More and more wireless access networks are adopting 802.11i, the latest IEEE wireless network security standard. This howto explains how to configure and run an 802.11i supplicant (wpa_supplicant) with EAP-TTLS authentication on your wireless network device.
EAP-TTLS was developed by Funk Software (RFC 5281) and is supported by major network equipment vendors. However, there is no native support in Microsoft IAS or in the Microsoft Windows supplicant. Microsoft uses a similar protocol, EAP-PEAP, which is the topic of another article.
EAP-TTLS allows the supplicant and the RADIUS server to establish a secure TLS tunnel using the public key certificate of the RADIUS server (no client certificate is needed). After establishing the tunnel, the supplicant authenticates itself to the RADIUS server using a password-based authentication exchange carried inside the tunnel.
For EAP-TTLS to work securely, the supplicant must be able to validate the RADIUS server's certificate. For that reason, the supplicant needs the certificate (public key) of the certificate authority that issued the RADIUS server's certificate. Moreover, in order to authenticate to the RADIUS server, the supplicant needs a valid identity/password pair.
Make sure that your wireless interface is WPA/WPA2 Wi-Fi certified. This guarantees that the WPA supplicant (the client-side software of 802.11i) will not have difficulties authenticating with the wireless access point. The 802.11i standard mandates changes to the 802.11 link layer; if your wireless interface is pre-802.11i, you may need to update its firmware or buy a new one. I use a Netgear WPN-511 with an Atheros chipset.
EAP-TTLS requires that you have the certificate of the CA installed in the system. You need to ask the administrators in your institution to provide you with this certificate.
If you have a .p12 certificate issued by your institution, you can create a CA certificate (cacert.pem) as follows:
openssl pkcs12 -in example.p12 -out cacert.pem -cacerts -nokeys
Put the cacert.pem file somewhere in the file system of your wireless device (e.g. /etc/certs).
Refer to PKI SSL certificates with OpenSSL for more information about TLS certificates.
wpa_supplicant is an EAP/WPA/WPA2 supplicant available for Linux, Windows and Unix systems. Windows binaries are available from the website. The following shows how to install wpa_supplicant under Linux and FreeBSD, either from packages or from source.
Under Ubuntu and other Debian-compatible Linux distributions, wpa_supplicant can be installed by typing
sudo apt-get install wpasupplicant
Under FreeBSD
cd /usr/ports/security/wpa_supplicant/
make install
or
pkg_add -vrf wpa_supplicant
To build from source instead (the release used here is 0.5.10):
wget http://hostap.epitest.fi/releases/wpa_supplicant-0.5.10.tar.gz
tar xfz wpa_supplicant-0.5.10.tar.gz
cd wpa_supplicant-0.5.10
cp defconfig .config
make
make install
Edit the wpa_supplicant configuration file (e.g. /etc/wpa_supplicant.conf), and put the following
network={
    ssid="YOUR-SSID"
    scan_ssid=1                     # probe for the SSID even if it is hidden
    key_mgmt=WPA-EAP                # 802.1X/EAP authentication, not a pre-shared key
    pairwise=CCMP TKIP
    group=CCMP TKIP
    eap=TTLS
    identity="XXXXX@yourdomain.com"
    password="YOUR-PASSWORD"
    ca_cert="/etc/certs/cacert.pem" # CA certificate used to validate the RADIUS server
}
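The point of ca_cert is that the supplicant refuses to send the password to a server whose certificate does not chain to your institution's CA; if ca_cert is omitted, wpa_supplicant does not verify the server certificate at all. The following added example (not part of the original howto) lints a wpa_supplicant.conf and flags every eap=TTLS network block whose ca_cert is missing, unreadable, or not a PEM certificate. It assumes the flat key=value layout shown above, one key per line.

```shell
#!/bin/sh
# Added example: lint wpa_supplicant.conf so every eap=TTLS block can
# actually validate the RADIUS server. Assumes one key=value per line,
# as in the howto's sample network block.

# check_ttls_conf CONFIG -> returns 0 if every TTLS block is OK, 1 otherwise
check_ttls_conf() {
    conf=$1 rc=0 in_block=0 ssid='' eap='' ca_cert='' key_mgmt=''
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$line" in
            ''|'#'*) continue ;;                       # blank line or comment
            'network={') in_block=1 ssid='' eap='' ca_cert='' key_mgmt=''; continue ;;
            '}')
                in_block=0
                [ "$eap" = TTLS ] || continue          # only TTLS blocks are checked
                case " $key_mgmt " in
                    *' WPA-EAP '*) ;;
                    *) printf '%s\n' "$ssid: key_mgmt must include WPA-EAP"; rc=1 ;;
                esac
                if [ -z "$ca_cert" ]; then
                    printf '%s\n' "$ssid: no ca_cert, server certificate is not validated"; rc=1
                elif [ ! -r "$ca_cert" ]; then
                    printf '%s\n' "$ssid: ca_cert $ca_cert is missing or unreadable"; rc=1
                elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_cert"; then
                    printf '%s\n' "$ssid: ca_cert $ca_cert contains no PEM certificate"; rc=1
                fi
                continue ;;
        esac
        [ "$in_block" -eq 1 ] || continue
        key=${line%%=*}
        val=${line#*=}
        val=${val#\"}; val=${val%\"}                   # strip the optional quotes
        case "$key" in
            ssid)     ssid=$val ;;
            eap)      eap=$val ;;
            ca_cert)  ca_cert=$val ;;
            key_mgmt) key_mgmt=$val ;;
        esac
    done < "$conf"
    return "$rc"
}

# Usage: sh lint-ttls.sh /etc/wpa_supplicant.conf
if [ "$#" -gt 0 ]; then check_ttls_conf "$1"; fi
```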
Then start wpa_supplicant in the background:
wpa_supplicant -B -i IFACE -Dwext -c /etc/wpa_supplicant.conf
where IFACE is the name of your wireless interface.
Check that the interface has associated with the access point, then obtain an IP address via DHCP:
iwconfig IFACE
dhclient IFACE
In order to avoid typing all these commands each time you reboot or want to connect to your wireless network, you can (under Debian-based Linux) use the /etc/network/interfaces file to automatically handle network association and IP address acquisition. For this purpose, put the following in /etc/network/interfaces
auto IFACE
iface IFACE inet dhcp
pre-up wpa_supplicant -Bw -Dwext -i IFACE -c/etc/wpa_supplicant.conf
post-down killall -q wpa_supplicant