Client configuration to use TTLS+PAP for WPA



Linux wpa_supplicant

Install wpa_supplicant from http://hostap.epitest.fi/wpa_supplicant/. On Debian the package is named wpasupplicant, so you can run

apt-get install wpasupplicant

Now set up a configuration file, e.g. put the following in /etc/wpa_supplicant.conf. Adjust the placeholder entries, such as YOURSSID, USERNAME and YOURSECRET, to correspond to your setup.

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1
network={
        ssid="YOURSSID"
        key_mgmt=WPA-EAP
        eap=TTLS
        anonymous_identity="anonymous"
        identity="USERNAME"
        password="YOURSECRET"
        priority=2
        phase2="auth=PAP"
}

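For extra security you can also point wpa_supplicant to the CA (Certificate Authority) certificate for the network you are using, by adding a line like the following inside the network block. Without a ca_cert, wpa_supplicant does not verify the server certificate; with PAP as the inner method the password travels in the clear inside the TTLS tunnel, so this check is what ensures it only reaches your network's authentication server.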

ca_cert="/etc/cert/ca.pem"

To start wpa_supplicant, use a command like the following. For example, with Intel Centrino you would run something like this

wpa_supplicant -c /etc/wpa_supplicant.conf -i wlan0 -D ipw

Change -D ipw if you are using something other than Centrino, e.g. ndiswrapper. Then you need to configure your IP address, e.g. via DHCP

pump -i wlan0

You are done.
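
The server-validation point above, as an added example (not part of the original page and not code from wpa_supplicant): a small Python checker that parses the network blocks of a wpa_supplicant.conf and reports 802.1X networks that skip certificate validation. The sample blocks and the server name radius.example.org are constructed; domain_suffix_match and the other name-check fields are standard wpa_supplicant.conf options that the page does not mention.

```python
import re

# wpa_supplicant.conf fields that constrain which server certificate is accepted.
TRUST_ANCHORS = ("ca_cert", "ca_path")
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r"network\s*=\s*\{", line):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def audit(text):
    """Return (ssid, finding) tuples for 802.1X networks with weak server validation."""
    findings = []
    for net in parse_networks(text):
        if not re.search(r"EAP|IEEE8021X", net.get("key_mgmt", "")):
            continue  # PSK and open networks have no server certificate to check
        ssid = net.get("ssid", "?")
        if not any(net.get(k) for k in TRUST_ANCHORS):
            findings.append((ssid, "no ca_cert/ca_path: server certificate is not verified"))
            if "AUTH=PAP" in net.get("phase2", "").upper():
                findings.append((ssid, "PAP inner auth: password readable by whoever terminates the tunnel"))
        elif not any(net.get(k) for k in NAME_CHECKS):
            findings.append((ssid, "no server name check: any certificate from this CA is accepted"))
    return findings

# Constructed samples: the page's network block (trimmed), then the same block with validation added.
PAGE_BLOCK = '''network={
        ssid="YOURSSID"
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="USERNAME"
        password="YOURSECRET"
        phase2="auth=PAP"
}'''
HARDENED = PAGE_BLOCK.replace('phase2=', 'ca_cert="/etc/cert/ca.pem"\n        '
                              'domain_suffix_match="radius.example.org"\n        phase2=')
```

Calling audit() on the contents of /etc/wpa_supplicant.conf returns an empty list when every 802.1X network pins a CA and a server name; for PAGE_BLOCK it returns two findings, for HARDENED none.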

Mac OS X

This is how you would configure a Mac OS X 10.3.x client to use TTLS+PAP to authenticate against WPA.

1. Click on the wireless icon.

2. Select "Open Internet Connect".

3. Click File then "New 802.1X Connection"

4. Click on the 802.1X icon. Enter your username/password and the wireless network you want to connect to, e.g.

[Screenshot: OS X Internet Connect for WPA]

5. Click on Configurations then Edit Configurations. You will be prompted to save the configuration. Name it, e.g., CS 802.11. You will then get a window as follows

[Screenshot: 802.1x Configuration options]

6. Check off everything other than TTLS.

7. Click on TTLS and click on Configure.

8. Select PAP as the TTLS Inner Authentication, i.e.

[Screenshot: Configure TTLS inner tunnel]

9. Click OK then OK again. Try to connect.

10. During authentication you will likely be prompted to accept the certificate for the server.

[Screenshot: WPA unknown certificate prompt]

11. Click Accept All.

12. That should be it.


Windows XP SecureW2 setup

Get the Windows version of the SecureW2 tool from the URL below.

http://www.securew2.com/uk/download/index.htm

It's a zip file. Unzip it and run the installation file. You will be prompted to reboot. After the reboot, do the following.

Right Click on the Wireless Connection Icon in the taskbar and select “View available Wireless Networks”





Click on the Wireless Networks tab, select your WPA network, e.g. CSWIRELESS-WPA, and click on Properties.

SecureW2 window will show up.

Click on 'Configure' for the DEFAULT profile. Go to the Certificates tab and check off "Verify server certificate".


Next click on the Authentication tab and make sure that PAP is the selected authentication method.


Next select "User account" tab and fill out the appropriate info or check off "Prompt user for credentials".



Click OK and then try to connect to

Authors: Vladimir Vuksan and Venkataramana Nadimpalli