Unsupported Version
This article applies to an unsupported version of Ubuntu.

Cisco CB21AG Howto

This document will outline how to configure the Cisco CB21AG to authenticate to an access point using LEAP. Other authentication methods will be added as the magic incantations are discovered and the appropriate furry animals are sacrificed.

Configuring LEAP

1) On Breezy (5.10), install the WPA supplicant package:

sudo apt-get install wpasupplicant

2) Create a config similar to the following in /etc/wpa_supplicant.conf:

ap_scan=0

network={
       ssid="your_leap_ssid"
       eap=LEAP
       key_mgmt=IEEE8021X
       identity="your_username"
       password="your_hard_to_guess_password"
       scan_ssid=1
       auth_alg=LEAP
}

3) Plug in the CB21AG card.

4) Run wpa_supplicant:

sudo wpa_supplicant -Dmadwifi -c/etc/wpa_supplicant.conf -i ath0 

Configuration notes

1) On the root AP, make sure open authentication is configured in addition to network-eap authentication (authentication type '127' in the authentication request) for the SSID used for LEAP. For example, on a Cisco AP:

dot11 ssid leap-ssid
 authentication open eap eap_methods
 authentication network-eap eap_methods

2) Don't have CKIP or CMIC configured as the encryption method on the SSID used for LEAP authentication. I've yet to find out how to enable these via wpa_supplicant.

3) The debug flag '-dd' passed to the wpa_supplicant command line may help in debugging any problems you encounter. It will at least give an indication of how far through the LEAP authentication the card is getting.

Configuring EAP-FAST

By default, EAP-FAST isn't configured in the wpa_supplicant package. Enabling EAP-FAST involves re-configuring and re-building both the wpa_supplicant and openssl packages.

  • Warning: the following will rebuild the openssl package with a third-party patch to enable EAP-FAST support - do the following at your own risk.

1) Get the wpa_supplicant and openssl source packages:

sudo apt-get source wpasupplicant
sudo apt-get source openssl

2) Patch the openssl source tree with the experimental patch from the wpa_supplicant package:

cd openssl-0.9.7e
sudo patch -p1 < ../wpasupplicant-0.3.8/openssl-tls-extensions.patch

3) Build the openssl debian binaries using fakeroot (you may need to install fakeroot using apt-get):

sudo dpkg-buildpackage -b

4) Install the modified openssl packages:

cd ..
sudo dpkg -i libssl0.9.7_0.9.7e-3_i386.deb openssl_0.9.7e-3_i386.deb libssl-dev_0.9.7e-3_i386.deb

5) Modify the wpa_supplicant source to include EAP-FAST in the build:

cd wpasupplicant-0.3.8/debian/patches
sudo vi 01_config.dpatch

Add the following line just above the bottom entry in the file:

+CONFIG_EAP_FAST=y

6) Build the modified wpa_supplicant package:

cd ../..
sudo dpkg-buildpackage -b

7) Install the wpa_supplicant package:

sudo dpkg -i wpasupplicant_0.3.8-1_i386.deb

Configuration notes

1) Tested against a Cisco AP1200, version 12.3(4)JA with a local radius server configured for only EAP-FAST user authentication. YMMV with other ACSs.

2) The tested configuration was using EAP-FAST coupled with WPA key management:

ap_scan=1

network={
       ssid="eap-fast-ssid"
       eap=FAST
       key_mgmt=WPA-EAP
       auth_alg=OPEN
       anonymous_identity="FAST-004096a1daa0"
       phase1="fast_provisioning=1"
       pac_file="/etc/wpa_supplicant.pac"
       identity="eap-fast-user"
       password="eap-fast-password"
       scan_ssid=1
}

The corresponding SSID/interface config on the AP was:

dot11 ssid super-secret-ssid
   authentication open eap eap_methods 
   authentication network-eap eap_methods 
   authentication key-management wpa

interface Dot11Radio0
 ...
 !
 encryption mode ciphers tkip 
 !
 ssid super-secret-ssid
 !
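
A small audit of the client configurations shown on this page, as an added example that is not part of the original wiki page or of wpa_supplicant: it parses the network blocks and reports settings worth reviewing (a cleartext password in a file readable by other users, LEAP, 802.1X without WPA key management, in-line PAC provisioning). The function names and the sample text, which combines the page's two network blocks, are constructed for illustration.

```python
import os
import re
import stat

# Constructed sample: the two network blocks from this page in one file.
SAMPLE_CONF = '''ap_scan=1
network={
       ssid="your_leap_ssid"
       eap=LEAP
       key_mgmt=IEEE8021X
       password="your_hard_to_guess_password"
}
network={
       ssid="eap-fast-ssid"
       eap=FAST
       key_mgmt=WPA-EAP
       phase1="fast_provisioning=1"
       pac_file="/etc/wpa_supplicant.pac"
       password="eap-fast-password"
}
'''

def parse_networks(text):
    """Return one dict of key -> unquoted value per network={...} block."""
    nets = []
    for body in re.findall(r'network=\{(.*?)^\s*\}', text, re.S | re.M):
        pairs = re.findall(r'^\s*(\w+)=(.*?)\s*$', body, re.M)
        nets.append({k: v.strip('"') for k, v in pairs})
    return nets

def audit(path):
    """Return a list of (ssid, finding) tuples for the config file at path."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as fh:
        nets = parse_networks(fh.read())
    for net in nets:
        ssid = net.get("ssid", "?")
        if "password" in net and mode & 0o077:
            findings.append((ssid, "cleartext password, file mode %o" % mode))
        if net.get("eap") == "LEAP":
            findings.append((ssid, "LEAP: open to offline password guessing"))
        if net.get("key_mgmt") == "IEEE8021X":
            findings.append((ssid, "802.1X without WPA key management"))
        if "fast_provisioning=1" in net.get("phase1", ""):
            findings.append((ssid, "EAP-FAST in-line PAC provisioning enabled"))
    return findings
```

Call `audit("/etc/wpa_supplicant.conf")` as a user who can read the file; with the file set to mode 600 the cleartext-password findings no longer appear.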


WifiDocs/Device/CiscoCB21AG (last edited 2011-06-09 17:29:13 by 89)