IEEE 802.1X EAP/TLS authentication with open source tools


From: Jouni Malinen (jkmaline_at_cc.hut.fi)
Date: 2002-08-16 20:17:16 UTC



There have been some queries about IEEE 802.1X with Host AP driver, but so far I haven't heard about completely successful authentication using only open source programs. However, this has now changed :-).

I spent some time with Open1x code (www.open1x.org) and FreeRadius (www.freeradius.org) and managed to complete EAP/TLS authentication with FreeRadius as the authentication server, Host AP driver in Master mode as the AP and the same system using open1x.authenticator. The client system was using Host AP driver in Managed mode and Xsupplicant (www.open1x.org).

FreeRadius v0.7 has a somewhat experimental implementation of EAP/TLS. One shared library needed to be compiled with a snapshot version of openssl. This required some manual work which will hopefully disappear with the next release of openssl.

Xsupplicant seems to be working without changes. However, it does not have a very advanced error reporting system, i.e., it segfaults on more or less any error ;-). In other words, if everything works fine, there are no problems, but if something fails, gdb is a useful tool for finding out what went wrong.

Open1x.authenticator (v1.0-beta) is still in beta phase. The CVS snapshot had a few minor bugs (an off-by-one comparison and byte order errors) that I needed to fix. I'll send these to the author after some more testing and possibly some other patches. In addition, some configuration is still partially hardcoded in C code.

At the moment one would need to use some external mechanism for filtering packets (other than EAP) from stations that have not yet completed 802.1x auth, but I will probably add this to the Host AP driver and make a patch for open1x.authenticator to set this information based on auth status.
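The per-station filtering described above is the 802.1X "controlled port": until the authenticator has marked a station as authorized, the AP forwards only EAPOL frames (EtherType 0x888E) from it and drops everything else. The following is an added illustration of that logic and is not code from the Host AP driver, open1x.authenticator or any other project mentioned here; the frame builder, the `ControlledPort` class and the station/AP MAC addresses are all constructed for the example. The EAPOL EtherType and packet-type values are the standard ones from IEEE 802.1X.

```python
"""Simulated IEEE 802.1X controlled/uncontrolled port at an access point.

Constructed example: the MAC addresses and frames below are made up and
the class is a model of the filtering rule, not driver code.
"""
import struct

ETHERTYPE_EAPOL = 0x888E   # EAP over LAN; the only traffic allowed before auth
ETHERTYPE_IPV4 = 0x0800    # ordinary data traffic used in the walk-through

# EAPOL packet types carried in the 802.1X header (version, type, body length)
EAPOL_EAP_PACKET = 0
EAPOL_START = 1
EAPOL_LOGOFF = 2
EAPOL_KEY = 3


def make_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet II frame (constructed test input, not captured traffic)."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def make_eapol(eapol_type: int, body: bytes = b"") -> bytes:
    """EAPOL header: protocol version 1, packet type, 2-byte body length."""
    return struct.pack("!BBH", 1, eapol_type, len(body)) + body


class ControlledPort:
    """Per-station authorization state as an authenticator would keep it.

    Until a station is marked authorized (which the authenticator does after
    the RADIUS server returns EAP-Success), only EAPOL frames from it are
    passed on; all other frames are dropped. An EAPOL-Logoff from the station
    returns it to the unauthorized state.
    """

    def __init__(self) -> None:
        self.authorized = {}   # station MAC (bytes) -> bool
        self.dropped = []      # (src, ethertype) of dropped frames, for logging

    def set_authorized(self, sta: bytes, ok: bool) -> None:
        self.authorized[sta] = ok

    def is_authorized(self, sta: bytes) -> bool:
        return self.authorized.get(sta, False)

    def handle_frame(self, frame: bytes) -> str:
        """Classify one frame from the wireless side: 'eapol', 'forward' or 'drop'."""
        if len(frame) < 14:
            return "drop"                      # runt frame, no usable header
        _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
        if ethertype == ETHERTYPE_EAPOL:
            # Uncontrolled port: EAPOL always reaches the authenticator.
            if len(frame) >= 18:
                _ver, ptype, _blen = struct.unpack("!BBH", frame[14:18])
                if ptype == EAPOL_LOGOFF:
                    self.set_authorized(src, False)
            return "eapol"
        if self.is_authorized(src):
            return "forward"                   # controlled port is open
        self.dropped.append((src, ethertype))
        return "drop"                          # controlled port still closed


def demo() -> list:
    """Walk one station through start -> data dropped -> authorized -> logoff."""
    ap = b"\x00\x11\x22\x33\x44\x55"      # constructed AP MAC
    sta = b"\x00\x0a\x0b\x0c\x0d\x0e"     # constructed station MAC
    data = b"\x45" + b"\x00" * 19         # constructed IPv4-looking payload
    port = ControlledPort()
    results = []
    results.append(port.handle_frame(make_frame(ap, sta, ETHERTYPE_EAPOL, make_eapol(EAPOL_START))))
    results.append(port.handle_frame(make_frame(ap, sta, ETHERTYPE_IPV4, data)))
    # The authenticator has received EAP-Success from RADIUS and opens the port.
    port.set_authorized(sta, True)
    results.append(port.handle_frame(make_frame(ap, sta, ETHERTYPE_IPV4, data)))
    results.append(port.handle_frame(make_frame(ap, sta, ETHERTYPE_EAPOL, make_eapol(EAPOL_LOGOFF))))
    results.append(port.handle_frame(make_frame(ap, sta, ETHERTYPE_IPV4, data)))
    return results


if __name__ == "__main__":
    print(demo())   # ['eapol', 'drop', 'forward', 'eapol', 'drop']
```

The point of the walk-through is the ordering: data from the station is dropped both before the authenticator opens the port and again after the station sends EAPOL-Logoff, while EAPOL itself is never blocked, since the authentication exchange has to travel over the uncontrolled port.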

I did not test WEP key setting with 802.1x, but it will probably need some changes at least for re-keying. I'll try to reserve some time to test this more and patch open1x.authenticator to configure individual station keys for Host AP.

As a conclusion, I would not yet call this polished enough for all use, but at least the programs are functional enough to show that IEEE 802.1X authentication can be done. It looked like quite a minimal amount of additional work would be enough to get the system more or less usable for general use, so I would hope that adding 802.1x support to an access point using Host AP driver will be relatively easy in the near future.

-- 
Jouni Malinen                                            PGP id EFC895FA