Securing a Linux Wireless Access Point


By: O'Reilly Media
    2010-02-04


    Table of Contents:
  • Securing a Linux Wireless Access Point
  • 4.8 Enterprise Authentication with a RADIUS Server
  • 4.9 Configuring Your Wireless Access Point to Use FreeRADIUS
  • 4.10 Authenticating Clients to FreeRADIUS


    Summary: In this third part of a five-part series on building a Linux wireless access point, you'll learn several different ways to secure your servers, so you can choose the level of security that best suits your needs. This article is excerpted from chapter four of the Linux Networking Cookbook, written by Carla Schroder (O'Reilly; ISBN: 0596102488). Copyright © 2008 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.


    4.7 Making WPA2-Personal Almost As Good As WPA-Enterprise

    Problem

    You’re nervous about sitting there with an unsecured wireless access point, and you really want to lock it up before you do anything else. You’ve made sure that all of your wireless network interfaces support WPA2, so you’re ready to go. You don’t want to run a RADIUS authentication server, but using the same shared key for all clients doesn’t seem very secure. Isn’t there some kind of in-between option?

    Solution

    Yes, there is. Pyramid Linux comes with hostapd, which is a user space daemon for access point and authentication servers. This recipe will show you how to assign different pre-shared keys to your clients, instead of everyone using the same one. And, we’ll use a nice strong AES-CCMP encryption, instead of the weaker RC4-based ciphers that WPA and WEP use.

    First, run /sbin/rw to make the Pyramid filesystem writeable, then create or edit the /etc/hostapd.conf file:

      ##/etc/hostapd.conf
      interface=ath0
      bridge=br0
      driver=madwifi
      debug=0
      ssid=alrac-net
      # 0 = accept any MAC address unless it appears in a deny list
      macaddr_acl=0
      auth_algs=3
      # 2 selects WPA2 (RSN); 1 would negotiate only the older WPA
      wpa=2
      # one "MAC passphrase" pair per line; 00:00:00:00:00:00 matches any client
      wpa_psk_file=/etc/hostapd_wpa_psk
      wpa_key_mgmt=WPA-PSK
      # AES-CCMP only, no TKIP (RC4) fallback
      wpa_pairwise=CCMP

    Next, create /etc/hostapd_wpa_psk, which holds the shared plaintext passphrase:

      00:00:00:00:00:00 waylongpassword

    Then, edit /etc/network/interfaces so that hostapd starts when the br0 interface comes up. Add these lines to the end of your br0 entry:

      up hostapd -B /etc/hostapd.conf
      post-down killall hostapd

    Run /sbin/ro, then restart networking:

      pyramid:~# /etc/init.d/networking restart

    Now, grab a Linux client PC for testing. On the client, create an /etc/wpa_supplicant.conf file with these lines, using your own ESSID and super-secret passphrase from /etc/hostapd_wpa_psk:

      ##/etc/wpa_supplicant.conf
      network={
         ssid="alrac-net"
         psk="waylongpassword"
         pairwise=CCMP
         group=CCMP
         key_mgmt=WPA-PSK
      }

    Shut down the client’s wireless interface, then test the key exchange:

      # ifdown ath0
      # wpa_supplicant -iath0 -c/etc/wpa_supplicant.conf -Dmadwifi -w
      Trying to associate with 00:ff:4a:1e:a7:7d (SSID='alrac-net' freq=2412 MHz)
      Associated with 00:ff:4a:1e:a7:7d
      WPA: Key negotiation completed with 00:ff:4a:1e:a7:7d [PTK=CCMP GTK=CCMP]
      CTRL-EVENT-CONNECTED - Connection to 00:2b:6f:4d:00:8e

    This shows a successful key exchange, and it confirms that the CCMP cipher is being used, which you want to see because it is much stronger than the RC4 stream encryption used by WEP. Hit Ctrl-C to end the key exchange test. Now you can add more clients, giving each of them a unique key. All you do is line them up in /etc/hostapd_wpa_psk, matching each passphrase to the client’s MAC address:

      00:0D:44:00:83:CF    uniquetextpassword
      00:22:D6:01:01:E2    anothertextpassword
      23:EF:11:00:DD:2E    onemoretextpassword

    Now, you have a good strong AES-CCMP based encryption, and if one user compromises her key, you don’t have to change all of them. Revoking a user’s access is as easy as commenting out or deleting their key.

    You can make it permanent on the clients by configuring their wireless interfaces to call wpa_supplicant when they come up. On Debian, do this:

      ##/etc/network/interfaces
      auto ath0
      iface ath0 inet dhcp
      pre-up wpa_supplicant -iath0 -Dmadwifi -Bw -c/etc/wpa_supplicant/wpa_supplicant.conf
      post-down killall -q wpa_supplicant

    On Fedora, add this line to /etc/sysconfig/network-scripts/ifup-wireless:

      wpa_supplicant -ieth0 -c/etc/wpa_supplicant/wpa_supplicant.conf -Dmadwifi -Bw

    Make sure your file path to wpa_supplicant.conf is correct, that you specify the correct interface with -i, and that you specify the correct driver for your wireless interface with the -D option.

    Discussion

    When you test the key exchange, you need to specify the driver for your WIC (in the example, it’s -Dmadwifi). man 8 wpa_supplicant lists all options. The wext driver is a generic Linux kernel driver. You’ll see documentation recommending that you use this. It’s better to try the driver for your interface first, then give wext a try if that causes problems.

    The example passphrases are terrible, and should not be used in real life. Make yours the maximum length of 63 characters, no words or names, just random jumbles of letters and numbers. Avoid punctuation marks because some Windows clients don’t handle them correctly. There are all kinds of random password generators floating around if you want some help, which a quick web search will find.

    Windows XP needs SP2 for WPA support, plus client software that comes with your wireless interfaces. Older Windows may be able to get all the necessary client software with their wireless interfaces. Or maybe not—shop carefully.

    It takes some computational power to turn a plaintext passphrase into the actual key, so using plaintext passphrases could slow things down a bit. You can use wpa_passphrase to convert your passphrases into hex keys ahead of time, then copy the resulting strings into place:

      $ wpa_passphrase alrac-net w894uiernnfif98389rbbybdbyu8i3yenfig87bfop
      network={
              ssid="alrac-net"
              #psk="w894uiernnfif98389rbbybdbyu8i3yenfig87bfop"
              psk=48a37127e92b29df54a6775571768f5790e5df87944c26583e1576b83390c56f
      }

    Now your clients and access point won’t have to expend so many CPU cycles on the passphrase. Hex keys do not take quotation marks in wpa_supplicant.conf; plaintext passphrases do.
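    An added example in Python (not from the book, hostapd or wpa_supplicant) that ties together the per-client /etc/hostapd_wpa_psk file and the wpa_passphrase step above: it generates passphrases following the rules in the Discussion (63 characters, letters and digits only), derives the same 64-hex PSK that wpa_passphrase prints (PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID), writes one MAC/key line per client, and parses the file back so a commented-out (revoked) client can be confirmed absent. The sample MAC addresses and passphrases are the page’s own; the function names are mine.

```python
import hashlib
import re
import secrets
import string

# Recipe rules for passphrases: letters and digits only (no punctuation,
# which some Windows clients mishandle), 8 to 63 characters, prefer 63.
ALPHABET = string.ascii_letters + string.digits
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def random_passphrase(length: int = 63) -> str:
    """Random passphrase from ALPHABET, drawn from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_psk(ssid: str, passphrase: str) -> str:
    """The value wpa_passphrase prints as psk=: PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the SSID, 4096 rounds, 256 bits as 64 hex chars."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def build_psk_file(ssid: str, clients: dict, precompute: bool = True) -> str:
    """Render /etc/hostapd_wpa_psk: one '<MAC> <key>' line per client.
    hostapd accepts either a plaintext passphrase or a 64-hex PSK as the key;
    precompute=True writes the PSK so no derivation happens at run time.
    00:00:00:00:00:00 as the MAC means "any client", as in the recipe."""
    lines = []
    for mac, passphrase in clients.items():
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC address: {mac}")
        key = derive_psk(ssid, passphrase) if precompute else passphrase
        lines.append(f"{mac} {key}")
    return "\n".join(lines) + "\n"


def parse_psk_file(text: str) -> dict:
    """Read a hostapd_wpa_psk file back into {mac: key}; comment lines are
    skipped, so a revoked (commented-out) client no longer appears."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, key = line.split(None, 1)
        entries[mac.lower()] = key
    return entries
```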

    In our original example, 00:00:00:00:00:00 means “accept all MAC addresses.”

    You can see your keys in action with the iwlist ath0 key command on the access point and clients.

    Your access point supports virtually all clients: Linux, Mac OS X, Windows, Unix, the BSDs...any client with a supplicant and support for the protocols will work.

    NetworkManager and Kwlan are good graphical network management tools for Linux clients. NetworkManager is designed for all Linux desktops and window managers, and comes with Gnome; Kwlan is part of KDE. Both support profiles, key management, and easy network switching.

    When you’re using an Ethernet bridge, make sure that you enter your wireless and bridge interfaces in /etc/hostapd.conf.

    hostapd.conf supports access controls based on MAC addresses. You’re welcome to use these; however, I think they’re a waste of time because MAC addresses are so easy to spoof that your cat can do it.

    HostAP was originally a project that supported only Prism wireless chips, but now it supports these drivers:

    1. Host AP driver for Prism2/2.5/3
    2. madwifi (Atheros ar521x)
    3. Prism54.org (Prism GT/Duette/Indigo)
    4. BSD net80211 layer

    See Also

    1. Pyramid Linux does not include manpages, so you should install the applications in this chapter on a PC to get the manpages, or rely on Google
       
    2. wlanconfig is part of MadWiFi-ng 
    3. man 8 wlanconfig
    4. The default hostapd.conf is full of informative comments
    5. The default wpa_supplicant.conf is helpful
    6. 802.11 Wireless Networks: The Definitive Guide, by Matthew Gast (O’Reilly)
    7. MadWiFi.org: http://madwifi.org/

    © 2003-2010 by Developer Shed. All rights reserved. DS Cluster 4 Hosted by Hostway