How to setup 802.1x authentication with Linux on the TU Delft wireless network

Kees Lemmens, Tu Delft, April 2006
Last modified, Sept. 26, 2006

1  Introduction

In most institutions like airports, many other universities, hotels and conference centers you can simply use a DHCP request to a nearby hotspot to connect to the wireless network and be on the Web immediately.

If you try the same inside the TU Delft you'll find that you can only connect to the website of the so-called ''luchthaven'' but there is no way to reach any external internet address.

Of course this is more secure than the average wireless network but also makes connecting (both for Windows and Linux users) more cumbersome. This document explains how to setup a wireless network inside the TU Delft using Linux.

The TU Delft provides 2 ways to connect through this wireless ''intranet'' and reach the outside world : VPN and 802.1x. Both will be discussed hereafter, but the focus of this document is on 802.1x as I think it is a much more elegant and safe solution than VPN.

2  VPN or ''Virtual Private Network''

For Linux this VPN software can be either :

• Cisco client : The rather clumsy Cisco VPN client software, that will insert a special kernel driver for IpSec and then tries to connect using a serviceaccount (userid + password). If the connection is succesful the original network device will disappear and all traffic wil use a new ipsec device.

• VPNC : An Open Source solution for the Cisco VPN client is VPNC :
  (http://nic.phys.ethz.ch/readme/96). For the latter you'll have to insert the ''tun'' driver in your kernel which is probably already available on your system. If not, you have to get another kernel or recompile your own.

2.1  Basic steps for VPN

1. Get your card recognized by the kernel by loading the appropriate driver.
2. Set the wireless network parameters for the network by using iwconfig (ESSID, WEP, MODE). For a hotspot these can be often left empty but the TU Delft won't allow you to connect with the wrong ESSID (for VPN : ESSID = Wnet1, Mode = Managed).
3. Set the standard network parameters by using DHCP.
4. Check if you can see the local TU Delft wireless network (www.gateway.luchthaven).
5. If this works you can now start a VPN-like connection.
6. Check if you can use the wireless network to access the world e.g. by connecting to www.google.nl.

Warning : if you use VPN (either wireless or wired) you'll get a new public IP address , even if you are working from behind a firewall , e.g. in your ADSL router ! This implies that the firewall on the router is completely bypassed and you have to rely on your local firewall. If you neglect this you are at serious risk for being compromised !

3  802.1x authentication (xsupplicant)

The 802.1x authentication mechanism is in many ways a lot more elegant than the clumsy VPN solution. One important thing is that it doesn't do more than necessary : no need for special kernel drivers like ipsec or tun. It just connects you to a secure network over a SSL layer from which you can work safely.

Note that the order in which it works is slightly different from VPN : you FIRST have to authenticate using 802.1x software that will setup a new SSL connection. Only AFTER this is done you can do a standard DHCP request. With VPN the order of these two is reversed.

For Linux this 802.1x software can be either :

• xsupplicant : This is what I used and seems to be working fine. Get it from http://open1x.sourceforge.net/
• wpasupplicant : This also seems to support WPA encryption but I have no experience with this as the TU Delft doesn't need it.

4  Basic steps for 802.1x

1. Get your card recognized by the kernel by loading the appropriate driver.
2. Set the wireless network parameters for the network by using iwconfig (ESSID, WEP, MODE). The TU Delft won't allow you to connect with the wrong ESSID (for 802.1x : ESSID = WLAN , Mode = Managed).
3. Start a 802.1x connection by using e.g. xsupplicant.
4. Set the standard network parameters by using DHCP.
5. Check if you can use the wireless network to access the world by connecting e.g. to www.google.nl.

All the above is mostly done in a script that runs suid, and that can e.g. be started by clicking a desktop icon (which is what we did).

4.1  Details for xsupplicant

This is the software I used and seems to working fine. Get it from http://open1x.sourceforge.net/ , then follow the instructions and compile.

To connect to the TU Delft 802.1x network I use the script hereafter. It loads the xsupplicant.conf file not from /etc/ but from the users local homedirectory. In that case it is possible to use the same laptop with different 802.1x acounts (one for every user).

Also note that the script must be run as root. To do this you have to start it using sudo start8021x.sh and make sure that the script is allowed to be executed by anyone on the laptop by putting the following lines in /etc/sudoers :

---------------------------

Cmnd_Alias WLAN=/sbin/dhcpcd,/opt/xsupplicant/scripts/start8021x.sh,\
/opt/xsupplicant/scripts/stop8021x.sh

ALL      ALL= NOPASSWD: WLAN

The script itself looks as follows :

---------------------------

#!/bin/sh
# Kees Lemmens, April 2006

XSUPDIR=/opt/xsupplicant
INTF=eth1
MTU=1500     # sometimes reliability is higher with mtu < 1500 (eg 1024)
SSID="WLAN"

test $# -gt 0 && INTF=$1

PATH=${PATH}:/sbin:/usr/sbin:${XSUPDIR}/sbin

# killall dhcpcd xsupplicant # stop a possible previous session

test $DISPLAY &&
  xmessage "Connecting to TU Delft 802.1x WLAN, please wait a few seconds ..."
& ||
  echo  "Connecting to TU Delft 802.1x WLAN, please wait a few seconds ..."

# For Intel wireless interface (this resets the driver to avoid problems):
#modprobe -r ipw2200
#sleep 2
#modprobe ipw2200

ifconfig $INTF up
iwconfig $INTF mode "Managed"
iwconfig $INTF ESSID $SSID
sleep 2

# Note that xsupplicant.conf can only contain a username and password
# for a single user account !
xsupplicant -c $HOME/etc/xsupplicant.conf -i $INTF -z
sleep 2

dhcpcd -d $INTF

# Show interface settings :
iwconfig $INTF
ifconfig $INTF

killall xmessage

And the xsupplicant.conf for the TU Delft network :

---------------------------

network_list = all
default_netname = WLAN

logfile = /var/log/xsupplicant.log

default_interface = eth1
friendly_warnings = yes

WLAN
{
  type = wireless

  allow_types = eap-ttls

  identity = "user@tudelft"

  eap-ttls
  {
    root_cert = /opt/xsupplicant/ssl/certs/SURFnet_PCA_Root_CA.pem
    root_dir = /opt/xsupplicant/ssl/certs/
    chunk_size = 1398
    random_file = /dev/urandom
    cncheck = pstnserv.tudelft.nl
    cnexact = yes
    phase2_type = pap

    pap
    {
      username = "user@tudelft"
      password = "xxxxxxx"
    }
  }
}

The PEM certificate for SURFNET can be found here : http://ta.twi.tudelft.nl/dv/users/lemmens/Wireless/SURFnet_PCA_Root_CA.pem

Without this certificate wireless on the TU Delft network won't work !

4.2  Working wireless cards for 802.1x

Even while most cheap wireless cards work fine under Linux for normal hotspots and even VPN, 802.1x with it's dynamic WEP keys causes extra problems that makes it more difficult to get the card being connected.

Thusfar I was succesful with :

1. Cisco Aironet 350/351 adapters These adapters work fine with xsupplicant at least with the driver in kernel 2.6.16.7 or newer. However, for older kernels you'll need to patch the airo driver to avoid the card being repeatedly reset when changing WEP keys. If xsupplicant keeps connecting over and over again, you probably have this problem.

   If you don't want to upgrade your kernel a simple patch for the airo driver will fix this problem as well. The patch is also on this site in case you can't find it yourself.

   http://ta.twi.tudelft.nl/dv/users/lemmens/Wireless/airo-340-350-tempkey.patch

   I won't explain how to patch and recompile the driver. If you can't find out how to do this yourself you'd better refrain from fiddling with your kernel altogether :-)

   Note that this problem is also reported for some other drivers (e.g. for orinoco).

2. Intel 2915 ABG Mini-PCI adapters These adapters which are popular for IBM Thinkpads and many other laptops also work fine with xsupplicant and the driver is easy to install and very reliable. You either have to use the ipw2100 or ipw2200 driver for the Intel based adapters.

   There are however 2 pitfalls :

   • These cards need extra firmware to be installed in /lib/firmware or /etc/hotplug/firmware. You also have to make sure that hotplug is running (chmod 755 /etc/rc.d/rc.hotplug on Slackware systems) or else the firmware can't be loaded into the card and the driver won't work.

     The firmware itself can be readily found on the internet and is called ipw2200-fw-2.4.tgz The version number may vary but this one works fine with the standard ipw2200 driver from a 2.6.16.7 kernel.

   • On IBM Thinkpads the cards sometimes won't work because of a silly BIOS problem introduced by IBM. After installing the card in the Mini PCI slot the system won't boot up again but instead shows a message like :

     ERROR 1802: Unauthorized network card is plugged in
     Power off and remove the miniPCI network card.
     

     I called the IBM helpdesk and spent about one hour talking with them but no one there was able to fix this problem (that also affects the MS-Windows laptops). The only thing they could think of was taking back all laptops and adapters to be checked and possibly repaired, but don't be so stupid to do such thing : on Google I found a simple C program under Linux and the problem was then solved in about 10 minutes and everything works fine since.

     One day later IBM Amsterdam assured me this quick and dirty hack wouldn't affect my warranty and that IBM is working on this themselves so I don't think you should be too afraid to try this yourself if you know what you're doing.

     Recipe for the mini PCI adapter fix on a Thinkpad X40 :

     1. Disable the card in the BIOS (use F1 to enter the BIOS) After this you can boot up without having to remove the card from the slot.
     2. Make sure you have the nvram driver configured in your kernel (or as a module). It is in in the kernel config menu under Device drivers -> Character devices -> /dev/nvram support.
     3. Get a Linux C program to modify the Thinkpad BIOS from the internet or use the copy on this system (only tested on Thinkpad X40 !!!) :

        http://ta.twi.tudelft.nl/dv/users/lemmens/Wireless/thinkpad_minipci_hack.c

     4. Compile it using : gcc thinkpad_minipci_hack.c -o thinkpad_minipci_hack
     5. Run this program as root on the Thinkpad laptop
     6. Shutdown the system, renable the card in the BIOS and reboot
     7. The system should now boot fine and the card should work using the ipw2200 driver and firmware (see above).

     If you ever have to reverse the change you can simply clear the MSB at CMOS address 0x5c using a similar C program.

3. Some people reported that several other cards work fine as well, but I had many problems with e.g. Conceptronic cards and the Dynalink DWL-G650+ (they both work fine on a normal hotspot or an accesspoint with WEP).

   Note that both the Linux driver for DWL650+ (acx100) and Conceptronic (RT61) are NOT in the kernel and must be compiled and installed separately together with firmware.

Success !