Configuring Strong Wi-Fi (802.1X) Authentication in Linux, Part II

Supplicants and Authentication

Last month, we discovered 802.1X authentication and how it works with encryption techniques to secure wireless networks. We learned WEP encryption is dead, WPA is okay, and WPA2 is the best. We found that the Wi-Fi Protected Access versions can be used in two very different modes: Personal (PSK) which is easy to setup and Enterprise which uses 802.1X authentication to provide adequate security for business networks.

In the previous part, we also discovered the two main 802.1X supplicants (clients): Xsupplicant and wpa_supplicant. We used wpa_supplicant via Ubuntu's networking GUI. Now we're going to discuss how to manually configure wpa_supplicant using it's configuration file, in case your Linux distribution doesn't interface with the supplicant.

Configuring wpa_supplicant via the config file

If you've installed wpa_supplicant yourself, you can set it up via the configuration file. If the supplicant came with your Linux distribution, you still might choose to use the configuration file to fine-tune the authentication and encryption settings.

Here are a few general parameters you may want to set that apply to all networks you connect to:

• eapol_version: Set to either 1 or 2. By default, wpa_supplicant uses version 2 of EAPOL, as specified in the IEEE 802.1X-2004 standard. However, some APs still support only the first version.
• fast_reauth: Leave set to 1 to enable fast re-authentication for all supported EAP methods, or set to 2 to disable fast re-authentication.

You specify the details of networks you want to connect to in blocks using brackets. The supplicant will try to connect to the listed networks in the order they appear in. Before you take the time to configure all the settings, you might want to check if the supplicant is working fine with your wireless driver by connecting to an unencrypted AP first, using the following block:

# Connects to the specified open or unencrypted network

network = {

ssid="network_name"

key_mgmt=NONE

}

Before you configure more network blocks, let's review some of the possible fields you can use in them to configure the network settings:

• ssid: This required field specifies the network name.
• scan_ssid: When set to 1, this will add the SSID to the probe requests, in case you're connecting to a hidden network or an AP with multiple SSIDs.
• key_mgmt: Possible options include WPA-PSK (requires the psk field), WPA-EAP, IEEE8021X (authentication with or without dynamically generated WEP keys), and NONE (for open or static WEP networks).
• pairwise: If WPA is used, specify either CCMP (WPA2) or TKIP (WPA).
• eap: Space-separated list of the acceptable EAP methods: MD5, MSCHAPV2, OTP, GTC, TLS, PEAP, or TTLS.
• identity: String used for EAP identity, such as the username.
• password: String used for the EAP password.
• ca_cert: Full file path to CA certificate file in PEM or DER format, so the server certificate can be validated.
• ca_path: Full path to a directory where there are CA certificate files in PEM format you want to be added to the trusted list, so the server certificate can be validated.
• client_cert: Full file path to a client certificate file in PEM or DER format, so you can use EAP methods like TLS.

Now lets put some of these fields to use in some network block examples.

Here's an example of a network block configured to connect to a WPA-Enterprise network with 802.1X authentication (using the PEAP protocol which requires users to enter login credentials):

network = {

ssid="wpa-enterpise-peap example"

key_mgmt=WPA-EAP

pairwise=TKIP

group=TKIP

eap=PEAP

identity="user@your_domain"

password="your_password"

ca_cert="/etc/cert/ca.pem"

phase1="peapver=0"

phase2="MSCHAPV2"

}

For instance, this is an example of a network block configured to connect to a WPA2-Enterprise network with 802.1X authentication (using EAP-TLS which requires client and server certificates):

network = {

ssid="wpa2-enterpise-tls example"

key_mgmt=WPA-EAP

pairwise=CCMP

group=CCMP

eap=TLS

ca_cert="/etc/cert/ca.pem"

private_key="/etc/cert/user.p12"

private_key_passwd="PKCS#12 your_password"

}