More and more wireless access networks are adopting WPA2, the latest wireless network security standard. This howto explains how to configure and run a WPA2 supplicant (wpa_supplicant) with EAP-TLS authentication on your wireless network device.

Make sure that your wireless interface is WPA/WPA2 WIFI certified. This guarantees that WPA supplicant (client side software of 802.11i) will not find difficulties to authenticate with the wireless access point. The 802.11i standard mandates changes to the 802.11 link layer, if your wireless interface is pre 802.11i, you may need to update the firmware or buy a new one. I use a Netgear WPN-511 with an Ahteros shipset.

EAP-TLS requires client TLS certificates to be installed in the system. You need to ask the administrators in your institution to provide you your own TLS certificate.

In the most common cases, your admin will issue you a .p12 file and a password.

We need to create three files from this .p12 certificate

We will call these files cacert.pem, cert.pem and key.pem respectively (You may choose any name you want though). Assuming that your certificate file name is example.p12, run the following :

 openssl pkcs12  -in example.p12  -out cacert.pem -cacerts -nokeys 
 openssl pkcs12  -in example.p12  -out cert.pem -clcerts -nokeys
 openssl pkcs12  -in example.p12  -out key.pem -nocerts

When prompted for a password, just type the same password provided with the certificate.

Put the three generated files somewhere in the file system of your wireless device (e.g /etc/certs)

Refer to PKI SSL certificates with OpenSSL for more information about TLS certificates.

wpa_supplicant is an EAP/WPA/WPA2 supplicant available for Linux, Windows and Unix systems. Windows binaries are available from the website. The following are two methods for installing wpa_supplicant under linux and FreeBSD.

Under ubuntu and other debian compatible linux distributions, wpa_supplicant can be installed by typing

 sudo apt-get install wpasupplicant

Under FreeBSD

 cd  /usr/ports/security/wpa_supplicant/
 make install

or

 pkg_add -vrf wpa_supplicant

• Downloaded wpa_supplicant from here here

   wget http://hostap.epitest.fi/releases/wpa_supplicant-0.5.10.tar.gz

• Extract the archive

   tar xfz wpa_supplicant-0.5.10.tar.gz

• Create a .config file

   cp defconfig .config

• Build and install

  make 
  make install

Edit the wpa_supplicant configuration file (e.g. /etc/wpa_supplicant.conf), ant put the following

  network={
      ssid="YOUR-SSID"
      scan_ssid=1
      key_mgmt=WPA-EAP
      pairwise=CCMP TKIP
      group=CCMP TKIP
      eap=TLS
      identity="XXXXX@yourdomain.com"
      ca_cert="/etc/certs/cacert.pem"
      client_cert="/etc/certs/cert.pem"
      private_key="/etc/certs/key.pem"
      private_key_passwd="YOUR-PASSWORD"
   }

• “YOUR-PASSWORD” is the password provided by your administrator when your received your .p12 certificate
• “YOUR-SSID” is the (B/E)SSID of the wireless access network.

wpa_supplicant -B -i IFACE -Dwext -c /etc/wpa_supplicant.conf

Where IFACE is the name of your wireless interface.

• Check that you are associated

 iwconfig IFACE

• Get an IP address

 dhclient IFACE

In order to avoid typing all these commands each time you reboot or want to connect to your wireless network, you can (under linux) use the /etc/network/interfaces file to automatically handle network association and IP address acquisition. For this purpose, put the following in /etc/network/interfaces

 auto IFACE
 iface IFACE inet dhcp
     pre-up wpa_supplicant -Bw -Dwext -i IFACE -c/etc/wpa_supplicant.conf
     post-down killall -q wpa_supplicant

• EAP-Kerberos
• hostapd RADIUS server configuration howto
• Configuring EAP-TLS with Xsupplicant – Dieter Weber

AD HERE

Labels: howto, wireless, security