[PATCH 20/20] tests: IEEE802.1X with security profiles
Andrei Otcheretianski
andrei.otcheretianski at intel.com
Wed Jun 10 06:12:13 PDT 2026
From: Ilan Peer <ilan.peer at intel.com>
Add testing coverage for IEEE802.1X with security profiles:
- Profile 3 (With 802.1X EAP over authentication).
- Profile 7 (With 802.1X EAP over authentication).
- Profile 13
Signed-off-by: Ilan Peer <ilan.peer at intel.com>
---
tests/hwsim/test_ieee8021x_auth.py | 63 ++++++++++++++++++++++++++++++
1 file changed, 63 insertions(+)
diff --git a/tests/hwsim/test_ieee8021x_auth.py b/tests/hwsim/test_ieee8021x_auth.py
index eb99d1bf8b..00edc7a535 100644
--- a/tests/hwsim/test_ieee8021x_auth.py
+++ b/tests/hwsim/test_ieee8021x_auth.py
@@ -912,3 +912,66 @@ def test_ieee8021x_auth_protocol_eap_tls_pmksa_not_found_by_ap(dev, apdev):
if sta["AKMSuiteSelector"] != '00-0f-ac-5':
raise Exception("Incorrect AKMSuiteSelector after PMKSA fallback")
+
+def _run_ieee8021x_auth_security_profile(dev, apdev, key_mgmt,
+ expected_akm, expected_profile,
+ frame_prot=False):
+ ssid = "test-ieee8021x-auth-secprof"
+
+ params = hostapd.wpa2_eap_params(ssid=ssid)
+ params["wpa_key_mgmt"] = key_mgmt
+ params["rsn_pairwise"] = "GCMP-256"
+ params["group_cipher"] = "GCMP-256"
+ params["ieee80211w"] = "2"
+ params["sec_profile_enabled"] = "1"
+
+ sta_extra = {}
+ if frame_prot:
+ params["eap_using_authentication_frames"] = "1"
+ params["assoc_frame_encryption"] = "1"
+ params["pmksa_caching_privacy"] = "1"
+ sta_extra["pmksa_privacy"] = "1"
+ sta_extra["eap_over_auth_frame"] = "1"
+
+ hapd = hostapd.add_ap(apdev[0], params)
+
+ dev[0].connect(ssid,
+ key_mgmt=key_mgmt,
+ ieee80211w="2",
+ pairwise="GCMP-256",
+ group="GCMP-256",
+ eap="TLS",
+ identity="tls user",
+ ca_cert="auth_serv/ca.pem",
+ client_cert="auth_serv/user.pem",
+ private_key="auth_serv/user.key",
+ scan_freq="2412",
+ **sta_extra)
+
+ hapd.wait_sta()
+ sta = hapd.get_sta(dev[0].own_addr())
+
+ if sta["AKMSuiteSelector"] != expected_akm:
+ raise Exception("Incorrect AKMSuiteSelector value: " +
+ sta["AKMSuiteSelector"])
+
+ val = dev[0].get_status_field("matched_sec_profile")
+ if val != str(expected_profile):
+ raise Exception("Unexpected matched_sec_profile: " + str(val))
+
+def test_ieee8021x_auth_alg_eap_tls_security_profile_3(dev, apdev):
+ """IEEE 802.1X authentication with EAP-TLS and Security Profile 3 (AKM 5)"""
+ _run_ieee8021x_auth_security_profile(dev, apdev, "WPA-EAP-SHA256",
+ "00-0f-ac-5", 3, frame_prot=True)
+
+def test_ieee8021x_auth_alg_eap_tls_security_profile_7(dev, apdev):
+ """IEEE 802.1X authentication with EAP-TLS and Security Profile 7 (AKM 12)"""
+ if "WPA-EAP-SUITE-B-192" not in dev[0].get_capability("key_mgmt"):
+ raise HwsimSkip("WPA-EAP-SUITE-B-192 not supported")
+ _run_ieee8021x_auth_security_profile(dev, apdev, "WPA-EAP-SUITE-B-192",
+ "00-0f-ac-12", 7, frame_prot=True)
+
+def test_ieee8021x_auth_alg_eap_tls_security_profile_13(dev, apdev):
+ """IEEE 802.1X authentication with EAP-TLS and Security Profile 13 (AKM 23)"""
+ _run_ieee8021x_auth_security_profile(dev, apdev, "WPA-EAP-SHA384",
+ "00-0f-ac-23", 13)
--
2.53.0
More information about the Hostap
mailing list