Cisco CB21AG Howto
This document will outline how to configure the Cisco CB21AG to authenticate to an access point using LEAP. Other authentication methods will be added as the magic incantations are discovered and the appropriate furry animals are sacrificed.
Configuring LEAP
1) On Breezy (5.10), install the WPA supplicant package:
sudo apt-get install wpasupplicant
2) Create a config similar to the following in /etc/wpa_supplicant.conf:
ap_scan=0
network={
    ssid="your_leap_ssid"
    eap=LEAP
    key_mgmt=IEEE8021X
    identity="your_username"
    password="your_hard_to_guess_password"
    scan_ssid=1
    auth_alg=LEAP
}
3) Plug in the CB21AG card.
4) Run wpa_supplicant:
sudo wpa_supplicant -Dmadwifi -c/etc/wpa_supplicant.conf -i ath0
Configuration notes
1) On the root AP, make sure you have open authentication configured in addition to network-eap authentication (authentication type '127' in the authentication request) configured for the SSID used for LEAP. For example, on a Cisco AP:
dot11 ssid leap-ssid
   authentication open eap eap_methods
   authentication network-eap eap_methods
2) Don't have CKIP or CMIC configured as the encryption method on the SSID used for LEAP authentication. I've yet to find out how to enable these via wpa_supplicant.
3) The debug flag '-dd' passed to the wpa_supplicant command line may help in debugging any problems you encounter. It will at least give an indication of how far through the LEAP authentication the card is getting.
Configuring EAP-FAST
By default, EAP-FAST isn't configured in the wpa_supplicant package. Enabling EAP-FAST involves re-configuring and re-building both the wpa_supplicant and openssl packages.
Warning: the following will rebuild the openssl package with a third-party patch to enable EAP-FAST support - do the following at your own risk.
1) Get the wpa_supplicant and openssl source packages:
sudo apt-get source wpasupplicant
sudo apt-get source openssl
2) Patch the openssl source tree with the experimental patch from the wpa_supplicant package:
cd openssl-0.9.7e
sudo patch -p1 < ../wpasupplicant-0.3.8/openssl-tls-extensions.patch
3) Build the openssl Debian binaries using fakeroot (you may need to install fakeroot using apt-get):
sudo dpkg-buildpackage -b
4) Install the modified openssl packages:
cd ..
sudo dpkg -i libssl0.9.7_0.9.7e-3_i386.deb openssl_0.9.7e-3_i386.deb libssl-dev_0.9.7e-3_i386.deb
5) Modify the wpa_supplicant source to include EAP-FAST in the build:
cd wpasupplicant-0.3.8/debian/patches
sudo vi 01_config.dpatch
Add the following line one line above the bottom entry in the file:
+CONFIG_EAP_FAST=y
6) Build the modified wpa_supplicant package:
cd ../..
sudo dpkg-buildpackage -b
7) Install the wpa_supplicant package:
sudo dpkg -i wpasupplicant_0.3.8-1_i386.deb
Configuration notes
1) Tested against a Cisco AP1200, version 12.3(4)JA with a local RADIUS server configured for only EAP-FAST user authentication. YMMV with other ACSs.
2) The tested configuration was using EAP-FAST coupled with WPA key management:
ap_scan=1
network={
    ssid="eap-fast-ssid"
    eap=FAST
    key_mgmt=WPA-EAP
    auth_alg=OPEN
    anonymous_identity="FAST-004096a1daa0"
    phase1="fast_provisioning=1"
    pac_file="/etc/wpa_supplicant.pac"
    identity="eap-fast-user"
    password="eap-fast-password"
    scan_ssid=1
}
The corresponding SSID/interface config on the AP was:
dot11 ssid super-secret-ssid
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
interface Dot11Radio0
 ...
 !
 encryption mode ciphers tkip
 !
 ssid super-secret-ssid
 !
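A small audit of the settings used in the LEAP and EAP-FAST configs above, as an added example that is not part of the original wiki page: it parses the network={} blocks of a wpa_supplicant.conf and reports the settings a reviewer would want to revisit. The function names, the finding strings and the trimmed sample config are assumptions made for this example.

```python
# Constructed sample: the page's two network blocks, trimmed to the audited keys.
SAMPLE_CONF = """
network={
    ssid="your_leap_ssid"
    eap=LEAP
    key_mgmt=IEEE8021X
    password="your_hard_to_guess_password"
}
network={
    ssid="eap-fast-ssid"
    eap=FAST
    key_mgmt=WPA-EAP
    phase1="fast_provisioning=1"
    password="eap-fast-password"
}
"""

def parse_networks(text):
    """Return one dict per network={...} block, skipping comments and blanks."""
    networks, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return networks

def audit(text):
    """Return (ssid, finding) pairs for settings a reviewer should look at."""
    findings = []
    for net in parse_networks(text):
        ssid = net.get("ssid", "?").strip('"')
        if "LEAP" in net.get("eap", "").split():
            findings.append((ssid, "eap=LEAP: exposed to offline password guessing"))
        if "WPA" not in net.get("key_mgmt", "WPA"):  # an unset key_mgmt is not flagged
            findings.append((ssid, "key_mgmt without WPA: 802.1X with dynamic WEP keys"))
        if "fast_provisioning=1" in net.get("phase1", ""):
            findings.append((ssid, "phase1: in-line PAC provisioning enabled"))
        if net.get("password", "").startswith('"'):
            findings.append((ssid, "plaintext password: keep the file mode 0600"))
    return findings
if __name__ == "__main__":
    for ssid, finding in audit(SAMPLE_CONF):
        print(f"{ssid}: {finding}")
```

To check a real file, pass its contents to audit(), for example audit(open("/etc/wpa_supplicant.conf").read()) run as root.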