How to setup 802.1x with EAP type: SmartCard and other Certificate
z4!
First of all you must choose a RADIUS server. I recommend FreeRADIUS 2.1.7 (or the older 2.0.2 shipped with BT3F). This RADIUS server supports all the common EAP authentication types: EAP-TLS, EAP-TTLS and EAP-PEAP. The Microsoft Windows XP/Windows 7 supplicants are very restrictive: only EAP-TLS, EAP-PEAP/MSCHAPv2 and EAP-PEAP with a smart card or certificate are available. I recommend the Linux wpa_supplicant instead. Before starting you must generate the CA root key and certificate, plus the server and client certificates and keys. The certificate scripts bundled with the OpenVPN 2.2.1 package (easy-rsa) are very convenient for this, but if you are familiar with openssl that works just as well. Two caveats for anything beyond a testbed: the same private CA issues both the server and the client certificates, so keep the CA key offline and, where your wpa_supplicant build supports it, pin the expected server certificate with subject_match/altsubject_match; and the client private keys referenced below are stored unencrypted on the filesystem, so restrict their file permissions (or encrypt them and set private_key_passwd). All of the following wpa_supplicant examples work in my testbed :)
#EAP-TLS
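# EAP-TLS: mutual authentication with a client certificate; no password is ever sent.
network={
    ssid="cuckoo"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TLS
    proto=WPA2
    pairwise=CCMP
    # Was group=TKIP. The TKIP group cipher has known weaknesses and is only needed
    # for WPA/WPA2 mixed-mode APs; with a WPA2-only AP the group cipher is CCMP.
    # If the AP still runs mixed mode, move it to WPA2-only rather than relaxing this.
    group=CCMP
    identity="client"
    # Must be the CA that signed the RADIUS server certificate; it is what stops a rogue AP.
    ca_cert="/mnt/sda1/OpenVPN/dsa_keys/ca.crt"
    client_cert="/mnt/sda1/OpenVPN/dsa_keys/client.crt"
    # Unencrypted key on disk: keep this file root-only, or encrypt the key and add private_key_passwd.
    private_key="/mnt/sda1/OpenVPN/dsa_keys/client.key"
    priority=1
}
#EAP-PEAP/MSCHAPV2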
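# EAP-PEAP with MSCHAPv2 inner authentication (the only password-based method the
# Windows supplicants also speak).
network={
    ssid="ronis"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    proto=WPA2
    pairwise=CCMP
    group=CCMP
    # Outer EAP-Identity travels in clear before the TLS tunnel is up; send a placeholder
    # here so the real username (identity=) is only disclosed inside the tunnel.
    anonymous_identity="anonymous"
    identity="User"
    # Stored in clear in this file: keep the file readable by root only.
    password="hello"
    # Mandatory. Without ca_cert any AP/RADIUS pair could terminate the tunnel and
    # harvest the inner MSCHAPv2 exchange.
    ca_cert="/mnt/sda1/OpenVPN/ca.crt"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
    priority=1
}
#EAP-PEAP/MD5 Challenge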
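# EAP-PEAP with EAP-MD5-Challenge as the inner method. MD5-Challenge has no key
# derivation and no server authentication of its own; it is only acceptable because the
# PEAP TLS tunnel (verified against ca_cert) protects it. Prefer MSCHAPV2 where supported.
network={
    ssid="cuckoo"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    # Restrict to WPA2/CCMP. The original left these at their defaults, which also
    # accept a WPA(1) association, TKIP, and even WEP group keys. If the AP runs
    # WPA/WPA2 mixed mode its group cipher is TKIP; fix the AP rather than relaxing this.
    proto=WPA2
    pairwise=CCMP
    group=CCMP
    # Placeholder outer identity so the real username is only sent inside the tunnel.
    anonymous_identity="anonymous"
    identity="User"
    password="hello"
    ca_cert="/mnt/sda1/OpenVPN/dsa_keys/ca.crt"
    phase1="peaplabel=0"
    phase2="auth=MD5"
    priority=3
}
#EAP-PEAP/GTC Challenge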
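# EAP-PEAP with EAP-GTC as the inner method. GTC carries the password as a plain token,
# so the tunnel (and therefore ca_cert) is the only thing protecting it.
network={
    ssid="cuckoo"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    # Restrict to WPA2/CCMP; the defaults also accept WPA(1), TKIP and WEP group keys.
    # If the AP runs WPA/WPA2 mixed mode its group cipher is TKIP; fix the AP instead.
    proto=WPA2
    pairwise=CCMP
    group=CCMP
    # Placeholder outer identity so the real username is only sent inside the tunnel.
    anonymous_identity="anonymous"
    identity="User"
    password="hello"
    ca_cert="/mnt/sda1/OpenVPN/dsa_keys/ca.crt"
    phase1="peaplabel=0"
    phase2="auth=GTC"
    priority=3
}
#EAP-TTLS/MD5 Challenge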
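# EAP-TTLS with EAP-MD5-Challenge tunnelled inside (autheap=). MD5-Challenge is weak on
# its own; it is only acceptable because the TTLS tunnel verified against ca_cert wraps it.
network={
    ssid="cuckoo"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TTLS
    # Restrict to WPA2/CCMP; the defaults also accept WPA(1), TKIP and WEP group keys.
    # If the AP runs WPA/WPA2 mixed mode its group cipher is TKIP; fix the AP instead.
    proto=WPA2
    pairwise=CCMP
    group=CCMP
    identity="User"
    # Outer identity sent in clear; the real username stays inside the tunnel.
    anonymous_identity="anonymous"
    password="hello"
    # Must be the CA that signed the RADIUS server certificate.
    ca_cert="/mnt/sda1/OpenVPN/dsa_keys/ca.crt"
    phase2="autheap=MD5"
    priority=5
}
#EAP-TTLS/MSCHAPV2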
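# EAP-TTLS with EAP-MSCHAPv2 tunnelled inside. The best of the TTLS password variants
# shown here; still relies entirely on ca_cert to keep the inner exchange private.
network={
    ssid="cuckoo"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TTLS
    # Restrict to WPA2/CCMP; the defaults also accept WPA(1), TKIP and WEP group keys.
    # If the AP runs WPA/WPA2 mixed mode its group cipher is TKIP; fix the AP instead.
    proto=WPA2
    pairwise=CCMP
    group=CCMP
    identity="User"
    anonymous_identity="anonymous"
    password="hello"
    # Note this points at FreeRADIUS's own certs directory, not the OpenVPN CA used by the
    # other profiles: whichever CA signed the server certificate actually in use must be given.
    ca_cert="/usr/local/etc/raddb/certs/ca.pem"
    phase2="autheap=MSCHAPV2"
    priority=5
}
#EAP-TTLS/MSCHAP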
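# EAP-TTLS with MSCHAP (v1) tunnelled inside. MSCHAPv1 is obsolete and offers no mutual
# authentication; use it only for legacy servers and prefer MSCHAPV2 otherwise.
network={
    ssid="cuckoo"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TTLS
    # Restrict to WPA2/CCMP; the defaults also accept WPA(1), TKIP and WEP group keys.
    # If the AP runs WPA/WPA2 mixed mode its group cipher is TKIP; fix the AP instead.
    proto=WPA2
    pairwise=CCMP
    group=CCMP
    identity="User"
    anonymous_identity="anonymous"
    password="hello"
    # CA that signed the RADIUS server certificate (here FreeRADIUS's own certs directory).
    ca_cert="/usr/local/etc/raddb/certs/ca.pem"
    phase2="autheap=MSCHAP"
    priority=6
}
#EAP-TTLS/CHAP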
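# EAP-TTLS with CHAP tunnelled inside. CHAP requires the server to hold the cleartext
# password and gives no mutual authentication; the TTLS tunnel is its only protection.
network={
    ssid="cuckoo"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TTLS
    # Restrict to WPA2/CCMP; the defaults also accept WPA(1), TKIP and WEP group keys.
    # If the AP runs WPA/WPA2 mixed mode its group cipher is TKIP; fix the AP instead.
    proto=WPA2
    pairwise=CCMP
    group=CCMP
    identity="User"
    anonymous_identity="anonymous"
    password="hello"
    ca_cert="/mnt/sda1/OpenVPN/dsa_keys/ca.crt"
    phase2="autheap=CHAP"
    priority=7
}
#EAP-TTLS/PAP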
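# EAP-TTLS with PAP tunnelled inside. PAP sends the password in clear inside the tunnel,
# so ca_cert is not optional here: dropping it would hand the password to any rogue AP.
network={
    ssid="cuckoo"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TTLS
    # Restrict to WPA2/CCMP; the defaults also accept WPA(1), TKIP and WEP group keys.
    # If the AP runs WPA/WPA2 mixed mode its group cipher is TKIP; fix the AP instead.
    proto=WPA2
    pairwise=CCMP
    group=CCMP
    identity="User"
    anonymous_identity="anonymous"
    password="hello"
    # The private CA also issues client certificates; consider subject_match/altsubject_match
    # so that only the intended server certificate is accepted, not any cert from this CA.
    ca_cert="/mnt/sda1/OpenVPN/dsa_keys/ca.crt"
    phase2="autheap=PAP"
    priority=8
}
#EAP-TTLS/GTC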
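# EAP-TTLS with EAP-GTC tunnelled inside. Like PAP, the secret is a plain token inside
# the tunnel; server verification via ca_cert is the whole defence.
network={
    ssid="cuckoo"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TTLS
    # Restrict to WPA2/CCMP; the defaults also accept WPA(1), TKIP and WEP group keys.
    # If the AP runs WPA/WPA2 mixed mode its group cipher is TKIP; fix the AP instead.
    proto=WPA2
    pairwise=CCMP
    group=CCMP
    identity="User"
    anonymous_identity="anonymous"
    password="hello"
    ca_cert="/mnt/sda1/OpenVPN/dsa_keys/ca.crt"
    phase2="autheap=GTC"
    priority=8
}
#EAP-TTLS/TLS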
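# EAP-TTLS with an inner EAP-TLS: the client certificate is presented inside the outer
# tunnel, so the certificate identity is hidden from eavesdroppers (plain EAP-TLS sends
# it in clear). The *2 options configure the phase-2 TLS.
network={
    ssid="cuckoo"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TTLS
    # Restrict to WPA2/CCMP; the defaults also accept WPA(1), TKIP and WEP group keys.
    # If the AP runs WPA/WPA2 mixed mode its group cipher is TKIP; fix the AP instead.
    proto=WPA2
    pairwise=CCMP
    group=CCMP
    anonymous_identity="anonymous"
    # Outer tunnel: CA that signed the RADIUS server certificate.
    ca_cert="/mnt/sda1/OpenVPN/ca.crt"
    phase2="autheap=TLS"
    identity="client"
    # Inner TLS: same CA, plus the client credential. The key is unencrypted on disk;
    # keep the file root-only or encrypt it and set private_key2_passwd.
    ca_cert2="/mnt/sda1/OpenVPN/ca.crt"
    client_cert2="/mnt/sda1/OpenVPN/client.crt"
    private_key2="/mnt/sda1/OpenVPN/client.key"
    priority=1
}
#EAP-PEAP/MSCHAPV2 with IEEE8021X key management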
# EAP-PEAP/MSCHAPv2 over plain IEEE 802.1X (no WPA/RSN). key_mgmt=IEEE8021X with
# eapol_flags=3 means "require dynamically delivered unicast and broadcast WEP keys".
# WEP is broken no matter how its keys are distributed; this profile exists only to
# show the legacy mode and should not be used where a WPA-EAP profile is possible.
network={
    ssid="cuckoo"
    scan_ssid=1
    eap=PEAP
    key_mgmt=IEEE8021X
    # bit0: require unicast WEP key, bit1: require broadcast WEP key
    eapol_flags=3
    identity="User"
    password="hello"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
    # CA that signed the RADIUS server certificate (FreeRADIUS's own certs directory here).
    ca_cert="/usr/local/etc/raddb/certs/ca.pem"
    priority=1
}
#EAP-TLS with IEEE8021X key management
# EAP-TLS over plain IEEE 802.1X with dynamic WEP keys (key_mgmt=IEEE8021X, eapol_flags=3).
# The EAP-TLS authentication itself is strong, but the resulting link cipher is WEP,
# which is broken; prefer the WPA-EAP/EAP-TLS profile above for anything real.
network={
    ssid="cuckoo"
    scan_ssid=1
    eap=TLS
    key_mgmt=IEEE8021X
    # bit0: require unicast WEP key, bit1: require broadcast WEP key
    eapol_flags=3
    identity="client"
    ca_cert="/mnt/sda1/OpenVPN/dsa_keys/ca.crt"
    client_cert="/mnt/sda1/OpenVPN/dsa_keys/client.crt"
    # Unencrypted key on disk: restrict file permissions or use private_key_passwd.
    private_key="/mnt/sda1/OpenVPN/dsa_keys/client.key"
    priority=1
}