802.1x on Linux with xsupplicant

Many of the well-known problems in 802.11 security are quite old and can be addressed by using 802.1x appropriately. Here's the client side.
Running xsupplicant

Once xsupplicant is configured, you finally can authenticate to the network. Start by connecting to the network that you want to attach to with iwconfig and bringing up the interface. I have found that it helps to give xsupplicant a dummy WEP key so it knows that it will be connecting to an encrypted network as well. Three commands do the trick:

# iwconfig ath0 key 12345678901234567890123456
# iwconfig essid "batnet"
# ifconfig ath0 up

The wireless interface name is driver-dependent. My interface is ath0, but yours may not be.

In the current version of xsupplicant, it is mandatory to supply an interface with the -i option. When testing, I generally find it helpful to log debug messages with -d and keep the process in the foreground with -f. To see a full list of what can be printed, use --help:

# xsupplicant -w -dasic -i ath0 -f

Debug messages print out each frame that is sent and received, as well as provide processing information with each sent or received frame. At the end of the process, the key information is processed. For example, a dynamic WEP key looks like this:

Processing EAPoL-Key!
[INT] Key Descriptor   = 1
[INT] Key Length       = 13
[INT] Replay Counter   = 41 2F BB 2D 00 00 00 D6
[INT] Key IV           = 66 15 69 E2 B2 8C 0E 89 7C D3 94 8C 93 25 43 1B
[INT] Key Index (RAW)  = 80
[INT] Key Signature    = 49 C1 15 B8 E9 D0 87 53 A6 FD 5D 76 CB 51 9D 65
[INT] EAPoL Key Processed: unicast [1] 13 bytes.
[INT] Using peer key!
[INT] Successfully set WEP key [1]
[INT] Successfully set the WEP transmit key [1]

Configuring and Using WPA

WPA is triggered by a command-line option and is configured by two options in the global section of the configuration file. WPA allows you to specify the type of encryption used for unicast (pairwise) and broadcast or multicast (group) frames. Both options can be set in the configuration file and can take values of wep40, wep104, tkip, ccmp or wrap. At this point, however, only the RC4-based ciphers—WEP and TKIP—work reliably. Set up the two lines of configuration like this:

wpa_pairwise_cipher = tkip
wpa_group_cipher = tkip

network-config
{
  . . .
}

To use WPA at run time, you must have configured support in the driver for your card as well as the main configuration file. WPA is not simply the new encryption routines of TKIP and it does affect the association process and key distribution. Due to the level of driver support required, you need to specify a driver with the -D option, and you must use a driver that has WPA support compiled in:

# xsupplicant -dasic -i ath0 -D madwifi

Resources for this article: /article/8404.

Matthew Gast is the author of the leading technical book on wireless LANs, 802.11 Wireless Networks: The Definitive Guide (O'Reilly Media). He currently is Director of Consulting Engineering for an advanced wireless systems company, where he helps customers understand new security protocols and standards and how to use them to build secure wireless LANs. He can be reached at matthew.gast@gmail.com, but only when he is close to sea level.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Unable to get Xsupplicant to work

Satish's picture

Hi,

I am not able to get Xsupplicant to work for me.
Can somebody help?

Here are the network details:
SSID (Network Name: TTUnet
WEP data encryption Enabled
Automatically provided WEP key Enabled
IEEE 802.1x authentication Enabled
EAP type: Protected EAP (PEAP)
Protected EAP Authentication Method Secured password (EAP-MSCHAP v2)
EAP MSCHAP v2 Properties - Automatically Login Disabled

Here is the content of my /etc/xsupplicant.conf

network_list = all
default_netname = TTUnet
startup_command = echo "some command"
first_auth_command = dhclient %i
reauth_command = echo "authenticated user %i"
logfile = /var/log/xsupplicant.log
TTUnet
{
allow_types = all
identity = msg
eap-peap {
root_cert = NONE
chunk_size = 1398
random_file = /path/to/random/source
allow_types = all # where all = MSCHAPv2, MD5, OTP, GTC, SIM
eap-mschapv2 {
username = user
password = "passwd"
}
}
}

And I am using SUSE Enterprise Desktop Linux 10
I have my wireless adapter configured and works well with normal WEP/WPA networks.

Thanks

Xsupplicant error

Jack's picture

why I have this error with starting ?

===-------------------------------------------------------
syntax error:

startup_command = /sbin/iwconfig eth1 essid aeriusEAP enc open
^
General Parse error!
There was a problem with the config file. We cannot continue.

wrong version

Anonymous's picture

remove the command, if you are using version 1.2.6 like i am then that command doesn't work for some reason. Remove it and other like "first_auth_command", then give it a try.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix