WPA2/AES disconnect problem

Alexander Pohl a.h.pohl
Wed Dec 6 13:57:56 PST 2006


Dear Kuba,

Here are my config files for freeradius. You basically need only to
adjust eap.conf to allow PEAP and TLS authentication methods and
create a users file (or use a MySQL, PostgreSQL or LDAP database). You
also need a public key infrastructure to generate your own
certificates.

eap.conf:

# these settings go inside the existing eap { ... } block of eap.conf
eap {
        default_eap_type = tls
        tls {
                private_key_file = ${raddbdir}/certs/freeradius-key.pem
                certificate_file = ${raddbdir}/certs/freeradius-cert.pem
                CA_file = ${raddbdir}/certs/cacert.pem
                CA_path = ${raddbdir}/certs
                dh_file = ${raddbdir}/certs/dh1024.pem
                random_file = /dev/urandom

                # check_crl expects the CRL in CA_path, hashed with c_rehash
                check_crl = yes
                # compared against the issuer DN in OpenSSL's one-line form
                check_cert_issuer = "/O=The University of Reading/OU=CA/emailAddress=a.h.pohl at reading.ac.uk/L=Reading/ST=Berkshire/C=GB/CN=Debian RootCA"
        }
        peap {
                default_eap_type = mschapv2
        }
}

users:

"user"    User-Password == "pass"



I have summarised the openssl commands to set up your own PKI below.
You need a simple openssl.cnf file:

#
# OpenSSL configuration file.
#

# Establish working directory.
dir = .

[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm (md5 was the 2006 default; use sha256 on current OpenSSL)
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name   Prompt string
#----------------------   ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name   Value
#------------------------------   ------------------------------
0.organizationName_default = The University of Reading
localityName_default = Reading
stateOrProvinceName_default = Berkshire
countryName_default = GB

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5 # signature digest for issued certificates; md5 is broken, use sha256 on current OpenSSL
preserve = no
email_in_dn = no
# "openssl ca" reads these as name_opt / cert_opt with the value ca_default
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2 # id-kp-clientAuth

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1 # id-kp-serverAuth

[ openvpn_server ]
nsCertType = server
nsComment  = "OpenSSL Generated Server Certificate"

[ openvpn_client ]
nsCertType = client
nsComment  = "OpenSSL Generated Client Certificate"



Then use the following commands to generate your certificates:

# make root CA
mkdir newcerts private
echo '01' > serial
touch index.txt

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
    -out cacert.pem -days 3650 -config ./openssl.cnf

chmod 0400 private/cakey.pem
# store the CA key passphrase (replace 'private key' with the one you typed
# above) so the later "openssl ca" runs can read it with -passin file:
echo 'private key' > private/ca.key
chmod 0400 private/ca.key

# check
openssl x509 -in cacert.pem -noout -text
openssl x509 -in cacert.pem -noout -dates
openssl x509 -in cacert.pem -noout -purpose

# signing request (the key goes to key.pem, see default_keyfile)
openssl req -new -nodes -out req.pem -config ./openssl.cnf

---
Organizational Unit: a reminder of what the certificate is for
Email Address: the postmaster, webmaster, etc...
Common Name: the server hostname, server name, etc...
---

# sign client (use one of the two, depending on what the request is for)
openssl ca -out cert.pem -passin file:private/ca.key -config ./openssl.cnf \
    -extensions xpclient_ext -infiles req.pem
# sign server
openssl ca -out cert.pem -passin file:private/ca.key -config ./openssl.cnf \
    -extensions xpserver_ext -infiles req.pem

# remove text (strip the human-readable dump, keep only the PEM block)
mv cert.pem tmp.pem
openssl x509 -in tmp.pem -out cert.pem

cat cert.pem key.pem > cert-key.pem

# create revocation list
openssl ca -gencrl -passin file:private/ca.key -crldays 31 -config ./openssl.cnf \
    -out rootca.crl

# Diffie-Hellman parameters
openssl dhparam -out dh1024.pem 1024


You have to save your private key for cacert.pem in a file or type the
passphrase interactively. Coming back to hostapd configuration, WPA2
always uses AES (CCMP), whereas with WPA you have the choice between
TKIP or AES. The client decides which cipher will be used in case of
WPA, if you allow both (wpa_pairwise=TKIP CCMP).

I hope that keeps you going,
Alexander
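The checks behind check_crl, check_cert_issuer and the xpclient_ext / xpserver_ext extension sections in the mail, as an added example that is not part of Alexander's message: a POSIX shell script that builds a throwaway CA in a temporary directory from a minimal openssl.cnf modelled on the one above (section names reused; clientAuth and serverAuth are OpenSSL's names for the OIDs 1.3.6.1.5.5.7.3.2 and 1.3.6.1.5.5.7.3.1), issues one client and one server certificate, and then runs the decisions a RADIUS server's TLS module makes: the issuer DN in OpenSSL's one-line form (the form check_cert_issuer is compared against), the extended-key-usage purpose check, and revocation through the CRL. The CA key is left unencrypted (-nodes) only to keep the run non-interactive; the function names, file names and the "Example" DN are the example's own.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes a working "openssl" binary.
set -eu

# Minimal openssl.cnf in the spirit of the mail's (names assumed); $1 is the PKI dir.
pki_write_config() {
    cat > "$1/openssl.cnf" <<EOF
dir = $1
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = critical, keyCertSign, cRLSign
[ xpclient_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ xpserver_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = \$dir/serial
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_days = 30
default_md = sha256
policy = policy_match
[ policy_match ]
organizationName = match
commonName = supplied
EOF
}

# Issue a certificate: $1 dir, $2 name, $3 extension section (xpclient_ext|xpserver_ext).
pki_issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2-key.pem" \
        -out "$1/$2-req.pem" -subj "/O=Example/CN=$2.example.net" \
        -config "$1/openssl.cnf" 2>/dev/null
    openssl ca -batch -notext -config "$1/openssl.cnf" -extensions "$3" \
        -in "$1/$2-req.pem" -out "$1/$2-cert.pem" 2>/dev/null
}

# Build the CA, one client cert, one server cert and an (empty) CRL in $1.
pki_setup() {
    mkdir -p "$1/newcerts" "$1/private"
    echo 01 > "$1/serial"
    : > "$1/index.txt"
    pki_write_config "$1"
    # Unencrypted CA key (-nodes) only for the demo; the mail keeps a passphrase.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" \
        -subj "/O=Example/CN=Example Root CA" \
        -config "$1/openssl.cnf" -extensions v3_ca 2>/dev/null
    chmod 0400 "$1/private/cakey.pem"
    pki_issue "$1" client xpclient_ext
    pki_issue "$1" server xpserver_ext
    # -crl_check needs a CRL from this CA even when nothing is revoked yet.
    openssl ca -config "$1/openssl.cnf" -gencrl -crldays 7 -out "$1/rootca.crl" 2>/dev/null
}

# check_cert_issuer equivalent: issuer DN in OpenSSL's one-line "/O=.../CN=..." form.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt compat | sed 's/^issuer= *//'
}

# EKU check: does $2 chain to the CA in $1 and carry the EKU for $3 (sslclient|sslserver)?
cert_ok_for() {
    openssl verify -purpose "$3" -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

# check_crl equivalent: chain validation with revocation checking against the CRL.
cert_not_revoked() {
    openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/rootca.crl" "$2" >/dev/null 2>&1
}

# Revoke $2 and publish a fresh CRL (what an operator does when a client key is lost).
pki_revoke() {
    openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -gencrl -crldays 7 -out "$1/rootca.crl" 2>/dev/null
}

pki_demo() {
    d=$(mktemp -d)
    pki_setup "$d"
    echo "issuer: $(cert_issuer "$d/client-cert.pem")"
    cert_ok_for "$d" "$d/client-cert.pem" sslclient && echo "client cert accepted as TLS client"
    cert_ok_for "$d" "$d/client-cert.pem" sslserver || echo "client cert rejected as TLS server (EKU)"
    cert_not_revoked "$d" "$d/client-cert.pem" && echo "client cert not on the CRL"
    pki_revoke "$d" "$d/client-cert.pem"
    cert_not_revoked "$d" "$d/client-cert.pem" || echo "client cert now revoked"
    rm -rf "$d"
}
pki_demo
```

The EKU step is why the two separate extension sections matter: a certificate issued with xpclient_ext is refused when offered as a server, so a leaked client certificate cannot be used to impersonate the RADIUS server, and the CRL step shows that check_crl only helps if a current CRL is actually published where the server can find it.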



