hostapd EAP-TLS and WPA-PSK during migration
by tomschuring from LinuxQuestions.org on (#57HY5)
I've been able to set up hostapd.conf so it can set up either a PSK AP:
Code:
interface=uap0
driver=nl80211
ssid=MyPskAp
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=12345678
wpa_key_mgmt=WPA-PSK

or an EAP-TLS AP:
Code:
interface=uap0
ctrl_interface=/var/run/hostapd
ssid=testAPUsingEAPTLS
driver=nl80211
hw_mode=g
channel=10
beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
eap_reauth_period=0
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
macaddr_acl=0
auth_algs=1
own_ip_addr=127.0.0.1
ieee8021x=1
eap_server=1
eapol_version=1
# Path for EAP server user database
eap_user_file=/etc/hostapd_eap_user
ca_cert=/usr/ssl/wifi/ca-chain.cert.pem
server_cert=/usr/ssl/wifi/device.cert.pem
private_key=/usr/ssl/wifi/device.key.pem

This all works, so all good.
Is there a way that, during a transition period, I can configure hostapd so the AP on the devices allows both simultaneously?
So if there is a new client that has already received their client certificates, they can use EAP-TLS, and if they haven't, they can still use their old password.
Then once everyone is 'over', I'll switch off the WPA-PSK option.
I've tried to add a fall-through (* MD5) in the hostapd_eap_user file for the EAP-TLS case like:
Code:
"device1" TLS
* MD5 "12345678"

but that doesn't seem to work.
thanks, tom
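
An added example, not part of the original post and not hostapd's own code: a small Python check that could be run during such a transition to see whether WPA-PSK is still accepted and whether the EAP user file allows any method other than TLS. The sample config and user file are constructed from the settings in the post; the finding names and the passphrase heuristic are assumptions of this example.

```python
import shlex

# Constructed sample input, modelled on the settings shown in the post.
SAMPLE_CONF = """\
ssid=testAPUsingEAPTLS
wpa=2
# hostapd.conf takes a space-separated list of key management algorithms
wpa_key_mgmt=WPA-PSK WPA-EAP
wpa_passphrase=12345678
ieee8021x=1
eap_server=1
eap_user_file=/etc/hostapd_eap_user
"""
SAMPLE_EAP_USERS = '"device1" TLS\n* MD5 "12345678"\n'


def parse_conf(text):
    """Return key -> value for hostapd-style key=value lines (later lines overwrite)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(conf_text, eap_user_text=""):
    """List findings that matter during a PSK -> EAP-TLS migration."""
    conf = parse_conf(conf_text)
    akms = conf.get("wpa_key_mgmt", "").split()
    findings = []
    if "WPA-PSK" in akms:
        findings.append("psk-still-enabled")
        phrase = conf.get("wpa_passphrase", "")
        # Heuristic picked for this example: short or digits-only passphrases.
        if len(phrase) < 12 or phrase.isdigit():
            findings.append("weak-passphrase")
    for line in eap_user_text.splitlines():
        fields = shlex.split(line, comments=True)  # handles quoted identities
        if len(fields) < 2:
            continue
        # Second field is the comma-separated EAP method list for the identity.
        extra = [m for m in fields[1].split(",") if m != "TLS"]
        if extra:
            findings.append("non-tls-method:%s:%s" % (fields[0], ",".join(extra)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_EAP_USERS):
        print(finding)
```

EAP-MD5 derives no keying material, so a `* MD5` entry cannot stand in for the PSK on a WPA2 network; the check flags it as a leftover to remove.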

