Contributed by jj on 2013-01-28 from the puffy-is-the-captain-of-the-wpa2-enterprise dept.

After seeing discussions on misc@ about where wpa_supplicant would and would not work, Mark Kettenis (kettenis@) decided to take a look at wpa2-enterprise mode for wifi.

This is what he wrote:

The recent rantings on misc@ made me look at getting this to work once more. And this time I got it to work, sort of.

The approach uses wpa_supplicant, but since the OpenBSD net80211 stack takes care of most of the key management (including the so-called 4-way handshake) we only really need it to do the IEEE 802.1X EAP authentication for us and have it insert the pairwise master key (PMK) into the net80211 stack. To do this I wrote a very simple OpenBSD "driver" for wpa_supplicant that implements the bare essentials.

As my driver doesn't support scanning for APs and configuring the interface you need to configure the interface yourself. Since you authenticate against a specific AP, it's best to explicitly configure the desired BSSID. You'll need to explicitly configure 802.1x authentication. You'll end up with something like:

# ifconfig rsu0 nwid humppa bssid 11:22:33:44:55:66 wpa wpaakms 802.1x up

Give it a couple of seconds to associate with the AP, and start wpa_supplicant:

# wpa_supplicant -i rsu0 -c /etc/wpa_supplicant.conf

The wpa_supplicant program will print some messages about the authentication process. If authentication is successful, this should end with something like:

rsu0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
rsu0: CTRL-EVENT-CONNECTED - Connection to 11:22:33:44:55:66 completed [id=0 id_str=]

At that point ifconfig(8) should report the link status as "active".

Here is my /etc/wpa_supplicant.conf. You'll probably have to tweak the "eap" line to match whatever the network you're connecting to is using. And obviously you'll have to change the "ssid", "identity" and "password" lines.

# $OpenBSD: wpa_supplicant.conf,v 1.1 2007/07/01 19:50:57 reyk Exp $
# Sample wpa_supplicant configuration file for wired IEEE 802.1x
# port authentication. See wpa_supplicant.conf(5).
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
network={
        ssid="humppa"
        key_mgmt=WPA-EAP
        eap=TTLS PEAP
        identity="user"
        password="password"
}

Here is my .config file for building wpa_supplicant:

CONFIG_DRIVER_OPENBSD=y
CONFIG_DRIVER_WIRED=y
CONFIG_IEEE8021X_EAPOL=y
CONFIG_EAP_MD5=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_TLS=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_GTC=y
CONFIG_EAP_OTP=y
CONFIG_EAP_LEAP=y
CONFIG_PKCS12=y
CONFIG_SMARTCARD=y
CONFIG_CTRL_IFACE=y
CONFIG_BACKEND=file
CONFIG_PEERKEY=y

The wpa_supplicant port was just updated to 2.0 with the appropriate patches applied.
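
The wpa_supplicant.conf quoted above sets neither ca_cert nor ca_path, and in that case wpa_supplicant does not verify the authentication server's certificate, so the PEAP/TTLS tunnel carrying the password is not tied to the intended RADIUS server. The following sh/awk audit is an added example, not part of the original post or of the wpa_supplicant port; it flags 802.1X network blocks that lack a CA or a server-name constraint. The function names, the second SSID, the certificate path and the subject string are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag 802.1X network blocks in a wpa_supplicant.conf that do
# not pin the authentication server. Reads the named file, or stdin if none.
audit_conf() {
    awk '
    function val(line) {              # value after "=", surrounding quotes removed
        sub(/^[^=]*=[ \t]*/, "", line)
        gsub(/^"|"$/, "", line)
        return line
    }
    /^[ \t]*#/ { next }               # ignore comment lines
    /^[ \t]*network=[{]/ { inblk = 1; ssid = "?"; eap = ca = name = 0; next }
    !inblk { next }                   # only look inside network blocks
    /^[ \t]*ssid=/ { ssid = val($0) }
    /^[ \t]*key_mgmt=.*(WPA-EAP|IEEE8021X)/ { eap = 1 }
    /^[ \t]*ca_(cert|path)=/ { ca = 1 }
    /^[ \t]*(subject_match|altsubject_match|domain_suffix_match)=/ { name = 1 }
    /^[ \t]*[}]/ {
        if (eap && !ca)
            print ssid ": no ca_cert or ca_path, server certificate is not verified"
        else if (eap && !name)
            print ssid ": CA set but no subject_match/altsubject_match/domain_suffix_match"
        inblk = 0
    }' "$@"
}

# Constructed sample: block 1 mirrors the quoted config, block 2 pins the server.
sample_conf() {
cat <<'EOF'
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="humppa"
    key_mgmt=WPA-EAP
    eap=TTLS PEAP
    identity="user"
    password="password"
}
network={
    ssid="humppa-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/radius-ca.pem"
    subject_match="/CN=radius.example.org"
}
EOF
}

sample_conf | audit_conf
```

Run it against a real file with `audit_conf /etc/wpa_supplicant.conf`; a block is reported once, for the first missing control.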