4.7. Making WPA2-Personal Almost As Good As WPA-Enterprise

Problem

You're nervous about sitting there with an unsecured wireless access point, and you really want to lock it up before you do anything else. You've made sure that all of your wireless network interfaces support WPA2, so you're ready to go. You don't want to run a RADIUS authentication server, but using the same shared key for all clients doesn't seem very secure. Isn't there some kind of in-between option?

Solution

Yes, there is. Pyramid Linux comes with hostapd, which is a user space daemon for access point and authentication servers. This recipe will show you how to assign different pre-shared keys to your clients, instead of everyone using the same one. And, we'll use a nice strong AES-CCMP encryption, instead of the weaker RC4-based ciphers that WPA and WEP use.

First, run /sbin/rw to make the Pyramid filesystem writeable, then create or edit the /etc/hostapd.conf file:

	##/etc/hostapd.conf
	interface=ath0
	bridge=br0
	driver=madwifi
	debug=0
	ssid=alrac-net
	macaddr_acl=0
	auth_algs=3
	wpa=1
	wpa_psk_file=/etc/hostapd_wpa_psk
	wpa_key_mgmt=WPA-PSK
	wpa_pairwise=CCMP

Next, create /etc/hostapd_wpa_psk, which holds the shared plaintext passphrase:

	00:00:00:00:00:00 waylongpassword

Then, edit /etc/network/interfaces so that hostapd starts when the br0 interface comes up. Add these lines to the end of your br0 entry:

	up hostapd -B /etc/hostapd.conf
	post-down killall hostapd

Run /sbin/ro, then restart networking:

	pyramid:~# /etc/init.d/networking restart

Now, grab a Linux client PC for testing. On the client, create an /etc/wpa_supplicant.conf file with these lines, using your own ESSID and super-secret passphrase from /etc/hostapd_wpa_psk:

	##/etc/wpa_supplicant.conf
	network={
	   ssid="alrac-net"
	   psk="waylongpassword"
	   pairwise=CCMP
	   group=CCMP
	   key_mgmt=WPA-PSK
	}

Shut down the client's wireless interface, then test the key exchange:

	# ifdown ath0
	# wpa_supplicant -iath0 -c/etc/wpa_supplicant.conf -Dmadwifi -w
	  Trying to associate with 00:ff:4a:1e:a7:7d (SSID='alrac-net' freq=2412 MHz)
	  Associated with 00:ff:4a:1e:a7:7d
	  WPA: Key negotiation completed with 00:ff:4a:1e:a7:7d [PTK=CCMP GTK=CCMP]
	 CTRL-EVENT-CONNECTED - Connection to 00:2b:6f:4d:00:8e

This shows a successful key exchange, and it confirms that the CCMP cipher is being used, which you want to see because it is much stronger than the RC4 stream encryption used by WEP. Hit Ctrl-C to end the key exchange test. So, you can add more clients, giving each of them a unique key. All you do is line them up in /etc/hostapd_wpa_psk, and match their passphrases to their MAC addresses:

	00:0D:44:00:83:CF    uniquetextpassword
	00:22:D6:01:01:E2    anothertextpassword
	23:EF:11:00:DD:2E    onemoretextpassword

Now, you have a good strong AES-CCMP based encryption, and if one user compromises her key, you don't have to change all of them. Revoking a user's access is as easy as commenting out or deleting their key.

You can make it permanent on the clients by configuring their wireless interfaces to call wpa_supplicant when they come up. On Debian, do this:

	##/etc/network/interfaces
	auto ath0
	iface ath0 inet dhcp
	pre-up wpa_supplicant -iath0 -Dmadwifi -Bw -c/etc/wpa_supplicant/wpa_supplicant.conf
	post-down killall -q wpa_supplicant

On Fedora, add this line to /etc/sysconfig/network-scripts/ifup-wireless:

	wpa_supplicant -ieth0 -c/etc/wpa_supplicant/wpa_supplicant.conf -Dmadwifi -Bw

Make sure your filepath to wpa_supplicant.conf is correct, that you specify the correct interface with -i, and that you specify the correct driver for your wireless interface with the -D option.

Discussion

When you test the key exchange, you need to specify the driver for your WIC (in the example, it's -Dmadwifi). man8wpa_supplicant lists all options. The wext driver is a generic Linux kernel driver. You'll see documentation recommending that you use this. It's better to try the driver for your interface first, then give wext a try if that causes problems.

The example passphrases are terrible, and should not be used in real life. Make yours the maximum length of 63 characters, no words or names, just random jumbles of letters and numbers. Avoid punctuation marks because some Windows clients don't handle them correctly. There are all kinds of random password generators floating around if you want some help, which a quick web search will find.

Windows XP needs SP2 for WPA support, plus client software that comes with your wireless interfaces. Older Windows may be able to get all the necessary client software with their wireless interfaces. Or maybe not—shop carefully.

It takes some computational power to encrypt a plaintext passphrase, so using plaintext passphrases could slow things down a bit. You can use wpa_password to encrypt your passphrases, then copy the encrypted strings into place:

	$ wpa_passphrase alrac-net w894uiernnfif98389rbbybdbyu8i3yenfig87bfop
	network={
	        ssid="alrac-net"
	        #psk="w894uiernnfif98389rbbybdbyu8i3yenfig87bfop"
	        psk=48a37127e92b29df54a6775571768f5790e5df87944c26583e1576b83390c56f
	}

Now your clients and access point won't have to expend so many CPU cycles on the passphrase. Encrypted keys do not have quotation marks in wpa_supplicant.conf; plaintext passphrases do.

In our original example, 00:00:00:00:00:00 means "accept all MAC addresses."

You can see your keys in action with the iwlist ath0 key command on the access point and clients.

Your access point supports virtually all clients: Linux, Mac OS X, Windows, Unix, the BSDs…any client with a supplicant and support for the protocols will work.

NetworkManager and Kwlan are good graphical network management tools for Linux clients. NetworkManager is designed for all Linux desktops and window managers, and comes with Gnome; Kwlan is part of KDE. Both support profiles, key management, and easy network switching.

When you're using an Ethernet bridge, make sure that you enter your wireless and bridge interfaces in /etc/hostapd.conf.

hostapd.conf supports access controls based on MAC addresses. You're welcome to use these; however, I think they're a waste of time because MAC addresses are so easy to spoof your cat can do it.

HostAP was originally a project that supported only Prism wireless chips, but now it supports these drivers:

See Also