================================
EAP-TTLS/PAP
================================

(A). EAP-TTLS/PAP:

EAP-TTLS/PAP is a WPA2-Enterprise Wi-Fi authentication method that has been in use for many years. When a station wants to join the network, it authenticates the network first: it opens a TLS tunnel (the outer EAP-TTLS method) to the authentication server and checks the server certificate against a trusted CA. Only then does it send the user name and password inside the tunnel using the inner PAP method. PAP carries the password in clear text, so the TLS tunnel is the only protection it has, and server certificate validation on the station is the only thing that stops a rogue access point with its own RADIUS server from terminating that tunnel and reading the password. A station configured without a trusted ``ca_cert`` (and a server name check such as ``domain_suffix_match``) accepts any certificate and will hand its credentials to whoever answers over the air.

The following is a representation of the EAP-TTLS/PAP handshake::

   Radius Server                        Hostapd(AP)         wpa_supplicant(station)
   |                                    |<<----------------Auth_Req---------------|
   |                                    |------------------Auth_Resp------------>>|
   |                                    |<<---------------Assoc_Req---------------|
   |                                    |----------------Assoc_Resp------------->>|
   |                                    |--------------EAP_Req_Identity--------->>|
   |                                    |<<------------EAP_Resp_Identity----------|
   |<<--------EAP_Resp_Identity---------|
   |----------EAP_Req_EAP_TTLS-------->>|
   |                                    |----------EAP_Req_EAP_TTLS(FWRD)------->>|
   |                                    |<<------------TLS.1.2_CLI_HELLO----------|
   |<<-----TLS.1.2_CLI_HELLO(FWRD)------|
   |---------EAP_Req_EAP_TTLS--------->>|
   |                                    |----------EAP_Req_EAP_TTLS(FWRD)------->>|
   |                                    |<<------------EAP_Resp_EAP_TTLS----------|
   |<<-----EAP_Resp_EAP_TTLS(FWRD)------|
   |----------EAP_Req_EAP_TTLS-------->>|
   |                                    |----------EAP_Req_EAP_TTLS(FWRD)------->>|
   |                                    |<<------------EAP_Resp_EAP_TTLS----------|
   |<<-----EAP_Resp_EAP_TTLS(FWRD)------|
   |-----TLSv1.2_SERV_CERT_KEY_EXG---->>|
   |                                    |-----TLSv1.2_SERV_CERT_KEY_EXG(FWRD)--->>|
   |                                    |<<-----------TLSv1.2_CLI_KEY_EXG---------|
   |<<-----TLSv1.2_CLI_KEY_EXG(FWRD)----|
   |------TLSv1.2_CHG_CIPHER_SPEC----->>|
   |                                    |------TLSv1.2_CHG_CIPHER_SPEC(FWRD)---->>|
   |                                    |<<--------TLSv1.2_APPLICATION_DATA-------|
   |<<--TLSv1.2_APPLICATION_DATA(FWRD)--|
   |----------EAP_SUCCESS------------->>|
   |                                    |----------EAP_SUCCESS(FWRD)------------>>|
   |                                    |------------------EAPOL-M1------------->>|
   |                                    |<<----------------EAPOL-M2---------------|
   |                                    |------------------EAPOL-M3------------->>|
   |                                    |<<----------------EAPOL-M4---------------|

The Authenticator (hostapd) only relays EAP between the station and the RADIUS server (the FWRD steps); the TLS tunnel is end to end between wpa_supplicant and the RADIUS server, and the PAP user name and password travel as TLS application data inside it. After EAP-Success the AP and station derive the pairwise key from the EAP session key in the four-way EAPOL handshake (M1 to M4).

Test bed
------------

To run the practical example below, two Linux machines are needed, each running Ubuntu 16.04 or later.

* Check the Ubuntu version on your machine. The Ubuntu version used on this site is 20.04

  .. literalinclude:: test_bed_cmds/cmd_test_bed_ubuntu_ver.py

wpa_supplicant compilation
-----------------------------------

wpa_supplicant is the daemon process that runs on the client station. It implements WPA key negotiation with a WPA Authenticator and EAP authentication with an Authentication Server. In addition, it controls roaming and IEEE 802.11 authentication/association of the wireless LAN driver. Following are the steps to download and compile wpa_supplicant from source code.

1. Download the latest wpa_supplicant

   .. literalinclude:: supp_cmds/cmd_supp_download.py

2. Install the required packages

   .. literalinclude:: supp_cmds/cmd_supp_pkgs.py

   The messages below indicate that the packages were installed successfully

   .. literalinclude:: supp_cmds/cmd_supp_pkgs_installed_msg.py

3. Extract the tar file

   .. literalinclude:: supp_cmds/cmd_supp_untar.py

4. Go to the wpa_supplicant directory

   .. literalinclude:: supp_cmds/cmd_supp_cd.py

5. Copy the default configuration into the .config file

   .. literalinclude:: supp_cmds/cmd_supp_defconfig.py

6. Enable the configs below in .config

   .. literalinclude:: supp_cmds/cmd_supp_defconfig_configs.py

7. Build wpa_supplicant

   .. literalinclude:: supp_cmds/cmd_supp_make.py

   Below is the list of files compiled based on the features enabled in ".config"

   .. literalinclude:: supp_cmds/cmd_supp_make_log.py

8. Install the compiled commands (optional)

   .. literalinclude:: supp_cmds/cmd_supp_install.py

hostapd compilation
-----------------------------------

hostapd is a user space daemon for access points and authentication servers.
It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and RADIUS authentication server. Following are the steps to download and compile hostapd from source code.

1. Download the latest hostapd

   .. literalinclude:: hostapd_cmds/cmd_hostapd_download.py

2. Install the required packages

   .. literalinclude:: hostapd_cmds/cmd_hostapd_pkgs.py

   The messages below indicate that the packages were installed successfully

   .. literalinclude:: hostapd_cmds/cmd_hostapd_pkgs_installed_msg.py

3. Extract the tar file

   .. literalinclude:: hostapd_cmds/cmd_hostapd_untar.py

4. Go to the hostapd directory

   .. literalinclude:: hostapd_cmds/cmd_hostapd_cd.py

5. Copy the default configuration into the .config file

   .. literalinclude:: hostapd_cmds/cmd_hostapd_defconfig.py

6. Enable the configs below in .config

   .. literalinclude:: hostapd_cmds/cmd_hostapd_defconfig_configs.py

7. Build hostapd

   .. literalinclude:: hostapd_cmds/cmd_hostapd_make.py

   Below is the list of files compiled based on the features enabled in ".config"

   .. literalinclude:: hostapd_cmds/cmd_hostapd_make_log.py

8. Install the compiled commands (optional)

   .. literalinclude:: hostapd_cmds/cmd_hostapd_install.py

Radius server compilation
-----------------------------------

1. Download the latest FreeRADIUS source code

   .. literalinclude:: radius_cmds/cmd_radius_download.py

2. Extract the tar file

   .. literalinclude:: radius_cmds/cmd_radius_untar.py

3. Go to the RADIUS server directory

   .. literalinclude:: radius_cmds/cmd_radius_cd.py

4. Open debian/rules and add the line ``--without-rlm_sql_iodbc \`` above the line ``--without-rlm_eap_ikev2 \``

   .. literalinclude:: radius_cmds/cmd_radius_debian_rules.py

5. Configure for compilation

   .. literalinclude:: radius_cmds/cmd_radius_configure.py

6. Install the packages that the configure run in step 5 reports as missing

7. Build the RADIUS server

   .. literalinclude:: radius_cmds/cmd_radius_make.py

8. Install the compiled commands (optional)

   .. literalinclude:: radius_cmds/cmd_radius_make_install.py

9. Go to the raddb folder (all RADIUS server/client configuration files, certificates and keys are generated here)

   .. literalinclude:: radius_cmds/cmd_radius_cd_raddb.py

10. Open the clients.conf file and verify that the localhost client is present; otherwise add your own client as below

    .. literalinclude:: radius_cmds/cmd_radius_edit_client_conf.py

11. Open the users file and uncomment the two lines below

    .. literalinclude:: radius_cmds/cmd_radius_edit_users.py

12. Set ``default_eap_type = tls`` in the eap file located in /usr/local/etc/raddb/mods-enabled/

    .. literalinclude:: radius_cmds/cmd_radius_edit_etc_eap.py

    With this value FreeRADIUS first proposes EAP-TLS; the station answers with an EAP-Nak asking for TTLS, and authentication proceeds as long as the ``ttls`` sub-section of the eap module is enabled, as it is in the default configuration. Setting ``default_eap_type = ttls`` instead avoids that extra round trip.

13. Start the RADIUS server

    .. literalinclude:: radius_cmds/cmd_radius_start.py

Running hostapd
------------------------

1. Check that a Wi-Fi interface named "wlan0" is available. It is created when the Ubuntu machine boots, or by loading the Wi-Fi driver manually

   .. literalinclude:: hostapd_cmds/cmd_hostapd_iwx_status.py

2. Create a hostapd.conf file in the /etc/hostapd/ folder

   .. literalinclude:: hostapd_cmds/cmd_hostapd_conf_edit.py

   Copy the content below into it

   .. literalinclude:: hostapd_cmds/cmd_hostapd_conf_content.py

3. Create a file eap_user in the /etc/hostapd/ folder with the content below

   .. literalinclude:: hostapd_cmds/cmd_hostapd_etc_eap_user.py

4. Make sure that the RADIUS server is already running (``radiusd -X``)

5. Go to the hostapd directory

   .. literalinclude:: hostapd_cmds/cmd_hostapd_cd.py

6. Run hostapd with the following command

   .. literalinclude:: hostapd_cmds/cmd_hostapd_run.py

   The log messages below are seen on the console after running hostapd

   .. literalinclude:: hostapd_cmds/cmd_hostapd_run_log.py

7. The mode of the "wlan0" interface is now "AP/Master". Check this by querying the interface with iwconfig/iw

   .. literalinclude:: hostapd_cmds/cmd_hostapd_iwx_status_ap.py

Running wpa_supplicant
---------------------------------

``METHOD 1: With Network Block in wpa_supplicant.conf file``
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

1. Check that a Wi-Fi interface named "wlan1" is available. It is created when the Ubuntu machine boots, or by loading the Wi-Fi driver manually

   .. literalinclude:: supp_cmds/cmd_supp_iwx_status.py

2. Go to the wpa_supplicant directory

   .. literalinclude:: supp_cmds/cmd_supp_cd.py

3. Create the wpa_supplicant.conf file with the network block below (delete any existing content first and copy the content below)

   .. literalinclude:: supp_cmds/cmd_supp_conf_content.py

4. Run wpa_supplicant

   .. literalinclude:: supp_cmds/cmd_supp_run.py

   The log messages below are seen on the console after running wpa_supplicant

   .. literalinclude:: supp_cmds/cmd_supp_run_log.py

   The message "CTRL-EVENT-CONNECTED" indicates that wpa_supplicant (station) has connected to hostapd (AP) successfully

5. Run wpa_cli and check the status at the wpa_cli prompt

   .. literalinclude:: supp_cmds/cmd_supp_wpa_cli_check_status.py

   The message "wpa_state=COMPLETE" indicates that wpa_supplicant (station) has connected to hostapd (AP) successfully

6. The mode of the "wlan1" interface is now "Managed" with ssid "test_eap_ttls_pap". Check this by querying the interface with iwconfig/iw

   .. literalinclude:: supp_cmds/cmd_supp_iwx_status_station.py

``METHOD 2: Without Network Block in wpa_supplicant.conf file``
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

1. Go to the wpa_supplicant directory

   .. literalinclude:: supp_cmds/cmd_supp_cd.py

2. Create a wpa_supplicant.conf file without a network block

   .. literalinclude:: supp_cmds/cmd_supp_conf_content_no_nw_block.py

3. Run wpa_supplicant with that wpa_supplicant.conf file

   .. literalinclude:: supp_cmds/cmd_supp_run.py

4. Run wpa_cli to connect to the WPA2 network

   .. literalinclude:: supp_cmds/cmd_supp_wpa_cli_connect_nw.py

Prerequisite for Hostapd:
---------------------------

1. The eap_user file referenced by ``eap_user_file`` is created in "Running hostapd", step 3
2. The files referenced by ``ca_cert``, ``server_cert``, ``private_key`` and ``private_key_passwd`` are generated under the raddb directory when the RADIUS server is installed ("Radius server compilation", steps 8 and 9)
3. Use those certificates and keys in hostapd.conf
4. Verify that the AKM is WPA-Enterprise: in a captured Beacon, the RSN Information element under "Wireless Management -> Tagged parameters" must list the AKM suite "WPA (IEEE 802.1X)" (suite type 1), not "PSK" (suite type 2)

Prerequisite for WPA_SUPPLICANT:
----------------------------------

1. The identity and password differ between EAP-TLS and EAP-TTLS/PAP: EAP-TLS authenticates the station with a client certificate, whereas EAP-TTLS/PAP sends a user name and password through the TLS tunnel, so the network block carries ``identity`` and ``password`` instead of ``client_cert`` and ``private_key``
2. The identity and password are the credentials added to the RADIUS server's users file ("Radius server compilation", step 11)

Run data traffic
------------------

========================== =========================================================== ================================================================
Steps                      AP                                                          Station
========================== =========================================================== ================================================================
Step 1 : Assign IP address .. literalinclude:: traffic_cmds/cmd_ifconfig_set_ap.py     .. literalinclude:: traffic_cmds/cmd_ifconfig_set_station.py
Step 2 : Check IP address  .. literalinclude:: traffic_cmds/cmd_ifconfig_ap_status.py  .. literalinclude:: traffic_cmds/cmd_ifconfig_station_status.py
Step 3 : Check ping        .. literalinclude:: traffic_cmds/cmd_ping_sta_from_ap.py    .. literalinclude:: traffic_cmds/cmd_ping_ap_from_sta.py
Step 4 : Run iperf TCP DL  .. literalinclude:: traffic_cmds/cmd_tcp_dl_ap.py           .. literalinclude:: traffic_cmds/cmd_tcp_dl_station.py
Step 5 : Run iperf TCP UL  .. literalinclude:: traffic_cmds/cmd_tcp_ul_ap.py           .. literalinclude:: traffic_cmds/cmd_tcp_ul_station.py
Step 6 : Run iperf UDP DL  .. literalinclude:: traffic_cmds/cmd_udp_dl_ap.py           .. literalinclude:: traffic_cmds/cmd_udp_dl_station.py
Step 7 : Run iperf UDP UL  .. literalinclude:: traffic_cmds/cmd_udp_ul_ap.py           .. literalinclude:: traffic_cmds/cmd_udp_ul_station.py
========================== =========================================================== ================================================================
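The script below is an added example for this page; it is not code from the hostapd, wpa_supplicant or FreeRADIUS projects and not one of the files included above. It ties the server certificate warning in the introduction to the network block created in METHOD 1 and to the AKM check listed under "Prerequisite for Hostapd": a POSIX shell script that audits a wpa_supplicant.conf for EAP-TTLS network blocks that would accept any server certificate (no ``ca_cert``, or ``ca_cert`` without a ``domain_suffix_match``), and that reads the authentication suite advertised for an SSID from saved ``iw dev <if> scan`` output. The configuration and scan excerpts it writes are constructed samples; the CA path ``/usr/local/etc/raddb/certs/ca.pem``, the server name suffix ``radius.example.org`` and the user name ``testuser`` are assumptions for the example, to be replaced with the CA that signed your RADIUS server certificate, a DNS name that certificate really carries, and the entry from the RADIUS users file.

```sh
#!/bin/sh
# Added example (not from the page or the hostapd/wpa_supplicant projects):
# station-side checks for an EAP-TTLS/PAP deployment.
#  1. audit_ttls_blocks: flag network blocks that do not pin the RADIUS server
#     certificate. Without ca_cert plus a name match, a rogue AP presenting
#     any certificate terminates the TLS tunnel and reads the inner PAP password.
#  2. akm_of_ssid: confirm from saved `iw dev <if> scan` output that the SSID
#     advertises the IEEE 802.1X AKM (WPA-Enterprise) rather than PSK.

write_sample_conf() {
    # Constructed sample wpa_supplicant.conf: one hardened block, one weak block.
    # CA path, domain suffix and credentials are assumptions for this example.
    cat > "$1" <<'EOF'
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="test_eap_ttls_pap"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous"
    identity="testuser"
    password="testpassword"
    ca_cert="/usr/local/etc/raddb/certs/ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=PAP"
}
network={
    ssid="weak_ttls"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="testuser"
    password="testpassword"
    phase2="auth=PAP"
}
EOF
}

write_sample_scan() {
    # Constructed excerpt of `iw dev wlan1 scan`: the test AP advertising
    # 802.1X next to a WPA2-Personal (PSK) network.
    cat > "$1" <<'EOF'
BSS 02:00:00:00:00:00(on wlan1)
    freq: 2437
    SSID: test_eap_ttls_pap
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: IEEE 802.1X
BSS 02:00:00:00:01:00(on wlan1)
    freq: 2462
    SSID: home_psk
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
EOF
}

audit_ttls_blocks() {
    # $1: wpa_supplicant.conf. Prints "<ssid> OK" or "<ssid> WEAK: <reason>"
    # for every network block whose eap= includes TTLS.
    awk '
    /^[ \t]*network=/ { inblk = 1; ssid = ""; eap = ""; ca = ""; dm = ""; next }
    inblk {
        sub(/^[ \t]+/, "")
        if ($0 == "}") {
            if (eap ~ /TTLS/) {
                if (ca == "")      print ssid, "WEAK: no ca_cert, any server certificate is accepted"
                else if (dm == "") print ssid, "WEAK: ca_cert set but no domain_suffix_match"
                else               print ssid, "OK"
            }
            inblk = 0; next
        }
        n = index($0, "="); if (n == 0) next
        key = substr($0, 1, n - 1); val = substr($0, n + 1); gsub(/"/, "", val)
        if (key == "ssid") ssid = val
        else if (key == "eap") eap = val
        else if (key == "ca_cert" || key == "ca_path") ca = val
        else if (key == "domain_suffix_match" || key == "domain_match" || key == "altsubject_match") dm = val
    }' "$1"
}

akm_of_ssid() {
    # $1: file with `iw dev <if> scan` output, $2: SSID.
    # Prints the RSN authentication suites advertised for that SSID.
    awk -v want="$2" '
    /^BSS / { cur = ""; next }
    /^[ \t]*SSID: / { sub(/^[ \t]*SSID: /, ""); cur = $0; next }
    cur == want && /Authentication suites:/ { sub(/.*Authentication suites: */, ""); print }
    ' "$1"
}

# Stand-alone demo on the constructed samples.
tmpdir=$(mktemp -d)
write_sample_conf "$tmpdir/wpa_supplicant.conf"
write_sample_scan "$tmpdir/scan.txt"
audit_ttls_blocks "$tmpdir/wpa_supplicant.conf"
echo "AKM for test_eap_ttls_pap: $(akm_of_ssid "$tmpdir/scan.txt" test_eap_ttls_pap)"
rm -rf "$tmpdir"
```

On a live station, point ``audit_ttls_blocks`` at the real wpa_supplicant.conf and ``akm_of_ssid`` at the saved output of ``iw dev wlan1 scan``. ``domain_suffix_match`` only helps if the server certificate actually carries that name in its subjectAltName or CN; check it with ``openssl x509 -in server.pem -noout -subject -ext subjectAltName`` before relying on it.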