Enforce Security - 802.1x

Ben benoitne at gmail.com
Fri Jan 16 05:12:44 EST 2015


Thanks Jouni!

On 15/01/2015 23:55, Jouni Malinen wrote:
> On Thu, Jan 15, 2015 at 08:00:41PM +0100, Ben wrote:
>> [WPA2 - EAP-TLS with integrated Radius & EAP Server ON]
>> I have been using hostapd for a long time and now I am testing multiple
>> options; everything is working except three things:
>>
>> -I am seeing that Authentication Algorithm needs to be open for
>> 802.1x so it seems that I need to use auth_alg=0 but it is only
>> working with auth_alg=3.
>> Can someone explain to me why? I think 3 would be to accept both
>> (802.1x and Shared key), but I would like to force it to 802.1x
>> only..
> # Bit fields of allowed authentication algorithms:
> # bit 0 = Open System Authentication
> # bit 1 = Shared Key Authentication (requires WEP)
> auth_algs=3
>
> Please note that "bit 0" = 1 and "bit 1" = 2. In other words, you should
> really use auth_algs=1 with WPA2-Enterprise. auth_algs=3 will work as
> well, since you cannot really use Shared Key Authentication with WPA2.

It makes sense now! I read the comment too quickly and did not realize that
it speaks about bits and not values!
I put auth_algs=1

>> -i80211w : I am able to join my network through an Android but
>> it is impossible with an iPhone. Has anyone been able to test it and make
>> it work?
> Which iOS version are you using?

Latest : iOS 8.1.2
>
>> As soon as I require it (ieee8021w=2) I get an issue when trying to
>> connect (log saying that I am authenticated but no more messages
>> after this)
> Which wpa_key_mgmt value did you use with ieee80211w=2? WPA-EAP-SHA256
> is the only option I'd expect to work here robustly.
Yes!
I also tried WPA-EAP (without SHA256) and it is working on Android device.
As soon as I put WPA-EAP-SHA256 my network is considered as a normal 
WPA2 network on my computer!
This is the reason why I am suspecting something missing on my hostapd 
to make it work properly?
>> -Can someone explain to me the role of Key Management Algorithms?
>> I am trying to change from WPA-EAP to WPA-EAP-SHA256 but as soon as
>> I do that my computer gets confused and detects my wireless network
>> as a normal WPA2 network and not an 802.1x one anymore...
>> Is there a prerequisite to make it work properly?
> What WLAN component and software do you use on your computer in this
> case? There are a number of deployed devices that have had issues with
> either multiple AKMs or PMF getting enabled.
>
I have tried on MacOS - iPhone - Android.
All with the default Wireless Network Management
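
The two configuration points from this thread (auth_algs is a bit field, and ieee80211w=2 paired with the WPA-EAP-SHA256 AKM) written as a small configuration check. This is an added example, not part of the original message or of hostapd; the function names, finding codes and sample configurations are constructed for illustration.

```python
# Added example: lint a hostapd.conf fragment for the two points raised in this thread.
AUTH_ALG_BITS = {0: "Open System", 1: "Shared Key (requires WEP)"}

def parse_conf(text):
    """Parse key=value lines, skipping blanks and '#' comments; last value wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def decode_auth_algs(value):
    """Names of the authentication algorithms enabled by an auth_algs bit field."""
    return [name for bit, name in AUTH_ALG_BITS.items() if value & (1 << bit)]

def lint(text):
    """Return a list of (code, message) findings for the thread's two checks."""
    conf, findings = parse_conf(text), []
    if "auth_algs" in conf:
        algs = int(conf["auth_algs"])
        if not algs & 1:  # "bit 0" has the value 1
            findings.append(("auth-algs-no-open",
                             "bit 0 (Open System) is not set; use auth_algs=1"))
        if algs & 2 and int(conf.get("wpa", "0")) & 2:  # "bit 1" has the value 2
            findings.append(("auth-algs-shared-key",
                             "bit 1 (Shared Key) is unusable with WPA2; use auth_algs=1"))
    akms = conf.get("wpa_key_mgmt", "").split()
    if conf.get("ieee80211w") == "2" and "WPA-EAP" in akms:
        findings.append(("pmf-required-akm",
                         "ieee80211w=2 with the WPA-EAP AKM; the reply in this "
                         "thread expects only WPA-EAP-SHA256 to work robustly"))
    return findings

# Constructed sample configurations (not taken from the poster's files).
AS_POSTED = """
auth_algs=3
wpa=2
ieee8021x=1
wpa_key_mgmt=WPA-EAP
ieee80211w=2
"""
AS_ADVISED = AS_POSTED.replace("auth_algs=3", "auth_algs=1").replace(
    "WPA-EAP", "WPA-EAP-SHA256")

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("as advised", AS_ADVISED)):
        print(name, decode_auth_algs(int(parse_conf(text)["auth_algs"])), lint(text))
```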