<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>WPA - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Wireless authentication</h1>
<p>
Wireless networks used to be protected by the WEP standard, but WEP turned out to be insecure and thus useless.
These days wireless networks are usually protected using WPA - Wi-Fi Protected Access.
</p>
<p>
Unfortunately, WPA is available in several flavors and versions; see
the <a class="ext-link" title="http://www.wi-fi.org/OpenSection/protected_access.asp" href="http://www.wi-fi.org/OpenSection/protected_access.asp" shape="rect">Wi-Fi Alliance website</a> for details.
</p>
<p>
If your wireless network is set up to ask for authentication using client certificates (EAP-TLS),
then you can use it with those certificates and keys on your smart card.
</p>
<p>
For Windows, the built-in Windows WPA client should work well if you have a CSP installed that works with OpenSC.
This is untested; please report your results.
</p>
<p>
For Linux you can use the <a class="ext-link" title="http://hostap.epitest.fi/wpa_supplicant/" href="http://hostap.epitest.fi/wpa_supplicant/" shape="rect">WPA Supplicant</a> or <a class="ext-link" title="http://www.open1x.org/" href="http://www.open1x.org/" shape="rect">Xsupplicant</a> with OpenSC.
The support for smart cards is implemented in both via the <a class="ext-link" title="http://www.opensc-project.org/engine_pkcs11/" href="http://www.opensc-project.org/engine_pkcs11/" shape="rect">PKCS#11 Engine for OpenSSL</a>.
</p>
<h2>WPA Supplicant</h2>
<p>
To use WPA Supplicant with smart card authentication you need to compile it with smart card support. Your build configuration file (<code>.config</code>) should include this line:
</p>
<pre class="wiki" xml:space="preserve"># Smartcard support (i.e., private key on a smartcard), e.g., with openssl
# engine.
CONFIG_SMARTCARD=y
</pre><p>
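You also need to edit wpa_supplicant.conf like this. These global options only load the engine; the network block for your network still has to select it (<code>engine=1</code>, <code>engine_id="pkcs11"</code>, <code>key_id</code>) and should set <code>ca_cert</code> so that the authentication server's certificate is verified before the client authenticates: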
</p>
<pre class="wiki" xml:space="preserve"># OpenSSL Engine support
# These options can be used to load OpenSSL engines.
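# make the pkcs11 engine available
# (both paths vary by distribution; these shared objects are loaded into the
# wpa_supplicant process, so point them at files that only root can modify)
pkcs11_engine_path=/usr/lib/engine/engine_pkcs11.so
# configure the path to the pkcs11 module required by the pkcs11 engine
pkcs11_module_path=/usr/lib/engine/opensc-pkcs11.so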
</pre><h2>X Supplicant</h2>
<p>
It looks like xsupplicant is always compiled with smart card support.
</p>
<p>
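To enable it, edit the xsupplicant.conf config file and look for lines
like these. The sample's comment says the smart card PIN is handled like a private-key password; if that means storing it in this file, make the file readable only by the user the supplicant runs as: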
</p>
<pre class="wiki" xml:space="preserve"> # this section configures the smartcard used with eap-tls
# for now the smartcard PIN is handled the same way as the
# password for a private key
smartcard {
# this line actually enables the smartcard and makes xsupplicant use
# the opensc engine
engine_id = pkcs11
# set the path to the engine
opensc_so_path = "/usr/lib/engine/engine_pkcs11.so"
# set the key id on the smartcard
key_id = 45
}
</pre><p>
FIXME: someone should test this and check if it works as advertised.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>