~~NOTOC~~
====== Wireless Security - WPA2 EAP-TLS using wpa_supplicant howto ======

More and more wireless access networks are adopting WPA2, the latest wireless network security standard. This howto explains how to configure and run a WPA2 supplicant (wpa_supplicant) with EAP-TLS authentication on your wireless network device.

===== 1. Verify that your Wifi interface is WPA/WPA2 ready =====

Make sure that your wireless interface is WPA/WPA2 Wi-Fi certified. This guarantees that the WPA supplicant (the client-side software of 802.11i) will not have difficulties authenticating with the wireless access point. The 802.11i standard mandates changes to the 802.11 link layer; if your wireless interface is pre-802.11i, you may need to update the firmware or buy a new one. I use a Netgear WPN-511 with an Atheros chipset.

===== 2. Get your TLS certificates ready =====

EAP-TLS requires client TLS certificates to be installed on the system. You need to ask the administrators of your institution to provide you with your own TLS certificate. In the most common case, your admin will issue you a .p12 file and a password.

We need to create three files from this .p12 certificate: the CA certificate, your client certificate and your private key. We will call these files cacert.pem, cert.pem and key.pem respectively (you may choose any name you want though). Assuming that your certificate file name is example.p12, run the following:

<code>
openssl pkcs12 -in example.p12 -out cacert.pem -cacerts -nokeys
openssl pkcs12 -in example.p12 -out cert.pem -clcerts -nokeys
openssl pkcs12 -in example.p12 -out key.pem -nocerts
</code>

When prompted for a password, just type the same password provided with the certificate. Put the three generated files somewhere in the file system of your wireless device (e.g. /etc/certs).

Refer to //**[[technotes:manipulating pki certificates|PKI SSL certificates with OpenSSL]]**// for more information about TLS certificates.

===== 3. Install wpa_supplicant =====

[[http://hostap.epitest.fi/wpa_supplicant/|wpa_supplicant]] is an EAP/WPA/WPA2 supplicant available for Linux, Windows and Unix systems. Windows binaries are available from the website. The following are two methods for installing wpa_supplicant under Linux and FreeBSD.

=== Install using package managers ===

Under Ubuntu and other Debian-compatible Linux distributions, wpa_supplicant can be installed by typing
<code>
sudo apt-get install wpasupplicant
</code>

Under FreeBSD
<code>
cd /usr/ports/security/wpa_supplicant/
make install
</code>
or
<code>
pkg_add -vrf wpa_supplicant
</code>

=== Compile from source ===

  * Download wpa_supplicant from [[http://hostap.epitest.fi/releases/wpa_supplicant-0.5.10.tar.gz|here]]
<code>
wget http://hostap.epitest.fi/releases/wpa_supplicant-0.5.10.tar.gz
</code>
  * Extract the archive
<code>
tar xfz wpa_supplicant-0.5.10.tar.gz
</code>
  * Create a .config file
<code>
cd wpa_supplicant-0.5.10
cp defconfig .config
</code>
  * Build and install
<code>
make
make install
</code>

===== 4. Configure =====

Edit the wpa_supplicant configuration file (e.g. /etc/wpa_supplicant.conf), and put the following:
<code>
network={
    ssid="YOUR-SSID"
    scan_ssid=1
    key_mgmt=WPA-EAP
    pairwise=CCMP TKIP
    group=CCMP TKIP
    eap=TLS
    identity="XXXXX@yourdomain.com"
    ca_cert="/etc/certs/cacert.pem"
    client_cert="/etc/certs/cert.pem"
    private_key="/etc/certs/key.pem"
    private_key_passwd="YOUR-PASSWORD"
}
</code>

  * "YOUR-PASSWORD" is the password provided by your administrator when you received your .p12 certificate
  * "YOUR-SSID" is the (B/E)SSID of the wireless access network.

Since this file now contains your private key password, keep it readable by root only.

===== 5. Run the wpa_supplicant daemon =====

<code>
wpa_supplicant -B -i IFACE -Dwext -c /etc/wpa_supplicant.conf
</code>
Where //IFACE// is the name of your wireless interface.

  * Check that you are associated
<code>
iwconfig IFACE
</code>
  * Get an IP address
<code>
dhclient IFACE
</code>

===== 6. Automating =====

In order to avoid typing all these commands each time you reboot or want to connect to your wireless network, you can (under Linux) use the ///etc/network/interfaces// file to automatically handle network association and IP address acquisition. For this purpose, put the following in /etc/network/interfaces:
<code>
auto IFACE
iface IFACE inet dhcp
    pre-up wpa_supplicant -Bw -Dwext -i IFACE -c/etc/wpa_supplicant.conf
    post-down killall -q wpa_supplicant
</code>

===== Links =====

  * [[technotes:EAP-Kerberos]]
  * [[technotes:hostapd RADIUS server configuration howto]]
  * [[http://uellue.de/blog/single.php?date=1180101420|Configuring EAP-TLS with Xsupplicant]] -- Dieter Weber

{{tag>howto wireless security}}
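As an added example that is not part of the original howto, the following Python checker parses a network block like the one in section 4 and flags the settings that matter for EAP-TLS security: a missing ca_cert (without it wpa_supplicant does not validate the authentication server's certificate), a pairwise list without CCMP, and a private_key_passwd stored in clear text. The sample block is constructed for this example and deliberately leaves ca_cert out; the function names are this example's own.

```python
import re

# Constructed sample: section 4's network block, abbreviated, with ca_cert
# left out on purpose so the checker has something to report.
SAMPLE_CONF = """
network={
    ssid="YOUR-SSID"
    key_mgmt=WPA-EAP
    pairwise=CCMP TKIP
    eap=TLS
    identity="XXXXX@yourdomain.com"
    client_cert="/etc/certs/cert.pem"
    private_key="/etc/certs/key.pem"
    private_key_passwd="YOUR-PASSWORD"
}
"""

def parse_network_block(conf):
    """Return the key=value pairs of the first network={...} block, quotes stripped."""
    match = re.search(r"network=\{(.*?)\}", conf, re.S)
    if not match:
        raise ValueError("no network={...} block found")
    params = {}
    for raw in match.group(1).splitlines():
        line = raw.strip()
        # Skip blanks and full-line comments only: a '#' inside a quoted password is data.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip().strip('"')
    return params

def lint_eap_tls(params):
    """Return a list of findings for an EAP-TLS network block; empty means OK."""
    findings = []
    for key in ("ssid", "identity", "client_cert", "private_key"):
        if key not in params:
            findings.append(f"missing {key}")
    for key, want in (("key_mgmt", "WPA-EAP"), ("eap", "TLS")):
        if params.get(key) != want:
            findings.append(f"{key} must be {want} for EAP-TLS")
    if "ca_cert" not in params:
        # Without ca_cert wpa_supplicant skips server certificate validation.
        findings.append("ca_cert missing: server certificate is not validated")
    if "CCMP" not in params.get("pairwise", "").split():
        findings.append("pairwise should include CCMP; TKIP alone is weak")
    if "private_key_passwd" in params:
        findings.append("private_key_passwd stored in clear text: keep the config mode 0600")
    return findings
```

Run `lint_eap_tls(parse_network_block(open("/etc/wpa_supplicant.conf").read()))` against your own file; an empty list means the block has the settings this howto relies on.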