From: Sam Leffler <sam@freebsd.org>
Date: Thu, 18 Jun 2009 10:36:04 -0700
To: Vladimir Terziev
Cc: freebsd-net@freebsd.org, "Paul B. Mahol"
Subject: Re: hostapd with 802.1X EAP-TLS/TTLS support
Message-ID: <4A3A7B04.2020906@freebsd.org>
In-Reply-To: <1245323250.28444.48.camel@daemon2.partygaming.local>
List-Id: Networking and TCP/IP with FreeBSD

EAP/TLS and TTLS should be configured by default in HEAD. Not sure what is
done in RELENG_7.

Regardless, you can trivially rebuild hostapd w/ the functionality you want
by adding definitions to your src.conf:

HOSTAPD_CFLAGS
HOSTAPD_DPADD
HOSTAPD_LDADD

(looks like you use WPA_SUPPLICANT_* knobs in RELENG_7, check
usr.sbin/wpa/hostapd/Makefile).

As to what should be enabled by default, I can only say that I tried to
choose the most common setup as the default. Choosing this configuration
also balances between bloat and inclusion of code that might not be as well
audited and/or tested as other code. Hence the default setup used to be
WPA-PSK only but has since grown to include various EAP flavors. My
assumption was that anyone building a system using these tools would want
to go through and choose what they wanted anyway, so enabling everything
was a bad idea.

	Sam

Vladimir Terziev wrote:
> Hi Paul,
>
> is there some special reason behind this? Why is the server made part of
> the main distribution with stripped functionality?
>
> Also, how can I enable it?
>
> Thanks,
>
> Vladimir
>
>
> On Thu, 2009-06-18 at 13:55 +0300, Paul B. Mahol wrote:
>
>> On 6/18/09, Vladimir Terziev wrote:
>>
>>> Hi,
>>>
>>> I try to set up a wireless access point at home, based on FreeBSD
>>> 7.2R-i386, a ral(4) wireless card and hostapd(8).
>>>
>>> I want my wireless AP to support 802.1X EAP-TLS/TTLS authentication. I
>>> issued a custom SSL certificate for the hostapd(8) and put the following
>>> directives in hostapd.conf:
>>>
>>> eap_server=0
>>> ca_cert=/usr/local/etc/myCA.crt.pem
>>> server_cert=/usr/local/etc/hostapd.server.crt.pem
>>> private_key=/usr/local/etc/hostapd.server.key.pem
>>> private_key_passwd=some_pass
>>>
>>> When I tried to start the hostapd(8) I got the following errors:
>>>
>>> Line 15: unknown configuration item 'eap_server'
>>> Line 16: unknown configuration item 'ca_cert'
>>> Line 17: unknown configuration item 'server_cert'
>>> Line 18: unknown configuration item 'private_key'
>>> Line 19: unknown configuration item 'private_key_passwd'
>>>
>>> Does the stock FreeBSD's hostapd(8) support 802.1X EAP-TLS/TTLS at all
>>> and if "not" why?
>>>
>> 802.1X EAP-TLS/TTLS is not enabled by default on FreeBSD's hostapd(8).
>>
>> --
>> Paul
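As an added example (not part of the thread, and not FreeBSD's or hostapd's own shipped configuration), here is what a complete hostapd.conf for 802.1X EAP-TLS looks like once hostapd has been built with EAP server support. The certificate paths and the passphrase placeholder are the ones from Vladimir's message; the interface name, SSID and eap_user_file path are assumed values. The one substantive difference from the quoted snippet is eap_server=1: that setting selects hostapd's integrated EAP server, which is what ca_cert, server_cert and private_key configure, whereas eap_server=0 makes hostapd forward authentication to an external RADIUS server and leave those directives unused.

```ini
# hostapd.conf for WPA2-Enterprise with EAP-TLS (added example, not from the thread).
# interface, ssid and eap_user_file below are assumed values.
interface=ral0
driver=bsd
ssid=example-eap

# Require 802.1X/EAP authentication before a station may pass traffic.
ieee8021x=1

# 1 = use hostapd's integrated EAP server, which the TLS directives below
#     configure.
# 0 = hand authentication to an external RADIUS authentication server; the
#     ca_cert/server_cert/private_key settings are then not used.
eap_server=1

# Users and EAP methods the integrated server accepts. The file holds lines
# such as:   "*"   TLS
# (wildcard identity, EAP-TLS; client identity is taken from the certificate).
eap_user_file=/usr/local/etc/hostapd.eap_user

# Server-side TLS credentials (paths and placeholder from the original message).
ca_cert=/usr/local/etc/myCA.crt.pem
server_cert=/usr/local/etc/hostapd.server.crt.pem
private_key=/usr/local/etc/hostapd.server.key.pem
private_key_passwd=some_pass

# WPA2 (RSN) with EAP-derived keys and CCMP pairwise ciphers.
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
```

Because private_key_passwd sits in clear text in this file, hostapd.conf should be readable only by root (mode 0600), and the private key file itself likewise. If hostapd prints "unknown configuration item" for eap_server or the TLS directives, the binary was built without the EAP server, which is exactly the situation the reply above describes: the configuration cannot be fixed in hostapd.conf and the daemon has to be rebuilt with the EAP options enabled.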