[clue-tech] Linux WPA accesspoint using hostapd?

Jim Ockers ockers at ockers.net
Wed Feb 2 16:11:07 MST 2005


Hi everyone,

I'm getting desperate so please answer if you think you have
anything like this working.

I have to set up a Linux accesspoint using WPA (wifi protected
access).  We have to have RADIUS as the back-end server so we
can use usernames and passwords as the means of access control.
The clients will be wpa_supplicant or Windows XP's 802.1x
supplicant.

THE ACCESS POINT IS LINUX.  Not Cisco, or anything else.  We
think we have to have a software solution that will fit inside
an existing Linux server with the addition of a PCI radio card.

I'm using madwifi (http://madwifi.sourceforge.net) as the Linux 
driver for the Atheros silicon radios.  I have Cisco and D-Link
cards with the Atheros chips.

I'm using hostapd (http://hostap.epitest.fi) as the 802.1x
authenticator and WPA key manager.  hostapd appears to fully
support madwifi.  wpa_supplicant also supports madwifi and is
from the same website.

I'm using freeradius as the RADIUS server.  www.freeradius.org.
Works great.

The client is madwifi with wpa_supplicant, or Windows XP SP1's
built-in supplicant.  I've got both for testing.

So I am trying to get the following to work:

WPA-EAP with 802.1x authorization
 EAP-PEAP authentication
  PEAP-TTLS with MSCHAPV2 phase2 authentication
  (where the client does not verify the server's certificate,
  but it could I guess)
WPA-EAP crypto key management
 TKIP group keys
 CCMP pairwise keys

I specifically don't want to use WPA-PSK (preshared key) 
authorization, because we want to have revocable username/password
pairs for access.  I don't really care how well WPA-PSK works
because I don't think I can use it.

Has anyone on this list gotten anything like this to work?  Anyone
currently working on anything like this?  I'd like to bounce config
files and ideas off someone or get some examples.  It seems that
most people who are using Linux WPA are using some commercial access
point and Linux as the client, or else they are using WPA-PSK which
is not really industrial strength security IMHO.

I've gotten parts of this to work and both wpa_supplicant and Windows
XP are able to associate and authenticate to the AP.  However the
network doesn't work, and the keying is a problem.  The TKIP key
rotation is really important to this function.

An important clue is that with MSCHAPV2 the password has to be the
NT-hash or else the RADIUS server says access denied, but luckily 
smbpasswd will generate the NT hash passwords.

Thanks,
Jim

P.S. I've tried the madwifi WPA CVS branch but it appears that hostapd
(compiled against the madwifi trunk, not the WPA branch) has a richer
WPA featureset at this time.

-- 
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: please see http://www.ockers.net/


