Voyage Linux - WRAP

From Stu2

Voyage Linux is a Linux distribution built for embedded wireless controllers, such as the WRAP board from PC Engines. hostapd provides WPA and 802.1X; no other free firmware for the WRAP provides this capability. The downside is that it has no fancy GUI, so it is very difficult for a newbie to configure (everything is done over SSH). pfSense is a better choice for field deployment.

Here are a few notes from my experiments. Make sure you check out the WRAP page for other related info and notes. Big note: hostapd runs well with the Atheros radio; the Prism radio (2511) needs updated firmware.

First Connect

In general, the install instructions are pretty good. Once the OS is loaded on the card, you need to configure the device via the command line. SSH is enabled by default. You can use a serial console too; however, 'vi' wouldn't work right under gtkterm. I'm sure the terminal emulation is wrong.

Useful commands:

remountrw - remount the CF read/write so you can make changes to the configuration files
remountro - remount the CF read-only again once the changes are made

Setting up the Interfaces

I'm going for the following:

eth0
wlan0 - 802.11b/g Prism
ath0 - 802.11a Atheros

After much work, I built the following /etc/network/interfaces file:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 169.203.41.40
        netmask 255.255.255.192
        # /26 network is 169.203.41.0-63, so the broadcast address is .63 (not .0, the network address)
        broadcast 169.203.41.63

# Set up the Prism card
auto wlan0
iface wlan0 inet static
        address 10.1.10.1
        netmask 255.255.255.0
        broadcast 10.1.10.255
        # wireless-x -> iwconfig iface command
        wireless-essid vortex
        wireless-mode Master
        wireless-channel 1
        wireless-txpower 17dbm
#        up nat.sh wlan0 eth0 "10.1.10.0/24"

# Atheros interface config
auto ath0
iface ath0 inet static
        address 192.168.10.1
        netmask 255.255.255.0
        broadcast 192.168.10.255
        # Build the wlanconfig command (see if-pre-up.d/madwifi)
        # Set to wifi0
        madwifi-base wifi0
        # Set mode (master=ap, sta=sta)
        madwifi-mode Master
        # Set parameters
        wireless-channel 40
        wireless-essid w7iy-1
        wireless-txpower 16dbm
        wireless-rate 54M
        # Send private ioctl to ath0 (1=11a, 0=autoselect)
        up iwpriv ath0 mode 1
#        up nat.sh ath0 eth0 "10.1.20.0/24"

The Prism card uses the 'hostap' driver (not to be confused with hostapd). The Atheros card uses the madwifi-ng driver. A hook script in /etc/network/if-pre-up.d (madwifi) builds the wlanconfig command from the madwifi-* options:

$WLANCONFIG $IFACE create wlandev $IF_MADWIFI_BASE wlanmode $MODE
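To see what the wireless-* and madwifi-* lines turn into, here is an added Python script (written for this page; it is not part of Voyage or of the Debian hook scripts) that parses a constructed /etc/network/interfaces in the same shape as the one above and renders, approximately, the commands the hooks derive from it: wlanconfig ... create wlandev ... wlanmode for madwifi-base/madwifi-mode, iwconfig <iface> <option> <value> for each wireless-* line, then the up commands. It also checks that each broadcast agrees with address/netmask, which is where static stanzas most often go wrong. The madwifi-mode to wlanmode mapping table is an assumption about the hook.

```python
import ipaddress

# Constructed sample modelled on the page's layout (eth0, Prism wlan0, Atheros ath0).
# The eth0 broadcast is deliberately wrong for a /26 so the consistency check fires.
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 169.203.41.40
        netmask 255.255.255.192
        broadcast 169.203.41.0

auto wlan0
iface wlan0 inet static
        address 10.1.10.1
        netmask 255.255.255.0
        broadcast 10.1.10.255
        wireless-essid vortex
        wireless-mode Master
        wireless-channel 1
        wireless-txpower 17dbm

auto ath0
iface ath0 inet static
        address 192.168.10.1
        netmask 255.255.255.0
        broadcast 192.168.10.255
        madwifi-base wifi0
        madwifi-mode Master
        wireless-channel 40
        wireless-essid w7iy-1
        up iwpriv ath0 mode 1
"""

# Assumed mapping from madwifi-mode to the wlanconfig wlanmode the hook passes.
MADWIFI_MODES = {"master": "ap", "ap": "ap", "managed": "sta", "sta": "sta",
                 "adhoc": "adhoc", "monitor": "monitor"}


def parse_interfaces(text):
    """Return {iface: {option: value, "_up": [commands]}} for each iface stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split(None, 1)
        if words[0] == "iface":
            current = stanzas.setdefault(words[1].split()[0], {"_up": []})
        elif words[0] in ("auto", "allow-hotplug") or current is None:
            continue
        elif words[0] == "up":
            current["_up"].append(words[1])
        else:
            current[words[0]] = words[1] if len(words) > 1 else ""
    return stanzas


def render_commands(name, opts):
    """Approximate the commands the if-pre-up.d hooks derive from a stanza:
    wlanconfig for madwifi-*, 'iwconfig <iface> <option> <value>' for each
    wireless-* line, then the explicit 'up' commands in file order."""
    cmds = []
    base = opts.get("madwifi-base")
    if base:
        mode = MADWIFI_MODES.get(opts.get("madwifi-mode", "managed").lower(), "sta")
        cmds.append(f"wlanconfig {name} create wlandev {base} wlanmode {mode}")
    for key, value in opts.items():
        if key.startswith("wireless-"):
            cmds.append(f"iwconfig {name} {key[len('wireless-'):]} {value}")
    cmds.extend(opts["_up"])
    return cmds


def check_broadcast(opts):
    """Return None if broadcast agrees with address/netmask, else the expected broadcast."""
    if not all(k in opts for k in ("address", "netmask", "broadcast")):
        return None
    net = ipaddress.IPv4Interface(f"{opts['address']}/{opts['netmask']}").network
    expected = str(net.broadcast_address)
    return None if expected == opts["broadcast"] else expected


def audit(text):
    """Return {iface: (commands, broadcast_problem_or_None)} for every stanza."""
    return {name: (render_commands(name, opts), check_broadcast(opts))
            for name, opts in parse_interfaces(text).items()}


if __name__ == "__main__":
    for name, (cmds, problem) in audit(SAMPLE_INTERFACES).items():
        print(f"== {name}")
        for cmd in cmds:
            print("   ", cmd)
        if problem:
            print(f"    WARNING: broadcast does not match address/netmask, expected {problem}")
```

Run it against a real /etc/network/interfaces by passing its contents to audit(); the rendered commands are a dry run to read, not something the script executes.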


Getting WPA-PSK to Work

After hours of screwing with wlan0, I discovered the Prism 2511 card isn't compatible with hostapd. Every time I enabled WPA (hostapd.conf) I ended up with a bogus interface; iwconfig showed wlan0ap_rename. I had to reboot, destroy ath0 and recreate it by hand to get my radios back. So I found a page on flashing the firmware for the Prism radios and then tried all the WPA stuff using just the CM9 (Atheros) card. After I disabled wlan0 (by removing it from the system), it worked! I was able to make a secure (WPA-PSK) connection from my Windows XP workstation. Most of the following config has nothing to do with the WPA stuff, so the statements that mattered are annotated below with trailing '# ...' notes. Those notes are mine and are not part of the file: hostapd only treats whole lines starting with '#' as comments, so do not paste them after a value. I found a config file on the Voyage site which had the right config statements.

voyage:/etc/hostapd# grep -v ^# hostapd.conf|grep -v ^$
interface=ath0   # Changed to ath0 from wlan0
driver=madwifi   # Changed to use madwifi instead of hostap
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=0
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=vortex      # Must match the SSID of the interface!
max_num_sta=255
macaddr_acl=0
auth_algs=3  # Checked
eapol_key_index_workaround=0
eap_server=0
own_ip_addr=127.0.0.1
wpa=1                              # Turned on wpa
wpa_passphrase=secretpassphrase    # Set the passphrase - which matches the passphrase in windows (make this long and complex)
wpa_key_mgmt=WPA-PSK               # Made sure this was set to wpa-psk
wpa_pairwise=CCMP                  # Uses AES and CCMP

In the Windows client, I set the properties to wpa-psk, AES and entered the passphrase.

Getting WPA2 w/802.1x to Work

The hostapd web page has all the gory details. WPA2 is WPA with AES and 802.1X EAP.

This mode is significantly more complicated because it requires a RADIUS server to resolve usernames and passwords.

Supported drivers include madwifi and hostap.

Create the Certificates

Create the CA key and self signed certificate:

cd /etc/pki/tls/certs
openssl genrsa -des3 -out cacert.key 1024
openssl req -new -key cacert.key -out cacert.csr
openssl x509 -req -days 365 -in cacert.csr -signkey cacert.key -out cacert.crt

or

cd /etc/pki/tls/certs
make cacert.key    # private key
make cacert.csr    # certificate signing request
make cacert.crt    # self signed certificate

We need server side certificates for the node:

# private key w/passphrase
make server.key
# certificate request
make server.csr
# Sign the server request with the CA certificate and key, so that server.crt
# chains to cacert.crt (-signkey would produce a self-signed certificate instead)
openssl x509 -req -days 365 -in server.csr -CA cacert.crt -CAkey cacert.key -CAcreateserial -out server.crt

Copy server.key, server.crt and cacert.crt over to the access point. Modify hostapd.conf to point to those files.

Hostapd.conf WPA2 Integrated EAP

A few more hours and voila! Here is the configuration file for hostapd.conf, which allows wpa2 and the integrated EAP server.

voyage:/etc/hostapd# grep -v ^# hostapd.conf|grep -v ^$
interface=ath0
driver=madwifi
logger_syslog=-1
logger_syslog_level=1
logger_stdout=-1
logger_stdout_level=2
debug=4
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=vortex
max_num_sta=255
macaddr_acl=0
auth_algs=3
ieee8021x=1
eapol_key_index_workaround=1
eap_server=1
eap_user_file=/etc/hostapd/eap_user
ca_cert=/etc/hostapd/ca.crt
server_cert=/etc/hostapd/server.crt
private_key=/etc/hostapd/server.key
private_key_passwd=secretpassword
own_ip_addr=127.0.0.1
wpa=1
wpa_passphrase=secretpassphrase
wpa_key_mgmt=WPA-PSK WPA-EAP
wpa_pairwise=CCMP

Here is the eap_user file. Note that the XP supplicant authenticates with a phase 2 method (MSCHAPv2 tunnelled inside EAP-PEAP), so the file needs two lines: one for the phase 1 anonymous (wildcard) user and one for the actual user, marked [2].

voyage:/etc/hostapd# cat eap_user
*   PEAP,TTLS,TLS,SIM,AKA
"DOMAIN\user"  MSCHAPV2  "userpassword" [2]

On the XP client, configure the wireless network to use WPA2 and AES. Then on the Authentication tab, choose EAP type = Protected EAP. Configure PEAP: deselect validate server certificate and choose MSCHAPv2. Configure MSCHAPv2 and deselect the option to use the Windows logon.

The user will need to 1) view the wireless networks, 2) connect and then 3) enter the credentials in the window.

If all this works, you can change the password in eap_user to match the Windows logon information, then re-configure the MSCHAPv2 setting in XP to use the Windows logon information. On my workstation, the domain was available on the logon screen and the first letter of my user ID had to be capitalized in eap_user. Obviously, hooking into the enterprise RADIUS server, fed by Active Directory, would be the best.

Debugging

You will need to set EnableFileTracing to 1 in the Windows XP registry under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EAPOL

The log file will be written to %windir%\tracing\eapol.log

STA Mode

Use the Atheros card as a client and connect it to an access point.

http://madwifi.org/wiki/UserDocs/WPA_PSK_on_Both_Ends

Store a passphrase in /etc/wpa_supplicant.conf using this command:

wpa_passphrase My_WPA_Protected_AP_ESSID "Some_Decent_PassPhrase_of_up_64_Characters" >> /etc/wpa_supplicant.conf

Then edit the file and add the key_mgmt and proto statements.

voyage:~# cat /etc/wpa_supplicant.conf
network={
        ssid="woody"
        #psk="Some Decent Passphrase used above"
        psk=d74da2b6d2ba792aaa1a8748277dc44e9db657bc561ca85f9060a38d7024db33
        key_mgmt=WPA-PSK
        #proto=WPA
        proto=RSN
}
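The psk line wpa_passphrase writes is PBKDF2-HMAC-SHA1 of the passphrase with the SSID as salt (4096 iterations, 32 bytes). The following added Python example (mine, not code from the wpa_supplicant or madwifi projects) derives that 64-hex value the same way and renders the network block with the key_mgmt and proto lines already added, so a PSK can be generated or verified offline. The demo passphrase is constructed, and the derivation is checked against the public IEEE 802.11i test vector (SSID "IEEE", passphrase "password").

```python
import hashlib


def wpa_psk(ssid, passphrase):
    """Derive the 256-bit WPA/WPA2 PSK as wpa_passphrase does:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes) as 64 hex chars."""
    if not 8 <= len(passphrase) <= 63:       # wpa_passphrase enforces the same limits
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32).hex()


def network_block(ssid, passphrase, proto="RSN"):
    """Render the wpa_supplicant network={} block as the page ends up with it:
    the wpa_passphrase output plus the key_mgmt and proto lines added by hand.
    proto=RSN selects WPA2; proto=WPA selects the original WPA."""
    lines = [
        "network={",
        f'\tssid="{ssid}"',
        f'\t#psk="{passphrase}"',          # clear-text passphrase, commented out as wpa_passphrase does
        f"\tpsk={wpa_psk(ssid, passphrase)}",
        "\tkey_mgmt=WPA-PSK",
        f"\tproto={proto}",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed demo passphrase; the SSID is the one used on the page
    print(network_block("woody", "Some Decent Passphrase"))
```

Appending the printed block to /etc/wpa_supplicant.conf gives the same result as the wpa_passphrase command plus the two hand edits described above; remove the #psk line if you do not want the clear-text passphrase kept on the card.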

Bring up the interface. This will scan for a matching ssid and negotiate the connection. (Command has debug enabled)

voyage:~# wpa_supplicant -dd -Dmadwifi -iath0 -c/etc/wpa_supplicant.conf

Check with iwconfig.

voyage:~# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wifi0     no wireless extensions.

ath0      IEEE 802.11g  ESSID:"woody"  Nickname:""
          Mode:Managed  Frequency:2.437 GHz  Access Point: 00:13:10:11:20:25   
          Bit Rate:48 Mb/s   Tx-Power:19 dBm   Sensitivity=0/3  
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:ED7F-C1EF-61E3-90CB-721F-ABFB-3811-5CCC   Security mode:restricted
          Power Management:off
          Link Quality=46/94  Signal level=-50 dBm  Noise level=-96 dBm
          Rx invalid nwid:5944  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0