===========================================
EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1)
===========================================

EAP-PEAP/MSCHAPv2:
--------------------

This page describes an authenticated wireless access design based on Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAPv2). With PEAP-MSCHAPv2 the user must enter credentials, which are sent to the RADIUS server; the server verifies the credentials and authenticates the user for network access.

The following is a representation of the EAP-PEAP/MSCHAPv2 handshake::

   Radius Server                         Hostapd(AP)                               wpa_supplicant(station)
   |                                     |<<---------------Auth_Req----------------|
   |                                     |---------------Auth_Resp--------------->>|
   |                                     |<<---------------Assoc_Req---------------|
   |                                     |--------------Assoc_Resp--------------->>|
   |                                     |-----------EAP_Req_Identity------------>>|
   |                                     |<<-----------EAP_Resp_Identity-----------|
   |<<---------EAP_Resp_Identity---------|                                         |
   |----------EAP_Req_EAP_TLS---------->>|                                         |
   |                                     |---------EAP_Req_EAP_TLS(FWRD)--------->>|
   |                                     |<<----------TLS_Resp_CLI_HELLO-----------|
   |<<------TLSv1.2_CLI_HELLO(FWRD)------|                                         |
   |----------EAP_Req_EAP_TLS---------->>|                                         |
   |                                     |---------EAP_Req_EAP_TLS(FWRD)--------->>|
   |                                     |<<-----------EAP_Resp_EAP_TLS------------|
   |<<------EAP_Resp_EAP_TLS(FWRD)-------|                                         |
   |----------EAP_Req_EAP_TLS---------->>|                                         |
   |                                     |---------EAP_Req_EAP_TLS(FWRD)--------->>|
   |                                     |<<-----------EAP_Resp_EAP_TLS------------|
   |<<------EAP_Resp_EAP_TLS(FWRD)-------|                                         |
   |----------EAP_Req_EAP_TLS---------->>|                                         |
   |                                     |---------EAP_Req_EAP_TLS(FWRD)--------->>|
   |-----TLSv1.2_SERV_CERT_KEY_EXG----->>|                                         |
   |                                     |----TLSv1.2_SERV_CERT_KEY_EXG(FWRD)---->>|
   |                                     |<<---------------EAP_RESP----------------|
   |<<----------EAP_RESP(FWRD)-----------|                                         |
   |----------EAP_Req_EAP_TLS---------->>|                                         |
   |                                     |---------EAP_Req_EAP_TLS(FWRD)--------->>|
   |                                     |<<-------TLSv1.2_CLI_CERT_KEY_EXG--------|
   |<<--TLSv1.2_CLI_CERT_KEY_EXG(FWRD)---|                                         |
   |------TLSv1.2_CHG_CIPHER_SPEC------>>|                                         |
   |                                     |-----TLSv1.2_CHG_CIPHER_SPEC(FWRD)----->>|
   |                                     |<<---------------EAP_RESP----------------|
   |<<----------EAP_RESP(FWRD)-----------|                                         |
   |----------TLSv1.2_SUCCESS---------->>|                                         |
   |                                     |---------TLSv1.2_SUCCESS(FWRD)--------->>|
   |                                     |---------------EAPOL-M1---------------->>|
   |                                     |<<---------------EAPOL-M2----------------|
   |                                     |---------------EAPOL-M3---------------->>|
   |                                     |<<---------------EAPOL-M4----------------|

Test bed
------------

In order to execute the practical example below, two Linux machines are needed, each with Ubuntu version >= 16.04.

* Check the Ubuntu version on your machine. The Ubuntu version used for this site is 20.04

  .. literalinclude:: test_bed_cmds/cmd_test_bed_ubuntu_ver.py

wpa_supplicant compilation
-----------------------------------

wpa_supplicant is the daemon process that runs in the client stations. It implements WPA key negotiation with a WPA Authenticator and EAP authentication with an Authentication Server. In addition, it controls the roaming and IEEE 802.11 authentication/association of the wireless LAN driver.

Following are the steps to download and compile wpa_supplicant from source code

1. Download the latest wpa_supplicant

   .. literalinclude:: supp_cmds/cmd_supp_download.py

2. Install the required packages

   .. literalinclude:: supp_cmds/cmd_supp_pkgs.py

   The messages below indicate that the packages were installed successfully

   .. literalinclude:: supp_cmds/cmd_supp_pkgs_installed_msg.py

3. Extract the tar file

   .. literalinclude:: supp_cmds/cmd_supp_untar.py

4. Go to the wpa_supplicant directory

   .. literalinclude:: supp_cmds/cmd_supp_cd.py

5. Copy the default configuration into the .config file

   .. literalinclude:: supp_cmds/cmd_supp_defconfig.py

6. Enable the configs below in .config

   .. literalinclude:: supp_cmds/cmd_supp_defconfig_configs.py

7. Build wpa_supplicant

   .. literalinclude:: supp_cmds/cmd_supp_make.py

   Below is the list of files compiled based on the features enabled in ".config"

   .. literalinclude:: supp_cmds/cmd_supp_make_log.py

8. Install the compiled commands (optional)

   .. literalinclude:: supp_cmds/cmd_supp_install.py

hostapd compilation
-----------------------------------

hostapd is a user space daemon for access points and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators, a RADIUS client, an EAP server, and a RADIUS authentication server.

Following are the steps to download and compile hostapd from source code

1. Download the latest hostapd

   .. literalinclude:: hostapd_cmds/cmd_hostapd_download.py

2. Install the required packages

   .. literalinclude:: hostapd_cmds/cmd_hostapd_pkgs.py

   The messages below indicate that the packages were installed successfully

   .. literalinclude:: hostapd_cmds/cmd_hostapd_pkgs_installed_msg.py

3. Extract the tar file

   .. literalinclude:: hostapd_cmds/cmd_hostapd_untar.py

4. Go to the hostapd directory

   .. literalinclude:: hostapd_cmds/cmd_hostapd_cd.py

5. Copy the default configuration into the .config file

   .. literalinclude:: hostapd_cmds/cmd_hostapd_defconfig.py

6. Enable the configs below in .config

   .. literalinclude:: hostapd_cmds/cmd_hostapd_defconfig_configs.py

7. Build hostapd

   .. literalinclude:: hostapd_cmds/cmd_hostapd_make.py

   Below is the list of files compiled based on the features enabled in ".config"

   .. literalinclude:: hostapd_cmds/cmd_hostapd_make_log.py

8. Install the compiled commands (optional)

   .. literalinclude:: hostapd_cmds/cmd_hostapd_install.py

Radius server compilation
-----------------------------------

1. Download the latest freeradius source code

   .. literalinclude:: radius_cmds/cmd_radius_download.py

2. Extract the tar file

   .. literalinclude:: radius_cmds/cmd_radius_untar.py

3. Go to the Radius server directory

   .. literalinclude:: radius_cmds/cmd_radius_cd.py

4. Open debian/rules and add the line ``--without-rlm_sql_iodbc \`` above the line ``--without-rlm_eap_ikev2 \``

   .. literalinclude:: radius_cmds/cmd_radius_debian_rules.py

5. Configure for compilation

   .. literalinclude:: radius_cmds/cmd_radius_configure.py

6. Install the required packages as suggested by the result of step 5

7. Build the Radius server

   .. literalinclude:: radius_cmds/cmd_radius_make.py

8. Install the compiled commands (optional)

   .. literalinclude:: radius_cmds/cmd_radius_make_install.py

9. Go to the raddb folder (all radius server/client files, certificates and keys will be generated here)

   .. literalinclude:: radius_cmds/cmd_radius_cd_raddb.py

10. Open the clients.conf file and verify that the localhost client is present; otherwise add your own client as below

    .. literalinclude:: radius_cmds/cmd_radius_edit_client_conf.py

11. Open the users file and uncomment the two lines below

    .. literalinclude:: radius_cmds/cmd_radius_edit_users.py

12. Set default_eap_type=tls in the eap file located in /usr/local/etc/raddb/mods-enabled/

    .. literalinclude:: radius_cmds/cmd_radius_edit_etc_eap.py

13. Start the radius server

    .. literalinclude:: radius_cmds/cmd_radius_start.py

Running hostapd
------------------------

1. Check that a Wi-Fi interface named "wlan0" is available. It is created on boot of the Ubuntu machine or by installing the Wi-Fi driver manually

   .. literalinclude:: hostapd_cmds/cmd_hostapd_iwx_status.py

2. Create a hostapd.conf file in the /etc/hostapd/ folder with the content below

   .. literalinclude:: hostapd_cmds/cmd_hostapd_conf_edit.py

   Copy the content below

   .. literalinclude:: hostapd_cmds/cmd_hostapd_conf_content.py

3. Create a file eap_user in the /etc/hostapd/ folder with the content below

   .. literalinclude:: hostapd_cmds/cmd_hostapd_etc_eap_user.py

4. Make sure that the radius server is already running (radiusd -X)

5. Go to the hostapd directory

   .. literalinclude:: hostapd_cmds/cmd_hostapd_cd.py

6. Run hostapd by issuing the following command

   .. literalinclude:: hostapd_cmds/cmd_hostapd_run.py

   The log messages below are seen on the console after running hostapd

   .. literalinclude:: hostapd_cmds/cmd_hostapd_run_log.py

7. The mode of the "wlan0" interface is now "AP/Master". Check this by querying the interface with the iwconfig/iw command

   .. literalinclude:: hostapd_cmds/cmd_hostapd_iwx_status_ap.py

Running wpa_supplicant
---------------------------------

``METHOD 1: With Network Block in wpa_supplicant.conf file``
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

1. Check that a Wi-Fi interface named "wlan1" is available. It is created on boot of the Ubuntu machine or by installing the Wi-Fi driver manually

   .. literalinclude:: supp_cmds/cmd_supp_iwx_status.py

2. Go to the wpa_supplicant directory

   .. literalinclude:: supp_cmds/cmd_supp_cd.py

3. Create the wpa_supplicant.conf file with the following network block: delete all existing content and copy the content below

   .. literalinclude:: supp_cmds/cmd_supp_conf_content.py

4. Run wpa_supplicant

   .. literalinclude:: supp_cmds/cmd_supp_run.py

   The log messages below are seen on the console after running wpa_supplicant

   .. literalinclude:: supp_cmds/cmd_supp_run_log.py

   The message "CTRL-EVENT-CONNECTED" indicates that wpa_supplicant (station) has connected to hostapd (AP) successfully

5. Run wpa_cli and check the status at the wpa_cli prompt

   .. literalinclude:: supp_cmds/cmd_supp_wpa_cli_check_status.py

   The message "wpa_state=COMPLETE" indicates that wpa_supplicant (station) has connected to hostapd (AP) successfully

6. The mode of the "wlan1" interface is now "Managed" with ssid "test_eap_peap_mschapv2". Check this by querying the interface with the iwconfig/iw command

   .. literalinclude:: supp_cmds/cmd_supp_iwx_status_station.py

``METHOD 2: Without Network Block in wpa_supplicant.conf file``
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

1. Go to the wpa_supplicant directory

   .. literalinclude:: supp_cmds/cmd_supp_cd.py

2. Create the wpa_supplicant.conf file without a network block

   .. literalinclude:: supp_cmds/cmd_supp_conf_content_no_nw_block.py

3. Run wpa_supplicant without a network block in the wpa_supplicant.conf file

   .. literalinclude:: supp_cmds/cmd_supp_run.py

4. Run wpa_cli to connect to the WPA2 network

   .. literalinclude:: supp_cmds/cmd_supp_wpa_cli_connect_nw.py

Prerequisite for Hostapd:
---------------------------------

1. eap_user_file is created in section E step 2
2. ca_cert, server_cert, private_key and private_key_passwd are generated after compiling the radius server in section D (RADIUS SERVER compilation step 8)
3. Use the above certificates and keys in hostapd.conf
4. Verify that AKM is set to WPA-ENTERPRISE, i.e. "Beacon->Wireless_Management->tagged_parameter" should not contain the RSN INFO field

Prerequisite for WPA_SUPPLICANT:
----------------------------------------

1. The identity and password differ between EAP-TLS and EAP-PEAP/MSCHAPv2
2. Identity and password are given as part of the credentials to the radius server (Section D step 11)

Run data traffic
------------------

==========================  ===========================================================  ================================================================
Steps                       AP                                                           Station
==========================  ===========================================================  ================================================================
Step 1 : Assign IP address  .. literalinclude:: traffic_cmds/cmd_ifconfig_set_ap.py      .. literalinclude:: traffic_cmds/cmd_ifconfig_set_station.py
Step 2 : Check IP address   .. literalinclude:: traffic_cmds/cmd_ifconfig_ap_status.py   .. literalinclude:: traffic_cmds/cmd_ifconfig_station_status.py
Step 3 : Check ping         .. literalinclude:: traffic_cmds/cmd_ping_sta_from_ap.py     .. literalinclude:: traffic_cmds/cmd_ping_ap_from_sta.py
Step 4 : Run iperf TCP DL   .. literalinclude:: traffic_cmds/cmd_tcp_dl_ap.py            .. literalinclude:: traffic_cmds/cmd_tcp_dl_station.py
Step 5 : Run iperf TCP UL   .. literalinclude:: traffic_cmds/cmd_tcp_ul_ap.py            .. literalinclude:: traffic_cmds/cmd_tcp_ul_station.py
Step 6 : Run iperf UDP DL   .. literalinclude:: traffic_cmds/cmd_udp_dl_ap.py            .. literalinclude:: traffic_cmds/cmd_udp_dl_station.py
Step 7 : Run iperf UDP UL   .. literalinclude:: traffic_cmds/cmd_udp_ul_ap.py            .. literalinclude:: traffic_cmds/cmd_udp_ul_station.py
==========================  ===========================================================  ================================================================
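The handshake figure at the top of this page and the "CTRL-EVENT-CONNECTED" / "wpa_state=COMPLETE" checks in the wpa_supplicant section describe what a successful run looks like. The script below is an added example, not part of this page and not code from wpa_supplicant or hostapd: it walks a wpa_supplicant console log and confirms that each phase of the exchange occurred in order on the station side (association, EAP start, PEAP selection, server certificate, inner MSCHAPv2, EAP-Success, 4-way handshake, connected), and reports failures such as a rejected inner password. The sample log lines are constructed to follow wpa_supplicant's message formats; the BSSID, SSID and certificate subjects are made up.

```python
import re

# Milestones of the exchange in the handshake figure, in the order they must occur on
# the station side, each paired with the wpa_supplicant message that marks it.
MILESTONES = [
    ("associated",        re.compile(r"Associated with ")),
    ("eap_started",       re.compile(r"CTRL-EVENT-EAP-STARTED")),
    ("peap_selected",     re.compile(r"CTRL-EVENT-EAP-METHOD .*method 25 \(PEAP\)")),
    ("server_cert_seen",  re.compile(r"CTRL-EVENT-EAP-PEER-CERT depth=0")),
    ("inner_mschapv2_ok", re.compile(r"EAP-MSCHAPV2: Authentication succeeded")),
    ("eap_success",       re.compile(r"CTRL-EVENT-EAP-SUCCESS")),
    ("four_way_done",     re.compile(r"WPA: Key negotiation completed")),
    ("connected",         re.compile(r"CTRL-EVENT-CONNECTED")),
]

# Messages that mean the exchange did not complete as intended.
FAILURES = {
    "mschapv2_failed": re.compile(r"EAP-MSCHAPV2: Authentication failed"),
    "eap_failure":     re.compile(r"CTRL-EVENT-EAP-FAILURE"),
    "cert_error":      re.compile(r"CTRL-EVENT-EAP-TLS-CERT-ERROR"),
    "disconnected":    re.compile(r"CTRL-EVENT-DISCONNECTED"),
}

# Debug line that records which PEAP version (0 or 1) was negotiated.
PEAP_VERSION = re.compile(r"EAP-PEAP: Using PEAP version (\d)")


def check_handshake(lines):
    """Walk a wpa_supplicant log once and report how far the PEAP/MSCHAPv2 exchange got."""
    reached, failures, peap_version = [], [], None
    for line in lines:
        for name, pat in MILESTONES:
            if name not in reached and pat.search(line):
                reached.append(name)          # first occurrence only, in log order
        for name, pat in FAILURES.items():
            if pat.search(line):
                failures.append(name)
        m = PEAP_VERSION.search(line)
        if m:
            peap_version = int(m.group(1))
    order = [name for name, _ in MILESTONES]
    missing = [name for name in order if name not in reached]
    # A milestone is out of order if it was seen before one that precedes it in the figure.
    out_of_order = [n for i, n in enumerate(reached[1:], 1)
                    if order.index(n) < order.index(reached[i - 1])]
    return {
        "completed": not missing and not failures and not out_of_order,
        "reached": reached,
        "missing": missing,
        "out_of_order": out_of_order,
        "failures": failures,
        "peap_version": peap_version,
    }


# Constructed sample logs (not captured from the page). GOOD_LOG is a successful run;
# BAD_PASSWORD_LOG shares the same TLS phase and then fails inside MSCHAPv2.
GOOD_LOG = """\
wlan1: Trying to associate with 02:00:00:00:00:00 (SSID='test_eap_peap_mschapv2' freq=2437 MHz)
wlan1: Associated with 02:00:00:00:00:00
wlan1: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlan1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
EAP-PEAP: Using PEAP version 0
wlan1: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/CN=Lab CA'
wlan1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.lab.example'
EAP-MSCHAPV2: Authentication succeeded
EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
wlan1: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
wlan1: WPA: Key negotiation completed with 02:00:00:00:00:00 [PTK=CCMP GTK=CCMP]
wlan1: CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:00:00 completed [id=0 id_str=]
""".splitlines()

BAD_PASSWORD_LOG = GOOD_LOG[:8] + """\
EAP-MSCHAPV2: Authentication failed
wlan1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlan1: CTRL-EVENT-DISCONNECTED bssid=02:00:00:00:00:00 reason=23
""".splitlines()

if __name__ == "__main__":
    for label, log in (("good run", GOOD_LOG), ("bad password", BAD_PASSWORD_LOG)):
        r = check_handshake(log)
        print(f"{label}: completed={r['completed']} "
              f"reached={len(r['reached'])}/{len(MILESTONES)} "
              f"missing={r['missing']} failures={r['failures']} peapver={r['peap_version']}")
```

Run it against a real capture with ``check_handshake(open("wpa_supplicant.log").readlines())``; a run that stops at ``server_cert_seen`` with ``mschapv2_failed`` points at the inner credentials (the users file on the RADIUS side, or identity/password in the network block), while one that never reaches ``server_cert_seen`` points at the TLS phase or the RADIUS shared secret between hostapd and the server.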
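The hostapd.conf and wpa_supplicant.conf network block that the "Running hostapd", "Running wpa_supplicant" and "Prerequisite" sections refer to are included from files not shown here. The following added example (not from this page, hostapd or wpa_supplicant) parses both file formats and audits the settings that decide whether PEAP/MSCHAPv2 credentials are protected: on the station, ``ca_cert`` plus a ``domain_suffix_match`` so that the MSCHAPv2 exchange only runs inside a TLS tunnel to the intended RADIUS server, and ``anonymous_identity`` so the outer EAP-Identity does not reveal the user name; on the AP, the WPA2/802.1X settings and the strength of the RADIUS shared secret. The sample configurations are constructed; the CA path, host name and credentials are made up, and ``testing123`` is checked because it is the sample secret shipped in FreeRADIUS's clients.conf.

```python
import re

# Constructed sample configurations (not from the page): a weak station block, a hardened
# station block and a hostapd.conf fragment that talks to an external RADIUS server.
WEAK_SUPPLICANT_CONF = """
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="test_eap_peap_mschapv2"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user1"
    password="pass1"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_SUPPLICANT_CONF = """
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="test_eap_peap_mschapv2"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous"
    identity="user1"
    password="pass1"
    ca_cert="/etc/ssl/certs/lab-ca.pem"
    domain_suffix_match="radius.lab.example"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
"""

HOSTAPD_CONF = """
interface=wlan0
driver=nl80211
ssid=test_eap_peap_mschapv2
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
"""


def parse_network_blocks(text):
    """Return one dict per network={...} block, with surrounding quotes stripped."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        block = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, _, value = line.partition("=")
                block[key.strip()] = value.strip().strip('"')
        blocks.append(block)
    return blocks


def parse_keyvalue(text):
    """Parse hostapd.conf style key=value lines into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def audit_station(block):
    """Findings for one wpa_supplicant network block meant for PEAP/MSCHAPv2."""
    findings = []
    if "WPA-EAP" not in block.get("key_mgmt", "").split():
        findings.append("key_mgmt must include WPA-EAP for 802.1X authentication")
    if block.get("eap") != "PEAP":
        findings.append("eap should be PEAP")
    if "auth=MSCHAPV2" not in block.get("phase2", ""):
        findings.append('phase2 should be "auth=MSCHAPV2"')
    if not block.get("ca_cert"):
        findings.append("ca_cert missing: the server certificate is not validated, so the "
                        "MSCHAPv2 exchange may run against any AP that presents a certificate")
    if not any(block.get(k) for k in ("domain_suffix_match", "domain_match", "subject_match")):
        findings.append("no domain_suffix_match/domain_match/subject_match: any certificate "
                        "issued by the CA is accepted as the RADIUS server")
    if not block.get("anonymous_identity"):
        findings.append("anonymous_identity unset: the real identity is sent in the clear "
                        "in the outer EAP-Identity response")
    return findings


def audit_ap(conf):
    """Findings for a hostapd.conf meant for WPA2-Enterprise with an external RADIUS server."""
    findings = []
    if conf.get("wpa") != "2":
        findings.append("wpa should be 2 (RSN/WPA2 only)")
    if "WPA-EAP" not in conf.get("wpa_key_mgmt", "").split():
        findings.append("wpa_key_mgmt must include WPA-EAP (enterprise AKM)")
    if conf.get("rsn_pairwise") != "CCMP":
        findings.append("rsn_pairwise should be CCMP")
    if conf.get("ieee8021x") != "1":
        findings.append("ieee8021x must be 1 to run 802.1X/EAP on the interface")
    if conf.get("eap_server") == "1":
        for k in ("ca_cert", "server_cert", "private_key", "eap_user_file"):
            if not conf.get(k):
                findings.append(f"{k} is required when hostapd's integrated EAP server is used")
    else:
        if not conf.get("auth_server_addr"):
            findings.append("auth_server_addr missing: no RADIUS server configured")
        secret = conf.get("auth_server_shared_secret", "")
        if len(secret) < 16 or secret == "testing123":
            findings.append("auth_server_shared_secret is short or the FreeRADIUS sample value; "
                            "use a long random secret and set the same value in clients.conf")
    return findings


def run_audit():
    """Audit the three constructed configurations and return findings per configuration."""
    return {
        "weak_station": audit_station(parse_network_blocks(WEAK_SUPPLICANT_CONF)[0]),
        "hardened_station": audit_station(parse_network_blocks(HARDENED_SUPPLICANT_CONF)[0]),
        "ap": audit_ap(parse_keyvalue(HOSTAPD_CONF)),
    }


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

To audit the real files from this page, replace the constructed strings with ``open("/etc/hostapd/hostapd.conf").read()`` and the wpa_supplicant.conf created in step 3 of METHOD 1; the ``domain_suffix_match`` value must be the host name in the server certificate generated in the raddb folder.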