Setting up WLAN network with EAP-TLS using only PC hardware and free software

This document describes how to set up a Wireless LAN network with the latest security features by utilising software freely available from the Internet, such as:

Here's my test network:

Picking the right Wireless LAN cards

If you intend to set up your own access point on a regular PC, I suggest getting a WLAN card which supports the so-called "hostap" mode. In this mode the AP functionality is in the driver/userspace, and the hardware/firmware of the card just does low-level operations such as sending 802.11 beacons. After some browsing through web pages and driver sources I decided to try D-Link DWL-G650 (h/w v. C2), which is based on the Atheros Super G chipset and supported by the ath driver in BSDs.

Setting up PKI

For secure networking, the communicating parties obviously need to trust each other. One method of building up trust is via a trusted 3rd party, e.g. a Certificate Authority in PKI (Public Key Infrastructure). In practice, with EAP-TLS you need to set up certificates for the server and the client, to support mutual authentication. These certificates need to be signed by a CA. If you can't or don't want to use any of the existing CAs, it's easy to build yourself a new one. For creating keys and certificates you need OpenSSL (which is included in any BSD/Linux distribution today). Here is a shell script and openssl.conf that do everything:

Then just copy cacert.pem, clientkey.pem and clientcert.pem to the WLAN client, and cacert.pem, serverkey.pem and servercert.pem to the FreeRADIUS server (see the related configuration files for exact locations).

NOTE: You need a unique private key and a CA-signed certificate for each WLAN client.
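The following is an added example, not the script or openssl.conf referred to above: it builds a private CA and issues one server certificate and a separate key and certificate per client, using the file names from this page, then verifies each certificate against the CA for its intended purpose. The subject names, RSA 2048-bit keys, lifetimes, the cakey.pem name, the wlan-pki directory, the client2 file prefix and the serverAuth/clientAuth extended key usage sections are assumptions.

```shell
#!/bin/sh
# Added example (not the original script): private CA + EAP-TLS server/client certs.
# Subject names, key size and lifetimes below are assumptions.
set -eu
umask 077                      # private keys must not be world-readable

make_ca() {                    # $1 = output directory
    mkdir -p "$1"
    cat > "$1/openssl.conf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/openssl.conf" -extensions v3_ca -subj "/CN=Example WLAN CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

issue_cert() {                 # $1 = dir, $2 = server|client, $3 = CN, $4 = file prefix
    base=${4:-$2}
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/openssl.conf" \
        -subj "/CN=$3" -keyout "$1/${base}key.pem" -out "$1/$base.csr" 2>/dev/null
    openssl x509 -req -in "$1/$base.csr" -sha256 -days 365 \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -extfile "$1/openssl.conf" -extensions "$2" -out "$1/${base}cert.pem" 2>/dev/null
    rm -f "$1/$base.csr"
}

check_cert() {                 # $1 = dir, $2 = sslserver|sslclient, $3 = cert file
    openssl verify -CAfile "$1/cacert.pem" -purpose "$2" "$1/$3" >/dev/null 2>&1
}

PKI_DIR=${PKI_DIR:-./wlan-pki}
make_ca "$PKI_DIR"
issue_cert "$PKI_DIR" server radius.example.net
issue_cert "$PKI_DIR" client laptop1
issue_cert "$PKI_DIR" client laptop2 client2   # second client: its own key and cert
check_cert "$PKI_DIR" sslserver servercert.pem
check_cert "$PKI_DIR" sslclient clientcert.pem
echo "PKI written to $PKI_DIR"
```

cakey.pem is not among the files copied to the client or the RADIUS server; it stays on the machine that signs certificates.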

Setting up the Authentication Server

If you have more than one WLAN access point, it is logical to have a shared AAA server. I decided to use FreeRADIUS, which is quite simple to install and set up. If you don't want to do this, you can also use hostapd's internal authentication server, or buy one from a shop :-) Here are my FreeRADIUS configuration files (everything else is untouched):

Setting up an Access Point

For an access point, there are two options: either you find a box from the shop that supports WPA2 (= RSN = 802.1X + CCMP) and figure out yourself how to configure it, or you get a PC and install Linux/FreeBSD, hostapd and a WLAN card that supports hostap mode into it. If you decide to use FreeBSD, you need to run at least FreeBSD 6.0-CURRENT, as hostap needs the net80211 API to communicate with the WLAN card driver. I decided to go for the latter option. Here are the essential files:

Setting up Mobile Node

For a mobile node you can use either wpa_supplicant (FreeBSD/Linux/Windows) from the Host AP project or Open1x supplicant (Linux). I have used wpa_supplicant. It works with a larger variety of WLAN cards than hostapd, but so far I have used the same kind of card as with the access point. Here are the essential files:

Testing the setup

To see what's happening, first try this:
  1. Start up radius server: radiusd -X
  2. Start up access point: hostapd -dd -K -t /etc/hostapd.conf
  3. Start up mobile node: wpa_supplicant -dd -K -t -i ath0 -c /etc/wpa_supplicant.conf
After a while, your WLAN interface on MN should look something like this:
ath0: flags=8843 mtu 1500
        inet6 fe80::20f:3dff:feae:e1df%ath0 prefixlen 64 scopeid 0x4 
        inet 192.168.0.101 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:0f:3d:ae:e1:df
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g (OFDM/36Mbps)
        status: associated
        ssid nlab1 channel 2 bssid 00:0f:3d:a9:81:02
        authmode WPA1+WPA2/802.11i privacy ON deftxkey 1
        AES-CCM 1:128-bit <5a5896de96228562d3cfed8c26aae989>
        TKIP 2:128-bit <2d0d23edf5b82b7cd89efba9301b8c6c> rsc 1 tsc 1
        txpowmax 42 protmode CTS roaming MANUAL bintval 100
I simply configured 192.168.0.1 on ath0@AP and 192.168.0.101 on ath0@MN to test ping over WLAN. For more useful setups you need to configure the AP to act as either a bridge or a router. For more information, consult your operating system's man pages or handbook.

Links

Listed here are some links that I found useful when setting up the network. Remember that there is a lot of common code in FreeBSD/NetBSD/OpenBSD/Linux, especially in the networking support and device drivers, so don't be too narrowly focused when searching for information.


$Date: 2005/05/18 14:49:27 $