Q? Configuration for EAP-TLS Auth + 4-Way Handshake

James Ko jim.list at hotmail.com
Tue Aug 13 22:51:59 PDT 2019


Hi,

I'm porting the hostapd/wpa_supplicant to a new embedded platform in which the
network discovery/selection is done externally and prior to starting the
supplicant. The supplicant needs to do EAPOL Authentication using EAP-TLS and
perform the 4-Way Handshake to install the PTK, GTK and do GTK updates.

I have drivers, l2, config, os, etc. all ported over. The driver is for an IEEE
802.15.4 MAC which I've configured with the WIRED flag since all the AP
functions/beacons/SSID selection is done outside of the supplicant/hostapd.

The EAP-TLS Authentication finished with PMK install according to the logs...

supplicant:
EAP-TLS: Derived key - hexdump(len=64): [REMOVED]
EAP-TLS: Derived EMSK - hexdump(len=64): [REMOVED]
EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC eapRespData=0x200340c0
EAP: Session-Id - hexdump(len=65): 0d 00 00 00 24 e5 2d 80 19 0b 05 14 65 c6 3f 77 2d 91 43 9d 76 59 41 47 04 f2 4d 74 e0 4e 32 2e 5e 44 c5 9b dc 32 0f 85 1a
wpan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully

authenticator:
MS-MPPE-Send-Key - hexdump(len=32): [REMOVED]
MS-MPPE-Recv-Key - hexdump(len=32): [REMOVED]
IEEE 802.1X: ac:de:48:00:b8:85:95:80 BE_AUTH entering state SUCCESS

but the state machines do not seem to proceed to the 4-way handshake after that.

====== wpa_supplicant.conf ======
eapol_version=2
ap_scan=0
passive_scan=1
fast_reauth=1
cred={
eap=TLS
username="info at example.com"
ca_cert="blob://ca_chain"
client_cert="blob://client_cert"
private_key="blob://client_key"
domain=" abc.com"
}
network={
ssid="foo"
proto=RSN
pairwise=CCMP
group=CCMP
key_mgmt=IEEE8021X WPA-EAP
eap=TLS
identity="xxx at xxx.com"
ca_cert="blob://ca_chain"
client_cert="blob://client_cert"
private_key="blob://client_key"
phase1="tls_disable_tlsv1_0=1,tls_disable_tlsv1_1=1,tls_disable_time_checks=1"
eapol_flags=3
eap_workaround=0
wps_disabled=1
}

<<<< blobs deleted >>>>

===== hostapd.conf =====
interface=lpw0
driver=wpan
use_driver_iface_addr=1
auth_algs=1
start_disabled=1
ieee8021x=1
eapol_version=2
eapol_key_index_workaround=0
eap_reauth_period=3600
own_ip_addr=fd03::###
auth_server_addr=fd03::####
auth_server_port=1812
auth_server_shared_secret=password
# external RADIUS server
acct_server_addr=fd03::###
acct_server_port=1813
acct_server_shared_secret=password
wpa=2
wpa_key_mgmt=IEEE8021X WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
group_cipher=CCMP

Am I still missing something in the config to trigger the 4-way handshake?
Is there a particular function in the driver which needs to be implemented?
The device doesn't have 4-way handshake offload so I need the supplicant/hostapd to do it.

Any guidance is appreciated.

Thanks,
Jim 
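Added example, not part of this post or of the hostap project: a small Python script that takes the RSN-relevant lines of the two fragments quoted above as constructed sample input and reports whether the supplicant network block and the hostapd config agree on an AKM, a pairwise cipher and a group cipher, i.e. the parameters a 4-way handshake would have to negotiate. Defaults assumed for missing options follow each daemon's documented defaults; how hostapd derives its group cipher when group_cipher is unset is approximated and marked as an assumption in the code. On the quoted fragments it reports WPA-EAP and CCMP in common on both sides, and it flags the bare IEEE8021X entries because that key_mgmt value (in wpa_supplicant, plain IEEE 802.1X without WPA/RSN) does not by itself lead to a 4-way handshake.

```python
"""Cross-check the RSN parameters of a wpa_supplicant network block against a
hostapd config: do both sides share an AKM, a pairwise and a group cipher?"""

# Constructed sample input: the RSN-relevant lines of the two fragments quoted
# in the post (interface, addresses, blobs and RADIUS settings left out).
SUPPLICANT_CONF = """\
network={
ssid="foo"
proto=RSN
pairwise=CCMP
group=CCMP
key_mgmt=IEEE8021X WPA-EAP
eap=TLS
}
"""

HOSTAPD_CONF = """\
ieee8021x=1
wpa=2
wpa_key_mgmt=IEEE8021X WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
group_cipher=CCMP
"""

# AKMs that yield a PMK and end in an EAPOL-Key 4-way handshake.  A bare
# IEEE8021X entry in wpa_supplicant's key_mgmt means plain IEEE 802.1X without
# WPA/RSN, which never runs the 4-way handshake, so it is deliberately absent.
RSN_AKMS = {"WPA-EAP", "WPA-PSK", "WPA-EAP-SHA256", "WPA-PSK-SHA256",
            "FT-EAP", "FT-PSK", "SAE", "FT-SAE", "WPA-EAP-SUITE-B-192"}


def _kv(line):
    """Split key=value; drop the quotes wpa_supplicant puts around strings."""
    key, _, value = line.partition("=")
    return key.strip(), value.strip().strip('"')


def parse_hostapd(text):
    """Flat key=value file; '#' starts a comment; later keys override earlier."""
    conf = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = _kv(line)
            conf[key] = value
    return conf


def parse_supplicant_networks(text):
    """Return one dict per network={ ... } block; global settings are skipped."""
    networks, current = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = _kv(line)
            current[key] = value
    return networks


def _common(findings, label, a, b):
    """Record the intersection of two option sets; False when it is empty."""
    common = a & b
    findings.append(f"{label}: " + (", ".join(sorted(common)) if common else "NONE in common"))
    return bool(common)


def check_rsn_compat(network, ap):
    """Return (ok, findings).  Missing options take each daemon's documented
    default; hostapd's derived group cipher is an approximation (assumption)."""
    findings, ok = [], True
    # hostapd 'wpa' is a bitfield: 1 enables WPA, 2 enables RSN/WPA2.
    if "RSN" in network.get("proto", "WPA RSN").split() and not int(ap.get("wpa", "0")) & 2:
        findings.append("supplicant offers RSN but hostapd wpa= lacks bit 2 (RSN)")
        ok = False

    sup_akms = set(network.get("key_mgmt", "WPA-PSK WPA-EAP").split())
    ap_akms = set(ap.get("wpa_key_mgmt", "WPA-PSK").split())
    for side, akms in (("supplicant", sup_akms), ("hostapd", ap_akms)):
        for akm in sorted(akms - RSN_AKMS):
            findings.append(f"{side} key_mgmt entry {akm!r} is not a WPA/RSN AKM "
                            "and on its own gives no 4-way handshake")
    ok &= _common(findings, "RSN AKM", sup_akms & RSN_AKMS, ap_akms)

    sup_pw = set(network.get("pairwise", "CCMP TKIP").split())
    ap_pw = set(ap.get("rsn_pairwise", ap.get("wpa_pairwise", "TKIP")).split())
    ok &= _common(findings, "pairwise cipher", sup_pw, ap_pw)

    sup_grp = set(network.get("group", "CCMP TKIP WEP104 WEP40").split())
    # Assumption: without group_cipher, hostapd uses TKIP if any pairwise
    # cipher is TKIP, otherwise the pairwise cipher itself.
    ap_grp = (set(ap["group_cipher"].split()) if "group_cipher" in ap
              else ({"TKIP"} if "TKIP" in ap_pw else ap_pw))
    ok &= _common(findings, "group cipher", sup_grp, ap_grp)
    return bool(ok), findings


if __name__ == "__main__":
    ap_conf = parse_hostapd(HOSTAPD_CONF)
    for net in parse_supplicant_networks(SUPPLICANT_CONF):
        ok, findings = check_rsn_compat(net, ap_conf)
        print(f"network {net.get('ssid', '?')!r}: {'compatible' if ok else 'MISMATCH'}")
        for f in findings:
            print("  -", f)
```

Point the two constants at real config files (or read them from disk) to run the same check on a deployment; the script only inspects the RSN block and the AKM/cipher options, so anything outside those (driver capabilities, EAPOL transport, reauth timers) is out of its scope.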
