OpenWrt Forum Archive

Topic: HowTo: Internal EAP-TLS (WPA)

The content of this topic has been archived on 20 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

- Buy a WLAN Router supported by OpenWrt.
- With the original firmware, configure the router as you like - configure everything (internet access etc.), especially (802.1X aka RADIUS) authentication with an IP of 127.0.0.1 and password testing123.
- Install OpenWrt and then do the following at its command line:
ipkg install nas
nvram set wl0_akm=wpa
ipkg install freeradius-mod-eap-tls
ipkg install freeradius-democerts
vi /etc/freeradius/eap.conf
Change line 22: md5 > tls
Comment line 60, 61
Uncomment line 122, 123, 124, 130, 133, 135, 136, 147, 157, 178
vi /etc/freeradius/radiusd.conf
Uncomment line 660, 1629, 1735
ln -s /etc/init.d/radiusd /etc/init.d/S99radiusd
ipkg install ntpclient
ipkg install vsftpd
ln -s /usr/lib /usr/libexec
nvram commit
reboot

The SFTP server is for easy exchange of the certificates. You can choose anything else. Use an SFTP client on your computer and download /etc/freeradius/certs/cert-clt.p12 (Password: whatever) and /etc/freeradius/certs/demoCA/cacert.pem. Import these two files into the appropriate places. For example, for Mac OS X: Macintosh HD > Utilities > Keychain Access > File menu > Import and then AirPort menu > Other > WPA Enterprise > OK. Mac OS X will use the correct EAP type and the EAP-TLS certificates automatically, so it is just: OK.

A complete test will fail, because the server certificate is out of date. Anyway you will have to replace everything in /etc/freeradius/certs/ with your own PKI data. See the various HowTos on the net for this step.

This is just a small lousy howto. There are better ways but this is a start. Just bought that router because I knew I could have EAP-TLS internal but I found no HowTo and it took a bit of time to figure out.

Question 1
Has anyone succeeded with EAP-TLS with WEP (and not WPA)?

I /etc/init.d/radiusd stop and killall nas. Then I start nas myself with 802.1X for WEP as said in the documentation, as a background process because OpenWrt's scripts have no support for it yet, then start radiusd -X. So far it works: my client finds the access point and starts an EAP-TLS session successfully with FreeRadius. Everything is fine: connected and usable.
But no re-keying happens. Played with the time parameters, nothing. Quite useless, especially for insecure WEP... but I need WEP. Any idea?

Question 2
Could someone, please, add WEP+RADIUS support in /etc/init.d/S41wpa?

(Last edited by traud on 22 Aug 2006, 11:58)

I'm working with EAP-TLS + WEP, but I have problems with the SSL handshake.

Here is where it fails:

rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0240], Certificate
--> verify error:num=9:certificate is not yet valid
notBefore=
chain-depth=1,
error=9
--> User-Name = shark.network-crawler.de
--> BUF-Name = ?W?
--> subject = /C=DE/ST=Bavaria/O=network-crawler private
--> issuer  = /C=DE/ST=Bavaria/O=network-crawler private
--> verify return:0
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert write:fatal:bad certificate
    TLS_accept:error in SSLv3 read client certificate B
781:error:140890B2:lib(20):func(137):reason(178):NA:0:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase

See the BUF-Name?

I tried the same configs and server certificates with a SuSE 9.3
and everything was fine??

Do you know what went wrong?

thx

Oh ok, now it works.
I wondered why you need the time protocol.
Installed it and it worked. Why?

Because if the OpenWrt box is not set to the right time, there can be revocation problems. For instance the certificate of the router won't be valid because of the local time.

Thanks a lot for this howto, it is pleasant to see that it can work quite out of the box.

dl1cbp wrote:

why you need the time protocol

A certificate has a validity. FreeRadius checks the validity for its own certificate and the clients. For example in my testing with the faulty demo certificates if I set date to 2005, it failed. Setting the router to 2004 worked, but the clients complained of course. Setting all to 2004 worked great. So go for your own certificates.

Do you have working re-keying on your network? Without it, it makes nearly no sense to go for EAP-TLS.
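The handshake failure quoted earlier in this thread (verify error num=9, chain-depth=1, subject equal to issuer) and the explanation that FreeRadius checks certificate validity against the router's clock are the two things an administrator has to read out of radiusd -X output. The following Python script is an added example for this thread, not code from any post here or from FreeRADIUS: it parses the rlm_eap_tls verify-error blocks, says which certificate in the chain failed (depth 0 is the client's own certificate, deeper entries are CA certificates), and maps the OpenSSL X509 error code to the first check to make. The sample log, the user name and the DN values in it are constructed, modelled on the output quoted above.

```python
"""Triage of OpenSSL verify errors in FreeRADIUS rlm_eap_tls debug output.

Added example for this thread (not code from any of the posts or from
FreeRADIUS). When radiusd runs with -X, rlm_eap_tls prints a
'--> verify error:num=N:<reason>' block for each certificate in the
client's chain that fails validation. N is an OpenSSL X509_V_ERR_* code;
this script extracts those blocks and maps N to the first check an
administrator should make. SAMPLE_LOG is a constructed excerpt.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# OpenSSL X509 verify result codes that show up in EAP-TLS deployments,
# with the check to make first. Codes 9 and 10 are the two that a wrong
# system clock on the RADIUS server produces.
X509_VERIFY_ERRORS: Dict[int, str] = {
    2: "issuer certificate missing: the CA chain given to rlm_eap_tls is incomplete",
    7: "signature does not verify: the certificate was not issued by the configured CA",
    9: "not yet valid: the server's clock is behind the certificate's notBefore date; sync time (ntpclient) before touching the PKI",
    10: "expired: the certificate is past notAfter, or the server's clock is ahead; renew it or sync time",
    18: "self-signed certificate at depth 0: the client presented a certificate your CA did not issue",
    19: "self-signed certificate in chain: the root CA is not in the server's trusted CA file",
    20: "no local issuer: the issuing CA is not in the server's trusted CA file",
    23: "revoked: the certificate is on the CRL, which is the expected outcome for a withdrawn client",
}

VERIFY_ERROR_RE = re.compile(r"verify error:num=(\d+):(.*)")
CHAIN_DEPTH_RE = re.compile(r"chain-depth=(\d+)")
FIELD_RE = re.compile(r"--> (User-Name|subject|issuer)\s+= (.*)")


@dataclass
class VerifyFailure:
    code: int
    reason: str
    depth: Optional[int] = None
    user: Optional[str] = None
    subject: Optional[str] = None
    issuer: Optional[str] = None
    not_before: Optional[str] = None

    @property
    def clock_related(self) -> bool:
        """True when the failure is one the RADIUS server's clock can cause."""
        return self.code in (9, 10)

    @property
    def failed_cert(self) -> str:
        """Depth 0 is the client's own certificate; anything deeper is a CA cert."""
        if self.depth is None:
            return "unknown certificate"
        if self.depth == 0:
            return "client certificate"
        return f"CA certificate at chain depth {self.depth}"

    @property
    def hint(self) -> str:
        return X509_VERIFY_ERRORS.get(self.code, "unlisted code: look it up in OpenSSL's x509_vfy.h")


def parse_eap_tls_log(text: str) -> List[VerifyFailure]:
    """Collect every verify-error block from radiusd -X output."""
    failures: List[VerifyFailure] = []
    current: Optional[VerifyFailure] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = VERIFY_ERROR_RE.search(line)
        if m:
            # A new block starts; flush a block that was never closed by 'verify return'.
            if current is not None:
                failures.append(current)
            current = VerifyFailure(code=int(m.group(1)), reason=m.group(2).strip())
            continue
        if current is None:
            continue
        if (m := CHAIN_DEPTH_RE.search(line)):
            current.depth = int(m.group(1))
        elif line.startswith("notBefore="):
            # rlm_eap_tls prints the date here; an empty value is recorded as None.
            current.not_before = line[len("notBefore="):].strip() or None
        elif (m := FIELD_RE.match(line)):
            field, value = m.group(1), m.group(2).strip()
            if field == "User-Name":
                current.user = value
            elif field == "subject":
                current.subject = value
            else:
                current.issuer = value
        elif line.startswith("--> verify return:"):
            failures.append(current)
            current = None
    if current is not None:
        failures.append(current)
    return failures


def triage(text: str) -> List[str]:
    """One human-readable finding per failed certificate."""
    findings = []
    for f in parse_eap_tls_log(text):
        who = f.user or "unknown user"
        where = f.failed_cert
        if f.subject and f.subject == f.issuer:
            where += " (self-signed: subject equals issuer)"
        findings.append(f"{who}: {where} failed with X509 error {f.code} ({f.reason}); {f.hint}")
    return findings


# Constructed excerpt, modelled on the radiusd -X output quoted in this thread.
SAMPLE_LOG = """\
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0240], Certificate
--> verify error:num=9:certificate is not yet valid
notBefore=
chain-depth=1,
error=9
--> User-Name = client.example.test
--> BUF-Name = ?W?
--> subject = /C=DE/ST=Bavaria/O=Example private CA
--> issuer  = /C=DE/ST=Bavaria/O=Example private CA
--> verify return:0
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal bad_certificate
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the script reports that the certificate at chain depth 1, whose subject equals its issuer, was rejected as not yet valid: that is the CA certificate itself failing on the router's clock, which is why installing ntpclient rather than changing the PKI made the handshake succeed.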

Yes, I know that a certificate has a validity. I have my own certificates. But it is strange that "BUF-NAME" has a wrong value. That's why I didn't realize the time. thx

Re-keying works fine - I can email you my config if you like.

At startup I get a warning that the AP uses the same key, but if I have a look at my device "iwconfig eth1" then I can see a different key.

I use xsupplicant to debug with debug level 99. Have you tried this? You can find out a lot about the handshaking...

Comment: You're right, the first key works fine but then my Linksys does no rekeying.

I changed nvram to:
wl_net_reauth=60
wl0_net_reauth=60

But nothing happened.

(Last edited by dl1cbp on 19 Sep 2005, 19:57)

You can forget nvram totally when you use WEP+RADIUS because nas is not linked to nvram then. The script which reads nvram to start nas has no support for WEP+RADIUS yet. Or how do you create WEP+RADIUS? I have to start nas directly.

Personally I think the problem is nas - especially one of its parameters is wrong, but I do not understand which one.

Just for the curious reader:
Just as described in the howto re-keying under WPA works. No manual patches needed.

I think that's the thing:
STATE] AUTHENTICATING -> AUTHENTICATED
[ALL] Canceled timer for 'authentication timer'!
[INT] Got an RTM_NEWLINK!

I set:
nas -P /tmp/nas.lan.pid -l br0 -H 34954 -i eth1 -A -m 32 -r <secret> -s linksys -w 1 -I 1 -K <key> -h 127.0.0.1 -p 1812 -t 36000 &
to:
nas -P /tmp/nas.lan.pid -l br0 -H 34954 -i eth1 -A -m 32 -r <secret> -s linksys -w 1 -I 1 -K <key> -h 127.0.0.1 -p 1812 -t 60 &

And it tries after approximately 60 seconds,
BUT:
ALL] Clock tick! authWhile=0 heldWhile=29 startWhen=0 curState=AUTHENTICATED
[ALL] Clearing rekey problem timer.  (This is harmless!)
[ALL] Canceled timer for 'rekey problem timer'!
[ALL] Clock tick! authWhile=0 heldWhile=28 startWhen=0 curState=AUTHENTICATED

Do you have the same?

(Last edited by dl1cbp on 19 Sep 2005, 23:42)

I played with parameter t, too. Nothing. Even added parameter g. Nothing.

Where is this log from? Did it work or not? Sorry, I do not understand. I am here on Apple Mac OS X and my supplicant is not very chatty - at least I haven't found its verbose mode yet. I am able to monitor the RADIUS daemon on the router only.

Is there a way to have WEP+RADIUS without nas? Which script or application starts the normal WEP which needs no nas?

(Last edited by traud on 20 Sep 2005, 09:55)

This log is from xsupplicant. See above. I can see the rekey problem when I set the highest debug level.
Call:
xsupplicant -w -c /etc/xsupplicant.conf -i eth1 -d 99 -f

Note:
Xsupplicant is designed to work with Linux. Early versions of xsupplicant also supported *BSD and Mac OS X, but this support was pulled out when xsupplicant was rewritten.

Perhaps you can find such an earlier version. Xsupplicant is very chatty.

Oh - RADIUS+WEP without nas:
I don't think so; you must have a NAS (Network Access Server) in general, because it must talk PPP+EAP, i.e. block requests from the clients, and it must route the certs to the right RADIUS server. If the cert is ok (signed with the private key of the server) then the RADIUS gives ok to the NAS and it (the NAS) opens its ports for the client.

That's the way I understood the thing - but maybe I'm wrong in details...

(Last edited by dl1cbp on 20 Sep 2005, 10:56)

You are right about nas. Just thought there might be something else because the documentation says you need nas for WPA only. But I guess there is nothing else - was just a stupid assumption. So either nas in RC2/RC3 is faulty or we call it with wrong parameters.

Have I understood you correctly, the re-keying timing seems to follow parameter t? Have you played with parameter g? If that has no effect at all in the logs, we know at least what parameter t is good for. OpenWrt seemed not to know yet.

Puzzling. I got so far and now hit the wall...

Has anyone tried EAP-TLS with WEP in the meantime?

Pushing it up again. Has anyone success with EAP-TLS (WEP) re-keying? I am calling NAS the following way:

nas -P /var/run/nas.lan.pid -l br0 -H 34954 -i eth1 -A -m 32 -r testing123 -s ConnectionPoint -w 1 -I 1 -h 127.000.000.001 -p 1812 -g 91 -t 91 -k 01234567890123456789ABCDEF -K 01234567890123456789ABCDEF 01234567890123456789ABCDEF 01234567890123456789ABCDEF 01234567890123456789ABCDEF

RADIUS can work as NAS?
