Hostapd RADIUS server configuration

Husam Ismail .. mrhusam at hotmail.com
Tue May 6 13:50:31 EDT 2014


Thanks for your response Mathy. What I am trying to utilize here is the integrated RADIUS authentication server. Here is my configuration file:
interface=wlan0
driver=nl80211
ssid=Test
ignore_broadcast_ssid=1
eap_server=1
# Path for EAP server user database
eap_user_file=/etc/hostapd.eap_user
# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
ca_cert=/etc/certificates/cacert.pem
# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
server_cert=/etc/certificates/newcert.pem
# private_key.
private_key=/etc/certificates/newkey.pem
# Passphrase for private key
private_key_passwd=pass
own_ip_addr=127.0.0.1
# RADIUS authentication server
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=pass
radius_server_clients=/etc/hostapd.radius_clients
radius_server_auth_port=1812

You are right. Since I didn't have these two lines, it was behaving as an open network. So now I have added these lines:
wpa=3
wpa_key_mgmt=WPA-EAP
Since I don't get it yet (and I really appreciate your help), what is the next step? Configure the client with the CA cert and the public key, I think; is that right? Any thoughts?
Thanks
> From: vanhoefm at gmail.com
> Date: Tue, 6 May 2014 18:14:02 +0200
> Subject: Re: Hostapd RADIUS server configuration
> To: mrhusam at hotmail.com
> CC: hostap at lists.shmoo.com
> 
> What is your complete configuration file? Have you included the
> following two lines?
> 
> wpa=3
> wpa_key_mgmt=WPA-EAP
> 
> These enable WPA/RSN and configure the authentication mechanism.
> Otherwise it might just be an open network.
> 
> On Tue, May 6, 2014 at 5:52 PM, Husam Ismail .. <mrhusam at hotmail.com> wrote:
> > Here is what I have on hostapd.eap_user:
> >
> > # Phase 1 users
> > "user" MD5 "password"
> > "test user" MD5 "secret"
> > "example user" TLS
> > "DOMAIN\user" MSCHAPV2 "password"
> > "gtc user" GTC "password"
> > #"pax user" PAX "unknown"
> > #"pax.user at example.com" PAX 0123456789abcdef0123456789abcdef
> > #"psk user" PSK "unknown"
> > #"psk.user at example.com" PSK 0123456789abcdef0123456789abcdef
> > #"sake.user at example.com" SAKE
> > 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
> > "ttls" TTLS
> > "not anonymous" PEAP
> > # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
> > #"0"* AKA,TTLS,TLS,PEAP,SIM
> > #"1"* SIM,TTLS,TLS,PEAP,AKA
> > #"2"* AKA,TTLS,TLS,PEAP,SIM
> > #"3"* SIM,TTLS,TLS,PEAP,AKA
> > #"4"* AKA,TTLS,TLS,PEAP,SIM
> > #"5"* SIM,TTLS,TLS,PEAP,AKA
> >
> > # Wildcard for all other identities
> > #* PEAP,TTLS,TLS,SIM,AKA
> > * PEAP,TTLS,TLS
> >
> > # Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
> > "t-md5" MD5 "password" [2]
> > "DOMAIN\t-mschapv2" MSCHAPV2 "password" [2]
> > "t-gtc" GTC "password" [2]
> > "not anonymous" MSCHAPV2 "password" [2]
> > "user" MD5,GTC,MSCHAPV2 "password" [2]
> > "test user" MSCHAPV2 hash:000102030405060708090a0b0c0d0e0f [2]
> > "ttls-user" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "password" [2]
> >
> > # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2
> > #"0"* AKA [2]
> > #"1"* SIM [2]
> > #"2"* AKA [2]
> > #"3"* SIM [2]
> > #"4"* AKA [2]
> > #"5"* SIM [2]
> >
> >
> > Problem is, I can connect to the wireless network and access the server
> > without the use of any password or certifications. What do I miss here?
> >
> >
> > _______________________________________________
> > HostAP mailing list
> > HostAP at lists.shmoo.com
> > http://lists.shmoo.com/mailman/listinfo/hostap
> >
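The point Mathy makes above (eap_server=1 on its own does not make hostapd require 802.1X; without wpa= and wpa_key_mgmt= the BSS is open) is easy to check mechanically. The following Python script is an added example for this thread, not code from hostapd or from either poster: it parses hostapd's key=value format and flags the open-network condition. The two sample configurations are constructed from the one posted above (the private key passphrase is replaced with a placeholder), and the function names and severity labels are my own.

```python
"""Lint a hostapd.conf for the misconfiguration discussed in this thread:
eap_server=1 with no wpa=/wpa_key_mgmt=, which leaves the SSID open.
Added example, not part of hostapd; sample configs are constructed."""


def parse_hostapd_conf(text):
    """Parse hostapd's key=value format. Blank lines and '#' comments are
    skipped; a repeated scalar key keeps its last value, as hostapd does.
    Multi-valued options such as wpa_key_mgmt stay as one string."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_eap_access_control(conf):
    """Return (severity, message) tuples explaining why stations might
    associate without being authenticated by the integrated EAP server."""
    findings = []
    wpa = conf.get("wpa", "0")               # hostapd default: WPA/RSN disabled
    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    eap_server = conf.get("eap_server") == "1"

    if wpa == "0":
        findings.append(("HIGH", "wpa is unset or 0: the SSID is an open network; "
                                 "eap_server=1 alone does not require 802.1X"))
    elif "WPA-EAP" not in key_mgmt:
        findings.append(("HIGH", "wpa_key_mgmt does not include WPA-EAP: the "
                                 "integrated EAP server is not used for station auth"))
    elif wpa in ("1", "3"):
        findings.append(("INFO", "wpa=%s also permits WPA (v1); wpa=2 restricts "
                                 "the BSS to RSN/WPA2" % wpa))

    if eap_server and "eap_user_file" not in conf:
        findings.append(("HIGH", "eap_server=1 but no eap_user_file: "
                                 "no user can be authenticated"))
    if conf.get("ignore_broadcast_ssid") == "1" and wpa == "0":
        findings.append(("INFO", "ignore_broadcast_ssid=1 only hides the SSID; "
                                 "it is not access control"))
    return findings


def lint(text):
    """Convenience wrapper: parse then check."""
    return check_eap_access_control(parse_hostapd_conf(text))


# Constructed reproduction of the configuration posted in the thread
# (RADIUS-client options omitted, passphrase replaced with a placeholder).
POSTED_CONF = """\
interface=wlan0
driver=nl80211
ssid=Test
ignore_broadcast_ssid=1
eap_server=1
# Path for EAP server user database
eap_user_file=/etc/hostapd.eap_user
ca_cert=/etc/certificates/cacert.pem
server_cert=/etc/certificates/newcert.pem
private_key=/etc/certificates/newkey.pem
private_key_passwd=PLACEHOLDER
own_ip_addr=127.0.0.1
"""

# The same file with the two lines suggested in the reply added.
FIXED_CONF = POSTED_CONF + "wpa=3\nwpa_key_mgmt=WPA-EAP\n"

if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print("==", name)
        for severity, message in lint(text):
            print(severity, message)
```

Run it against a real file with lint(open("/etc/hostapd/hostapd.conf").read()). For the posted configuration it reports the open network (plus a note that hiding the SSID is not access control); after the two lines are added it only remarks that wpa=3 still allows WPA (v1) alongside WPA2.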