{"id":542,"date":"2012-05-16T23:38:27","date_gmt":"2012-05-16T15:38:27","guid":{"rendered":"http:\/\/www.q-station.net\/kb\/?p=542"},"modified":"2012-05-16T23:38:27","modified_gmt":"2012-05-16T15:38:27","slug":"hostapd-802-1x-freeradius","status":"publish","type":"post","link":"https:\/\/kb.q-station.net\/index.php\/2012\/05\/16\/hostapd-802-1x-freeradius\/","title":{"rendered":"hostapd & 802.1x & freeradius"},"content":{"rendered":"

Setting up an AP which accept PEAP\/MSCHAPv2 authentication using Linux with a ‘Master Mode-able’ wifi device, sometimes, is not quite worth. Using ready-made network appliance should be more easy and stable. However, setting up a RADIUS server to terminate the PEAP\/MSCHAPv2 request can’t be avoided.
\n
\nHardware: TP-Link TL-WN722N USB wireless stick
\nOS: Slackware 13.37
\nSoftware: hostapd, freeradius<\/p>\n

Suppose, your Linux could use the USB wireless stick without problem, e.g., wlan0 interface is up. You may refer this post<\/a> to install necessary driver to use the stick.<\/p>\n

Setup hostapd<\/h1>\n

Take the following as reference for the hostapd.conf,<\/p>\n

\r\ninterface=wlan0\r\ndriver=nl80211\r\nlogger_syslog=-1\r\nlogger_syslog_level=2\r\nlogger_stdout=-1\r\nlogger_stdout_level=0\r\ndump_file=\/tmp\/hostapd.dump\r\nctrl_interface=\/var\/run\/hostapd\r\nctrl_interface_group=0\r\nssid=linuxtest802x1\r\nhw_mode=g\r\nchannel=11\r\nbeacon_int=100\r\ndtim_period=2\r\nmax_num_sta=255\r\nrts_threshold=2347\r\nfragm_threshold=2346\r\nmacaddr_acl=0\r\nauth_algs=3\r\nignore_broadcast_ssid=0\r\nwmm_enabled=1\r\nwmm_ac_bk_cwmin=4\r\nwmm_ac_bk_cwmax=10\r\nwmm_ac_bk_aifs=7\r\nwmm_ac_bk_txop_limit=0\r\nwmm_ac_bk_acm=0\r\nwmm_ac_be_aifs=3\r\nwmm_ac_be_cwmin=4\r\nwmm_ac_be_cwmax=10\r\nwmm_ac_be_txop_limit=0\r\nwmm_ac_be_acm=0\r\nwmm_ac_vi_aifs=2\r\nwmm_ac_vi_cwmin=3\r\nwmm_ac_vi_cwmax=4\r\nwmm_ac_vi_txop_limit=94\r\nwmm_ac_vi_acm=0\r\nwmm_ac_vo_aifs=2\r\nwmm_ac_vo_cwmin=2\r\nwmm_ac_vo_cwmax=3\r\nwmm_ac_vo_txop_limit=47\r\nwmm_ac_vo_acm=0\r\nieee80211n=1\r\nht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40]\r\nieee8021x=1\r\neapol_version=2\r\neap_message=hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com\r\nwep_key_len_broadcast=13\r\nwep_key_len_unicast=13\r\nwep_rekey_period=3600\r\neapol_key_index_workaround=0\r\neap_reauth_period=3600\r\neap_server=0\r\nown_ip_addr=127.0.0.1\r\nnas_identifier=ap.q-station.net\r\nauth_server_addr=127.0.0.1\r\nauth_server_port=1812\r\nauth_server_shared_secret=testing123\r\nacct_server_addr=127.0.0.1\r\nacct_server_port=1813\r\nacct_server_shared_secret=testing123\r\nwpa=3\r\nwpa_key_mgmt=WPA-EAP\r\nwpa_pairwise=CCMP\r\nrsn_pairwise=CCMP\r\n<\/pre>\n
Freeradius<\/h1>\n
    \n
  • Ensure following is defined in authorize<\/strong> session in sites-enabled\/default<\/strong>\n
    \r\neap {\r\n    ok = return\r\n}\r\n<\/pre>\n<\/li>\n
  • Setup eap.conf\n
      \n
    • Setup tls session<\/li>\n
    • Setup private_key_file,certificate_file,CA_file<\/strong>\n
    • default_eap_type = mschapv2<\/strong> in peap session\n<\/ul>\n<\/li>\n
    • Setup site-enabled\/inner-tunnel<\/strong> for your site\n<\/li>\n<\/ul>\n