4.7 Making WPA2-Personal Almost As Good As WPA-Enterprise
You're nervous about sitting there with an unsecured wireless access point, and you really want to lock it up before you do anything else. You've made sure that all of your wireless network interfaces support WPA2, so you're ready to go. You don't want to run a RADIUS authentication server, but using the same shared key for all clients doesn't seem very secure. Isn't there some kind of in-between option?
Yes, there is. Pyramid Linux comes with hostapd, which is a user space daemon for access point and authentication servers. This recipe will show you how to assign different pre-shared keys to your clients, instead of everyone using the same one. And, we'll use a nice strong AES-CCMP encryption, instead of the weaker RC4-based ciphers that WPA and WEP use.
First, run /sbin/rw to make the Pyramid filesystem writeable, then create or edit the /etc/hostapd.conf file:
Next, create /etc/hostapd_wpa_psk, which holds the shared plaintext passphrase:
Then, edit /etc/network/interfaces so that hostapd starts when the br0 interface comes up. Add these lines to the end of your br0 entry:
up hostapd -B /etc/hostapd.conf
Run /sbin/ro, then restart networking:
pyramid:~# /etc/init.d/networking restart
Now, grab a Linux client PC for testing. On the client, create an /etc/wpa_supplicant.conf file with these lines, using your own ESSID and super-secret passphrase from /etc/hostapd_wpa_psk:
Shut down the client's wireless interface, then test the key exchange:
# ifdown ath0
This shows a successful key exchange, and it confirms that the CCMP cipher is being used, which you want to see because it is much stronger than the RC4 stream encryption used by WEP. Hit Ctrl-C to end the key exchange test. So, you can add more clients, giving each of them a unique key. All you do is line them up in /etc/hostapd_wpa_psk, and match their passphrases to their MAC addresses:
Now, you have a good strong AES-CCMP based encryption, and if one user compromises her key, you don't have to change all of them. Revoking a user's access is as easy as commenting out or deleting their key.
You can make it permanent on the clients by configuring their wireless interfaces to call wpa_supplicant when they come up. On Debian, do this:
On Fedora, add this line to /etc/sysconfig/network-scripts/ifup-wireless:
wpa_supplicant -ieth0 -c/etc/wpa_supplicant/wpa_supplicant.conf -Dmadwifi -Bw
Make sure your filepath to wpa_supplicant.conf is correct, that you specify the correct interface with -i, and that you specify the correct driver for your wireless interface with the -D option.
When you test the key exchange, you need to specify the driver for your WIC (in the example, it's -Dmadwifi). man 8 wpa_supplicant lists all options. The wext driver is a generic Linux kernel driver. You'll see documentation recommending that you use this. It's better to try the driver for your interface first, then give wext a try if that causes problems.
The example passphrases are terrible, and should not be used in real life. Make yours the maximum length of 63 characters, no words or names, just random jumbles of letters and numbers. Avoid punctuation marks because some Windows clients don't handle them correctly. There are all kinds of random password generators floating around if you want some help, which a quick web search will find.
Windows XP needs SP2 for WPA support, plus client software that comes with your wireless interfaces. Older Windows may be able to get all the necessary client software with their wireless interfaces. Or maybe not; shop carefully.
It takes some computational power to turn a plaintext passphrase into the actual 256-bit key, so using plaintext passphrases could slow things down a bit. You can use wpa_passphrase to pre-compute the key from your passphrases, then copy the resulting hex strings into place:
$ wpa_passphrase alrac-net w894uiernnfif98389rbbybdbyu8i3yenfig87bfop
Now your clients and access point won't have to expend so many CPU cycles on the passphrase. Encrypted keys do not have quotation marks in wpa_supplicant.conf; plaintext passphrases do.
In our original example, 00:00:00:00:00:00 means "accept all MAC addresses."
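To make clear what wpa_passphrase is actually producing, and how the per-client key file is consulted for a given station, here is an added example that is not from the book or from hostapd itself. It re-implements the standard WPA passphrase-to-PSK derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes) and assumes the per-client file holds one "MAC passphrase" pair per line with '#' comment lines; the sample file contents are constructed.

```python
import hashlib
import re

# Derive the 256-bit WPA/WPA2 pre-shared key from a passphrase the same way
# wpa_passphrase does: PBKDF2-HMAC-SHA1, SSID as the salt, 4096 rounds, 32 bytes.
# This is the CPU-heavy step the text says you can do once, ahead of time.
def derive_psk(ssid: str, passphrase: str) -> str:
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("ascii"), 4096, 32)
    return psk.hex()

WILDCARD = "00:00:00:00:00:00"   # "accept all MAC addresses"
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Parse a per-client PSK file (assumed layout: "MAC passphrase" per line;
# lines starting with '#' are comments, which is how a key gets revoked).
def parse_psk_file(text: str) -> dict:
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed line: {line!r}")
        mac, passphrase = parts[0].lower(), parts[1]
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC address: {mac}")
        table[mac] = passphrase
    return table

# Return the PSK a station will be held to: its own entry wins, then the
# wildcard entry; with neither, the station has no key and is refused.
def psk_for_station(table: dict, ssid: str, station_mac: str):
    passphrase = table.get(station_mac.lower()) or table.get(WILDCARD)
    if passphrase is None:
        return None
    return derive_psk(ssid, passphrase)

# Constructed sample file: one active client, one revoked by commenting out.
SAMPLE_PSK_FILE = """\
# constructed example, not a real key file
00:11:22:33:44:55 kq83ndf92jsd8hf73nsl2mvn4xz1pq
#aa:bb:cc:dd:ee:ff revokedusersoldkey9f8e7d6c
"""
```

derive_psk("IEEE", "password") reproduces the published IEEE 802.11i test vector, which is a quick way to confirm any other PSK tool against the standard.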
You can see your keys in action with the iwlist ath0 key command on the access point and clients.
Your access point supports virtually all clients: Linux, Mac OS X, Windows, Unix, the BSDs...any client with a supplicant and support for the protocols will work.
NetworkManager and Kwlan are good graphical network management tools for Linux clients. NetworkManager is designed for all Linux desktops and window managers, and comes with Gnome; Kwlan is part of KDE. Both support profiles, key management, and easy network switching.
When you're using an Ethernet bridge, make sure that you enter your wireless and bridge interfaces in /etc/hostapd.conf.
hostapd.conf supports access controls based on MAC addresses. You're welcome to use these; however, I think they're a waste of time because MAC addresses are so easy to spoof that your cat can do it.
HostAP was originally a project that supported only Prism wireless chips, but now it supports these drivers: