in Security, Sysadmin

WPA2 Enterprise with hostapd

After setting up my wireless FreeBSD router I wanted to secure my wireless network with WPA2 Enterprise.

I had a really hard time finding any good documentation on hostapd, but I finally got it to work. So why would you use WPA2 Enterprise, isn't Personal good enough? The problem is that anyone can set up a wireless network with the same name as yours. If you connect to this fake network believing it is your own, whoever runs it has full access to everything you send and receive. WPA2 Enterprise addresses this because the access point (strictly, the EAP/RADIUS server behind it) also has to prove its identity with a valid TLS server certificate before the client hands over any credentials. Note that this only protects you if the client is configured to validate that certificate against a trusted CA and to check the server name; a client that accepts any certificate is just as exposed to a rogue access point as with WPA2 Personal. If the certificate changes, a properly configured supplicant will warn you right away.

So, how do you set it up in hostapd? It's not that complex at all; the problem is that you can't find any documentation on it.

Configuration

Here is my configuration for WPA2 Enterprise. It uses hostapd's own internal RADIUS/EAP server, but you could just as well use FreeRADIUS or some other RADIUS server; then you'll have to figure out how to point hostapd at it (eap_server=0 plus the auth_server_addr, auth_server_port and auth_server_shared_secret options). 😀 Note that wpa_pairwise=TKIP CCMP still allows the deprecated TKIP cipher; use wpa_pairwise=CCMP unless a legacy client really needs TKIP.

/etc/hostapd.conf

interface=wlan0
driver=bsd
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=web
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
macaddr_acl=0 
auth_algs=1
own_ip_addr=127.0.0.1
ieee8021x=1
eap_server=1
eapol_version=1

# Path for EAP server user database
eap_user_file=/etc/hostapd_eap_user
ca_cert=/etc/ssl/startssl.ca.pem
server_cert=/etc/ssl/domain.tld.crt
private_key=/etc/ssl/domain.tld.key
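As a check on the configuration above, here is a small Python linter (an added example, not hostapd's own code) that parses a hostapd.conf and reports the settings that weaken WPA2 Enterprise: a TKIP pairwise cipher, a missing certificate or user file when the internal EAP server is used, or a missing RADIUS address or a well-known shared secret when an external server is used. The embedded sample is a constructed copy of the configuration above with the TKIP setting shown beside the hardened variant; the file paths are the ones from that configuration and are not checked for existence.

```python
"""Sanity-check a hostapd.conf for WPA2 Enterprise (added example, not hostapd code)."""
from typing import Dict, List

# Constructed sample: the hostapd.conf shown above, minus the ctrl_interface lines.
SAMPLE_HOSTAPD_CONF = """\
interface=wlan0
driver=bsd
ssid=web
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_algs=1
ieee8021x=1
eap_server=1
eap_user_file=/etc/hostapd_eap_user
ca_cert=/etc/ssl/startssl.ca.pem
server_cert=/etc/ssl/domain.tld.crt
private_key=/etc/ssl/domain.tld.key
"""

# The same configuration with the weak setting corrected: CCMP only.
HARDENED_HOSTAPD_CONF = SAMPLE_HOSTAPD_CONF.replace("wpa_pairwise=TKIP CCMP", "wpa_pairwise=CCMP")


def parse_hostapd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' comments and blank lines are ignored.
    A repeated key overwrites the earlier value, as hostapd does for scalar options."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_enterprise(conf: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing obviously weak."""
    findings: List[str] = []
    if conf.get("wpa") != "2":
        findings.append("wpa must be 2 (RSN only); wpa=1 or 3 also negotiates WPA1")
    if "WPA-EAP" not in conf.get("wpa_key_mgmt", "").split():
        findings.append("wpa_key_mgmt must include WPA-EAP for 802.1X authentication")
    if conf.get("ieee8021x") != "1":
        findings.append("ieee8021x=1 is required for EAP authentication")
    # With wpa=2 hostapd uses rsn_pairwise and falls back to wpa_pairwise if it is unset.
    ciphers = (conf.get("rsn_pairwise") or conf.get("wpa_pairwise", "")).split()
    if not ciphers:
        findings.append("no pairwise cipher configured (wpa_pairwise/rsn_pairwise)")
    if "TKIP" in ciphers:
        findings.append("pairwise cipher list allows TKIP (deprecated, RC4-based); use CCMP only")
    if conf.get("eap_server") == "1":
        # Internal EAP server: it terminates TLS itself, so it needs the cert material and a user db.
        for key in ("ca_cert", "server_cert", "private_key", "eap_user_file"):
            if key not in conf:
                findings.append(f"internal EAP server needs {key}")
    else:
        # eap_server defaults to 0: authentication is forwarded to an external RADIUS server.
        for key in ("auth_server_addr", "auth_server_port", "auth_server_shared_secret"):
            if key not in conf:
                findings.append(f"external RADIUS needs {key}")
        if conf.get("auth_server_shared_secret") in ("testing123", "secret", "radius"):
            findings.append("RADIUS shared secret is a well-known default")
    return findings


if __name__ == "__main__":
    for name, text in (("as posted", SAMPLE_HOSTAPD_CONF), ("hardened", HARDENED_HOSTAPD_CONF)):
        print(name + ":", check_enterprise(parse_hostapd_conf(text)) or ["no findings"])
```

Run it against a real file with `check_enterprise(parse_hostapd_conf(open("/etc/hostapd.conf").read()))`; the posted configuration yields exactly one finding (TKIP) and the hardened copy none.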

/etc/hostapd_eap_user

"peter@domain.tld" PEAP [ver=0]
"peter@domain.tld" MSCHAPV2 "passphrase" [2]

You can also set it up to require a client certificate (EAP-TLS) to connect, which does away with passwords altogether; whether that makes it "more secure" depends on how you handle your certificates and passwords. With the internal EAP server, client certificates are verified against the same ca_cert given above.

#"peter@domain.tld" PEAP [ver=0]
"peter@domain.tld" TLS

I use free host and client certificates from https://www.startssl.com, but if you want to set up your own CA you can find an excellent article here. (StartSSL has since shut down and its roots have been removed from browser and OS trust stores, so a private CA is now the practical choice for EAP. It is arguably the better choice anyway: with a public CA, anyone holding a valid certificate for some other name can impersonate your access point unless every client also checks the server name, whereas a private CA trusted only for this network limits who can pass as your RADIUS server.)
Update:
I have found some "documentation" in the form of well-commented configuration files.
https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
https://w1.fi/cgit/hostap/plain/hostapd/hostapd.eap_user
https://w1.fi/cgit/hostap/plain/hostapd/


  1. Hello,

    I'm trying to set up a WPA2 Enterprise network that supports EAP-TLS (802.1X) and I want to use a dedicated FreeRADIUS server. This FreeRADIUS server is patched for specific purposes and is located on the same machine. And I can't figure out how to set up the hostapd.
    This is my current configuration:

    interface=wlan0
    driver=nl80211
    ssid=whatever
    hw_mode=g
    channel=7
    ieee8021x=1
    auth_algs=1
    eap_server=0
    eapol_key_index_workaround=0

    wpa=2
    wpa_key_mgmt=WPA-EAP
    rsn_pairwise=CCMP
    auth_server_addr=127.0.0.1
    auth_server_port=1812
    auth_server_shared_secret=testing123
    acct_server_addr=127.0.0.1
    acct_server_port=1813
    acct_server_shared_secret=testing123

    Using this configuration I can connect to the hostapd’s hotspot with a username/password that is set in the freeradius server (PEAP), but I can’t connect with certificates only (TLS). On the client side I try to connect using the following wpa_supplicant configuration:

    eapol_version=1
    update_config=1
    network={
    ssid="MUDPI"
    scan_ssid=1
    key_mgmt=IEEE8021X
    eap=TLS
    identity="theone"
    ca_cert="cacert.pem"
    client_cert="DEVICE1_cert.pem"
    private_key="DEVICE1_key.pem"
    private_key_passwd="whatever"
    }

    but when I try to connect I get the following error:

    wlp9s0: SME: Trying to authenticate with [MAC] (SSID='whatever' freq=2442 MHz)
    wlp9s0: Trying to associate with [MAC] (SSID='whatever' freq=2442 MHz)
    wlp9s0: CTRL-EVENT-ASSOC-REJECT bssid=[MAC] status_code=40

    Do you have any idea what I'm doing wrong?

Webmentions

  • Secure wireless FreeBSD router | [²fram:kan:t] January 31, 2019

    […] Lately I started to use the more secure WPA2 Enterprise and you can read about my configuration here […]