Wireless Security - WPA2 EAP-TLS using wpa_supplicant howto


More and more wireless access networks are adopting WPA2, the latest wireless network security standard. This howto explains how to configure and run a WPA2 supplicant (wpa_supplicant) with EAP-TLS authentication on your wireless network device.


1. Verify that your Wifi interface is WPA/WPA2 ready

Make sure that your wireless interface is WPA/WPA2 WIFI certified. This guarantees that WPA supplicant (client side software of 802.11i) will not find difficulties to authenticate with the wireless access point. The 802.11i standard mandates changes to the 802.11 link layer, if your wireless interface is pre 802.11i, you may need to update the firmware or buy a new one. I use a Netgear WPN-511 with an Ahteros shipset.


2. Get your TLS certificates ready

EAP-TLS requires client TLS certificates to be installed in the system. You need to ask the administrators in your institution to provide you your own TLS certificate.

In the most common cases, your admin will issue you a .p12 file and a password.

We need to create three files from this .p12 certificate

We will call these files cacert.pem, cert.pem and key.pem respectively (You may choose any name you want though). Assuming that your certificate file name is example.p12, run the following :

 openssl pkcs12  -in example.p12  -out cacert.pem -cacerts -nokeys 
 openssl pkcs12  -in example.p12  -out cert.pem -clcerts -nokeys
 openssl pkcs12  -in example.p12  -out key.pem -nocerts

When prompted for a password, just type the same password provided with the certificate.

Put the three generated files somewhere in the file system of your wireless device (e.g /etc/certs)

Refer to PKI SSL certificates with OpenSSL for more information about TLS certificates.


3. Install wpa_supplicant

wpa_supplicant is an EAP/WPA/WPA2 supplicant available for Linux, Windows and Unix systems. Windows binaries are available from the website. The following are two methods for installing wpa_supplicant under linux and FreeBSD.


Install using package managers

Under ubuntu and other debian compatible linux distributions, wpa_supplicant can be installed by typing

 sudo apt-get install wpasupplicant

Under FreeBSD

 cd  /usr/ports/security/wpa_supplicant/
 make install

or

 pkg_add -vrf wpa_supplicant

Compile from source

  • Downloaded wpa_supplicant from here here
   wget http://hostap.epitest.fi/releases/wpa_supplicant-0.5.10.tar.gz
  • Extract the archive
   tar xfz wpa_supplicant-0.5.10.tar.gz
  • Create a .config file
   cp defconfig .config
  • Build and install
  make 
  make install

4. Configure

Edit the wpa_supplicant configuration file (e.g. /etc/wpa_supplicant.conf), ant put the following

  network={
      ssid="YOUR-SSID"
      scan_ssid=1
      key_mgmt=WPA-EAP
      pairwise=CCMP TKIP
      group=CCMP TKIP
      eap=TLS
      identity="XXXXX@yourdomain.com"
      ca_cert="/etc/certs/cacert.pem"
      client_cert="/etc/certs/cert.pem"
      private_key="/etc/certs/key.pem"
      private_key_passwd="YOUR-PASSWORD"
   }
  • “YOUR-PASSWORD” is the password provided by your administrator when your received your .p12 certificate
  • “YOUR-SSID” is the (B/E)SSID of the wireless access network.

5. Run the wpa_supplicant daemon

wpa_supplicant -B -i IFACE -Dwext -c /etc/wpa_supplicant.conf

Where IFACE is the name of your wireless interface.

  • Check that you are associated
 iwconfig IFACE
  • Get an IP address
 dhclient IFACE

6. Automating

In order to avoid typing all these commands each time you reboot or want to connect to your wireless network, you can (under linux) use the /etc/network/interfaces file to automatically handle network association and IP address acquisition. For this purpose, put the following in /etc/network/interfaces

 auto IFACE
 iface IFACE inet dhcp
     pre-up wpa_supplicant -Bw -Dwext -i IFACE -c/etc/wpa_supplicant.conf
     post-down killall -q wpa_supplicant

Links



Wireless Internet Security Performance RADIUS server Wireless Internet Security Performance RADIUS server