February 28, 2014

wpa_supplicant with DoD PIV / CAC card

EAP-TLS and EAP-PEAP/MS-CHAPv2 authentications

For EAP-TLS, you will need to read the certificate from the PIV card into a local file. You can use the following command:
pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -r -y cert -d 01 -o cac-cert.der

wpa_supplicant.conf:

ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
#ap_scan=1
#fast_reauth=0
pkcs11_engine_path=/usr/lib/ssl/engines/engine_pkcs11.so
pkcs11_module_path=/usr/local/lib/opensc-pkcs11.so

network={
    ssid="test"
    key_mgmt=WPA-EAP
    eap=PEAP
    proto=RSN
    pairwise=CCMP
    group=CCMP
    identity="myname"
    password="mschappass"
    ca_cert="CA.pem"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
    priority=10
}

network={
    ssid="test-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    proto=RSN
    pairwise=CCMP
    group=CCMP
    identity="john@abctech.com"
    ca_cert="CA.pem"
    client_cert="cac-cert.der"
    priority=10
    engine=1
    engine_id="pkcs11"
    key_id="1:01"
    pin="77777777"
}

#PEAP-EAP-TLS-SMARTCARD
network={
    ssid="test-peap-eap-tls"
    key_mgmt=WPA-EAP
    eap=PEAP
    proto=RSN
    pairwise=CCMP
    group=CCMP
    anonymous_identity="noname@noname.com"
    ca_cert="/etc/CA.pem"
    identity="sean"
    client_cert2="/tmp/cac-cert.der"
    phase1="peapver=0"
    phase2="auth=TLS"
    priority=10
    engine2=1
    engine2_id="pkcs11"
    key2_id="1:01"
    pin2="77777777"
}

#key_id 1:01 means card reader at slot #1, and key id 01 on the card
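As an added example (this is not code from the original post or from the wpa_supplicant project), the small Python audit below parses network={ ... } blocks in the shape shown above and reports the settings a defender cares about: a missing ca_cert (no server validation, so a rogue AP can complete the TLS tunnel and collect the inner MSCHAPv2 exchange), a ca_cert without any subject_match/altsubject_match/domain_suffix_match (any server certificate from that CA is accepted), PEAP without anonymous_identity (the real username travels in the cleartext EAP-Response/Identity), and secrets such as password or pin written literally into the file. The embedded sample is constructed from the first two blocks above, trimmed, plus a deliberately misconfigured third block; only the line-oriented syntax used in this post is handled.

```python
"""Audit wpa_supplicant.conf network blocks for weak EAP settings.

Added example, not from the original post. Only the network={ ... } syntax
shown in the post is handled; inline '#' comments and multi-line values are not.
"""
from typing import Dict, List, Tuple

# Constructed sample: the first two network blocks from the post, trimmed,
# plus a deliberately broken third block ("no-ca") with no ca_cert.
SAMPLE_CONF = """\
ctrl_interface=/var/run/wpa_supplicant
pkcs11_engine_path=/usr/lib/ssl/engines/engine_pkcs11.so
pkcs11_module_path=/usr/local/lib/opensc-pkcs11.so

network={
    ssid="test"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="myname"
    password="mschappass"
    ca_cert="CA.pem"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="test-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="john@abctech.com"
    ca_cert="CA.pem"
    client_cert="cac-cert.der"
    engine=1
    engine_id="pkcs11"
    key_id="1:01"
    pin="77777777"
}

network={
    ssid="no-ca"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="bob"
    password="secret"
    phase2="auth=MSCHAPV2"
}
"""

# wpa_supplicant options that bind the server certificate to an expected identity.
SERVER_ID_KEYS = ("subject_match", "altsubject_match", "domain_suffix_match")
# Options whose values are secrets when written literally into the file.
SECRET_KEYS = ("password", "pin", "pin2", "private_key_passwd", "private_key2_passwd")

Finding = Tuple[str, str]


def parse_conf(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Return (global options, list of network blocks); surrounding quotes are stripped."""
    globals_: Dict[str, str] = {}
    networks: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        else:
            key, _, value = line.partition("=")
            target = globals_ if current is None else current
            target[key.strip()] = value.strip().strip('"')
    return globals_, networks


def audit_network(net: Dict[str, str]) -> List[Finding]:
    """Return (code, message) findings for one network block."""
    findings: List[Finding] = []
    if "ca_cert" not in net:
        findings.append(("NO_CA_CERT",
                         "server certificate is not validated: a rogue AP presenting any "
                         "certificate completes the TLS tunnel and can collect the inner credentials"))
    elif not any(k in net for k in SERVER_ID_KEYS):
        findings.append(("NO_SERVER_ID_MATCH",
                         "ca_cert is set but no subject_match/altsubject_match/domain_suffix_match: "
                         "any server certificate issued by that CA is accepted"))
    if net.get("eap", "").upper() == "PEAP" and "anonymous_identity" not in net:
        findings.append(("OUTER_IDENTITY_EXPOSED",
                         "PEAP without anonymous_identity sends the real username in the "
                         "cleartext EAP-Response/Identity"))
    for key in SECRET_KEYS:
        if key in net:
            findings.append(("CLEARTEXT_SECRET",
                             f"{key} is stored in cleartext; keep the file root-only (chmod 600)"))
    return findings


def audit(text: str) -> Dict[str, List[Finding]]:
    """Map each ssid to its findings."""
    _, networks = parse_conf(text)
    return {net.get("ssid", "<no ssid>"): audit_network(net) for net in networks}


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(f"[{ssid}]")
        for code, msg in findings or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```

Run it against your own file with audit(open("/etc/wpa_supplicant.conf").read()); the two blocks taken from this post both trigger NO_SERVER_ID_MATCH, which is the one change worth making before deploying them outside a lab.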

To convert JITC CA files to PEM format:

openssl pkcs7 -print_certs -in Certificates_PKCS7_v4.0.1_JITC.pem.p7b -out JITC-CA.pem


To validate the PIN, have the card sign a simple file:

pkcs11-tool --sign  -m SHA1-RSA-PKCS --input-file /etc/passwd --output-file /tmp/signature --pin 12345678

If signed successfully, then the pin is correct.
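A successful signature proves the PIN, but not that the key you picked with key_id is the one belonging to the certificate you read off the card earlier. The added Python script below (not from the post; it wraps OpenSC's pkcs11-tool and the openssl CLI, both assumed to be on PATH, and uses the module path and the "slot:id" key_id form from the post) signs a file on the card with the object id taken from key_id and then verifies that signature with the public key extracted from the DER certificate, so it only reports success when PIN, key and certificate all agree. The slot half of key_id is parsed but, like the post's own sign command, the token selection is left to pkcs11-tool's default.

```python
"""Confirm the PIN and that the card key named by key_id matches the extracted
certificate: sign a file on the card, verify with the certificate's public key.

Added example, not from the post. Assumes OpenSC's pkcs11-tool and the openssl
CLI are on PATH; the module path is the one used in the post.
"""
import os
import subprocess
import sys
import tempfile
from typing import List, Tuple

PKCS11_MODULE = "/usr/local/lib/opensc-pkcs11.so"


def parse_key_id(key_id: str) -> Tuple[int, str]:
    """Split the engine_pkcs11 "slot:id" form from the post ("1:01") into (slot, hex id)."""
    slot, sep, obj = key_id.partition(":")
    if not sep or not slot.isdigit() or not obj or any(c not in "0123456789abcdefABCDEF" for c in obj):
        raise ValueError(f"key_id must look like <slot>:<hex id>, got {key_id!r}")
    return int(slot), obj.lower()


def sign_command(module: str, obj_id: str, infile: str, sigfile: str, pin: str) -> List[str]:
    """The pkcs11-tool invocation from the post, restricted to the key object id.
    Slot selection is left to pkcs11-tool's default (first token found), as in the post.
    --pin on the command line is visible in the process list; for interactive use
    drop it and add -l so pkcs11-tool prompts for the PIN instead."""
    return ["pkcs11-tool", "--module", module, "--sign", "-m", "SHA1-RSA-PKCS",
            "--id", obj_id, "--input-file", infile, "--output-file", sigfile, "--pin", pin]


def pubkey_command(cert_der: str, pub_pem: str) -> List[str]:
    """Extract the public key (PEM) from the DER certificate read off the card."""
    return ["openssl", "x509", "-inform", "DER", "-in", cert_der, "-pubkey", "-noout", "-out", pub_pem]


def verify_command(pub_pem: str, sigfile: str, infile: str) -> List[str]:
    """SHA1-RSA-PKCS yields a PKCS#1 v1.5 signature over SHA-1, which this verifies."""
    return ["openssl", "dgst", "-sha1", "-verify", pub_pem, "-signature", sigfile, infile]


def check_key_cert_binding(key_id: str, cert_der: str, pin: str,
                           module: str = PKCS11_MODULE, data_file: str = "/etc/passwd") -> bool:
    """True only if the PIN is accepted and the card key matches cert_der."""
    _slot, obj_id = parse_key_id(key_id)
    with tempfile.TemporaryDirectory() as tmp:
        sig = os.path.join(tmp, "signature")
        pub = os.path.join(tmp, "pub.pem")
        signed = subprocess.run(sign_command(module, obj_id, data_file, sig, pin),
                                capture_output=True, text=True)
        if signed.returncode != 0:
            # pkcs11-tool fails here on a wrong PIN, an unknown object id or no card present.
            print("signing failed:", signed.stderr.strip(), file=sys.stderr)
            return False
        subprocess.run(pubkey_command(cert_der, pub), check=True)
        verified = subprocess.run(verify_command(pub, sig, data_file),
                                  capture_output=True, text=True)
        # openssl dgst -verify exits 0 and prints "Verified OK" only on a valid signature.
        return verified.returncode == 0 and "Verified OK" in verified.stdout


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} <slot:id> <cert.der> <pin>")
    ok = check_key_cert_binding(sys.argv[1], sys.argv[2], sys.argv[3])
    print("key on card matches certificate" if ok else "MISMATCH or failure")
    sys.exit(0 if ok else 1)
```

Usage: python3 check_binding.py 1:01 cac-cert.der 77777777. A "MISMATCH" with a correct PIN usually means the id in key_id names a different key than the one whose certificate was exported with -d 01.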



---Just for testing purposes---

To test your openssl engine

run: openssl, then


> engine -vvvv dynamic -pre SO_PATH:/usr/lib/ssl/engines/engine_pkcs11.so \
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre VERBOSE \
-pre MODULE_PATH:/usr/local/lib/opensc-pkcs11.so

> req -engine pkcs11 -new -key 1:01 -keyform engine -x509 -out cert.pem -text

It will ask you for the PIN, and should generate a cert.pem if everything works.


------------Hostapd (including functioning as WiFi AP and RADIUS server)-----
hostapd.conf:
interface=wlan0
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=test-tls
hw_mode=g
channel=1
beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
macaddr_acl=0
auth_algs=3
ignore_broadcast_ssid=0
wmm_enabled=1
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=./JITC-CA.pem
server_cert=./hostapd.server.pem
private_key=./hostapd.server.key
private_key_passwd=mypass
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=radiussecret
radius_server_clients=./hostapd.radius_clients
radius_server_auth_port=1812
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP



hostapd.eap_user:

#john uses EAP-TLS and PEAP, everyone else uses PEAP and MSCHAPv2
"john@abctech.com"        TLS
* PEAP
"john"        MSCHAPV2        "mschappass"    [2]
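As an added example (not hostapd code and not part of the original post), the Python below parses hostapd.eap_user lines of the shape used above, "identity" METHOD[,METHOD] [password] [2], and flags the entries that matter on the RADIUS side: a [2] entry with no phase-1 PEAP/TTLS/FAST line to carry it, a password method with no password at all, and an MSCHAPv2 user whose password is stored reversibly rather than as an NtPasswordHash (hostapd accepts hash:<32 hex> produced by its nt_password_hash tool). The embedded sample is the three lines above plus one constructed, deliberately incomplete entry; the matching order of real hostapd lookups is not modelled.

```python
"""Parse hostapd.eap_user and flag weak entries.

Added example, not hostapd code. Handles the line shape used in the post:
  "identity" METHOD[,METHOD...] ["password" | hash:<hex> | <hex>] [2] [ver=N]
The matching order of real hostapd lookups is not modelled.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the three lines from the post plus one deliberately
# incomplete entry ("carol") that names a password method but gives no password.
SAMPLE_EAP_USER = """\
#john uses EAP-TLS and PEAP, everyone else uses PEAP and MSCHAPv2
"john@abctech.com"        TLS
* PEAP
"john"        MSCHAPV2        "mschappass"    [2]
"carol"       MSCHAPV2 [2]
"""

LINE_RE = re.compile(
    r'^(?P<id>\*|"[^"]*")\s+'
    r'(?P<methods>[A-Za-z0-9_,-]+)'
    r'(?:\s+(?P<pw>"[^"]*"|hash:[0-9A-Fa-f]+|[0-9A-Fa-f]+))?'
    r'(?P<opts>(?:\s+\[[^\]]*\])*)$'
)
TUNNEL_METHODS = {"PEAP", "TTLS", "FAST"}            # phase-1 methods that carry a [2] entry
PASSWORD_METHODS = {"MSCHAPV2", "MSCHAP", "CHAP", "PAP", "MD5", "GTC"}


@dataclass
class EapUser:
    identity: str                 # "*" is the wildcard entry
    methods: List[str]
    password: Optional[str]
    password_kind: Optional[str]  # "plain", "hex" (raw password bytes) or "nthash"
    phase2: bool                  # True for entries marked [2]
    line_no: int


def parse_eap_user(text: str) -> Tuple[List[EapUser], List[Tuple[int, str]]]:
    """Return (users, parse errors); comment and blank lines are skipped."""
    users, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append((n, f"unparseable line: {line}"))
            continue
        ident = m.group("id")
        ident = ident if ident == "*" else ident[1:-1]
        pw, kind = m.group("pw"), None
        if pw is not None:
            if pw.startswith('"'):
                pw, kind = pw[1:-1], "plain"
            elif pw.startswith("hash:"):
                pw, kind = pw[5:], "nthash"
            else:
                kind = "hex"
        opts = re.findall(r"\[([^\]]*)\]", m.group("opts"))
        users.append(EapUser(ident, m.group("methods").upper().split(","),
                             pw, kind, "2" in opts, n))
    return users, errors


def audit_eap_users(users: List[EapUser]) -> List[Tuple[str, str]]:
    """Return (code, message) findings over the whole user list."""
    findings = []
    tunnels = {m for u in users if not u.phase2 for m in u.methods if m in TUNNEL_METHODS}
    for u in users:
        where = f'line {u.line_no} ("{u.identity}")'
        if u.phase2 and not tunnels:
            findings.append(("PHASE2_WITHOUT_TUNNEL",
                             f"{where}: [2] entry but no phase-1 PEAP/TTLS/FAST entry to carry it"))
        if any(m in PASSWORD_METHODS for m in u.methods) and u.password is None:
            findings.append(("PASSWORD_MISSING",
                             f"{where}: {','.join(u.methods)} needs a password; "
                             "authentication for this user cannot succeed"))
        if any(m in ("MSCHAPV2", "MSCHAP") for m in u.methods) and u.password_kind in ("plain", "hex"):
            findings.append(("CLEARTEXT_MSCHAP_PASSWORD",
                             f"{where}: store only the NtPasswordHash (hash:<32 hex>, from "
                             "hostapd's nt_password_hash tool) instead of the reversible password"))
    return findings


if __name__ == "__main__":
    users, errors = parse_eap_user(SAMPLE_EAP_USER)
    for n, msg in errors:
        print(f"PARSE ERROR line {n}: {msg}")
    for code, msg in audit_eap_users(users):
        print(f"{code}: {msg}")
```

Storing hash: values instead of "mschappass" does not weaken MSCHAPv2 (the NT hash is all the server uses), but it does mean a leaked eap_user file no longer hands out passwords that users may have reused elsewhere.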

hostapd.radius_clients:
# RADIUS client configuration for the RADIUS server
127.0.0.1 radiussecret
