Enforce Security - 802.1x

Thu Jan 15 15:36:32 EST 2015

Ben wrote:
> Hi,
> 
> [WPA2 - EAP-TLS with integrated Radius & EAP Server ON]
> I am using hostapd for a long time and now I am testing multiple
> options, everything is working expect three things :
> 
> -I am seeing that Authentication Algorithm needs to be open for 802.1x
> so it seems that I need to use auth_alg=0 but it is only working with
> auth_alg=3.

For me, auth_algs=1 works pretty fine here.

        RSN:     * Version: 1
                 * Group cipher: CCMP
                 * Pairwise ciphers: CCMP
                 * Authentication suites: IEEE 802.1X IEEE 802.1X/SHA-256
                 * Capabilities: 16-PTKSA-RC MFP-capable (0x008c)
                 * 0 PMKIDs
                 * Group mgmt cipher suite: AES-128-CMAC

> Is someone can explain to me why ? I think 3 would be to accept both
> (802.1x and Shared key), but I would like to force it to 802.1x only..
> 
> -i80211w : I am able to join my network through an Android but
> impossible with an iPhone, anyone had been able to test it and make it
> work?
> As soon as I required it (ieee8021w=2) I am get into an issue to connect
> (log saying that I am authenticated but no more message after this)
> 
> -Someone can explain to me the role of Key Management Algorithms?
> I am trying to change from WPA-EAP to WPA-EAP-SHA256 but as soon as I do
> that my computer being confused and detects my wireless network as a
> normal WPA2 network and not a 802.1x anymore...
> Is there pre-requesite to make it work properly?

If it's a Linux STA: you need wpa_supplicant 2.3 and libnl 3.2. Libnl 1
and wpa_supplicant 2.0 is broken (here too).

Regards,
Andreas