hostapd RADIUS server configuration howto
hostapd is an open source project that implements software for access points and RADIUS servers. This article focuses on the RADIUS server part of hostapd. We will see how to configure the hostapd software to act as a RADIUS server and how to set up TLS-based EAP authentication such as EAP-TLS, EAP-TTLS and EAP-PEAP.
Building the hostapd RADIUS server
- The hostapd source code can be obtained from here
- After unpacking, we need to create a .config file that contains the following:
CONFIG_DRIVER_WIRED=y
CONFIG_EAP=y
CONFIG_EAP_MD5=y
CONFIG_EAP_TLS=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y
CONFIG_PKCS12=y
CONFIG_RADIUS_SERVER=y
- Build the hostapd RADIUS server by typing 'make'
Configuring hostapd to act as a RADIUS server
Now that the binary is ready, we need to prepare three configuration files for our RADIUS server as follows.
hostapd.conf
This is the main configuration file; it controls the global behavior of the RADIUS server and indicates the location of the other configuration files. This is what we need to put in this file:
First, we need to tell hostapd which interface it should listen on.
interface=eth0
Then set the variables that control the logging and debug output levels:
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=4
Next, enable the EAP server and point it at the user file. The hostapd.eap_user configuration file tells hostapd which EAP method to use with which user.
eap_server=1
eap_user_file=/etc/hostapd.eap_user
When using TLS-based authentication methods, the RADIUS server's certificate, its private key and the private key password, as well as the certification authority's certificate file, must be specified. We assume that these files are all placed in /etc/certs. See PKI SSL certificate management with OpenSSL for information about how to create these certificates.
ca_cert=/etc/certs/cacert.pem
server_cert=/etc/certs/newcert.pem
private_key=/etc/certs/newkey.pem
private_key_passwd=password
Finally, the RADIUS server settings: the file listing the RADIUS clients and the authentication port number to listen on.
radius_server_clients=/etc/hostapd.radius_clients
radius_server_auth_port=1812
hostapd.radius_clients
In this file, we specify the RADIUS clients (access points) that will contact this back-end RADIUS server to authenticate wireless devices. The syntax allows us to specify single IP addresses and IP address ranges. After the IP address, the shared secret is specified. The 0.0.0.0/0 entry specifies a default secret for all other clients.
10.1.2.3 secret_password1
192.168.1.0/24 secret_password2
0.0.0.0/0 secret_password3
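As an added example (not code from the article or from the hostapd project), the following Python script parses a hostapd.radius_clients file in the format shown above, resolves which shared secret applies to a given access point address, and flags two things an operator should check: a catch-all 0.0.0.0/0 entry, which hands one secret to every host that can reach the RADIUS port, and entries that can never match because an earlier, wider entry shadows them. It assumes first-match semantics in file order, which is what the article's ordering (catch-all last) implies; the sample file content is constructed.

```python
import ipaddress

# Constructed sample in the format the article uses for hostapd.radius_clients
SAMPLE_CLIENTS = """\
# one access point, one subnet of access points, then a catch-all
10.1.2.3 secret_password1
192.168.1.0/24 secret_password2
0.0.0.0/0 secret_password3
"""


def parse_radius_clients(text):
    """Parse '<address or CIDR> <shared secret>' lines into
    (line number, network, secret) tuples, keeping file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<address> <secret>'")
        # strict=False lets a bare host address such as 10.1.2.3 parse as /32
        net = ipaddress.ip_network(parts[0], strict=False)
        entries.append((lineno, net, parts[1]))
    return entries


def lookup_secret(entries, client_ip):
    """Return the secret of the first entry whose network contains client_ip.
    Assumption (consistent with the article putting 0.0.0.0/0 last): the
    first matching line wins, so narrower entries must come first."""
    ip = ipaddress.ip_address(client_ip)
    for _, net, secret in entries:
        if ip.version == net.version and ip in net:
            return secret
    return None


def lint_radius_clients(entries):
    """Flag a catch-all network (any host that can reach the RADIUS port may
    try that secret) and entries shadowed by an earlier, wider entry."""
    findings = []
    for i, (lineno, net, _) in enumerate(entries):
        if net.prefixlen == 0:
            findings.append((lineno, "catch-all network shares one secret with every "
                                     "host; keep it last or drop it"))
        for _, earlier, _ in entries[:i]:
            if net.version == earlier.version and net.subnet_of(earlier):
                findings.append((lineno, f"never used: shadowed by earlier entry {earlier}"))
                break
    return findings


if __name__ == "__main__":
    clients = parse_radius_clients(SAMPLE_CLIENTS)
    for ip in ("10.1.2.3", "192.168.1.77", "203.0.113.5"):
        print(ip, "->", lookup_secret(clients, ip))
    for lineno, msg in lint_radius_clients(clients):
        print(f"line {lineno}: {msg}")
```

Run it against a copy of your own /etc/hostapd.radius_clients by passing the file's contents to parse_radius_clients; if you rely on the catch-all entry, the lint will keep reminding you that every reachable host shares that secret, which is the point.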
hostapd.eap_user
This file specifies which EAP method to use with which user. The hostapd RADIUS server supports several authentication methods; in this article we focus only on methods based on TLS since they are the most secure and widely used. To specify an EAP method for a user (or group of users), a line is added that contains the user(s) in question followed by the EAP method to use. For example:
"*@DOMAIN.COM" TLS
This tells the hostapd RADIUS server to use EAP-TLS with all users from the domain DOMAIN.COM.
This is another example for using EAP-PEAPv0:
"*@DOMAIN.COM" PEAP [ver=0]
"*@DOMAIN.COM" MSCHAPV2 "password" [2]
And this is an example for using EAP-TTLS:
"*@DOMAIN.COM" TTLS
"*@DOMAIN.COM" MSCHAPV2 "password" [2]
The phase 2 (inner) authentication, specified by adding '[2]' at the end of the line, is required for EAP-PEAPv0 and EAP-TTLS. For EAP-TTLS, MSCHAPV2 is not the only option for the inner method; MD5, for instance, can be used. For example, this is a valid configuration for EAP-TTLS with MD5 as the inner method:
"*@DOMAIN.COM" TTLS "*@DOMAIN.COM" MD5 "password" [2]
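As an added example (not the article's or hostapd's own code), the script below parses hostapd.eap_user lines of the shape the examples above use and checks the rules the article states: every PEAP or TTLS entry needs a phase 2 entry marked [2] that covers the same identity, and every phase 2 entry needs a credential. It also flags a password on an EAP-TLS entry (certificates do the authenticating, so the password is dead weight), an NtPasswordHash (hash:) credential on a method other than MSCHAP/MSCHAPv2, and a second entry for the same identity and phase, since hostapd uses the first matching entry. The line grammar and the wildcard handling (a bare `*`, or a `*` after the closing quote for a prefix match) are this example's assumptions about the file format; the sample data is constructed from the article's lines.

```python
import re

# Shape of one hostapd.eap_user line as the article's examples show it, plus the
# bare "*" and "prefix"* wildcard forms (assumed grammar, not hostapd's parser):
#   <identity> <METHOD[,METHOD...]> ["password" | hash:HEX] [ver=N] [2]
LINE_RE = re.compile(r'''
    ^(?:"(?P<ident>[^"]*)"(?P<prefix>\*)?|(?P<any>\*))             # identity
    \s+(?P<methods>[A-Za-z0-9_,-]+)                                 # EAP method list
    (?:\s+(?:"(?P<password>[^"]*)"|(?P<hash>hash:[0-9a-fA-F]+)))?  # optional credential
    (?P<flags>(?:\s+\[[^\]]*\])*)                                   # [ver=N], [2]
    \s*$''', re.VERBOSE)

TUNNELED = {"PEAP", "TTLS"}                                # outer methods needing a [2] entry
NT_HASH_OK = {"MSCHAPV2", "TTLS-MSCHAP", "TTLS-MSCHAPV2"}  # hash: credentials only work here

# The article's EAP-PEAPv0 example, unchanged
ARTICLE_PEAP = '''"*@DOMAIN.COM" PEAP [ver=0]
"*@DOMAIN.COM" MSCHAPV2 "password" [2]
'''

# Constructed sample that breaks the rules on purpose
BAD_SAMPLE = '''"*@DOMAIN.COM" TTLS
"alice@DOMAIN.COM" TLS "password"
"*@DOMAIN.COM" MD5 hash:000102030405060708090a0b0c0d0e0f [2]
"*@DOMAIN.COM" PEAP [ver=0]
'''


def parse_eap_users(text):
    """Return one dict per entry, in file order."""
    users = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        flags = re.findall(r"\[([^\]]*)\]", m.group("flags"))
        ver = next((int(f[4:]) for f in flags if f.startswith("ver=")), None)
        users.append({
            "line": lineno,
            "identity": "" if m.group("any") else m.group("ident"),
            "wildcard": bool(m.group("any") or m.group("prefix")),
            "methods": m.group("methods").upper().split(","),
            "credential": m.group("password") or m.group("hash") or "",
            "phase2": "2" in flags,
            "ver": ver,
        })
    return users


def covers(entry, identity):
    """Exact match, or prefix match for wildcard entries."""
    if entry["wildcard"]:
        return identity.startswith(entry["identity"])
    return entry["identity"] == identity


def lint_eap_users(users):
    """Apply the article's rules; return (line, message) findings."""
    findings = []
    phase2 = [u for u in users if u["phase2"]]
    seen = set()
    for u in users:
        key = (u["identity"], u["wildcard"], u["phase2"])
        if key in seen:  # hostapd takes the first matching entry
            findings.append((u["line"], "duplicate identity in this phase, never used; "
                                        "list the methods comma-separated on one line"))
        seen.add(key)
        if u["credential"].startswith("hash:") and not set(u["methods"]) <= NT_HASH_OK:
            findings.append((u["line"], "hash: credential works only with MSCHAP/MSCHAPv2"))
        if u["phase2"]:
            if not u["credential"]:
                findings.append((u["line"], "phase-2 entry needs a password or hash"))
            continue
        if "TLS" in u["methods"] and u["credential"]:
            findings.append((u["line"], "EAP-TLS authenticates with certificates; password unused"))
        # the phase-1 identity string stands in for the identities it covers
        for outer in sorted(TUNNELED & set(u["methods"])):
            if not any(covers(p, u["identity"]) for p in phase2):
                findings.append((u["line"], f"{outer} needs a matching [2] phase-2 entry"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint_eap_users(parse_eap_users(BAD_SAMPLE)):
        print(f"line {lineno}: {msg}")
```

One caveat on the wildcard: in hostapd's own hostapd.eap_user format the wildcard is a bare `*` (any identity) or a `*` placed after the closing quote (`"prefix"*`, matching identities that start with the prefix); a `*` inside the quotes is an ordinary character, so compare the lines above against the hostapd.eap_user example shipped with the hostapd source before deploying them.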