Personal-level authentication and Enterprise-level authentication
WPA is designed to have the following authentication methods:
- WPA-Personal / WPA2-Personal, which uses a preshared key, that is, one passphrase shared by all network users
- WPA-Enterprise / WPA2-Enterprise, which uses 802.1X authentication against a RADIUS-based server to authenticate each user individually
This section is about the Enterprise-level authentication.
The Enterprise-level authentication methods that have been selected for certification by the Wi-Fi certification body are:
- EAP-TLS, the initially certified method. Both a server certificate and a user (client) certificate are needed.
- EAP-TTLS/MSCHAPv2: TTLS is short for Tunnelled TLS. It works by first authenticating the server to the user via its CA certificate. The server and the user then establish a secure connection (the tunnel), and the user is authenticated through that tunnel. There are many ways of authenticating the user through the tunnel; EAP-TTLS/MSCHAPv2 uses MSCHAPv2 for this authentication.
- PEAP/MSCHAPv2: PEAP is the second most widely supported EAP method after EAP-TLS. It's similar to EAP-TTLS, but it requires only a server-side CA certificate to create the secure tunnel that protects the user authentication. Again, there are many ways of authenticating the user through the tunnel; PEAP/MSCHAPv2 uses MSCHAPv2 for this authentication.
- PEAP/GTC: This uses GTC as the authentication method through the PEAP tunnel.
- EAP-SIM: This is for the GSM mobile telecom industry.
The io-pkt manager supports all of the above except EAP-SIM. Certificates are placed in /etc/cert/user.pem, and CA certificates in /etc/cert/root.pem. The following example shows the wpa_supplicant network definitions for each of the above Enterprise-level authentication methods (preceded, for comparison, by WEP and WPA/WPA2-Personal definitions for the same SSID):
# Global settings: control socket for wpa_cli and permission to rewrite this file
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1

# 3.1.2 linksys -- WEP (no key management; static WEP key)
network={
    ssid="linksys"
    key_mgmt=NONE
    wep_key0="LINKSYSWEPKEY"
}

# 3.1.3 linksys -- WPA (WPA-Personal, preshared key)
network={
    ssid="linksys"
    key_mgmt=WPA-PSK
    psk="LINKSYSWPAKEY"
}

# 3.1.4 linksys -- WPA2 (WPA2-Personal; proto=RSN selects WPA2 only)
network={
    ssid="linksys"
    proto=RSN
    key_mgmt=WPA-PSK
    psk="LINKSYS_RSN_KEY"
}

# 3.1.5.1 linksys -- EAP-TLS (server and client certificates)
network={
    ssid="linksys"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="client1"
    ca_cert="/etc/cert/root.pem"
    # one PEM file holding both the client certificate and its private key
    client_cert="/etc/cert/client1.pem"
    private_key="/etc/cert/client1.pem"
    private_key_passwd="wzhang"
}

# 3.1.5.2 linksys -- PEAPv1/EAP-GTC
network={
    ssid="linksys"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="client1"
    password="wzhang"
    ca_cert="/etc/cert/root.pem"
    phase1="peaplabel=0"
    # PEAP inner (phase 2) methods are selected with auth=; autheap= is TTLS syntax
    phase2="auth=GTC"
}

# 3.1.5.3 linksys -- EAP-TTLS/MSCHAPv2
network={
    ssid="linksys"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="client1"
    password="wzhang"
    ca_cert="/etc/cert/root.pem"
    # auth=MSCHAPV2 runs plain MSCHAPv2 inside the TTLS tunnel;
    # autheap=MSCHAPV2 would select EAP-MSCHAPv2 instead
    phase2="auth=MSCHAPV2"
}

# 3.1.5.4 linksys -- PEAPv1/EAP-MSCHAPV2
network={
    ssid="linksys"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="client1"
    password="wzhang"
    ca_cert="/etc/cert/root.pem"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
Run wpa_supplicant as follows, where if_name is the wireless interface:
wpa_supplicant -i if_name -c full_path_to_your_config_file
This picks up the configuration file and makes the supplicant perform the required authentication to gain access to the Wi-Fi network.
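The tunnelled methods above only protect the user's credentials if the supplicant actually verifies the server (the ca_cert line) and the phase 2 keyword matches the outer method. The following added check, which is not part of the original page or of io-pkt/wpa_supplicant, parses the network blocks of a configuration file in the format shown above and reports blocks that drop either of those; the sample configuration and the finding names are constructed for this example.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax (not the page's file): block 0
# omits ca_cert, block 1 uses the TTLS-only "autheap=" keyword under PEAP.
SAMPLE_CONF = """
network={
    ssid="corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="client1"
    password="example"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="client1"
    password="example"
    ca_cert="/etc/cert/root.pem"
    phase2="autheap=GTC"
}
"""

def parse_networks(text):
    """Return one {key: value} dict (quotes stripped) per network={...} block."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        entry = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, val = line.split("=", 1)
                entry[key.strip()] = val.strip().strip('"')
        blocks.append(entry)
    return blocks

def lint_enterprise(text):
    """Return [(block index, finding)] for WPA-EAP blocks with weak tunnel setup."""
    findings = []
    for i, net in enumerate(parse_networks(text)):
        if "WPA-EAP" not in net.get("key_mgmt", ""):
            continue  # WPA-PSK / WEP blocks are out of scope here
        if "ca_cert" not in net:
            # No CA certificate means the server is never verified, so the
            # tunnel (and the inner password exchange) can end at any AP.
            findings.append((i, "missing-ca-cert"))
        if net.get("eap", "").upper() == "PEAP" and "autheap=" in net.get("phase2", ""):
            findings.append((i, "peap-uses-autheap"))  # PEAP inner methods use "auth="
    return findings
```

Run lint_enterprise on the contents of your own configuration file; an empty list means every WPA-EAP block names a CA certificate and uses the PEAP phase 2 keyword correctly.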