wpa configuration for 802.1x and TKIP

[Jouni Malinen]

On Mon, Jan 24, 2005 at 01:52:51PM -0800, Dani Camps wrote:

> I want to configure 802.1x using EAP-PEAP with a
> Radius as a authentication server. My AP does support
> WPA, so I configure it to use WPA-EAP and I configure
> the Radius server settings (IP address and shared
> secret), then it forces me to use encryption and I
> choose TKIP encryption, about TKIP I can configure two
> parameters, the key update time (3 mts by default) and
> a key, that is the initial key to be used for
> encryption ? I ma not sure ...

"key update time" sounds like rekeying interval. I'm not sure what "the
initial key to be used for encryption" would be, though. If the
configuration is unclear and the AP help pages do not maker it clearer,
please quote the exact text used in the interface..

> #Are these the username and password used for the
> #MSCHAPv2 authentication, against the Radius server
> ???
> 
> identity="my_identity"
> password="***********"

Yes.

> In xsupplicant I had two extra parameters for the TLS
> tunnel:
> 
> chunk_size = 1398
> random_file = /dev/urandom
> 
> Am I missing these lines in the wpa_supplicant
> configuration ?

wpa_supplicant does not use these parameters in the configuration file.

> And there is still another thing I don't understand
> the:
> identity="my_identity"
> 
> Is the one used in the EAPOL identity request or the
> one used in the MSCHAPv2 so the user configured in the
> Radius, or both are the same ?

If you only configure 'identity', it will be used both as the EAPOL
identity in phase 1 (i.e., in EAP-Response/Identity) and in the phase 2
(i.e., MSCHAPv2 in this example). If you want to use different
identities, you can configure 'anonymous_identity' (to be used in phase
1) and then 'identity' is used only in phase 2 (MSCHAPv2).

> Using wpa_supplicant do I still need xsupplicant for
> something ?

No.

-- 
Jouni Malinen                                            PGP id EFC895FA