http://[email protected]+13603801618[PST,GMT-8]

LANforgeWiFiAPandStationswithHS20andEAP-SIM

Goal:UseLANforgetocreateAP,RADIUSserver,andStationthatsupportsHotSpot2.0(HS20)andEAP-SIMauthentication.

RequiresLANforge5.2.11orlater.CreateaVirtualAPconfiguredforHotSpot2.0andRADIUS(802.1x)authentication.CreateaMAC-VLANinterfacetoactasRADIUSserverusinghostapd.Configureback-endtoolsauthenticateEAP-SIM.CreateandconfigureLANforgeWiFistationtotestauthentication.ThisexampleusestwoLANforgeCT520systemsbuttheprocedureshouldworkonallCT520,CT523,CT524andCT525systems.Informationhereshouldbeusefulfornon-LANforgeuserscreatingtheirownAPusingthehostapdprogram.

ThisexampleusesLANforgeforallcomponents,soitisboththetestgearandthesystemundertest.ThiscookbookisprimarilyintendedtorecordinformationonhowtosetupvariouscomponentsofanHS20EAP-SIMnetworkfordemopurposes.Usersmaychoosetoimplementsub-sectionsofthiscookbookandreplaceotherswiththird-partyAPs,RADIUSservers,etc.

NetworkTestingandEmulationSolutions

1. CreateavirtualAPonwiphy0ofResource1.A. GotothePortManagertab,selectwiphy0onproperresource,clickCreate,filloutappropriateinformationandcreatebasicVirtualAPinterface.

B. ThenewVAPshouldappearinthePort-Mgrtable.Double-clicktomodify.ConfigureIPAddressinformation,SSIDandselectWPA2:

C. SelecttheAdvancedConfigurationtabinthePort-Modifywindowandconfigurethe802.1x,802.11u,HotSpot2.0,RADIUSandotherinformation.Notethatthe3GPPCellNetentrymustcorrespondtotheIMSIweenterasthestation'sidentityandtheIMSIinformationinthehlr_auc_gwconfigfile.Also,notethattheRealmmustcontaintheEAPMethodType18(EAP-SIM)asdescribedinhttp://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-4:

D. UseNetsmithtocreateVirtual-Router.AddthevapXinterfacetotheVirtualrouter,configuretheVirtualRouterportobjecttoserveDHCP.Optionally,addexternalEthernetinterfacetovirtualroutersothatitcanroutetoupstreamnetworks.YoucouldalsosetuptheVAPinbridgemodeanduseexternalDHCPserverifpreferred.

E. Forthosedoingthismanually,thehostapd.conffilelookslikethis:

interface=vap1driver=nl80211logger_syslog=-1logger_syslog_level=2logger_stdout=-1logger_stdout_level=2dump_file=/home/lanforge/wifi/hostapd_vap0.dumpctrl_interface=/var/run/hostapdctrl_interface_group=0ssid=ABCD-1234

bssid=00:0e:8e:c3:19:79country_code=USieee80211d=1ieee80211h=0ieee80211w=0hw_mode=aieee80211n=1beacon_int=240dtim_period=2max_num_sta=2007rts_threshold=2347fragm_threshold=2346preamble=0macaddr_acl=0auth_algs=1ignore_broadcast_ssid=0#EnableHTmodesifyouwant300Mbps+throughput.#ht_capab=[HT20][HT40-][HT40+][GF][SHORT-GI-20][SHORT-GI-40]#[TX-STBC][RX-STBC123][MAX-AMSDU-7935][DSSS_CCK-40][PSMP][LSIG-TXOP-PROT]ht_capab=[HT20][HT40+][SHORT-GI-40][SHORT-GI-20]#vht_capab=[HT20][HT80+][HT80-][SHORT-GI-80]wmm_enabled=1wmm_ac_bk_cwmin=4wmm_ac_bk_cwmax=10wmm_ac_bk_aifs=7wmm_ac_bk_txop_limit=0wmm_ac_bk_acm=0wmm_ac_be_aifs=3wmm_ac_be_cwmin=4wmm_ac_be_cwmax=10wmm_ac_be_txop_limit=0wmm_ac_be_acm=0wmm_ac_vi_aifs=2wmm_ac_vi_cwmin=3wmm_ac_vi_cwmax=4wmm_ac_vi_txop_limit=94wmm_ac_vi_acm=0wmm_ac_vo_aifs=2wmm_ac_vo_cwmin=2wmm_ac_vo_cwmax=3wmm_ac_vo_txop_limit=47wmm_ac_vo_acm=0channel=149ieee8021x=1own_ip_addr=127.0.0.1auth_server_addr=127.0.0.1auth_server_port=1812auth_server_shared_secret=lanforgewpa=2wpa_pairwise=CCMPwpa_key_mgmt=WPA-EAPWPA-EAP-SHA256#802.11uconfigurationinterworking=1access_network_type=4

internet=1asra=1esr=1uesa=1venue_group=2venue_type=1hessid=00:00:00:00:00:33venue_name=eng:LANforgeTestVenuenetwork_auth_type=00ipaddr_type_availability=04domain_name=mytest.comanqp_3gpp_cell_net=123,20nai_realm=0,mytest.com,13:[5:6],18:[5:1][5:2],21:[5:7]#HotSpot2.0configurationhs20=1hs20_oper_friendly_name=eng:LANforgeHotSpot2.0hs20_wan_metrics=01:8000:1000:80:240:3000hs20_operating_class=517C

FormoreinformationseeLANforgeUser'sGuide:Ports(Interfaces) ,VAPBridgeModeCookbook,VirtualRouterwithDHCPCookbook(SkiptheWanLinkportion)

2. CreateaMAC-VLANinterfaceoneth1ofResource1toactasRADIUSserver.A. GotothePortManagertab,selecteth1ontheproperresource,clickCreate,filloutappropriateinformationandcreateabasicMAC-VLANinterface.

B. ThenewinterfaceshouldappearinthePort-Mgrtable.Double-clicktomodify.ConfigureIPAddressinformationandselecttheRADIUScheckboxwhichwillallowahostapdbasedRADIUSserverontheinterfaceusingtheconfigfile/home/lanforge/wifi/hostapd_eth1#0.conf:

C. WearejustusingLANforgetostart/stopthehostapdprocessassociatedwiththeMAC-VLANinterface.Allinterestingconfigurationisinthecustomconfigfile,whichshouldappearsimilartothis:

interface=eth1#0driver=wiredlogger_syslog=-1logger_syslog_level=2logger_stdout=-1logger_stdout_level=2#dump_file=/home/lanforge/wifi/hostapd_eth1#0.dumpctrl_interface=/var/run/hostapdctrl_interface_group=0ieee8021x=1eapol_key_index_workaround=0eap_server=1eap_user_file=/etc/hostapd.eap_userserver_id=lf0301.mytest.comeap_sim_db=unix:/tmp/hlr_auc_gw.sockradius_server_auth_port=1812radius_server_clients=/etc/hostapd.radius_clients

ca_cert=/etc/raddb/certs/ca.pemserver_cert=/etc/raddb/certs/server.pemprivate_key=/etc/raddb/certs/server.keyprivate_key_passwd=lanforge

D. CreateRADIUSclientauthenticationfileontheLANforgemachinecalled/etc/hostapd.radius_clientswithcontentssimilarto:

192.168.100.0/24lanforge127.0.0.1/24lanforge

E. Createthe/etc/hostap.eap_userfile,withcontentssimilartothis:

"*@mytest.com"TLS"0"*SIM,TTLS,TLS,PEAP,AKA"1"*SIM,TTLS,TLS,PEAP,AKA

3. Configureback-endauthenticatorforEAP-SIM.

A. OntheLANforgemachine,useyourfavoriteeditortocreatethefile/etc/hlr_auc_gw.milenage_dbItshouldhavecontentssimilarto:

#ParametersforMilenage(ExamplealgorithmsforAKA).#TheexampleKi,OPc,andAMFvaluesherearefrom3GPPTS35.208v6.0.0#4.3.20TestSet20.SQNisthelastusedSQNvalue.#ThesevaluescanbeusedforbothUMTS(EAP-AKA)andGSM(EAP-SIM)#authentication.IncaseofGSM/EAP-SIM,AMFandSQNvaluesarenotused,but#dummyvalueswillneedtobeincludedinthisfile.#IMSIKiOPcAMFSQN23201000000000090dca4eda45b53cf0f12d7c9c3bc6a89cb9cccc4b9258e6dca4760379fb8258161df000000000000

#ThesevaluesarefromTestSet19whichhastheAMFseparationbitsetto1#andassuch,issuitableforEAP-AKA'test.5554443332221115122250214c33e723a5dd523fc145fc0981d464c7c52eb6e5036234984ad0bcfc3ab16f3b3f70fc1

B. Asrootuser,startthehlr_auc_gwtool:

cd/home/lanforge.lanforge.profilehlr_auc_gw-m/etc/hlr_auc_gw.milenage_db>/tmp/hlr_auc_gw.log&

NOTE:Ifthehlr_auc_gwdoesnotstart,youmayhavetoremovethefile/tmp/hlr_auc_gw.sockfirst.

C. IntheLANforge-GUI,selecttheMAC-VLANinterface(eth1#0inourexample)andclickResettorestartthehostapdRADIUSprocessnowthatthehlr_auc_gwprogramisrunning.

4. CreateWiFiStationonsecondwiphy(and/orsecondLANforge)totestconnectivityA. GotothePortManagertab,selectwiphyXonproperresource,clickCreate,filloutappropriateinformationandcreateabasicVirtualStationinterface.

B. ThenewStationshouldappearinthePort-Mgrtable.Double-clicktomodify.SettheSSIDto[BLANK],andSelectWPA2.TheSSIDandKey/PassworddonotneedtobeconfiguredwhenusingHotSpot2.0:

C. SelecttheAdvancedConfigurationtabinthePort-Modifywindowandconfigurethe802.1x,802.11u,HotSpot2.0andotherinformation.TheEAPIdentityandEAPPasswordmustmatchtheconfigurationonyourRADIUSserver,andinthiscase,thatmeansitmustmatchthehlr_auc_gwconfigurationweenteredearlier.TheHS20RealmandDomainshouldbeconfiguredtomatchtheHS20AP.

D. VerifyStationconnectstotheAPandobtainsDHCPIPAddressconfiguration.Ifitdoesnotwork,lookattheStation'ssupplicantlogs,theAPlogs,theRADIUSserverlogs,andthehlr_auc_gwlogs.

E. Forthosedoingthismanually,thewpa_supplicant.conffilelookslikethis:

ctrl_interface=/var/run/wpa_supplicantfast_reauth=1concurrent_assoc_ok=1scan_cur_freq=1min_scan_gap=5p2p_disabled=1

#802.11u/Interworkingconfiguration.interworking=1hessid=00:00:00:00:00:33auto_interworking=1access_network_type=0#HotSpot2.0configurationhs20=1bss_max_count=2000network={interworking_defaults=1disable_ht=0disable_vht=1disable_ht40=0disable_sgi=0ht_mcs=""disable_max_amsdu=-1ampdu_factor=-1ampdu_density=-1}cred={username="[email protected]"password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"realm="mytest.com"domain="mytest.com"eap=SIM}

FormoreinformationseeWiFiStationCookbookCandelaTechnologies,Inc.,2417MainStreet,Suite201,Ferndale,WA98248,USA

www.candelatech.com|[email protected]|+1.360.380.1618