OpenBSD 6.2 – WPA2-Enterprise

I’ve just set up WPA2-Enterprise (EAP-PEAP-MSCHAPv2), and just wanted to share the setup. I have also set up the more secure EAP-TLS, but opted for this setup as it offers the right balance of usability and security.

  • System Specifications:
    • Lenovo x230 running OpenBSD 6.2 (amd64)
    • 8GB RAM
    • 128GB SSD HDD
    • Laptop has an Intel chipset and therefore an Intel Wifi card.
    • Wifi interface is iwn0
    • Wifi AP is a TP-Link CAP 1759 v1.0 plugged into a switch spanning 3 VLANs (LAN, Internet only and Restricted)
    • RADIUS server is Windows Server 2016

My /etc/hostname.iwn0 contents:

nwid mySSID bssid 11:22:33:44:55:66 wpa wpaakms 802.1x
inet 192.168.xxx.10 255.255.255.0 192.168.xxx.255
inet6 autoconf
up

Please change the nwid, bssid and IP address to suit your environment (the inet6 autoconf line is only needed if you have IPv6 set up).

OpenBSD doesn’t support WPA2-Enterprise (802.1X/EAP) in the kernel, so we need to install and configure wpa_supplicant to handle the authentication phase:

# pkg_add wpa_supplicant
# vi /etc/wpa_supplicant.conf
    (see below)

# $OpenBSD: wpa_supplicant.conf,v 1.4 2017/02/08 12:53:46 sthen Exp $
# Sample wpa_supplicant configuration file for wired IEEE 802.1x
# port authentication. See wpa_supplicant.conf(5).

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
 ssid="mySSID"
 scan_ssid=0
 key_mgmt=WPA-EAP
 eap=PEAP
 identity="u53rnam3"
 password="passw0rd"
 ca_cert="/etc/ssl/myinternalCA.crt"
 phase1="peaplabel=0"
 phase2="auth=MSCHAPV2"
}

Now we can test the

ifconfig iwn0 nwid mySSID bssid 11:22:33:44:55:66 wpa wpaakms 802.1x up

wpa_supplicant -i iwn0 -c /etc/wpa_supplicant.conf

We should see this:

Successfully initialized wpa_supplicant
iwn0: Associated with 11:22:33:44:55:66
WMM AC: Missing IEs
iwn0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
iwn0: CTRL-EVENT-EAP-STARTED EAP authentication started
iwn0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
iwn0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
iwn0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
iwn0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/DC=uk/DC=co/DC=MyADDomain/CN=MyCA-2016-CA-1' hash=xxxx
iwn0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=Server2016AAA.myADDomain.co.uk' hash=xxxx
iwn0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:Server2016AAA.myADDomain.co.uk
EAP-MSCHAPV2: Authentication succeeded
EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
iwn0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
iwn0: CTRL-EVENT-CONNECTED - Connection to 11:22:33:44:55:66 completed [id=0 id_str=]
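Two checks worth running around this, as an added example that is not part of the original post. With only ca_cert set, wpa_supplicant accepts any server certificate issued by that internal CA, so the usual hardening is to also pin the RADIUS server's name in the network block with the standard options domain_suffix_match="myADDomain.co.uk" or altsubject_match="DNS:Server2016AAA.myADDomain.co.uk" (names taken from the log above). And since the inner MSCHAPv2 password sits in wpa_supplicant.conf in clear text, the file should be mode 0600 and owned by root. The script below verifies both after the fact: the log lines are a constructed copy of the output above, the expected domain suffix is an assumption read from it, and the config file is a temporary stand-in for /etc/wpa_supplicant.conf.

```shell
#!/bin/sh
# Added example, not from the original post: post-connect checks for a PEAP setup.
#  conf_perms_ok   - wpa_supplicant.conf holds the inner password in clear text,
#                    so it must be owner read/write only.
#  server_san      - the DNS name carried by the RADIUS server's own (depth=0)
#                    certificate, as reported in a captured wpa_supplicant log.
#  peer_cert_check - pass only if that name ends in the expected domain suffix and
#                    EAP actually completed (what domain_suffix_match/altsubject_match
#                    enforce at connect time).

# Returns 0 when FILE is -rw------- (mode 0600), 1 otherwise. Uses ls so it works
# on both BSD and GNU userlands.
conf_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Prints the DNS subjectAltName wpa_supplicant logged for the depth=0 certificate.
server_san() {
    sed -n 's/.*CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Usage: peer_cert_check LOGFILE EXPECTED_SUFFIX
# Returns 0 when the server name ends in EXPECTED_SUFFIX and the log records
# CTRL-EVENT-EAP-SUCCESS; 1 otherwise.
peer_cert_check() {
    san=$(server_san "$1")
    [ -n "$san" ] || return 1
    case "$san" in
        *"$2") ;;
        *) return 1 ;;
    esac
    grep -q 'CTRL-EVENT-EAP-SUCCESS' "$1"
}

# Constructed sample log, modelled on the output quoted in the post.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
iwn0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
iwn0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/DC=uk/DC=co/DC=MyADDomain/CN=MyCA-2016-CA-1' hash=xxxx
iwn0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=Server2016AAA.myADDomain.co.uk' hash=xxxx
iwn0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:Server2016AAA.myADDomain.co.uk
EAP-MSCHAPV2: Authentication succeeded
iwn0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EOF

# Constructed stand-in for /etc/wpa_supplicant.conf, used only for the mode check.
SAMPLE_CONF=$(mktemp)
chmod 600 "$SAMPLE_CONF"

# Expected suffix is an assumption taken from the log above.
if peer_cert_check "$SAMPLE_LOG" ".myADDomain.co.uk" && conf_perms_ok "$SAMPLE_CONF"; then
    echo "ok: server cert $(server_san "$SAMPLE_LOG") matches the expected domain and conf is 0600"
fi
```

On the live system, point the first argument at the output of the wpa_supplicant run above and the second at /etc/wpa_supplicant.conf; a failing suffix check means the network block needs the pin before the credentials are used again.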

Example OpenBSD 6.1 httpd.conf for SNI

I just wanted to share a pointer on how I have set up httpd/SNI in OpenBSD 6.1 to work with HTTPS redirect and acme-client. I used the following httpd.conf, which works well:

# $OpenBSD: httpd.conf,v 1.14 2015/02/04 08:39:35 florian Exp $

server "example.com" {
    listen on * port 80
    listen on :: port 80
    alias secure.example.com
    alias www.example.com

    log { access "example.com-access.log", error "example.com-error.log" }

    location "/.well-known/acme-challenge/*" {
        root "/htdocs/example.com/acme"
        root strip 2
    }
    location "/*" {
        block return 301 "https://$SERVER_NAME$REQUEST_URI"
    }
}

server "example.com" {
    listen on * tls port 443
    listen on :: tls port 443
    alias secure.example.com
    alias www.example.com

    log { access "example.com-sslaccess.log", error "example.com-sslerror.log" }

    tls certificate "/etc/ssl/example.com.fullchain.pem"
    tls key "/etc/ssl/private/example.com.key.pem"

    directory { index "index.php" }
    location "*.php" { fastcgi socket "/run/php-fpm.sock" }

    root "/htdocs/example.com/"
}
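With SNI the names in each server block are what httpd matches the TLS handshake and Host header against, so a typo in an alias (a comma in place of a dot, for instance) silently leaves that name unserved, and a tls listener missing either its certificate or its key line will not start. The following lint is an added example, not part of the original post or of OpenBSD httpd: it walks the server blocks of an httpd.conf with awk and reports both problems. The two configurations it runs on are constructed copies of the one above; the second deliberately carries a malformed alias and omits the tls key line.

```shell
#!/bin/sh
# Added example, not from the original post: a small lint for OpenBSD httpd.conf.
# For every server block it reports
#   - a server or alias name that is not a syntactically valid DNS host name, and
#   - a block that listens with tls but lacks "tls certificate" or "tls key".
# Usage: lint_httpd_conf FILE ; exit 0 when clean, 1 when problems were printed.
lint_httpd_conf() {
    awk '
    BEGIN { found = 0 }
    function check_block() {
        if (has_tls && !(has_cert && has_key)) {
            printf "server %s: tls listener without both tls certificate and tls key\n", name
            found = 1
        }
        for (i = 1; i <= n; i++)
            if (names[i] !~ /^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z][A-Za-z]+$/) {
                printf "server %s: invalid host name \"%s\"\n", name, names[i]
                found = 1
            }
    }
    # A server block starts here: remember its name and reset per-block state.
    /^[ \t]*server[ \t]+"/ {
        in_block = 1; depth = 0; n = 0; has_tls = has_cert = has_key = 0
        match($0, /"[^"]*"/); name = substr($0, RSTART + 1, RLENGTH - 2)
        names[++n] = name
    }
    in_block {
        if ($1 == "alias")                          { gsub(/"/, "", $2); names[++n] = $2 }
        if ($1 == "listen" && $0 ~ /[ \t]tls[ \t]/)  has_tls = 1
        if ($1 == "tls" && $2 == "certificate")     has_cert = 1
        if ($1 == "tls" && $2 == "key")             has_key = 1
        # Track brace depth so nested location/log blocks do not end the server block early.
        depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}")
        if (depth == 0) { check_block(); in_block = 0 }
    }
    END { exit found }
    ' "$1"
}

# Constructed clean configuration, modelled on the post.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
server "example.com" {
    listen on * port 80
    alias secure.example.com
    alias www.example.com
    log { access "example.com-access.log", error "example.com-error.log" }
    location "/.well-known/acme-challenge/*" {
        root "/htdocs/example.com/acme"
        root strip 2
    }
    location "/*" {
        block return 301 "https://$SERVER_NAME$REQUEST_URI"
    }
}
server "example.com" {
    listen on * tls port 443
    alias secure.example.com
    alias www.example.com
    tls certificate "/etc/ssl/example.com.fullchain.pem"
    tls key "/etc/ssl/private/example.com.key.pem"
    directory { index "index.php" }
    location "*.php" { fastcgi socket "/run/php-fpm.sock" }
    root "/htdocs/example.com/"
}
EOF

# Constructed broken configuration: comma typo in an alias, tls key line missing.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
server "example.com" {
    listen on * port 80
    alias secure.example,com
    alias www.example.com
    location "/*" {
        block return 301 "https://$SERVER_NAME$REQUEST_URI"
    }
}
server "example.com" {
    listen on * tls port 443
    alias secure.example.com
    tls certificate "/etc/ssl/example.com.fullchain.pem"
    log { access "example.com-sslaccess.log", error "example.com-sslerror.log" }
    root "/htdocs/example.com/"
}
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    if lint_httpd_conf "$f"; then echo "$f: clean"; fi
done
```

Run it against /etc/httpd.conf before `httpd -n`; the syntax check catches the missing key line but not the alias typo, since a hostname with a comma is still a valid string to the parser.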