802.1x on Linux with xsupplicant

Many of the well-known problems in 802.11 security are quite old and can be addressed by using 802.1x appropriately. Here's the client side.
Running xsupplicant

Once xsupplicant is configured, you finally can authenticate to the network. Start by connecting to the network that you want to attach to with iwconfig and bringing up the interface. I have found that it helps to give xsupplicant a dummy WEP key so it knows that it will be connecting to an encrypted network as well. Three commands do the trick:

# iwconfig ath0 key 12345678901234567890123456
# iwconfig essid "batnet"
# ifconfig ath0 up

The wireless interface name is driver-dependent. My interface is ath0, but yours may not be.

In the current version of xsupplicant, it is mandatory to supply an interface with the -i option. When testing, I generally find it helpful to log debug messages with -d and keep the process in the foreground with -f. To see a full list of what can be printed, use --help:

# xsupplicant -w -dasic -i ath0 -f

Debug messages print out each frame that is sent and received, as well as provide processing information with each sent or received frame. At the end of the process, the key information is processed. For example, a dynamic WEP key looks like this:

Processing EAPoL-Key!
[INT] Key Descriptor   = 1
[INT] Key Length       = 13
[INT] Replay Counter   = 41 2F BB 2D 00 00 00 D6
[INT] Key IV           = 66 15 69 E2 B2 8C 0E 89 7C D3 94 8C 93 25 43 1B
[INT] Key Index (RAW)  = 80
[INT] Key Signature    = 49 C1 15 B8 E9 D0 87 53 A6 FD 5D 76 CB 51 9D 65
[INT] EAPoL Key Processed: unicast [1] 13 bytes.
[INT] Using peer key!
[INT] Successfully set WEP key [1]
[INT] Successfully set the WEP transmit key [1]

Configuring and Using WPA

WPA is triggered by a command-line option and is configured by two options in the global section of the configuration file. WPA allows you to specify the type of encryption used for unicast (pairwise) and broadcast or multicast (group) frames. Both options can be set in the configuration file and can take values of wep40, wep104, tkip, ccmp or wrap. At this point, however, only the RC4-based ciphers—WEP and TKIP—work reliably. Set up the two lines of configuration like this:

wpa_pairwise_cipher = tkip
wpa_group_cipher = tkip

network-config
{
  . . .
}

To use WPA at run time, you must have configured support in the driver for your card as well as the main configuration file. WPA is not simply the new encryption routines of TKIP and it does affect the association process and key distribution. Due to the level of driver support required, you need to specify a driver with the -D option, and you must use a driver that has WPA support compiled in:

# xsupplicant -dasic -i ath0 -D madwifi

Resources for this article: /article/8404.

Matthew Gast is the author of the leading technical book on wireless LANs, 802.11 Wireless Networks: The Definitive Guide (O'Reilly Media). He currently is Director of Consulting Engineering for an advanced wireless systems company, where he helps customers understand new security protocols and standards and how to use them to build secure wireless LANs. He can be reached at matthew.gast@gmail.com, but only when he is close to sea level.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Unable to get Xsupplicant to work

Satish's picture

Hi,

I am not able to get Xsupplicant to work for me.
Can somebody help?

Here are the network details:
SSID (Network Name: TTUnet
WEP data encryption Enabled
Automatically provided WEP key Enabled
IEEE 802.1x authentication Enabled
EAP type: Protected EAP (PEAP)
Protected EAP Authentication Method Secured password (EAP-MSCHAP v2)
EAP MSCHAP v2 Properties - Automatically Login Disabled

Here is the content of my /etc/xsupplicant.conf

network_list = all
default_netname = TTUnet
startup_command = echo "some command"
first_auth_command = dhclient %i
reauth_command = echo "authenticated user %i"
logfile = /var/log/xsupplicant.log
TTUnet
{
allow_types = all
identity = msg
eap-peap {
root_cert = NONE
chunk_size = 1398
random_file = /path/to/random/source
allow_types = all # where all = MSCHAPv2, MD5, OTP, GTC, SIM
eap-mschapv2 {
username = user
password = "passwd"
}
}
}

And I am using SUSE Enterprise Desktop Linux 10
I have my wireless adapter configured and works well with normal WEP/WPA networks.

Thanks

Xsupplicant error

Jack's picture

why I have this error with starting ?

===-------------------------------------------------------
syntax error:

startup_command = /sbin/iwconfig eth1 essid aeriusEAP enc open
^
General Parse error!
There was a problem with the config file. We cannot continue.

wrong version

Anonymous's picture

remove the command, if you are using version 1.2.6 like i am then that command doesn't work for some reason. Remove it and other like "first_auth_command", then give it a try.

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState