Re: HostAP and EAP/TLS

Daniel Walther d.walther
Tue May 18 12:03:00 PDT 2004


Hello Chris

Thanks for your fast answer.

I'm still trying to make it work.
Here is my eap.conf file:

eap {
                #  Invoke the default supported EAP type when
                #  EAP-Identity response is received.
                #
                #  The incoming EAP messages DO NOT specify which EAP
                #  type they will be using, so it MUST be set here.
                #
                #  For now, only one default EAP type may be used at a time.
                #
                #  If the EAP-Type attribute is set by another module,
                #  then that EAP type takes precedence over the
                #  default type configured here.
                #
                default_eap_type = tls

                #  A list is maintained to correlate EAP-Response
                #  packets with EAP-Request packets.  After a
                #  configurable length of time, entries in the list
                #  expire, and are deleted.
                #
                timer_expire     = 60

                #  There are many EAP types, but the server has support
                #  for only a limited subset.  If the server receives
                #  a request for an EAP type it does not support, then
                #  it normally rejects the request.  By setting this
                #  configuration to "yes", you can tell the server to
                #  instead keep processing the request.  Another module
                #  MUST then be configured to proxy the request to
                #  another RADIUS server which supports that EAP type.
                #
                #  If another module is NOT configured to handle the
                #  request, then the request will still end up being
                #  rejected.
                ignore_unknown_eap_types = no

                # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
                # a User-Name attribute in an Access-Accept, it copies one
                # more byte than it should.
                #
                # We can work around it by configurably adding an extra
                # zero byte.
                cisco_accounting_username_bug = no

...

                ## EAP-TLS
                #
                #  To generate test certificates, run the script
                #
                #       ../scripts/certs.sh
                #
                #  The documents on http://www.freeradius.org/doc
                #  are old, but may be helpful.
                #
                #  See also:
                #
                #  http://www.dslreports.com/forum/remark,9286052~mode=flat
                #
                tls {
                        private_key_password = whatever
                        private_key_file = ${raddbdir}/certs/cert-srv.pem

                        #  If Private key & Certificate are located in
                        #  the same file, then private_key_file &
                        #  certificate_file must contain the same file
                        #  name.
                        certificate_file = ${raddbdir}/certs/cert-srv.pem

                        #  Trusted Root CA list
                        CA_file = ${raddbdir}/certs/demoCA/cacert.pem

                        dh_file = ${raddbdir}/certs/dh
                        random_file = ${raddbdir}/certs/random

                        #
                        #  This can never exceed the size of a RADIUS
                        #  packet (4096 bytes), and is preferably half
                        #  that, to accommodate other attributes in the
                        #  RADIUS packet.  On most APs the MAX packet
                        #  length is configured between 1500 - 1600.
                        #  In these cases, fragment size should be
                        #  1024 or less.
                        #
                        fragment_size = 1024

                        #  include_length is a flag which is
                        #  by default set to yes.  If set to
                        #  yes, Total Length of the message is
                        #  included in EVERY packet we send.
                        #  If set to no, Total Length of the
                        #  message is included ONLY in the
                        #  First packet of a fragment series.
                        #
                        include_length = yes

                        #  Check the Certificate Revocation List
                        #
                        #  1) Copy CA certificates and CRLs to same directory.
                        #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
                        #     'c_rehash' is OpenSSL's command.
                        #  3) Add 'CA_path=<CA certs&CRLs directory>'
                        #     to radiusd.conf's tls section.
                        #  4) Uncomment the line below.
                        #  5) Restart radiusd.
                        #       check_crl = yes

                        #
                        #  If check_cert_cn is set, the value will
                        #  be xlat'ed and checked against the CN
                        #  in the client certificate.  If the values
                        #  do not match, the certificate verification
                        #  will fail rejecting the user.
                        #
                        #       check_cert_cn = %{User-Name}
                }

Here is also my hostapd.conf file:

...
##### IEEE 802.11 related configuration
#######################################

# SSID to be used in IEEE 802.11 management frames
ssid=WimS

# Station MAC address -based authentication
# 0 = accept unless in deny list
# 1 = deny unless in accept list
# 2 = use external RADIUS server (accept/deny lists are searched first)
macaddr_acl=0

# Accept/deny lists are read from separate files (containing list of
# MAC addresses, one per line). Use absolute path name to make sure that the
# files can be read on SIGHUP configuration reloads.
#accept_mac_file=/etc/hostapd.accept
#deny_mac_file=/etc/hostapd.deny

# IEEE 802.11 specifies two authentication algorithms. hostapd can be
# configured to allow both of these or only one. Open system authentication
# should be used with IEEE 802.1X.
# Bit fields of allowed authentication algorithms:
# bit 0 = Open System Authentication
# bit 1 = Shared Key Authentication (requires WEP)
auth_algs=3

# Associate as a station to another AP while still acting as an AP on the same
# channel.
#assoc_ap_addr=00:12:34:56:78:9a


##### IEEE 802.1X (and IEEE 802.1aa/D4) related configuration
#################

# Require IEEE 802.1X authorization
ieee8021x=1

# Use internal minimal EAP Authentication Server for testing IEEE 802.1X.
# This should only be used for testing since it authorizes all users that
# support IEEE 802.1X without any keys or certificates.
minimal_eap=0

# Optional displayable message sent with EAP Request-Identity
eap_message=hello

# WEP rekeying (disabled if key lengths are not set or are set to 0)
# Key lengths for default/broadcast and individual/unicast keys:
# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
wep_key_len_broadcast=13
wep_key_len_unicast=13

# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)
wep_rekey_period=300

# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
# only broadcast keys are used)
eapol_key_index_workaround=0

...

##### RADIUS configuration
####################################################
# for IEEE 802.1X with external Authentication Server, IEEE 802.11
# authentication with external ACL for MAC addresses, and accounting

# The own IP address of the access point (used as NAS-IP-Address)
own_ip_addr=192.168.70.60

# Optional NAS-Identifier string for RADIUS messages. When used, this should be
# unique to the NAS within the scope of the RADIUS server. For example, a
# fully qualified domain name can be used here.
#nas_identifier=ap.example.com

# RADIUS authentication server
auth_server_addr=192.168.70.185
auth_server_port=1812
auth_server_shared_secret=secret

# RADIUS accounting server
acct_server_addr=192.168.70.185
acct_server_port=1813
acct_server_shared_secret=secret

...

# Retry interval for trying to return to the primary RADIUS server (in
# seconds). RADIUS client code will automatically try to use the next server
# when the current server is not replying to requests. If this interval is set,
# primary server will be retried after configured amount of time even if the
# currently used secondary server is still working.
#radius_retry_primary_interval=600


# Interim accounting update interval
# If this is set (larger than 0) and acct_server is configured, hostapd will
# send interim accounting updates every N seconds. Note: if set, this overrides
# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this
# value should not be configured in hostapd.conf, if RADIUS server is used to
# control the interim interval.
# This value should not be less than 600 (10 minutes) and must not be less than
# 60 (1 minute).
#radius_acct_interim_interval=600

I tried it with a Windows XP and a Linux computer. But with both requests my
RADIUS dies, after sending the Challenge answer after the first
authorization request. In the RADIUS log file I see the following output:

Tue May 18 16:13:20 2004 : Info: Using deprecated naslist file.  Support for this will go away soon.
Tue May 18 16:13:20 2004 : Info: rlm_exec: Wait=yes but no output defined.  Did you mean output=none?
Tue May 18 16:13:20 2004 : Info: Ready to process requests.
Tue May 18 16:14:26 2004 : Info: rlm_eap_tls:  Length Included
Tue May 18 16:14:27 2004 : Error: Discarding duplicate request from client wims-network:1035 - ID: 4 due to unfinished request 1

I've started the radwatch script and saw that my RADIUS server dies every
10 seconds! But why?

The only message that I receive, is that there is a segmentation fault.

How did you create the certificates with OpenSSL?

By the way, I'm using freeradius-0.9.3 and openssl-SNAP-20040518.

Thanks for your help in advance!

Best regards
Daniel

-----Original Message-----
From: Chris Evans [mailto:cwevans at acm.org]
Sent: Tuesday, 18 May 2004 19:31
To: Daniel Walther
Cc: hostap at shmoo.com
Subject: Re: HostAP and EAP/TLS

I've got it working fine on my system.  Or so I think.  Every once in a 
while my hostap boxes crash, but it works well enough for me to not 
debug.  The freeradius server stays up just fine.

If you need more help than the part of the file that I think applies to
EAP-TLS, just let me know.

part of my radiusd.conf file
eap {
                #  Invoke the default supported EAP type when
                #  EAP-Identity response is received.
                #
                #  The incoming EAP messages DO NOT specify which EAP
                #  type they will be using, so it MUST be set here.
                #
                #  For now, only one default EAP type may be used at a time.
                #
                default_eap_type = tls
                authtype = EAP  ## TODO added, does this work
                #  Default expiry time to clean the EAP list, It is
                #  maintained to correlate the EAP-Response for each
                #  EAP-request sent.
                timer_expire     = 60
...
                ## EAP-TLS is highly experimental EAP-Type at the moment.
                #       Please give feedback on the mailing list.
                tls {
                        private_key_password = password-foo
                        private_key_file = /etc/freeradius/cert-srv.pem

                        #  If Private key & Certificate are located in
                        #  the same file, then private_key_file &
                        #  certificate_file must contain the same file
                        #  name.
                        certificate_file = /etc/freeradius/cert-srv.pem

                        #  Trusted Root CA list
                        CA_file = /etc/freeradius/root.pem

                        dh_file = /etc/freeradius/dh_file
                        random_file = /etc/freeradius/random_file

                        #
                        #  This can never exceed the size of a RADIUS
                        #  packet (4096 bytes), and is preferably half
                        #  that, to accommodate other attributes in the
                        #  RADIUS packet.  On most APs the MAX packet
                        #  length is configured between 1500 - 1600.
                        #  In these cases, fragment size should be
                        #  1024 or less.
                        #
                        fragment_size = 512

                        #  include_length is a flag which is
                        #  by default set to yes.  If set to
                        #  yes, Total Length of the message is
                        #  included in EVERY packet we send.
                        #  If set to no, Total Length of the
                        #  message is included ONLY in the
                        #  First packet of a fragment series.
                        #
                        include_length = yes
                }
}

On May 18, 2004, at 9:31 AM, Daniel Walther wrote:

> Hi @all
>
> I'm trying to set up HostAP with EAP/TLS. I'm using freeradius.
> But now I have the problem that the freeradius server crashes after one
> authorization request over EAP/TLS.
> Is there anyone who uses HostAP with EAP/TLS and it works for them? And with
> which products and settings do you use it?
>
> Thanks for your help.
>
> Regards
> Daniel
>
> _______________________________________________
> HostAP mailing list
> HostAP at shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
>
>
--
       -+--++---+++----++++-----+++++-----++++----+++---++--+-
      ___
  _.-|   |          |\__/,|   (`\      | Chris Evans
{   |   |          |o o  |__ _) )     |
  "-.|___|        _.( T   )  `  /      | cwevans at acm.org
   .--'-`-.     _((_ `^--' /_<  \      |
.+|______|__.-||__)`-'(((/  (((/      |  "Any technology distinguishable
                                       |  from magic, is not advanced
   Nika plays with a computer mouse    |  enough" -- Gregory Benford
       BY: Mike Rosulek                |
          http://showcase.netins.net/web/mikewrld/ascii/
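The fragment_size and include_length comments in both eap.conf excerpts above describe how the server splits a TLS handshake flight across EAP-Request packets and why each fragment has to fit the access point's RADIUS packet limit. The following is an added example written for this page; it is not code from FreeRADIUS, hostapd, or either poster. It implements the EAP-TLS framing from RFC 2716 (the L and M flags and the 4-byte TLS Message Length field), a reassembler for the peer side that rejects a fragment whose declared length changes mid-series, and a rough estimate of the resulting Access-Challenge size. Assumptions of mine, not the projects': fragment_size is treated as an upper bound on the whole EAP packet, SAMPLE_TLS is a constructed 2030-byte stand-in for the server Certificate message, and the 200-byte allowance for State and other attributes is a guess.

```python
"""EAP-TLS fragmentation, reassembly and RADIUS size check.

Added example for this thread, not FreeRADIUS or hostapd code.  Assumptions
(mine, not the projects'): fragment_size bounds the whole EAP packet, and
SAMPLE_TLS is a constructed stand-in for a TLS handshake flight."""
import math
import struct

EAP_REQUEST = 1
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More fragments, Start

EAP_HDR_LEN = 5         # Code, Identifier, Length (2), Type
FLAGS_LEN = 1
TLS_LEN_FIELD = 4       # "TLS Message Length", present only when L is set

RADIUS_HDR_LEN = 20
EAP_MESSAGE_MAX = 253   # max value length of one EAP-Message attribute (RFC 3579)
MSG_AUTH_LEN = 18       # Message-Authenticator attribute, mandatory alongside EAP

# Constructed 2030-byte TLS record; the byte pattern only matters for reassembly checks.
SAMPLE_TLS = b"\x16\x03\x01" + (bytes(range(256)) * 8)[:2027]


def fragment(tls_msg, fragment_size, include_length, first_id=0):
    """Split one TLS message into EAP-Request/EAP-TLS packets.

    include_length=True puts the L flag and the 4-byte total length in every
    fragment (4 bytes less payload each); False puts it only in the first."""
    packets, offset, ident = [], 0, first_id
    while True:
        first = offset == 0
        with_len = first or include_length
        hdr = EAP_HDR_LEN + FLAGS_LEN + (TLS_LEN_FIELD if with_len else 0)
        room = fragment_size - hdr
        if room <= 0:
            raise ValueError("fragment_size too small for the EAP-TLS header")
        chunk = tls_msg[offset:offset + room]
        offset += len(chunk)
        flags = (FLAG_L if with_len else 0) | (FLAG_M if offset < len(tls_msg) else 0)
        body = bytes([EAP_TYPE_TLS, flags])
        if with_len:
            body += struct.pack("!I", len(tls_msg))
        body += chunk
        packets.append(struct.pack("!BBH", EAP_REQUEST, ident & 0xFF, 4 + len(body)) + body)
        ident += 1
        if offset >= len(tls_msg):
            return packets


class Reassembler:
    """Peer side: collect fragments until one arrives without the M flag."""

    def __init__(self):
        self.buf, self.expected = bytearray(), None

    def feed(self, pkt):
        """Return the complete TLS message on the last fragment, else None."""
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("bad EAP length or not EAP-TLS")
        flags, pos = pkt[5], 6
        if flags & FLAG_L:
            (declared,) = struct.unpack("!I", pkt[6:10])
            pos = 10
            if self.expected is None:
                self.expected = declared
            elif declared != self.expected:
                raise ValueError("TLS Message Length changed mid-series")
        elif self.expected is None and flags & FLAG_M:
            raise ValueError("first fragment of a series must carry the L flag")
        self.buf += pkt[pos:]
        if flags & FLAG_M:
            return None
        msg = bytes(self.buf)
        if self.expected is not None and len(msg) != self.expected:
            raise ValueError("reassembled %d bytes, expected %d" % (len(msg), self.expected))
        self.buf, self.expected = bytearray(), None
        return msg


def radius_size_estimate(eap_pkt, other_attrs=200):
    """Approximate size of the Access-Challenge carrying eap_pkt: RADIUS header,
    one 2-byte attribute header per 253-byte EAP-Message slice, the EAP bytes,
    Message-Authenticator, plus an assumed allowance for State and other attributes."""
    slices = max(1, math.ceil(len(eap_pkt) / EAP_MESSAGE_MAX))
    return RADIUS_HDR_LEN + slices * 2 + len(eap_pkt) + MSG_AUTH_LEN + other_attrs


def demo(fragment_size, include_length, ap_max=1500):
    """Fragment SAMPLE_TLS, reassemble it, and report (fragment count, largest
    RADIUS packet, whether that fits the AP's maximum RADIUS packet length)."""
    pkts = fragment(SAMPLE_TLS, fragment_size, include_length)
    r = Reassembler()
    results = [r.feed(p) for p in pkts]
    if results[-1] != SAMPLE_TLS or any(x is not None for x in results[:-1]):
        raise AssertionError("reassembly failed")
    largest = max(radius_size_estimate(p) for p in pkts)
    return len(pkts), largest, largest <= ap_max


if __name__ == "__main__":
    for fs, inc in ((1024, True), (1024, False), (512, True), (2048, True)):
        print("fragment_size=%-4d include_length=%-5s -> %d fragments, largest RADIUS "
              "packet %d bytes, fits in 1500: %s" % ((fs, inc) + demo(fs, inc)))
```

Running it shows the trade-off the comments describe: at fragment_size 2048 the single fragment already produces a RADIUS packet over 1500 bytes, while 1024 and 512 fit; and include_length=no saves 4 bytes on every fragment after the first, which for this message drops the count from three fragments to two. The reassembler's check that the declared TLS Message Length never changes mid-series is the part a peer must not skip, since otherwise a corrupted or injected fragment can silently grow the buffer beyond what the first packet announced.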