Creating PSK or EAP Networks
This assumes a basic understanding of hostapd.conf files. If you don’t have that, please read simplest hostapd.conf.
Clients will not automatically connect to a network, even if the name matches one they are looking for, if the security configuration of that network does not match what they expect (i.e. WPA-EAP or WPA/WPA2-PSK). Additionally, impersonating secure networks can allow the interception of crackable credentials from the clients.
Creating PSK networks is as simple as adding the following lines to the wlan’s config:
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=ASecurePassword
auth_algs=3
A full simple config for the above setup based on the simplest hostapd.conf would look like:
interface=wlan0
ssid=PSKNet
channel=6
hw_mode=g
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=ASecurePassword
auth_algs=3
Creating an EAP network is slightly more complicated due to the additional options it requires; the simplest EAP configuration could look like:
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_algs=3
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=ca.pem
server_cert=server.pem
private_key=server.key
private_key_passwd=
dh_file=dhparam.pem
You’ll notice that several files are required and that the private key isn’t encrypted (hence the blank private_key_passwd). These files can be named whatever you like (the names here are merely examples) and would ideally be given as absolute paths. You only need to do this setup once:
- ca.pem, server.pem, server.key - These are certificates and a private key in PEM format. You can generate or purchase these. The following openssl commands will do it for you too:
openssl genrsa -out server.key 2048
openssl req -new -sha256 -key server.key -out csr.csr
openssl req -x509 -sha256 -days 365 -key server.key -in csr.csr -out server.pem
ln -s server.pem ca.pem
- hostapd.eap_user - This is the RADIUS server’s authentication configuration, detailed below.
- dhparam.pem - These are the Diffie-Hellman parameters. They can be generated with
openssl dhparam 2048 > dhparam.pem
The format of the hostapd.eap_user file can be quite complicated. Given that our primary purpose is to allow any user to connect, we can use a simple permissive configuration:
* PEAP,TTLS,TLS,MD5,GTC
"t" TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP "1234test" [2]
The top line handles "outer authentication" (phase 1) or, in the case of non-tunnelled EAP modes, the only authentication. The bottom line handles the inner (phase 2) EAP modes. For the inner EAP mode we assume a username of "t", because MANA and hostapd-wpe translate the incoming username to "t" so that it always matches this entry. Inner auth is indicated by the [2] at the end of the line.
There are other EAP modes, but these are the ones for which MANA has implemented credential capture.
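As an added example (not part of this wiki or the MANA project), a small Python parser for the hostapd.eap_user format above, with a lookup that mirrors how hostapd matches an identity per phase: the wildcard line answers any outer identity, while the inner line only matches "t", so an inner username that has not been rewritten finds no entry. The sample file contents are constructed from the two lines above.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the permissive two-line hostapd.eap_user shown on this page.
SAMPLE_EAP_USER = '''
# phase 1 (outer, or the only phase for non-tunnelled methods): any identity
* PEAP,TTLS,TLS,MD5,GTC
# phase 2 (inner, marked by [2]): only identity "t", with its password
"t" TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP "1234test" [2]
'''

@dataclass
class EapUser:
    identity: Optional[str]   # None represents the "*" wildcard
    methods: List[str]
    password: Optional[str]
    phase2: bool

def _unquote(tok: str) -> str:
    # Identities and passwords are either "quoted" strings or bare hex-encoded bytes.
    if len(tok) >= 2 and tok.startswith('"') and tok.endswith('"'):
        return tok[1:-1]
    if re.fullmatch(r"[0-9a-fA-F]+", tok) and len(tok) % 2 == 0:
        return bytes.fromhex(tok).decode("latin-1")
    raise ValueError(f"malformed value: {tok!r}")

def parse_eap_user(text: str) -> List[EapUser]:
    users = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comment lines
            continue
        toks = shlex.split(line, posix=False)     # posix=False keeps the quotes on tokens
        phase2 = toks[-1] == "[2]"
        if phase2:
            toks = toks[:-1]
        if len(toks) not in (2, 3):               # identity, methods[, password]
            raise ValueError(f"malformed entry: {raw!r}")
        identity = None if toks[0] == "*" else _unquote(toks[0])
        password = _unquote(toks[2]) if len(toks) == 3 else None
        users.append(EapUser(identity, toks[1].split(","), password, phase2))
    return users

def lookup(users: List[EapUser], identity: str, phase2: bool) -> Optional[EapUser]:
    # An exact identity match for the requested phase wins; otherwise a "*" entry
    # for that phase matches anyone. No entry means the authentication fails.
    for u in users:
        if u.phase2 == phase2 and u.identity == identity:
            return u
    for u in users:
        if u.phase2 == phase2 and u.identity is None:
            return u
    return None
```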