EAP-PSK

What is Expansion of EAP-PSK?

EAP-PSK stands for Extensible Authentication Protocol - Pre-Shared Key.

What is EAP-PSK?

EAP-PSK is an authentication method for EAP that uses a symmetric pre-shared key for mutual authentication between client and server without requiring certificates.

Why is EAP-PSK useful?

• Simpler to deploy — no need for certificate infrastructure.

• Provides mutual authentication and session key derivation.

• Useful in constrained environments (e.g., IoT, embedded systems).

• Lightweight and secure (when used with strong PSKs).

How it works?

• Both client and server share a pre-established key.

• EAP-PSK defines a 4-phase handshake: 1. Identity exchange. 2. Exchange of nonces and mutual authentication using the PSK. 3. Key derivation and confirmation. 4. Success notification.

• Protects against replay and man-in-the-middle attacks.

Where is EAP-PSK used?

• IoT devices and constrained networks.

• Environments where certificate management is not feasible.

• Secure wireless or VPN authentication where simplicity is key.

Which OSI layer does this protocol belong to?

• Operates at the Application Layer (Layer 7).

• Encapsulated within EAP, which is carried over lower layers like EAPOL or RADIUS.

IS EAP-PSK Windows specific?

• No, it is not Windows-specific.

• It can be implemented on any OS that supports EAP frameworks.

IS EAP-PSK Linux Specific?

• No, EAP-PSK is not Linux-specific.

• It is available across platforms, although not always supported by default in some supplicants.

Which Transport Protocol is used by EAP-PSK?

• Transported via EAP over LAN (EAPOL), RADIUS, or other EAP-capable transports.

• Backend communication often uses UDP (RADIUS) or TCP (Diameter).

Which Port is used by EAP-PSK?

• Uses standard RADIUS ports: * UDP 1812 (Authentication) * UDP 1813 (Accounting)

Is EAP-PSK using Client server model?

• Yes, it uses a client-server architecture: * Client: Supplicant * Server: RADIUS or EAP-compliant authentication server

Whether EAP-PSK protocol uses certificates?

• No.

• It uses symmetric keys (pre-shared) instead of digital certificates.

How many frame exchanges are seen during connection for EAP-PSK protocol?

• Typically involves 4 main EAP message exchanges.

• Additional EAPOL or RADIUS messages may be included depending on infrastructure.

Whether EAP-PSK Protocol uses client certificates?

• No, it does not use client certificates.

• Authentication relies solely on the pre-shared key.

Whether EAP-PSK Protocol uses Server Certificates?

• No.

• No certificates are used on either side.

IS EAP-PSK Protocol depends on TCP?

• No, EAP-PSK itself does not require TCP.

• Backend communication (e.g., Diameter) might use TCP, but EAP-PSK is agnostic.

IS EAP-PSK Protocol depends on UDP?

• Yes, commonly.

• When transported via RADIUS, EAP-PSK relies on UDP 1812.

What are the roles involved when testing EAP-PSK Protocol?

• Supplicant (Client device)

• Authenticator (e.g., access point or switch)

• Authentication Server (e.g., FreeRADIUS)

Does EAP-PSK Protocol work with FreeRADIUS server on Linux?

• Yes, FreeRADIUS supports EAP-PSK.

• Requires proper module configuration and key management.

Does EAP-PSK Protocol work with Internal radius server of hostapd?

• No, hostapd’s internal server does not support EAP-PSK.

• You need an external RADIUS server like FreeRADIUS.

What is the RFC version use for EAP-PSK Protocol?

• EAP-PSK is defined in RFC 4764.

During Connection Procedure which EPoL Packets are encrypted?

• EAPOL packets themselves are not encrypted.

• However, key material exchanged via EAP-PSK is protected using cryptographic primitives like AES-128.

Can you Explain different stages of Connection Procedure for EAP-PSK Protocol?

• Stage 1: EAP-Request/Identity → EAP-Response/Identity

• Stage 2: Server sends random challenge (RAND_S)

• Stage 3: Client responds with RAND_P, MAC_P

• Stage 4: Server verifies MAC_P and sends MAC_S

• Stage 5: Session key is derived and Success sent

What is the final output of Connection Procedure?

• A shared Master Session Key (MSK) is generated for securing subsequent communication.

What is the format of the key generate after the connection procedure?

• The MSK is 64 bytes (512 bits), derived from the pre-shared key and exchanged nonces.

Where the use of PMK generated by the Connection Procedure?

• PMK is derived from the MSK and used in WPA2/WPA3 enterprise mode.

• It helps generate encryption keys like PTK for data protection.

Topics in this section,

• Learnings in this section

• Terminology

• Version Info

• EAP_PSK Version&IEEE Details

• EAP_PSK FreeRadius Basic Setup on Ubuntu (2 Machines)

• EAP_PSK FreeRadius Basic Setup on Ubuntu (3 Machines)

• EAP_PSK Internal Radius Server Basic Setup on Ubuntu (2 Machines)

  • STEP 1: Bring up AP

  • STEP 2: Bring up STA

• EAP_PSK Protocol Packet Details

• EAP_PSK Usecases

• EAP_PSK Basic Features

• Reference links

Learnings in this section

• In this section, you are going to learn

Terminology

• Terminology

Version Info

• Version Info

EAP_PSK Version&RFC Details

• rfc details

Internal Radius Server Basic Setup on Ubuntu (2 Machines)

STEP 1: Bring up AP using hostapd

Run AP mode operation with hostapd

AP : Download hostapd

Note Make sure internet is available in laptop to download hostapd package

test:~$ wget http://w1.fi/releases/hostapd-2.9.tar.gz

AP: Install required packages

test:~$ sudo apt install libnl-genl-3-dev libnl-3-dev libdbus-glib-1-dev

AP : Extract hostapd

test:~$ tar -xzvf hostapd-2.9.tar.gz

AP : Change directory to hostapd

test:~$ cd hostapd-2.9/hostapd/

AP : Check the current working directory using pwd command

Note Make sure your current working directory is hostapd

test:~$ pwd /home/test/hostapd-2.9/hostapd

AP : Copy the contents of defconfig file to .config file

Note .config file is required for make to start compilation of hostapd

test:~$ sudo cp defconfig .config See the full configuration of hostapd # Example hostapd build time configuration # # This file lists the configuration options that are used when building the # hostapd binary. All lines starting with # are ignored. Configuration option # lines must be commented out complete, if they are not to be included, i.e., # just setting VARIABLE=n is not disabling that variable. # # This file is included in Makefile, so variables like CFLAGS and LIBS can also # be modified from here. In most cass, these lines should use += in order not # to override previous values of the variables. # Driver interface for Host AP driver CONFIG_DRIVER_HOSTAP=y # Driver interface for wired authenticator #CONFIG_DRIVER_WIRED=y # Driver interface for drivers using the nl80211 kernel interface CONFIG_DRIVER_NL80211=y CONFIG_DRIVER_WIRED=y CONFIG_IEEE8021X_EAPOL=y CONFIG_RADIUS_SERVER=y CONFIG_TLS=openssl CONFIG_EAP=y CONFIG_TLSV11=y CONFIG_TLSV12=y CONFIG_EAP_TLS=y CONFIG_EAP_MSCHAPV2=y CONFIG_EAP_PEAP=y CONFIG_EAP_MD5=y CONFIG_EAP_PAX=y CONFIG_EAP_PSK=y # QCA vendor extensions to nl80211 #CONFIG_DRIVER_NL80211_QCA=y # driver_nl80211.c requires libnl. If you are compiling it yourself # you may need to point hostapd to your version of libnl. # #CFLAGS += -I$<path to libnl include files> #LIBS += -L$<path to libnl library files> # Use libnl v2.0 (or 3.0) libraries. #CONFIG_LIBNL20=y # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) CONFIG_LIBNL32=y # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) #CONFIG_DRIVER_BSD=y #CFLAGS += -I/usr/local/include #LIBS += -L/usr/local/lib #LIBS_p += -L/usr/local/lib #LIBS_c += -L/usr/local/lib # Driver interface for no driver (e.g., RADIUS server only) #CONFIG_DRIVER_NONE=y # WPA2/IEEE 802.11i RSN pre-authentication CONFIG_RSN_PREAUTH=y # Support Operating Channel Validation #CONFIG_OCV=y # Integrated EAP server CONFIG_EAP=y # EAP Re-authentication Protocol (ERP) in integrated EAP server CONFIG_ERP=y # EAP-MD5 for the integrated EAP server CONFIG_EAP_MD5=y # EAP-TLS for the integrated EAP server CONFIG_EAP_TLS=y # EAP-MSCHAPv2 for the integrated EAP server CONFIG_EAP_MSCHAPV2=y # EAP-PEAP for the integrated EAP server CONFIG_EAP_PEAP=y # EAP-GTC for the integrated EAP server CONFIG_EAP_GTC=y # EAP-TTLS for the integrated EAP server CONFIG_EAP_TTLS=y # EAP-SIM for the integrated EAP server #CONFIG_EAP_SIM=y # EAP-AKA for the integrated EAP server #CONFIG_EAP_AKA=y # EAP-AKA' for the integrated EAP server # This requires CONFIG_EAP_AKA to be enabled, too. #CONFIG_EAP_AKA_PRIME=y # EAP-PAX for the integrated EAP server #CONFIG_EAP_PAX=y # EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK) #CONFIG_EAP_PSK=y # EAP-pwd for the integrated EAP server (secure authentication with a password) #CONFIG_EAP_PWD=y # EAP-SAKE for the integrated EAP server #CONFIG_EAP_SAKE=y # EAP-GPSK for the integrated EAP server #CONFIG_EAP_GPSK=y # Include support for optional SHA256 cipher suite in EAP-GPSK #CONFIG_EAP_GPSK_SHA256=y # EAP-FAST for the integrated EAP server #CONFIG_EAP_FAST=y # EAP-TEAP for the integrated EAP server # Note: The current EAP-TEAP implementation is experimental and should not be # enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number # of conflicting statements and missing details and the implementation has # vendor specific workarounds for those and as such, may not interoperate with # any other implementation. This should not be used for anything else than # experimentation and interoperability testing until those issues has been # resolved. #CONFIG_EAP_TEAP=y # Wi-Fi Protected Setup (WPS) #CONFIG_WPS=y # Enable UPnP support for external WPS Registrars #CONFIG_WPS_UPNP=y # Enable WPS support with NFC config method #CONFIG_WPS_NFC=y # EAP-IKEv2 #CONFIG_EAP_IKEV2=y # Trusted Network Connect (EAP-TNC) #CONFIG_EAP_TNC=y # EAP-EKE for the integrated EAP server #CONFIG_EAP_EKE=y # PKCS#12 (PFX) support (used to read private key and certificate file from # a file that usually has extension .p12 or .pfx) CONFIG_PKCS12=y # RADIUS authentication server. This provides access to the integrated EAP # server from external hosts using RADIUS. #CONFIG_RADIUS_SERVER=y # Build IPv6 support for RADIUS operations CONFIG_IPV6=y # IEEE Std 802.11r-2008 (Fast BSS Transition) #CONFIG_IEEE80211R=y # Use the hostapd's IEEE 802.11 authentication (ACL), but without # the IEEE 802.11 Management capability (e.g., FreeBSD/net80211) #CONFIG_DRIVER_RADIUS_ACL=y # Wireless Network Management (IEEE Std 802.11v-2011) # Note: This is experimental and not complete implementation. #CONFIG_WNM=y # IEEE 802.11ac (Very High Throughput) support #CONFIG_IEEE80211AC=y # IEEE 802.11ax HE support # Note: This is experimental and work in progress. The definitions are still # subject to change and this should not be expected to interoperate with the # final IEEE 802.11ax version. #CONFIG_IEEE80211AX=y # Remove debugging code that is printing out debug messages to stdout. # This can be used to reduce the size of the hostapd considerably if debugging # code is not needed. #CONFIG_NO_STDOUT_DEBUG=y # Add support for writing debug log to a file: -f /tmp/hostapd.log # Disabled by default. #CONFIG_DEBUG_FILE=y # Send debug messages to syslog instead of stdout #CONFIG_DEBUG_SYSLOG=y # Add support for sending all debug messages (regardless of debug verbosity) # to the Linux kernel tracing facility. This helps debug the entire stack by # making it easy to record everything happening from the driver up into the # same file, e.g., using trace-cmd. #CONFIG_DEBUG_LINUX_TRACING=y # Remove support for RADIUS accounting #CONFIG_NO_ACCOUNTING=y # Remove support for RADIUS #CONFIG_NO_RADIUS=y # Remove support for VLANs #CONFIG_NO_VLAN=y # Enable support for fully dynamic VLANs. This enables hostapd to # automatically create bridge and VLAN interfaces if necessary. #CONFIG_FULL_DYNAMIC_VLAN=y # Use netlink-based kernel API for VLAN operations instead of ioctl() # Note: This requires libnl 3.1 or newer. #CONFIG_VLAN_NETLINK=y # Remove support for dumping internal state through control interface commands # This can be used to reduce binary size at the cost of disabling a debugging # option. #CONFIG_NO_DUMP_STATE=y # Enable tracing code for developer debugging # This tracks use of memory allocations and other registrations and reports # incorrect use with a backtrace of call (or allocation) location. #CONFIG_WPA_TRACE=y # For BSD, comment out these. #LIBS += -lexecinfo #LIBS_p += -lexecinfo #LIBS_c += -lexecinfo # Use libbfd to get more details for developer debugging # This enables use of libbfd to get more detailed symbols for the backtraces # generated by CONFIG_WPA_TRACE=y. #CONFIG_WPA_TRACE_BFD=y # For BSD, comment out these. #LIBS += -lbfd -liberty -lz #LIBS_p += -lbfd -liberty -lz #LIBS_c += -lbfd -liberty -lz # hostapd depends on strong random number generation being available from the # operating system. os_get_random() function is used to fetch random data when # needed, e.g., for key generation. On Linux and BSD systems, this works by # reading /dev/urandom. It should be noted that the OS entropy pool needs to be # properly initialized before hostapd is started. This is important especially # on embedded devices that do not have a hardware random number generator and # may by default start up with minimal entropy available for random number # generation. # # As a safety net, hostapd is by default trying to internally collect # additional entropy for generating random data to mix in with the data # fetched from the OS. This by itself is not considered to be very strong, but # it may help in cases where the system pool is not initialized properly. # However, it is very strongly recommended that the system pool is initialized # with enough entropy either by using hardware assisted random number # generator or by storing state over device reboots. # # hostapd can be configured to maintain its own entropy store over restarts to # enhance random number generation. This is not perfect, but it is much more # secure than using the same sequence of random numbers after every reboot. # This can be enabled with -e<entropy file> command line option. The specified # file needs to be readable and writable by hostapd. # # If the os_get_random() is known to provide strong random data (e.g., on # Linux/BSD, the board in question is known to have reliable source of random # data from /dev/urandom), the internal hostapd random pool can be disabled. # This will save some in binary size and CPU use. However, this should only be # considered for builds that are known to be used on devices that meet the # requirements described above. #CONFIG_NO_RANDOM_POOL=y # Should we attempt to use the getrandom(2) call that provides more reliable # yet secure randomness source than /dev/random on Linux 3.17 and newer. # Requires glibc 2.25 to build, falls back to /dev/random if unavailable. #CONFIG_GETRANDOM=y # Should we use poll instead of select? Select is used by default. #CONFIG_ELOOP_POLL=y # Should we use epoll instead of select? Select is used by default. #CONFIG_ELOOP_EPOLL=y # Should we use kqueue instead of select? Select is used by default. #CONFIG_ELOOP_KQUEUE=y # Select TLS implementation # openssl = OpenSSL (default) # gnutls = GnuTLS # internal = Internal TLSv1 implementation (experimental) # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental) # none = Empty template #CONFIG_TLS=openssl # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) # can be enabled to get a stronger construction of messages when block ciphers # are used. #CONFIG_TLSV11=y # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2) # can be enabled to enable use of stronger crypto algorithms. #CONFIG_TLSV12=y # Select which ciphers to use by default with OpenSSL if the user does not # specify them. #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW" # If CONFIG_TLS=internal is used, additional library and include paths are # needed for LibTomMath. Alternatively, an integrated, minimal version of # LibTomMath can be used. See beginning of libtommath.c for details on benefits # and drawbacks of this option. #CONFIG_INTERNAL_LIBTOMMATH=y #ifndef CONFIG_INTERNAL_LIBTOMMATH #LTM_PATH=/usr/src/libtommath-0.39 #CFLAGS += -I$(LTM_PATH) #LIBS += -L$(LTM_PATH) #LIBS_p += -L$(LTM_PATH) #endif # At the cost of about 4 kB of additional binary size, the internal LibTomMath # can be configured to include faster routines for exptmod, sqr, and div to # speed up DH and RSA calculation considerably #CONFIG_INTERNAL_LIBTOMMATH_FAST=y # Interworking (IEEE 802.11u) # This can be used to enable functionality to improve interworking with # external networks. #CONFIG_INTERWORKING=y # Hotspot 2.0 #CONFIG_HS20=y # Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file #CONFIG_SQLITE=y # Enable Fast Session Transfer (FST) #CONFIG_FST=y # Enable CLI commands for FST testing #CONFIG_FST_TEST=y # Testing options # This can be used to enable some testing options (see also the example # configuration file) that are really useful only for testing clients that # connect to this hostapd. These options allow, for example, to drop a # certain percentage of probe requests or auth/(re)assoc frames. # #CONFIG_TESTING_OPTIONS=y # Automatic Channel Selection # This will allow hostapd to pick the channel automatically when channel is set # to "acs_survey" or "0". Eventually, other ACS algorithms can be added in # similar way. # # Automatic selection is currently only done through initialization, later on # we hope to do background checks to keep us moving to more ideal channels as # time goes by. ACS is currently only supported through the nl80211 driver and # your driver must have survey dump capability that is filled by the driver # during scanning. # # You can customize the ACS survey algorithm with the hostapd.conf variable # acs_num_scans. # # Supported ACS drivers: # * ath9k # * ath5k # * ath10k # # For more details refer to: # https://wireless.wiki.kernel.org/en/users/documentation/acs # #CONFIG_ACS=y # Multiband Operation support # These extensions facilitate efficient use of multiple frequency bands # available to the AP and the devices that may associate with it. #CONFIG_MBO=y # Client Taxonomy # Has the AP retain the Probe Request and (Re)Association Request frames from # a client, from which a signature can be produced which can identify the model # of client device like "Nexus 6P" or "iPhone 5s". #CONFIG_TAXONOMY=y # Fast Initial Link Setup (FILS) (IEEE 802.11ai) #CONFIG_FILS=y # FILS shared key authentication with PFS #CONFIG_FILS_SK_PFS=y # Include internal line edit mode in hostapd_cli. This can be used to provide # limited command line editing and history support. #CONFIG_WPA_CLI_EDIT=y # Opportunistic Wireless Encryption (OWE) # Experimental implementation of draft-harkins-owe-07.txt #CONFIG_OWE=y # Airtime policy support #CONFIG_AIRTIME_POLICY=y # Override default value for the wpa_disable_eapol_key_retries configuration # parameter. See that parameter in hostapd.conf for more details. #CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1 # Wired equivalent privacy (WEP) # WEP is an obsolete cryptographic data confidentiality algorithm that is not # considered secure. It should not be used for anything anymore. The # functionality needed to use WEP is available in the current hostapd # release under this optional build parameter. This functionality is subject to # be completely removed in a future release. #CONFIG_WEP=y # Remove all TKIP functionality # TKIP is an old cryptographic data confidentiality algorithm that is not # considered secure. It should not be used anymore. For now, the default hostapd # build includes this to allow mixed mode WPA+WPA2 networks to be enabled, but # that functionality is subject to be removed in the future. #CONFIG_NO_TKIP=y # Pre-Association Security Negotiation (PASN) # Experimental implementation based on IEEE P802.11z/D2.6 and the protocol # design is still subject to change. As such, this should not yet be enabled in # production use. # This requires CONFIG_IEEE80211W=y to be enabled, too. #CONFIG_PASN=y # Device Provisioning Protocol (DPP) (also known as Wi-Fi Easy Connect) CONFIG_DPP=y # DPP version 2 support CONFIG_DPP2=y # DPP version 3 support (experimental and still changing; do not enable for # production use) #CONFIG_DPP3=y

AP : Complile hostapd

Note Compile hostapd by running make command

test:~$ make

AP : Check for the binaries created

Note Make sure hostapd and hostapd_cli are present

test:~$ ls hostapd hostapd_cli

AP : Create a hostapd.conf file in /etc/hostapd folder with below content

test:~$ sudo vim /etc/hostapd/hostapd.conf ctrl_interface=/var/run/hostapd interface=enp0s8 driver=wired logger_stdout=1 logger_stdout_level=1 ieee8021x=1 eap_server=1 eap_user_file=/etc/hostapd/hostapd.eap_user eap_reauth_period=3600 auth_algs=1 macaddr_acl=0

AP : Create a file eap_user in /etc/hostapd/ folder with below content

test:~$ sudo vim /etc/hostapd/hostapd.eap_user See the file of eap_user "user1" PAX e5d83872d145f206c46149f5c5ce2ae4 "user2" SAKE "b7962e84c816c4a1644f1366344338aa" "user3" PSK "1234567890123456"

AP : Run hostapd

test:~$ sudo ./hostapd /etc/hostapd/hostapd.conf enp0s8: interface state UNINITIALIZED->ENABLED enp0s8: AP-ENABLED

STEP 2: Bring up STA

STA : Download wpa_supplicant

Note Make sure internet is available in laptop to download supplicant package

test:~$ wget https://w1.fi/releases/wpa_supplicant-2.9.tar.gz

STA: Install required packages

test:~$ sudo apt install libnl-genl-3-dev libnl-3-dev libdbus-glib-1-dev

STA : Extract wpa_supplicant

test:~$ tar -xvf wpa_supplicant-2.9.tar.gz

STA : Change directory to wpa_supplicant

test:~$ cd wpa_supplicant-2.9/wpa_supplicant/

STA : Check the current working directory using pwd command

Note Make sure your current working directory is wpa_supplicant

test:~$ pwd /home/test/wpa_supplicant-2.9/wpa_supplicant

STA : Copy the contents of defconfig file to .config file

Note .config file is required for make to start compilation of supplicant

test:~$ cp defconfig .config See the full configuration of wpa_supplicant # Example wpa_supplicant build time configuration # # This file lists the configuration options that are used when building the # wpa_supplicant binary. All lines starting with # are ignored. Configuration # option lines must be commented out complete, if they are not to be included, # i.e., just setting VARIABLE=n is not disabling that variable. # # This file is included in Makefile, so variables like CFLAGS and LIBS can also # be modified from here. In most cases, these lines should use += in order not # to override previous values of the variables. # Uncomment following two lines and fix the paths if you have installed OpenSSL # or GnuTLS in non-default location #CFLAGS += -I/usr/local/openssl/include #LIBS += -L/usr/local/openssl/lib # Some Red Hat versions seem to include kerberos header files from OpenSSL, but # the kerberos files are not in the default include path. Following line can be # used to fix build issues on such systems (krb5.h not found). #CFLAGS += -I/usr/include/kerberos # Driver interface for generic Linux wireless extensions # Note: WEXT is deprecated in the current Linux kernel version and no new # functionality is added to it. nl80211-based interface is the new # replacement for WEXT and its use allows wpa_supplicant to properly control # the driver to improve existing functionality like roaming and to support new # functionality. CONFIG_DRIVER_WEXT=y # Driver interface for Linux drivers using the nl80211 kernel interface CONFIG_DRIVER_NL80211=y CONFIG_DRIVER_WIRED=y CONFIG_IEEE8021X_EAPOL=y CONFIG_RADIUS_SERVER=y CONFIG_TLS=openssl CONFIG_EAP=y CONFIG_TLSV11=y CONFIG_TLSV12=y CONFIG_EAP_TLS=y CONFIG_EAP_MSCHAPV2=y CONFIG_EAP_PEAP=y CONFIG_EAP_MD5=y CONFIG_EAP_PAX=y CONFIG_EAP_PSK=y # QCA vendor extensions to nl80211 #CONFIG_DRIVER_NL80211_QCA=y # driver_nl80211.c requires libnl. If you are compiling it yourself # you may need to point hostapd to your version of libnl. # #CFLAGS += -I$<path to libnl include files> #LIBS += -L$<path to libnl library files> # Use libnl v2.0 (or 3.0) libraries. #CONFIG_LIBNL20=y # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) CONFIG_LIBNL32=y # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) #CONFIG_DRIVER_BSD=y #CFLAGS += -I/usr/local/include #LIBS += -L/usr/local/lib #LIBS_p += -L/usr/local/lib #LIBS_c += -L/usr/local/lib # Driver interface for Windows NDIS #CONFIG_DRIVER_NDIS=y #CFLAGS += -I/usr/include/w32api/ddk #LIBS += -L/usr/local/lib # For native build using mingw #CONFIG_NATIVE_WINDOWS=y # Additional directories for cross-compilation on Linux host for mingw target #CFLAGS += -I/opt/mingw/mingw32/include/ddk #LIBS += -L/opt/mingw/mingw32/lib #CC=mingw32-gcc # By default, driver_ndis uses WinPcap for low-level operations. This can be # replaced with the following option which replaces WinPcap calls with NDISUIO. # However, this requires that WZC is disabled (net stop wzcsvc) before starting # wpa_supplicant. # CONFIG_USE_NDISUIO=y # Driver interface for wired Ethernet drivers CONFIG_DRIVER_WIRED=y # Driver interface for MACsec capable Qualcomm Atheros drivers #CONFIG_DRIVER_MACSEC_QCA=y # Driver interface for Linux MACsec drivers CONFIG_DRIVER_MACSEC_LINUX=y # Driver interface for the Broadcom RoboSwitch family #CONFIG_DRIVER_ROBOSWITCH=y # Driver interface for no driver (e.g., WPS ER only) #CONFIG_DRIVER_NONE=y # Solaris libraries #LIBS += -lsocket -ldlpi -lnsl #LIBS_c += -lsocket # Enable IEEE 802.1X Supplicant (automatically included if any EAP method or # MACsec is included) CONFIG_IEEE8021X_EAPOL=y # EAP-MD5 CONFIG_EAP_MD5=y # EAP-MSCHAPv2 CONFIG_EAP_MSCHAPV2=y # EAP-TLS CONFIG_EAP_TLS=y # EAL-PEAP CONFIG_EAP_PEAP=y # EAP-TTLS CONFIG_EAP_TTLS=y # EAP-FAST CONFIG_EAP_FAST=y # EAP-TEAP # Note: The current EAP-TEAP implementation is experimental and should not be # enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number # of conflicting statements and missing details and the implementation has # vendor specific workarounds for those and as such, may not interoperate with # any other implementation. This should not be used for anything else than # experimentation and interoperability testing until those issues has been # resolved. #CONFIG_EAP_TEAP=y # EAP-GTC CONFIG_EAP_GTC=y # EAP-OTP CONFIG_EAP_OTP=y # EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used) #CONFIG_EAP_SIM=y # Enable SIM simulator (Milenage) for EAP-SIM #CONFIG_SIM_SIMULATOR=y # EAP-PSK (experimental; this is _not_ needed for WPA-PSK) #CONFIG_EAP_PSK=y # EAP-pwd (secure authentication using only a password) CONFIG_EAP_PWD=y # EAP-PAX CONFIG_EAP_PAX=y # LEAP CONFIG_EAP_LEAP=y # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used) #CONFIG_EAP_AKA=y # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used). # This requires CONFIG_EAP_AKA to be enabled, too. #CONFIG_EAP_AKA_PRIME=y # Enable USIM simulator (Milenage) for EAP-AKA #CONFIG_USIM_SIMULATOR=y # EAP-SAKE CONFIG_EAP_SAKE=y # EAP-GPSK CONFIG_EAP_GPSK=y # Include support for optional SHA256 cipher suite in EAP-GPSK CONFIG_EAP_GPSK_SHA256=y # EAP-TNC and related Trusted Network Connect support (experimental) CONFIG_EAP_TNC=y # Wi-Fi Protected Setup (WPS) CONFIG_WPS=y # Enable WPS external registrar functionality #CONFIG_WPS_ER=y # Disable credentials for an open network by default when acting as a WPS # registrar. #CONFIG_WPS_REG_DISABLE_OPEN=y # Enable WPS support with NFC config method #CONFIG_WPS_NFC=y # EAP-IKEv2 CONFIG_EAP_IKEV2=y # EAP-EKE #CONFIG_EAP_EKE=y # MACsec CONFIG_MACSEC=y # PKCS#12 (PFX) support (used to read private key and certificate file from # a file that usually has extension .p12 or .pfx) CONFIG_PKCS12=y # Smartcard support (i.e., private key on a smartcard), e.g., with openssl # engine. CONFIG_SMARTCARD=y # PC/SC interface for smartcards (USIM, GSM SIM) # Enable this if EAP-SIM or EAP-AKA is included #CONFIG_PCSC=y # Support HT overrides (disable HT/HT40, mask MCS rates, etc.) #CONFIG_HT_OVERRIDES=y # Support VHT overrides (disable VHT, mask MCS rates, etc.) #CONFIG_VHT_OVERRIDES=y # Development testing #CONFIG_EAPOL_TEST=y # Select control interface backend for external programs, e.g, wpa_cli: # unix = UNIX domain sockets (default for Linux/*BSD) # udp = UDP sockets using localhost (127.0.0.1) # udp6 = UDP IPv6 sockets using localhost (::1) # named_pipe = Windows Named Pipe (default for Windows) # udp-remote = UDP sockets with remote access (only for tests systems/purpose) # udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose) # y = use default (backwards compatibility) # If this option is commented out, control interface is not included in the # build. CONFIG_CTRL_IFACE=y # Include support for GNU Readline and History Libraries in wpa_cli. # When building a wpa_cli binary for distribution, please note that these # libraries are licensed under GPL and as such, BSD license may not apply for # the resulting binary. #CONFIG_READLINE=y # Include internal line edit mode in wpa_cli. This can be used as a replacement # for GNU Readline to provide limited command line editing and history support. #CONFIG_WPA_CLI_EDIT=y # Remove debugging code that is printing out debug message to stdout. # This can be used to reduce the size of the wpa_supplicant considerably # if debugging code is not needed. The size reduction can be around 35% # (e.g., 90 kB). #CONFIG_NO_STDOUT_DEBUG=y # Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save # 35-50 kB in code size. #CONFIG_NO_WPA=y # Remove IEEE 802.11i/WPA-Personal ASCII passphrase support # This option can be used to reduce code size by removing support for # converting ASCII passphrases into PSK. If this functionality is removed, the # PSK can only be configured as the 64-octet hexstring (e.g., from # wpa_passphrase). This saves about 0.5 kB in code size. #CONFIG_NO_WPA_PASSPHRASE=y # Simultaneous Authentication of Equals (SAE), WPA3-Personal CONFIG_SAE=y # Disable scan result processing (ap_scan=1) to save code size by about 1 kB. # This can be used if ap_scan=1 mode is never enabled. #CONFIG_NO_SCAN_PROCESSING=y # Select configuration backend: # file = text file (e.g., wpa_supplicant.conf; note: the configuration file # path is given on command line, not here; this option is just used to # select the backend that allows configuration files to be used) # winreg = Windows registry (see win_example.reg for an example) CONFIG_BACKEND=file # Remove configuration write functionality (i.e., to allow the configuration # file to be updated based on runtime configuration changes). The runtime # configuration can still be changed, the changes are just not going to be # persistent over restarts. This option can be used to reduce code size by # about 3.5 kB. #CONFIG_NO_CONFIG_WRITE=y # Remove support for configuration blobs to reduce code size by about 1.5 kB. #CONFIG_NO_CONFIG_BLOBS=y # Select program entry point implementation: # main = UNIX/POSIX like main() function (default) # main_winsvc = Windows service (read parameters from registry) # main_none = Very basic example (development use only) #CONFIG_MAIN=main # Select wrapper for operating system and C library specific functions # unix = UNIX/POSIX like systems (default) # win32 = Windows systems # none = Empty template #CONFIG_OS=unix # Select event loop implementation # eloop = select() loop (default) # eloop_win = Windows events and WaitForMultipleObject() loop #CONFIG_ELOOP=eloop # Should we use poll instead of select? Select is used by default. #CONFIG_ELOOP_POLL=y # Should we use epoll instead of select? Select is used by default. #CONFIG_ELOOP_EPOLL=y # Should we use kqueue instead of select? Select is used by default. #CONFIG_ELOOP_KQUEUE=y # Select layer 2 packet implementation # linux = Linux packet socket (default) # pcap = libpcap/libdnet/WinPcap # freebsd = FreeBSD libpcap # winpcap = WinPcap with receive thread # ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y) # none = Empty template #CONFIG_L2_PACKET=linux # Disable Linux packet socket workaround applicable for station interface # in a bridge for EAPOL frames. This should be uncommented only if the kernel # is known to not have the regression issue in packet socket behavior with # bridge interfaces (commit 'bridge: respect RFC2863 operational state')'). #CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y # Support Operating Channel Validation #CONFIG_OCV=y # Select TLS implementation # openssl = OpenSSL (default) # gnutls = GnuTLS # internal = Internal TLSv1 implementation (experimental) # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental) # none = Empty template #CONFIG_TLS=openssl # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) # can be enabled to get a stronger construction of messages when block ciphers # are used. It should be noted that some existing TLS v1.0 -based # implementation may not be compatible with TLS v1.1 message (ClientHello is # sent prior to negotiating which version will be used) #CONFIG_TLSV11=y # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2) # can be enabled to enable use of stronger crypto algorithms. It should be # noted that some existing TLS v1.0 -based implementation may not be compatible # with TLS v1.2 message (ClientHello is sent prior to negotiating which version # will be used) #CONFIG_TLSV12=y # Select which ciphers to use by default with OpenSSL if the user does not # specify them. #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW" # If CONFIG_TLS=internal is used, additional library and include paths are # needed for LibTomMath. Alternatively, an integrated, minimal version of # LibTomMath can be used. See beginning of libtommath.c for details on benefits # and drawbacks of this option. #CONFIG_INTERNAL_LIBTOMMATH=y #ifndef CONFIG_INTERNAL_LIBTOMMATH #LTM_PATH=/usr/src/libtommath-0.39 #CFLAGS += -I$(LTM_PATH) #LIBS += -L$(LTM_PATH) #LIBS_p += -L$(LTM_PATH) #endif # At the cost of about 4 kB of additional binary size, the internal LibTomMath # can be configured to include faster routines for exptmod, sqr, and div to # speed up DH and RSA calculation considerably #CONFIG_INTERNAL_LIBTOMMATH_FAST=y # Include NDIS event processing through WMI into wpa_supplicant/wpasvc. # This is only for Windows builds and requires WMI-related header files and # WbemUuid.Lib from Platform SDK even when building with MinGW. #CONFIG_NDIS_EVENTS_INTEGRATED=y #PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib" # Add support for new DBus control interface # (fi.w1.wpa_supplicant1) CONFIG_CTRL_IFACE_DBUS_NEW=y # Add introspection support for new DBus control interface CONFIG_CTRL_IFACE_DBUS_INTRO=y # Add support for loading EAP methods dynamically as shared libraries. # When this option is enabled, each EAP method can be either included # statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn). # Dynamic EAP methods are build as shared objects (eap_*.so) and they need to # be loaded in the beginning of the wpa_supplicant configuration file # (see load_dynamic_eap parameter in the example file) before being used in # the network blocks. # # Note that some shared parts of EAP methods are included in the main program # and in order to be able to use dynamic EAP methods using these parts, the # main program must have been build with the EAP method enabled (=y or =dyn). # This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries # unless at least one of them was included in the main build to force inclusion # of the shared code. Similarly, at least one of EAP-SIM/AKA must be included # in the main build to be able to load these methods dynamically. # # Please also note that using dynamic libraries will increase the total binary # size. Thus, it may not be the best option for targets that have limited # amount of memory/flash. #CONFIG_DYNAMIC_EAP_METHODS=y # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode CONFIG_IEEE80211R=y # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt) CONFIG_DEBUG_FILE=y # Send debug messages to syslog instead of stdout CONFIG_DEBUG_SYSLOG=y # Set syslog facility for debug messages #CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON # Add support for sending all debug messages (regardless of debug verbosity) # to the Linux kernel tracing facility. This helps debug the entire stack by # making it easy to record everything happening from the driver up into the # same file, e.g., using trace-cmd. #CONFIG_DEBUG_LINUX_TRACING=y # Add support for writing debug log to Android logcat instead of standard # output #CONFIG_ANDROID_LOG=y # Enable privilege separation (see README 'Privilege separation' for details) #CONFIG_PRIVSEP=y # Enable mitigation against certain attacks against TKIP by delaying Michael # MIC error reports by a random amount of time between 0 and 60 seconds #CONFIG_DELAYED_MIC_ERROR_REPORT=y # Enable tracing code for developer debugging # This tracks use of memory allocations and other registrations and reports # incorrect use with a backtrace of call (or allocation) location. #CONFIG_WPA_TRACE=y # For BSD, uncomment these. #LIBS += -lexecinfo #LIBS_p += -lexecinfo #LIBS_c += -lexecinfo # Use libbfd to get more details for developer debugging # This enables use of libbfd to get more detailed symbols for the backtraces # generated by CONFIG_WPA_TRACE=y. #CONFIG_WPA_TRACE_BFD=y # For BSD, uncomment these. #LIBS += -lbfd -liberty -lz #LIBS_p += -lbfd -liberty -lz #LIBS_c += -lbfd -liberty -lz # wpa_supplicant depends on strong random number generation being available # from the operating system. os_get_random() function is used to fetch random # data when needed, e.g., for key generation. On Linux and BSD systems, this # works by reading /dev/urandom. It should be noted that the OS entropy pool # needs to be properly initialized before wpa_supplicant is started. This is # important especially on embedded devices that do not have a hardware random # number generator and may by default start up with minimal entropy available # for random number generation. # # As a safety net, wpa_supplicant is by default trying to internally collect # additional entropy for generating random data to mix in with the data fetched # from the OS. This by itself is not considered to be very strong, but it may # help in cases where the system pool is not initialized properly. However, it # is very strongly recommended that the system pool is initialized with enough # entropy either by using hardware assisted random number generator or by # storing state over device reboots. # # wpa_supplicant can be configured to maintain its own entropy store over # restarts to enhance random number generation. This is not perfect, but it is # much more secure than using the same sequence of random numbers after every # reboot. This can be enabled with -e<entropy file> command line option. The # specified file needs to be readable and writable by wpa_supplicant. # # If the os_get_random() is known to provide strong random data (e.g., on # Linux/BSD, the board in question is known to have reliable source of random # data from /dev/urandom), the internal wpa_supplicant random pool can be # disabled. This will save some in binary size and CPU use. However, this # should only be considered for builds that are known to be used on devices # that meet the requirements described above. #CONFIG_NO_RANDOM_POOL=y # Should we attempt to use the getrandom(2) call that provides more reliable # yet secure randomness source than /dev/random on Linux 3.17 and newer. # Requires glibc 2.25 to build, falls back to /dev/random if unavailable. #CONFIG_GETRANDOM=y # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode) CONFIG_IEEE80211AC=y # Wireless Network Management (IEEE Std 802.11v-2011) # Note: This is experimental and not complete implementation. #CONFIG_WNM=y # Interworking (IEEE 802.11u) # This can be used to enable functionality to improve interworking with # external networks (GAS/ANQP to learn more about the networks and network # selection based on available credentials). CONFIG_INTERWORKING=y # Hotspot 2.0 CONFIG_HS20=y # Enable interface matching in wpa_supplicant #CONFIG_MATCH_IFACE=y # Disable roaming in wpa_supplicant #CONFIG_NO_ROAMING=y # AP mode operations with wpa_supplicant # This can be used for controlling AP mode operations with wpa_supplicant. It # should be noted that this is mainly aimed at simple cases like # WPA2-Personal while more complex configurations like WPA2-Enterprise with an # external RADIUS server can be supported with hostapd. CONFIG_AP=y # P2P (Wi-Fi Direct) # This can be used to enable P2P support in wpa_supplicant. See README-P2P for # more information on P2P operations. CONFIG_P2P=y # Enable TDLS support CONFIG_TDLS=y # Wi-Fi Display # This can be used to enable Wi-Fi Display extensions for P2P using an external # program to control the additional information exchanges in the messages. CONFIG_WIFI_DISPLAY=y # Autoscan # This can be used to enable automatic scan support in wpa_supplicant. # See wpa_supplicant.conf for more information on autoscan usage. # # Enabling directly a module will enable autoscan support. # For exponential module: #CONFIG_AUTOSCAN_EXPONENTIAL=y # For periodic module: #CONFIG_AUTOSCAN_PERIODIC=y # Password (and passphrase, etc.) backend for external storage # These optional mechanisms can be used to add support for storing passwords # and other secrets in external (to wpa_supplicant) location. This allows, for # example, operating system specific key storage to be used # # External password backend for testing purposes (developer use) #CONFIG_EXT_PASSWORD_TEST=y # File-based backend to read passwords from an external file. #CONFIG_EXT_PASSWORD_FILE=y # Enable Fast Session Transfer (FST) #CONFIG_FST=y # Enable CLI commands for FST testing #CONFIG_FST_TEST=y # OS X builds. This is only for building eapol_test. #CONFIG_OSX=y # Automatic Channel Selection # This will allow wpa_supplicant to pick the channel automatically when channel # is set to "0". # # TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative # to "channel=0". This would enable us to eventually add other ACS algorithms in # similar way. # # Automatic selection is currently only done through initialization, later on # we hope to do background checks to keep us moving to more ideal channels as # time goes by. ACS is currently only supported through the nl80211 driver and # your driver must have survey dump capability that is filled by the driver # during scanning. # # TODO: In analogy to hostapd be able to customize the ACS survey algorithm with # a newly to create wpa_supplicant.conf variable acs_num_scans. # # Supported ACS drivers: # * ath9k # * ath5k # * ath10k # # For more details refer to: # http://wireless.kernel.org/en/users/Documentation/acs #CONFIG_ACS=y # Support Multi Band Operation #CONFIG_MBO=y # Fast Initial Link Setup (FILS) (IEEE 802.11ai) #CONFIG_FILS=y # FILS shared key authentication with PFS #CONFIG_FILS_SK_PFS=y # Support RSN on IBSS networks # This is needed to be able to use mode=1 network profile with proto=RSN and # key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None). CONFIG_IBSS_RSN=y # External PMKSA cache control # This can be used to enable control interface commands that allow the current # PMKSA cache entries to be fetched and new entries to be added. #CONFIG_PMKSA_CACHE_EXTERNAL=y # Mesh Networking (IEEE 802.11s) #CONFIG_MESH=y # Background scanning modules # These can be used to request wpa_supplicant to perform background scanning # operations for roaming within an ESS (same SSID). See the bgscan parameter in # the wpa_supplicant.conf file for more details. # Periodic background scans based on signal strength CONFIG_BGSCAN_SIMPLE=y # Learn channels used by the network and try to avoid bgscans on other # channels (experimental) #CONFIG_BGSCAN_LEARN=y # Opportunistic Wireless Encryption (OWE) # Experimental implementation of draft-harkins-owe-07.txt #CONFIG_OWE=y # Device Provisioning Protocol (DPP) (also known as Wi-Fi Easy Connect) CONFIG_DPP=y # DPP version 2 support CONFIG_DPP2=y # DPP version 3 support (experimental and still changing; do not enable for # production use) #CONFIG_DPP3=y # Wired equivalent privacy (WEP) # WEP is an obsolete cryptographic data confidentiality algorithm that is not # considered secure. It should not be used for anything anymore. The # functionality needed to use WEP is available in the current wpa_supplicant # release under this optional build parameter. This functionality is subject to # be completely removed in a future release. #CONFIG_WEP=y # Remove all TKIP functionality # TKIP is an old cryptographic data confidentiality algorithm that is not # considered secure. It should not be used anymore for anything else than a # backwards compatibility option as a group cipher when connecting to APs that # use WPA+WPA2 mixed mode. For now, the default wpa_supplicant build includes # support for this by default, but that functionality is subject to be removed # in the future. #CONFIG_NO_TKIP=y # Pre-Association Security Negotiation (PASN) # Experimental implementation based on IEEE P802.11z/D2.6 and the protocol # design is still subject to change. As such, this should not yet be enabled in # production use. #CONFIG_PASN=y

STA : Compile wpa_supplicant

Note Compile supplicant by running make command.

test:~$ make

STA: You might get errors while make regarding openssl headers in that case install the openssl headers and then do make clean and then do make again.

test:~$ sudo apt install libssl-dev test:~$ make clean test:~$ make

STA : Check for the binaries created

Note Make sure wpa_supplicant and wpa_cli are present

test:~$ ls wpa_supplicant wpa_cli

STA: Copy required certificates from hostapd to wpa_supplicant

STA : Create wpa_supplicant.conf

test:~$ sudo vim wpa_supplicant.conf ctrl_interface=/run/wpa_supplicant update_config=1 network={ key_mgmt=WPA-EAP eap=PSK identity="user3" password="1234567890123456" }

STA : Run wpa_supplicant

test:~$ sudo ./wpa_supplicant -D wired -i enp0s8 -c wpa_supplicant.conf enp0s8: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully

STA: Test

test:sudo ./wpa_cli -i enp0s8 > status

Wireshark Output

• Download file to check wireshark output

  Packet capture in EAP_PSK

EAP_PSK FreeRadius Basic Setup on Ubuntu (3 Machines)

• setup

EAP_PSK FreeRadius Basic Setup on Ubuntu (2 Machines)

• setup

EAP_PSK Protocol Packet Details

• packet details

EAP_PSK Usecases

• usecases

EAP_PSK Basic Features

• features

Reference links

• Reference links