wpa_supplicant on Windows & hostapd with integrated EAP server

Jouni Malinen jkmaline at cc.hut.fi
Sat Oct 14 23:24:00 EDT 2006


On Wed, Sep 20, 2006 at 01:32:32AM -0700, Tran Thanh Dinh wrote:

> I want to run a test of 802.1X with wpa_supplicant running on Windows and integrated EAP server on hostapd. Any method can be used but I prefer the simplest one (MD5???). I just want to see how the 802.1X works.

EAP-MD5 does not derive keying material, so it is not a very useful method
for wired networks.

> I wonder if there are any constraints in my test case. The README-Windows file of wpa_supplicant says that IEEE802.1X with dynamic WEP keys was tested. Does it mean EAP-MD5 is not supported for the Windows version, please?

I have not tested IEEE 802.1X authentication without encryption, but
with a wireless card on Windows, so I don't know whether this works or
not. EAP-MD5 works fine with wired cards on Windows, though.
 
> Here is the config file for eap_psk on hostapd side:
> eap_psk.conf
> driver=madwifi
> interface=ath0
> bridge=br0
> eap_server=1
> ssid=eap_psk_test
> ieee8021x=1
> eap_user_file=/etc/hostapd.eap_user
> logger_stdout=-1
> logger_stdout_level=0

The madwifi driver interface may not support unencrypted operation (i.e.,
either plaintext mode or IEEE 802.1X without encryption), so the problem
may be on the AP side and not in the client.


> On wpa_supplicant side, the config file used is: 
> eap_psk.conf
> ap_scan=1
> network={
> ssid="eap_psk_test"
> key_mgmt=IEEE8021X
> eap=MD5
> identity="psk"
> eappsk=0123456789abcdef0123456789abcdef
> }

This is an invalid configuration. EAP-MD5 needs a password, not eappsk. In
addition, you would need to add eapol_flags=0 if you are using IEEE
802.1X without dynamic WEP keys. This may also explain why the client
refuses to try to associate with the AP (the default eapol_flags setting
requires that the AP advertises encryption).

> I tried also with eap_leap. On hostapd side, I edited
> the /etc/hostapd.eap_user file as follows:
> 
> "leap" LEAP "leap"

hostapd does not support LEAP at all. LEAP is not a standards-compliant EAP
method and, in addition, it is not very secure, so there is not much
desire to add support for it into hostapd.

-- 
Jouni Malinen                                            PGP id EFC895FA
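
The two client-side changes described in the reply above (password instead of eappsk for EAP-MD5, and eapol_flags=0 when no dynamic WEP keys are used), written as a small check over the quoted wpa_supplicant network block. This is an added example, not part of the original message or of wpa_supplicant; the function names and the password value are assumptions made for illustration.

```python
import re

# Constructed sample: the client configuration quoted in the message.
ORIGINAL = '''
ap_scan=1
network={
ssid="eap_psk_test"
key_mgmt=IEEE8021X
eap=MD5
identity="psk"
eappsk=0123456789abcdef0123456789abcdef
}
'''

# Constructed sample: the same block with the two changes the reply asks for.
# The password value is a placeholder, not a value from the thread.
CORRECTED = ORIGINAL.replace("eappsk=0123456789abcdef0123456789abcdef",
                             'password="example-password"\neapol_flags=0')

def parse_networks(text):
    """Return one dict of key -> value for each network={...} block."""
    blocks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", text, re.S):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip()
        blocks.append(fields)
    return blocks

def lint_network(net):
    """Check one network block against the points made in the reply."""
    findings = []
    if "MD5" in net.get("eap", "").split():
        if "password" not in net:
            findings.append("eap=MD5 needs password")
        if "eappsk" in net:
            findings.append("eappsk is not used by EAP-MD5")
    if net.get("key_mgmt") == "IEEE8021X" and "eapol_flags" not in net:
        findings.append("eapol_flags not set: the default requires the AP to "
                        "advertise encryption; use eapol_flags=0 when no "
                        "dynamic WEP keys are used")
    return findings
```
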


