Contributed by jj on from the puffy-is-the-captain-of-the-wpa2-enterprise dept.
This is what he wrote:
The recent rantings on misc@ made me look at getting this to work once more. And this time I got it to work, sort of. You'll end up with something like:
The approach uses wpa_supplicant, but since the OpenBSD net80211 stack takes care of most of the key management (including the so-called 4-way handshake) we only really need it to do the IEEE 802.1X EAP authentication for us and have it insert the pairwise master key (PMK) into the net80211 stack. To do this I wrote a very simple OpenBSD "driver" for wpa_supplicant that implements the bare essentials.
As my driver doesn't support scanning for APs and configuring the interface you need to configure the interface yourself. Since you authenticate against a specific AP, it's best to explicitly configure the desired BSSID. You'll need to explicitly configure 802.1x authentication.
# ifconfig rsu0 nwid humppa bssid 11:22:33:44:55:66 wpa wpaakms 802.1x up
Give it a couple of seconds to associate with the AP, and start wpa_supplicant:
# wpa_supplicant -i rsu0 -c /etc/wpa_supplicant.conf
The wpa_supplicant program will print some messages about the authentication process. If authentication is successful, this should end with something like:
rsu0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
rsu0: CTRL-EVENT-CONNECTED - Connection to 11:22:33:44:55:66 completed [id=0 id_str=]

At that point ifconfig(8) should report the link status as "active". Here is my /etc/wpa_supplicant.conf. You'll probably have to tweak the "eap" line to match whatever the network you're connecting to is using. And obviously you'll have to change the "ssid", "identity" and "password" lines.
# $OpenBSD: wpa_supplicant.conf,v 1.1 2007/07/01 19:50:57 reyk Exp $
# Sample wpa_supplicant configuration file for wired IEEE 802.1x
# port authentication. See wpa_supplicant.conf(5).
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
network={
    ssid="humppa"
    key_mgmt=WPA-EAP
    eap=TTLS PEAP
    identity="user"
    password="password"
}

Here is my .config file for building wpa_supplicant:
CONFIG_DRIVER_OPENBSD=y
CONFIG_DRIVER_WIRED=y
CONFIG_IEEE8021X_EAPOL=y
CONFIG_EAP_MD5=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_TLS=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_GTC=y
CONFIG_EAP_OTP=y
CONFIG_EAP_LEAP=y
CONFIG_PKCS12=y
CONFIG_SMARTCARD=y
CONFIG_CTRL_IFACE=y
CONFIG_BACKEND=file
CONFIG_PEERKEY=y
The wpa_supplicant port was just updated to 2.0 with the appropriate patches applied.
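The sample network block above sets no ca_cert or ca_path, and wpa_supplicant does not verify the authentication server's certificate for TLS, TTLS or PEAP unless one of them is configured. The following check is an added example, not part of the original post or the port; the function names, file names and CA path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report wpa_supplicant network
# blocks that use a certificate-based EAP method but configure no trust anchor.
audit_wpa_conf() {  # $1 = config path; exit status 1 if any block is flagged
    awk '
        /^[ \t]*#/ { next }                               # comment line
        /^[ \t]*network[ \t]*=[ \t]*[{]/ { inblk = 1; ssid = "?"; eap = ""; ca = 0; next }
        inblk && /^[ \t]*[}]/ {                           # end of block: decide
            if (eap ~ /TLS|PEAP/ && !ca) {                # matches TLS, TTLS, PEAP
                printf "%s: eap=%s but no ca_cert/ca_path\n", ssid, eap
                bad++
            }
            inblk = 0; next
        }
        inblk {                                           # key=value inside a block
            line = $0; sub(/^[ \t]+/, "", line)
            eq = index(line, "="); if (eq == 0) next
            key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
            if (key == "ssid") ssid = val
            else if (key == "eap") eap = val
            else if (key == "ca_cert" || key == "ca_path") ca = 1
        }
        END { exit (bad > 0) }
    ' "$1"
}

write_samples() {  # $1 = directory; both files are constructed sample input
    cat > "$1/weak.conf" <<'EOF'
network={
    ssid="humppa"
    key_mgmt=WPA-EAP
    eap=TTLS PEAP
    identity="user"
    password="password"
}
EOF
    # Same block plus a trust anchor; the CA path is a placeholder.
    { sed '$d' "$1/weak.conf"; printf '    ca_cert="/path/to/radius-ca.pem"\n}\n'; } > "$1/pinned.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_wpa_conf "$tmp/weak.conf" || echo "weak.conf: flagged"
audit_wpa_conf "$tmp/pinned.conf" && echo "pinned.conf: ok"
rm -rf "$tmp"
```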