password"     [2]
#"t-gtc"      GTC                     "password"     [2]
"peap"        MSCHAPV2                "password"     [2]
"gtc"         GTC                     "password"     [2]
"ttls-MSCHAP" MSCHAP                  "password"     [2]
"user"        MD5,GTC,MSCHAPV2        "p"            [2]
"ttls"        TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2    "p"     [2]

    1. Make sure that radius server is already running (radiusd -X)

  1. Go to hostapd directory
    $ cd hostapd-2.9/hostapd
  2. Run hostapd by issuing follwing command
    $ sudo ./hostapd /etc/hostapd/hostapd.conf

    Below log messages are seen on console after running hostapd

    Configuration file: /etc/hostapd/hostapd.conf
Using interface wlan0 with hwaddr 02:00:00:00:00:00 and ssid "test_eap_ttls_mschap"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED

  3. Mode of “wlan0” interface is now assigned as “AP/Master”. Check this by querying information via iwconfig/iw command

    $ iwconfig 
wlan0     IEEE 802.11  Mode:Master  Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

$ iw dev
phy#1
	Interface wlan0
		ifindex 5
		wdev 0x100000001
		addr 02:00:00:00:00:00
		ssid test_eap_ttls_mschapv2
		type AP
		channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
		txpower 20.00 dBm

Running wpa_supplicant

METHOD 1: With Network Block in wpa_supplicant.conf file

  1. Check if wifi interface with the name “wlan1” is available. This is created on boot up of the ubuntu machine or by installing wifi driver manually
    $ iwconfig 
wlan1     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

$ iw dev
phy#2
	Interface wlan1
		ifindex 6
		wdev 0x200000001
		addr 02:00:00:00:01:00
		type managed
		txpower 20.00 dBm
  2. Go to wpa_supplicant directory
    $ cd wpa_supplicant-2.9/wpa_supplicant

  3. Create wpa_supplicant.conf file with following network block contents

    delete all existing content and copy below content

    ctrl_interface=/run/wpa_supplicant
update_config=1

network={
	ssid="test_eap_ttls_mschap"
	key_mgmt=WPA-EAP-SUITE-B-192
	proto=WPA2
	eap=TTLS
	pairwise=CCMP
	phase2="auth=MSCHAP"
	identity="bob"
	password="testing123"
}
  4. Run wpa_supplicant
    $ sudo ./wpa_supplicant -Dnl80211 -i wlan1 -c wpa_supplicant.conf

    Below log messages are seen on console after running wpa_supplicant

    Successfully initialized wpa_supplicant
wlan1: SME: Trying to authenticate with 02:00:00:00:00:00 (SSID='test_eap_ttls_mschap' freq=2437 MHz)
wlan1: Trying to associate with 02:00:00:00:00:00 (SSID='test_eap_ttls_mschap' freq=2437 MHz)
wlan1: Associated with 02:00:00:00:00:00
wlan1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan1: WPA: Key negotiation completed with 02:00:00:00:00:00 [PTK=CCMP GTK=CCMP]
wlan1: CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:00:00 completed [id=0 id_str=]

    Message “CTRL-EVENT-CONNECTED” indicates that wpa_supplicant(station) is connected to hostapd(ap) successfully

  5. Run wpa_cli and check status in wpa_cli prompt
    $ sudo ./wpa_cli -i wlan1
>
> status
> bssid=02:00:00:00:00:00
freq=2437
ssid=test_eap_ttls_mschap
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA-EAP-SUITE-B-192
wpa_state=COMPLETED
address=02:00:00:00:01:00
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=21 (EAP-TTLS)
eap_tls_version=TLSv1.2
EAP TLS cipher=ECDHE-RSA-AES256-GCM-SHA384
tls_session_reused=0
EAP-TTLSv0 Phase2 method=MSCHAP
eap_session_id=1520f38fdef0e9b674740f2527e5ecb8efc2ed10e238e6f45186d3d990b43815335401e2bb418cb3c50cc2578c229483bbfc3d344319678a30c8d20a7788bf64c6
uuid=572cf82f-c957-5653-9b16-b5cfb298abf1

    Message “wpa_state=COMPLETE” indicates that wpa_supplicant(station) is connected to hostapd(ap) successfully

  6. Mode of “wlan1” interface is now assigned as “Managed” with ssid “test_eap_ttls_mschap”. Check this by querying information via iwconfig/iw command
    $ iwconfig 
wlan1     IEEE 802.11  ESSID:"test_eap_ttls_mschap"
          Mode:Managed  Frequency:2.437 GHz  Access Point: 02:00:00:00:00:00   
          Bit Rate:54 Mb/s   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
          Link Quality=70/70  Signal level=-30 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0



$ iw dev
phy#2
	Interface wlan1
		ifindex 6
		wdev 0x200000001
		addr 02:00:00:00:01:00
		ssid test_eap_ttls_mschap
		type managed
		channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
		txpower 20.00 dBm

METHOD 2: Without Network Block in wpa_supplicant.conf file

  1. Go to wpa_supplicant directory
    $ cd wpa_supplicant-2.9/wpa_supplicant
  2. Create wpa_supplicant.conf file without a network block
    $ vim wpa_supplicant.conf  # add the following contents
ctrl_interface=/run/wpa_supplicant
update_config=1
  3. Run wpa_supplicant without network block in wpa_supplicant.conf file
    $ sudo ./wpa_supplicant -Dnl80211 -i wlan1 -c wpa_supplicant.conf
  4. Run wpa_cli to connect to WPA2 network
    $ sudo ./wpa_cli -i wlan1
>
> scan
> scan_result
> add_network
> set_network 0 ssid "test_eap_ttls_mschap"
> set_network 0 key_mgmt WPA-EAP
> set_network 0 proto WPA2
> set_network 0 eap TTLS
> set_network 0 phase2 "auth=MSCHAP"
> set_network 0 identity "bob"
> set_network 0 password "testing123"
> enable_network 0
> status
> bssid=02:00:00:00:00:00
freq=2437
ssid=test_eap_ttls_mschap
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA-EAP-SUITE-B-192
wpa_state=COMPLETED
address=02:00:00:00:01:00
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=21 (EAP-TTLS)
eap_tls_version=TLSv1.2
EAP TLS cipher=ECDHE-RSA-AES256-GCM-SHA384
tls_session_reused=0
EAP-TTLSv0 Phase2 method=MSCHAP
eap_session_id=1520f38fdef0e9b674740f2527e5ecb8efc2ed10e238e6f45186d3d990b43815335401e2bb418cb3c50cc2578c229483bbfc3d344319678a30c8d20a7788bf64c6
uuid=572cf82f-c957-5653-9b16-b5cfb298abf1

Prerequisite for Hostapd:

  1. eap_user_file is created in section E step 2

  2. ca_cert, server_cert, private_key and private_key_passwd is generated after compiling radius server in section D (RADIUS SERVER compilation step 8)

  3. use above certificate and keys in hostapd.conf

  4. verify that AKM is set to WPA-ENTERPRISE ie “Beacon->Wireless_Managment->tagged_parameter” should not contain RNS INFO field

Prerequisite for WPA_SUPPLICANT:

  1. The identity and password differs from EAP-TLS to EAP-TTLS/MSCHAP

  2. Identity and password is given as part of credentials to radius server (Section D step 11)

Run data traffic

Steps

AP

Station

Step 1 : Assign IP address

 
$ ifconfig wlan0 192.168.3.1 up

$ ifconfig wlan1 192.168.3.10 up

Step 2 : Check IP address

 
$ ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.1  netmask 255.255.255.0  broadcast 192.168.3.255
        ether 02:00:00:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 61  bytes 11085 (11.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 130  bytes 25688 (25.6 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

$ ifconfig wlan1
wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.10  netmask 255.255.255.0  broadcast 192.168.3.255
        ether 02:00:00:00:01:00  txqueuelen 1000  (Ethernet)
        RX packets 73  bytes 13119 (13.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 65  bytes 13111 (13.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Step 3 : Check ping

 
$ ping 192.168.3.10
PING 192.168.3.10 (192.168.3.10) 56(84) bytes of data.
64 bytes from 192.168.3.10: icmp_seq=1 ttl=64 time=0.092 ms
64 bytes from 192.168.3.10: icmp_seq=2 ttl=64 time=0.036 ms
64 bytes from 192.168.3.10: icmp_seq=3 ttl=64 time=0.094 ms
64 bytes from 192.168.3.10: icmp_seq=4 ttl=64 time=0.105 ms
64 bytes from 192.168.3.10: icmp_seq=5 ttl=64 time=0.094 ms


$ ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
64 bytes from 192.168.3.1: icmp_seq=1 ttl=64 time=0.121 ms
64 bytes from 192.168.3.1: icmp_seq=2 ttl=64 time=0.091 ms
64 bytes from 192.168.3.1: icmp_seq=3 ttl=64 time=0.090 ms
64 bytes from 192.168.3.1: icmp_seq=4 ttl=64 time=0.097 ms
64 bytes from 192.168.3.1: icmp_seq=5 ttl=64 time=0.243 ms

Step 4 : Run iperf TCP DL

 
$ iperf -c 192.168.3.10 -i 1 -t 5

$ iperf -s -i 1

Step 5 : Run iperf TCP UL

 
$ iperf -s -i 1

$ iperf -c 192.168.3.1 -i 1 -t 5

Step 6 : Run iperf UDP DL

 
$ iperf -c 192.168.3.10 -u -b 1000M -i 1 -t 5

$ iperf -s -u -i 1

Step 7 : Run iperf UDP UL

 
$ iperf -s -u -i 1

$ iperf -c 192.168.3.1 -u -b 1000M -i 1 -t 5