OpenBSD Journal

WPA Enterprise mode for OpenBSD

Contributed by jj on from the puffy-is-the-captain-of-the-wpa2-enterprise dept.

After seeing discussions on misc@ about where wpa_supplicant would and would not work, Mark Kettenis (kettenis@) decided to take a look at wpa2-enterprise mode for wifi.

This is what he wrote:
The recent rantings on misc@ made me look at getting this to work once more. And this time I got it to work, sortof.
The approach uses wpa_supplicant, but since the OpenBSD net80211 stack takes care of most of the key management (including the so-called 4-way handshake) we only really need it to do the IEEE 802.1X EAP authentication for us and have it insert the pairwise master key (PMK) into the net80211 stack. To do this I wrote a very simple OpenBSD "driver" for wpa_supplicant that implements the bare essentials.
As my driver doesn't support scanning for APs and configuring the interface you need to configure the interface yourself. Since you authenticate against a specific AP, it's best to explicitly configure the desired BSSID. You'll need to explicitly configure 802.1x authentication.
You'll end up with something like:
  # ifconfig rsu0 nwid humppa bssid 11:22:33:44:55:66 wpa wpaakms 802.1x up
Give it a couple of seconds to associate with the AP, and start wpa_supplicant:
  # wpa_supplicant -i rsu0 -c /etc/wpa_supplicant.conf
The wpa_supplicant program will print some messages about the authenticaton process. If authentication is successful, this should end with something like:
rsu0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
rsu0: CTRL-EVENT-CONNECTED - Connection to 11:22:33:44:55:66 completed [id=0 id_str=]
At that point ifconfig(8) should report the link status as "active". Here is my /etc/wpa_supplicant.conf. You'll probably have to tweak the "eap" line to match whatever the network you're connecting to is using. And obviously you'll have to change the "ssid", "identity" and "password" lines.
# $OpenBSD: wpa_supplicant.conf,v 1.1 2007/07/01 19:50:57 reyk Exp $
# Sample wpa_supplicant configuration file for wired IEEE 802.1x
# port authentication. See wpa_supplicant.conf(5).

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0

network={
	ssid="humppa"
	key_mgmt=WPA-EAP
	eap=TTLS PEAP
	identity="user"
	password="password"
}
Here is my .config file for building wpa_supplicant:
CONFIG_DRIVER_OPENBSD=y
CONFIG_DRIVER_WIRED=y
CONFIG_IEEE8021X_EAPOL=y
CONFIG_EAP_MD5=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_TLS=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_GTC=y
CONFIG_EAP_OTP=y
CONFIG_EAP_LEAP=y
CONFIG_PKCS12=y
CONFIG_SMARTCARD=y
CONFIG_CTRL_IFACE=y
CONFIG_BACKEND=file
CONFIG_PEERKEY=y

The wpa_supplicant port was just updated to 2.0 with the appropriate patches applied.

(Comments are closed)


  1. By Simon Lundström (simmel) simmel@soy.se on

    eduroam working on OpenBSD, hoooooo! ; P

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]