802.1x on Linux with xsupplicant

Many of the well-known problems in 802.11 security are quite old and can be addressed by using 802.1x appropriately. Here's the client side.
Running xsupplicant

Once xsupplicant is configured, you finally can authenticate to the network. Start by connecting to the network that you want to attach to with iwconfig and bringing up the interface. I have found that it helps to give xsupplicant a dummy WEP key so it knows that it will be connecting to an encrypted network as well. Three commands do the trick:

# iwconfig ath0 key 12345678901234567890123456
# iwconfig essid "batnet"
# ifconfig ath0 up

The wireless interface name is driver-dependent. My interface is ath0, but yours may not be.

In the current version of xsupplicant, it is mandatory to supply an interface with the -i option. When testing, I generally find it helpful to log debug messages with -d and keep the process in the foreground with -f. To see a full list of what can be printed, use --help:

# xsupplicant -w -dasic -i ath0 -f

Debug messages print out each frame that is sent and received, as well as provide processing information with each sent or received frame. At the end of the process, the key information is processed. For example, a dynamic WEP key looks like this:

Processing EAPoL-Key!
[INT] Key Descriptor   = 1
[INT] Key Length       = 13
[INT] Replay Counter   = 41 2F BB 2D 00 00 00 D6
[INT] Key IV           = 66 15 69 E2 B2 8C 0E 89 7C D3 94 8C 93 25 43 1B
[INT] Key Index (RAW)  = 80
[INT] Key Signature    = 49 C1 15 B8 E9 D0 87 53 A6 FD 5D 76 CB 51 9D 65
[INT] EAPoL Key Processed: unicast [1] 13 bytes.
[INT] Using peer key!
[INT] Successfully set WEP key [1]
[INT] Successfully set the WEP transmit key [1]

Configuring and Using WPA

WPA is triggered by a command-line option and is configured by two options in the global section of the configuration file. WPA allows you to specify the type of encryption used for unicast (pairwise) and broadcast or multicast (group) frames. Both options can be set in the configuration file and can take values of wep40, wep104, tkip, ccmp or wrap. At this point, however, only the RC4-based ciphers—WEP and TKIP—work reliably. Set up the two lines of configuration like this:

wpa_pairwise_cipher = tkip
wpa_group_cipher = tkip

  . . .

To use WPA at run time, you must have configured support in the driver for your card as well as the main configuration file. WPA is not simply the new encryption routines of TKIP and it does affect the association process and key distribution. Due to the level of driver support required, you need to specify a driver with the -D option, and you must use a driver that has WPA support compiled in:

# xsupplicant -dasic -i ath0 -D madwifi

Resources for this article: /article/8404.

Matthew Gast is the author of the leading technical book on wireless LANs, 802.11 Wireless Networks: The Definitive Guide (O'Reilly Media). He currently is Director of Consulting Engineering for an advanced wireless systems company, where he helps customers understand new security protocols and standards and how to use them to build secure wireless LANs. He can be reached at matthew.gast@gmail.com, but only when he is close to sea level.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Unable to get Xsupplicant to work

Satish's picture


I am not able to get Xsupplicant to work for me.
Can somebody help?

Here are the network details:
SSID (Network Name: TTUnet
WEP data encryption Enabled
Automatically provided WEP key Enabled
IEEE 802.1x authentication Enabled
EAP type: Protected EAP (PEAP)
Protected EAP Authentication Method Secured password (EAP-MSCHAP v2)
EAP MSCHAP v2 Properties - Automatically Login Disabled

Here is the content of my /etc/xsupplicant.conf

network_list = all
default_netname = TTUnet
startup_command = echo "some command"
first_auth_command = dhclient %i
reauth_command = echo "authenticated user %i"
logfile = /var/log/xsupplicant.log
allow_types = all
identity = msg
eap-peap {
root_cert = NONE
chunk_size = 1398
random_file = /path/to/random/source
allow_types = all # where all = MSCHAPv2, MD5, OTP, GTC, SIM
eap-mschapv2 {
username = user
password = "passwd"

And I am using SUSE Enterprise Desktop Linux 10
I have my wireless adapter configured and works well with normal WEP/WPA networks.


Xsupplicant error

Jack's picture

why I have this error with starting ?

syntax error:

startup_command = /sbin/iwconfig eth1 essid aeriusEAP enc open
General Parse error!
There was a problem with the config file. We cannot continue.

wrong version

Anonymous's picture

remove the command, if you are using version 1.2.6 like i am then that command doesn't work for some reason. Remove it and other like "first_auth_command", then give it a try.