top of page

Configuring 802.1X Authentication in Linux

By Eric Geier (NoWiresSecurity Founder & Owner)  - originally published on LinuxPlanet.com

 

In this tutorial, we'll first see how 802.1X authentication fits into the big picture of wireless LAN security. Then we'll configure the authentication settings in Ubuntu. Lastly, we'll review the manual configuration of 802.1X supplicants. Lets get started!

The transition from WEP to WPA to WPA2

Back when the vulnerabilities of WEP encryption for Wi-Fi networks were uncovered, the IEEE and wireless industry started developing new protocols and standards. They came up with the 802.11i, a standard to finally implement a fully secure encryption mechanism for wireless LANs. Before it was completed, the Wi-Fi Alliance released the Wi-Fi Protected Access (WPA) encryption standard, loosely based on 802.11i using RC4/TKIP for the underlying encryption. Later they released WPA2, which includes full support for 802.11i using CCMP/AES encryption.

As many news outlets have discussed lately, there have been more flaws found in the first version of WPA. However, unlike some reports say, it hasn't been cracked; full encryption keys or passphrases haven't been recovered. The flaws apply to the underlying RC4/TKIP encryption and affects both the Enterprise and PSK modes of the first version of WPA. This does not have anything to do with WPA2, which uses a fully secure CCMP/AES encryption. Though WPA currently provides adequate security, especially with long and mixed character passphrases, you should try to migrate to WPA2--and make sure you don't use WEP at all.

The two modes of Wi-Fi Protected Access

Both WPA and WPA2 can be used in two very different modes: Enterprise (802.1X/EAP) and Personal (PSK). In full WPA and WPA2 implementations, wireless clients authenticate themselves via the 802.1X/EAP protocol to an external RADIUS server, whereas the Personal mode doesn't. Though the Personal mode is much easier to setup and is fine for residential use, it is necessary to authenticate clients on business networks. Instead of entering static encryption keys into clients, the keys in the Enterprise mode are negotiated and changed automatically in the background after authentication when connecting to the network.

This dynamic keying of the Enterprise mode has real-world benefits. The actual encryption keys that unlock the Wi-Fi connections aren't stored on the computers like with the Personal mode. Therefore, if a computer is stolen, the thief doesn't have the keys to the network. Plus employees would never see the keys. They'd present a username and password, digital certificate, or smart card in order to access the network, which would be used in the 802.1X authentication. These credentials could be revoked by the network administrators as needed, unlike when using the Personal mode, where they'd have to change the encryption keys on all the computers.

802.1X supplicants

A fancy name for the client software that represents the client end of the authentication is a 802.1X supplicant. You input the credentials into the supplicant. The supplicant communicates with the authenticator, such as a wireless access point or switch, which then talks to the authentication (RADIUS) server.

So in order to connect to a 802.1X-enabled network, you must install a client. Years ago this wasn't the easiest task when using Linux. Cisco and Microsoft basically held the only supplicants. Even though open source supplicants were developed, they weren't very simple to configure. However, now some Linux distributions have integrated the 802.1X settings into the OS GUI, where configuring them and inputting the credentials is pretty trivial.

The two main 802.1X supplicants projects in Linux are Xsupplicant and wpa_supplicant. The Xsupplicant has been around since 2003 and is developed by Open1X and backed by the OpenSEA Alliance. The wpa_supplicant has been around since 2004 and is developed by Jouni Malinen and other contributors. Both clients run on Linux and Windows and have a GUI application in addition to text-based configuration. The wpa_supplicant project also supports BSD and Mac OS X.

 

Not only is Ubuntu 9.10 already loaded with the wpa_supplicant, its own networking GUI communicates directly with the supplicant. Configuring 802.1X authentication and connecting to WPA or WPA2 Enterprise networks in Ubuntu is pretty straightforward. When you're ready to connect, simply click the network icon on the top of the screen and select the network from the list.

If you're using a password-based EAP protocol, like the popular PEAPv0/EAP-MSCHAPv2, you'll be prompted to enter the authentication settings, such as seen in Figure 1. This also assumes the wireless card and driver supports WPA/WPA2.

 

First, verify Wireless Security is set to WPA & WPA2 Enterprise. Then choose the Authentication protocol that's supported by the authentication server, such as the popular PEAP protocol. Unless your authentication server is set to accept anonymous connections, ignore that setting.

Next you should choose a CA Certificate file, so the client can verify it's connecting to a legitimate authentication server before completing its authentication. Though you can skip this setting, it's recommended to validate the server's certificate for full security. If the authentication server is loaded with a SSL certificate purchased from a Certificate Authority like VeriSign or Godaddy, you'll have to download their public root certificates from their site since Ubuntu isn't already loaded with them like in Windows. If you created your own self signed certificates like with openssl, you need to select the root CA certificate that was created.

Now you can set the other settings for the EAP type you selected. If you selected PEAP, for example, you can leave the PEAP Version as Automatic and the Inner Authentication as MSCHAPv2.

Finally, input a Username and Password that's setup in the authentication server or backend database.

When you're done, click Connect. Give it a couple of seconds to complete the 802.1X process and it should successfully connect up to the network. If not, double-check the settings and check the debug or logs on the authentication server.

Configuring wpa_supplicant via the config file

If you've installed wpa_supplicant yourself, you can set it up via the configuration file. If the supplicant came with your Linux distribution, you still might choose to use the configuration file to fine-tune the authentication and encryption settings.

Here are a few general parameters you may want to set that apply to all networks you connect to:

 

  • eapol_version: Set to either 1 or 2. By default, wpa_supplicant uses version 2 of EAPOL, as specified in the IEEE 802.1X-2004 standard. However, some APs still support only the first version.

  • fast_reauth: Leave set to 1 to enable fast re-authentication for all supported EAP methods, or set to 2 to disable fast re-authentication.

 

You specify the details of networks you want to connect to in blocks using brackets. The supplicant will try to connect to the listed networks in the order they appear in. Before you take the time to configure all the settings, you might want to check if the supplicant is working fine with your wireless driver by connecting to an unencrypted AP first, using the following block:

 

# Connects to the specified open or unencrypted network

network = {

ssid="network_name"

key_mgmt=NONE

}

 

Before you configure more network blocks, let's review some of the possible fields you can use in them to configure the network settings:

 

  • ssid: This required field specifies the network name.

  • scan_ssid: When set to 1, this will add the SSID to the probe requests, in case you're connecting to a hidden network or an AP with multiple SSIDs.

  • key_mgmt: Possible options include WPA-PSK (requires the psk field), WPA-EAP, IEEE8021X (authentication with or without dynamically generated WEP keys), and NONE (for open or static WEP networks).

  • pairwise: If WPA is used, specify either CCMP (WPA2) or TKIP (WPA).

  • eap: Space-separated list of the acceptable EAP methods: MD5, MSCHAPV2, OTP, GTC, TLS, PEAP, or TTLS.

  • identity: String used for EAP identity, such as the username.

  • password: String used for the EAP password.

  • ca_cert: Full file path to CA certificate file in PEM or DER format, so the server certificate can be validated.

  • ca_path: Full path to a directory where there are CA certificate files in PEM format you want to be added to the trusted list, so the server certificate can be validated.

  • client_cert: Full file path to a client certificate file in PEM or DER format, so you can use EAP methods like TLS.

 

Now lets put some of these fields to use in some network block examples.

Here's an example of a network block configured to connect to a WPA-Enterprise network with 802.1X authentication (using the PEAP protocol which requires users to enter login credentials):

 

network = {

ssid="wpa-enterpise-peap example"

key_mgmt=WPA-EAP

pairwise=TKIP

group=TKIP

eap=PEAP

identity="user@your_domain"

password="your_password"

ca_cert="/etc/cert/ca.pem"

phase1="peapver=0"

phase2="MSCHAPV2"

}

 

For instance, this is an example of a network block configured to connect to a WPA2-Enterprise network with 802.1X authentication (using EAP-TLS which requires client and server certificates):

 

network = {

ssid="wpa2-enterpise-tls example"

key_mgmt=WPA-EAP

pairwise=CCMP

group=CCMP

eap=TLS

ca_cert="/etc/cert/ca.pem"

private_key="/etc/cert/user.p12"

private_key_passwd="PKCS#12 your_password"

}

 

Once you have the wpa_supplicant.conf file configured with the desired settings and network block(s), you can go ahead and give it a try. Here's an example of what you can run from the command-line:

 

wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant.conf

 

This runs the daemon in the background, uses the wlan0 network interface, and reads the configuration files from the etc directory. If you need additional help, run man wpa_supplicant to see it's manual. If you have any problems, try running the following command to see debugging information:

 

wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf -d

 

So you don't have to run these commands after every boot, consider adding the following to the file at /etc/network/interfaces:

 

auto wlan0

iface wlan0 inet dhcp

pre-up wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant.conf

post-down killall -q wpa_supplicant

 

Using the wpa_gui application

If the command-line isn't appealing, you can use wpa_gui. It's a graphical utility that you can use to configure most of the wpa_supplicant settings. Depending upon your Linux distribution, this may be installed with the wpa_supplicant package or may have to be installed from a separate wpa_gui package.

Figure 2 shows an example of wpa_gui in Ubuntu. It is basically a graphical version of the command-line and configuration file method. You can scan for networks and save profiles for them. Plus you can see the network status, review the event history, and configure WPS settings.


Getting more help

We reviewed only some aspects of wpa_supplicant. The project offers many more examples in a full configuration file. Plus you can communicate and search on their mailing list.

bottom of page