After setting up my wireless FreeBSD router I wanted to secure my wireless network with WPA2 Enterprise.
I've had a really hard time finding any good documentation on hostapd, but I finally got it to work. So why would you use WPA2 Enterprise, isn't Personal good enough? Well, the problem these days is that anyone can set up a wireless network with the same name as yours. If you connect to this fake network believing you are connected to your own, someone has full access to everything you send and receive. WPA2 Enterprise fixes this because the access point also has to prove its identity by presenting a valid SSL certificate. If this certificate changes you will be notified right away.
So, how do you set it up in hostapd? Well, it's not that complex at all; the problem is that you can't find any documentation on it.
Configuration
Here is my configuration for WPA2 Enterprise. This uses hostapd's own internal RADIUS server, but you could just as well use FreeRADIUS or some other RADIUS server out there; then you'll have to figure out how to configure that in hostapd. 😀
/etc/hostapd.conf
interface=wlan0
driver=bsd
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=web
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
macaddr_acl=0
auth_algs=1
own_ip_addr=127.0.0.1
ieee8021x=1
eap_server=1
eapol_version=1
# Path for EAP server user database
eap_user_file=/etc/hostapd_eap_user
ca_cert=/etc/ssl/startssl.ca.pem
server_cert=/etc/ssl/domain.tld.crt
private_key=/etc/ssl/domain.tld.key
/etc/hostapd_eap_user
"peter@domain.tld" PEAP [ver=0]
"peter@domain.tld" MSCHAPV2 "passphrase" [2]
You can also set it up to require a client certificate to connect, to make it even more "secure". It all depends on how you handle your certificates and passwords.
#"peter@domain.tld" PEAP [ver=0]
#"peter@domain.tld" TLS
I use free host and client certificates from https://www.startssl.com, but if you want to set up your own CA you can find an excellent article here.
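As an added example (not code from the original post), here is a POSIX shell pre-flight check for a hostapd.conf written along these lines. It reads the settings the post relies on (wpa, wpa_key_mgmt, ieee8021x, eap_server, eap_user_file, ca_cert, server_cert, private_key) and, for hostapd's internal EAP server, uses the openssl command-line tool to verify that server_cert chains to ca_cert and that private_key really belongs to server_cert, since that certificate is the identity proof the access point presents to clients. It goes beyond the post's own configuration in also covering eap_server=0 with an external RADIUS server such as FreeRADIUS (the auth_server_addr, auth_server_port and auth_server_shared_secret settings). The openssl tool is assumed to be installed; the CA, certificates, keys and configuration files the script generates for its own demonstration are constructed, not real.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for a hostapd
# WPA2 Enterprise configuration, run before starting the daemon.
#   eap_server=1  hostapd's internal EAP server: the user database and TLS
#                 material must be configured, server_cert must chain to
#                 ca_cert, and private_key must belong to server_cert.
#   eap_server=0  external RADIUS server (e.g. FreeRADIUS): the auth_server_*
#                 settings must be configured instead.
# Assumes the openssl command-line tool is installed. All file names below are
# constructed for the demonstration.
set -eu

# Print the value of one key=value setting from a hostapd.conf; comment lines
# start with '#' and therefore never match. Prints nothing if the key is unset.
hostapd_get() {  # $1 = conf file, $2 = key
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Record one failed check; errs is reset at the start of check_hostapd_conf.
errs=0
fail() { echo "FAIL: $*" >&2; errs=$((errs + 1)); }

# The AP proves its identity with server_cert, so the certificate must chain
# to ca_cert and private_key must be the key that certificate was issued for.
check_tls_material() {  # $1 = ca_cert, $2 = server_cert, $3 = private_key
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
        || fail "server_cert $2 does not chain to ca_cert $1"
    # Compare the public key inside the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || fail "private_key $3 does not match server_cert $2"
}

# Returns 0 when the file describes a usable WPA2 Enterprise setup, 1 otherwise,
# printing every problem found on stderr.
check_hostapd_conf() {  # $1 = path to hostapd.conf
    conf=$1
    errs=0
    case "$(hostapd_get "$conf" wpa)" in
        2|3) ;;
        *)   fail "wpa=2 (RSN/WPA2) is required" ;;
    esac
    case "$(hostapd_get "$conf" wpa_key_mgmt)" in
        *WPA-EAP*) ;;
        *)         fail "wpa_key_mgmt must include WPA-EAP" ;;
    esac
    [ "$(hostapd_get "$conf" ieee8021x)" = 1 ] || fail "ieee8021x=1 is required"
    case "$(hostapd_get "$conf" eap_server)" in
        1)  for k in eap_user_file ca_cert server_cert private_key; do
                [ -n "$(hostapd_get "$conf" "$k")" ] || fail "$k is required when eap_server=1"
            done
            [ "$errs" -eq 0 ] && check_tls_material "$(hostapd_get "$conf" ca_cert)" \
                "$(hostapd_get "$conf" server_cert)" "$(hostapd_get "$conf" private_key)"
            ;;
        0)  for k in auth_server_addr auth_server_port auth_server_shared_secret; do
                [ -n "$(hostapd_get "$conf" "$k")" ] || fail "$k is required when eap_server=0"
            done
            ;;
        *)  fail "eap_server must be 0 (external RADIUS) or 1 (internal EAP server)" ;;
    esac
    [ "$errs" -eq 0 ] && echo "OK: $conf"
}

# Create constructed test material in $1: a throwaway CA, an AP certificate it
# signed, an unrelated key, a user database and three hostapd.conf variants.
make_test_material() {  # $1 = directory
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ap.example.test" \
        -keyout "$d/ap.key" -out "$d/ap.csr" 2>/dev/null
    openssl x509 -req -in "$d/ap.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/ap.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$d/other.key" 2>/dev/null
    printf '"peter@domain.tld" PEAP [ver=0]\n"peter@domain.tld" MSCHAPV2 "passphrase" [2]\n' \
        > "$d/eap_user"
    common="interface=wlan0
ssid=web
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1"
    # internal EAP server with consistent TLS material
    printf '%s\neap_server=1\neap_user_file=%s\nca_cert=%s\nserver_cert=%s\nprivate_key=%s\n' \
        "$common" "$d/eap_user" "$d/ca.pem" "$d/ap.crt" "$d/ap.key" > "$d/internal.conf"
    # internal EAP server, but private_key belongs to a different key pair
    printf '%s\neap_server=1\neap_user_file=%s\nca_cert=%s\nserver_cert=%s\nprivate_key=%s\n' \
        "$common" "$d/eap_user" "$d/ca.pem" "$d/ap.crt" "$d/other.key" > "$d/mismatch.conf"
    # external RADIUS server on the same host
    printf '%s\neap_server=0\nauth_server_addr=127.0.0.1\nauth_server_port=1812\nauth_server_shared_secret=testing123\n' \
        "$common" > "$d/external.conf"
}

# Usage: sh check_hostapd.sh /etc/hostapd.conf
[ $# -eq 0 ] || check_hostapd_conf "$1"
```

Run it as `sh check_hostapd.sh /etc/hostapd.conf` before (re)starting hostapd. A private key that does not belong to the configured certificate, or a certificate that does not chain to ca_cert, is reported by name before hostapd starts; the same check_hostapd_conf function accepts an eap_server=0 configuration as long as the RADIUS server address, port and shared secret are set.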
Update:
I have found some "documentation" in the form of well-commented configuration files.
https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
https://w1.fi/cgit/hostap/plain/hostapd/hostapd.eap_user
https://w1.fi/cgit/hostap/plain/hostapd/
Hello,
I'm trying to set up a WPA2 Enterprise network that supports EAP-TLS (802.1x) and I want to use a dedicated Freeradius server. This Freeradius server is patched for specific purposes and is located on the same machine. And I can't figure out how to set up the hostapd.
This is my current configuration:
interface=wlan0
driver=nl80211
ssid=whatever
hw_mode=g
channel=7
ieee8021x=1
auth_algs=1
eap_server=0
eapol_key_index_workaround=0
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
acct_server_addr=127.0.0.1
acct_server_port=1813
acct_server_shared_secret=testing123
Using this configuration I can connect to the hostapd’s hotspot with a username/password that is set in the freeradius server (PEAP), but I can’t connect with certificates only (TLS). On the client side I try to connect using the following wpa_supplicant configuration:
eapol_version=1
update_config=1
network={
ssid="MUDPI"
scan_ssid=1
key_mgmt=IEEE8021X
eap=TLS
identity="theone"
ca_cert="cacert.pem"
client_cert="DEVICE1_cert.pem"
private_key="DEVICE1_key.pem"
private_key_passwd="whatever"
}
but when I try to connect I get the following error:
wlp9s0: SME: Trying to authenticate with [MAC] (SSID='whatever' freq=2442 MHz)
wlp9s0: Trying to associate with [MAC] (SSID='whatever' freq=2442 MHz)
wlp9s0: CTRL-EVENT-ASSOC-REJECT bssid=[MAC] status_code=40
Do you have any idea what I'm doing wrong?
Hi!
First of all you should verify that hostapd successfully connects to the freeradius server. The EAP-TLS configuration is all on the freeradius side and you didn't provide any info on that configuration, so it's not much I can say about it.
When I configured freeradius for eap-tls I used this guide https://wiki.alpinelinux.org/wiki/FreeRadius_EAP-TLS_configuration#Configuration described in https://framkant.org/2018/04/802-1x-client-and-server-in-freebsd/