More and more wireless access networks are adopting 802.11i, the latest IEEE wireless network security standard. This howto explains how to configure and run a 802.11i supplicant (wpa_supplicant) with EAP-TTLS authentication on your wireless network device.

EAP-TTLS was developed by Func Software (RFC 5281), it is supported by major network equipment vendors. However, there is no native support in Microsoft IAS nor Microsoft Windows's supplicant. Miscosoft uses a similar protocol, EAP-PEAP, which is the topic of another article.

EAP-TTLS allows the supplicant and the RADIUS server to establish a secure TLS tunnel using the public key certificate of the RADIUS server (no client certificates needed). After establishing the tunnel the supplicant authenticates its self to the RADIUS server using a password based authentication exchange.

For EAP-TTLS to work, the supplicant needs to be able to validate the RADIUS server's certificate. For that reason, the supplicant needs to have the public key of the certificate authority that issued the RADIUS server's certificate. Moreover, in order to authenticate to the RADIUS server, the supplicant needs to have a valid id/password pair.

Make sure that your wireless interface is WPA/WPA2 WIFI certified. This guarantees that WPA supplicant (client side software of 802.11i) will not find difficulties to authenticate with the wireless access point. The 802.11i standard mandates changes to the 802.11 link layer, if your wireless interface is pre 802.11i, you may need to update the firmware or buy a new one. I use a Netgear WPN-511 with an Ahteros shipset.

EAP-TTLS requires that you have the certificate of the CA installed in the system. You need to ask the administrators in your institution to provide you with this certificate.

If you have a .p12 certificate issued by your institution, you can create a CA certificate (cacert.pem) as follows:

 openssl pkcs12  -in example.p12  -out cacert.pem -cacerts -nokeys 

Put the cacert.pem file somewhere in the file system of your wireless device (e.g /etc/certs)

Refer to PKI SSL certificates with OpenSSL for more information about TLS certificates.

wpa_supplicant is an EAP/WPA/WPA2 supplicant available for Linux, Windows and Unix systems. Windows binaries are available from the website. The following are two methods for installing wpa_supplicant under linux and FreeBSD.

Under ubuntu and other debian compatible linux distributions, wpa_supplicant can be installed by typing

 sudo apt-get install wpasupplicant

Under FreeBSD

 cd  /usr/ports/security/wpa_supplicant/
 make install

or

 pkg_add -vrf wpa_supplicant

• Downloaded wpa_supplicant from here here

   wget http://hostap.epitest.fi/releases/wpa_supplicant-0.5.10.tar.gz

• Extract the archive

   tar xfz wpa_supplicant-0.5.10.tar.gz

• Create a .config file

   cp defconfig .config

• Build and install

  make 
  make install

Edit the wpa_supplicant configuration file (e.g. /etc/wpa_supplicant.conf), ant put the following

  network={
      ssid="YOUR-SSID"
      scan_ssid=1
      key_mgmt=WPA-EAP
      pairwise=CCMP TKIP
      group=CCMP TKIP
      eap=TTLS
      identity="XXXXX@yourdomain.com"
      password="YOUR-PASSWORD"
      ca_cert="/etc/certs/cacert.pem"
   }

• “YOUR-PASSWORD” is the password provided by your administrator.
• “YOUR-SSID” is the (B/E)SSID of the wireless access network.

wpa_supplicant -B -i IFACE -Dwext -c /etc/wpa_supplicant.conf

Where IFACE is the name of your wireless interface.

• Check that you are associated

 iwconfig IFACE

• Get an IP address

 dhclient IFACE

In order to avoid typing all these commands each time you reboot or want to connect to your wireless network, you can (under linux) use the /etc/network/interfaces file to automatically handle network association and IP address acquisition. For this purpose, put the following in /etc/network/interfaces

 auto IFACE
 iface IFACE inet dhcp
     pre-up wpa_supplicant -Bw -Dwext -i IFACE -c/etc/wpa_supplicant.conf
     post-down killall -q wpa_supplicant

• hostapd RADIUS server configuration howto
• EAP-Kerberos

Labels: howto, wireless, security