Personal-level authentication and Enterprise-level authentication

WPA is designed to have the following authentication methods:

• WPA-Personal / WPA2-Personal, which uses a preshared key that's the same passphrase shared by all network users
• WPA-Enterprise / WPA2-Enterprise, which uses an 802.1X authentication RADIUS-based server to authenticate each user

This section is about the Enterprise-level authentication.

The Enterprise-level authentication methods that have been selected for use within the Wi-Fi certification body are:

• EAP-TLS, which is the initially certified method. Both the server's certificates and the user's certificates are needed.
• EAP-TTLS/MSCHAPv2: TTLS is short for “Tunnelled TLS.” It works by first authenticating the server to the user via its CA certificate. The server and the user then establish a secure connection (the tunnel), and through the secure tunnel, the user gets authenticated. There are many ways of authenticating the user through the tunnel. The EAP-TTLS/MSCHAPv2 uses MSCHAPv2 for this authentication.
• PEAP/MSCHAPv2: PEAP is the secondmost widely supported EAP after EAP-TLS. It's similar to EAP-TTLS, however, it requires only a server-side CA certificate to create a secure tunnel to protect the user authentication. Again, there are many ways of authenticating the user through the tunnel. The PEAP/MSCHAPv2 again uses MSCHAPv2 for authentication.
• PEAP/GTC: This uses GTC as the authentication method through the PEAP tunnel.
• EAP-SIM: This is for the GSM mobile telecom industry.

The io-pkt manager supports all the above, except for EAP-SIM. Certificates are placed in /etc/cert/user.pem, and CA certificates in /etc/cert/root.pem. The following example is the network definition for wpa_supplicant for each of the above Enterprise-level authentication methods:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1

# 3.1.2 linksys -- WEP
network={
    ssid="linksys"
    key_mgmt=NONE
    wep_key0="LINKSYSWEPKEY"
}

# 3.1.3 linksys -- WPA
network={
    ssid="linksys"
    key_mgmt=WPA-PSK
    psk="LINKSYSWPAKEY"
}

# 3.1.4 linksys -- WPA2
network={
    ssid="linksys"
    proto=RSN
    key_mgmt=WPA-PSK
    psk="LINKSYS_RSN_KEY"
}

# 3.1.5.1 linksys -- EAP-TLS
network={
   ssid="linksys"
   key_mgmt=WPA-EAP
   eap=TLS
   identity="client1"
   ca_cert="/etc/cert/root.pem"
   client_cert="/etc/cert/client1.pem"
   private_key="/etc/cert/client1.pem"
   private_key_passwd="wzhang"
}

# 3.1.5.2 linksys -- PEAPv1/EAP-GTC
network={
   ssid="linksys"
   key_mgmt=WPA-EAP
   eap=PEAP
   identity="client1"
   password="wzhang"
   ca_cert="/etc/cert/root.pem"
   phase1="peaplabel=0"
   phase2="autheap=GTC"
}

# 3.1.5.3 linksys -- EAP-TTLS/MSCHAPv2
network={
   ssid="linksys"
   key_mgmt=WPA-EAP
   eap=TTLS
   identity="client1"
   password="wzhang"
   ca_cert="/etc/cert/root.pem"
   phase2="autheap=MSCHAPV2"
}

# 3.1.5.4 linksys -- PEAPv1/EAP-MSCHAPV2
network={
   ssid="linksys"
   key_mgmt=WPA-EAP
   eap=PEAP
   identity="client1"
   password="wzhang"
   ca_cert="/etc/cert/root.pem"
   phase1="peaplabel=0"
   phase2="auth=MSCHAPV2"
}

Run wpa_supplicant as follows:

wpa_supplicant -i if_name -c full_path_to_your_config_file

to pick up the configuration file and make the supplicant perform the required authentication to get access to the Wi-Fi network.