pmeerw's blog

May 2016

Tue, 17 May 2016

IEEE 802.1x port authentication

Run wpa_supplicant using sudo wpa_supplicant -i eth7 -D wired -c /tmp/802/wpa_supplicant.conf

Notes
HP 1920 switch: configure to CHAP to make MD5 work
Zyxel GS1900 switch: local authentication doesn't seem to work
wpa_supplicant MD5
ap_scan=0
eapol_version=2
network={
    key_mgmt=IEEE8021X
    identity="test"
    password="test"
    eap=MD5
}
wpa_supplicant EAP-TLS
Generate keys using Debian/Ubuntu's /usr/share/doc/freeradius/examples/certs; here is an edited variant without requiring passphrases
DH_KEY_SIZE	= 2048
CA_DEFAULT_DAYS = 3650

.PHONY: all
all: index.txt serial dh random server client ca

.PHONY: client
client: client.pem

.PHONY: ca
ca: ca.der

.PHONY: server
server: server.pem

#  Diffie-Hellman parameters
dh:
	openssl gendh -out dh -2 $(DH_KEY_SIZE)

#  Create a new self-signed CA certificate
ca.key ca.pem: ca.cnf
	@[ -f index.txt ] || $(MAKE) index.txt
	@[ -f serial ] || $(MAKE) serial
	openssl req -nodes -new -x509 -keyout ca.key -out ca.pem \
		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf

ca.der: ca.pem
	openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der

#  Create a new server certificate, signed by the above CA.
server.csr server.key: server.cnf
	openssl req -nodes -new -out server.csr -keyout server.key -config ./server.cnf

server.crt: server.csr ca.key ca.pem
	openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf

server.p12: server.crt
	openssl pkcs12 -nodes -export -in server.crt -inkey server.key -out server.p12 -passout pass:

server.pem: server.p12
	openssl pkcs12 -nodes -in server.p12 -out server.pem -passin pass:

#  Create a new client certificate, signed by the the above CA
client.csr client.key: client.cnf
	openssl req -nodes -new -out client.csr -keyout client.key -config ./client.cnf

client.crt: client.csr ca.pem ca.key
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

client.p12: client.crt
	openssl pkcs12 -nodes -export -in client.crt -inkey client.key -out client.p12 -passout pass:

client.pem: client.p12
	openssl pkcs12 -nodes -in client.p12 -out client.pem -passin pass:

#  Miscellaneous rules.
index.txt:
	@touch index.txt

serial:
	@echo '001' > serial

random:
	@if [ -c /dev/urandom ] ; then \
		dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1; \
	else \
		date > ./random; \
	fi

print:
	openssl x509 -text -in server.crt

printca:
	openssl x509 -text -in ca.pem

ap_scan=0
eapol_version=2
network={
    key_mgmt=IEEE8021X
    identity="test"
    password="test"
    eap=TLS
    ca_cert="/tmp/802/ca.pem"
    client_cert="/tmp/802/client.pem"
    private_key="/tmp/802/client.key"
}
Debugging
wireshark filter: eap || eapol

posted at: 00:06 | path: /projects | permanent link

Made with PyBlosxom