3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-12-18 09:12:43 +01:00
iwd/doc/8021x-wired-testing.txt

101 lines
3.1 KiB
Plaintext
Raw Normal View History

Virtual Ethernet Device
=======================
Virtual Ethernet device pairs are a pair of fake Ethernet devices that act
as a pipe, Traffic sent via one interface comes out the other. As these are
Ethernet devices and not point to point devices you can handle broadcast
traffic on these interfaces and use protocols other than IP.
To create a virtual ethernet pipe with one end called veth0 and the other
called veth1, use the following command:
sudo ip link add veth0 type veth peer name veth1
The pair of interfaces are identical and act as a dumb pipe, there is no
master or slave end. Deleting either end will cause both interfaces to be
deleted. The pair of interfaces implement carrier detection and can tell
when one side of the link is in the 'DOWN' state. if the other link is in
the 'DOWN' state it will indicate 'NO-CARRIER' until the other end is
brought up:
sudo ip link set veth0 up
sudo ip link set veth1 up
Testing 802.1x on Virtual Ethernet Device
=========================================
It is based on hostapd and wpa_supplicant. To compile them, go in the
hostapd/wpa_supplicant directory, copy "defconfig" to ".config", for
hostapd uncomment the line "CONFIG_DRIVER_WIRED=y" and "make".
Using hostapd (the authenticator) and following hostapd.conf file:
interface=veth0
driver=wired
ieee8021x=1
use_pae_group_addr=1
eap_server=1
eap_user_file=hostapd.eap_user # replace with the right path
ca_cert=newcertca.crt # replace with your CA certificate path
server_cert=newcertca.crt # replace with your server certificate path (here I use the same as for the CA for simplicity)
private_key=newkeyca.key # replace with your server private key path
A sample hostapd.eap_user that works is the following:
# Phase 1 users
* PEAP
# Phase 2
"test" MSCHAPV2 "password" [2]
To execute hostapd (add "-dd" for debug mode):
sudo ./hostapd hostapd.conf
Using wpa_supplicant (the supplicant, i.e., the client) with the following
wpa_supplicant.conf configuration file:
ap_scan=0
fast_reauth=1
network={
ssid=""
scan_ssid=0
key_mgmt=IEEE8021X
eap=PEAP
phase2="auth=MSCHAPV2"
identity="test"
password="password"
ca_cert="newcertca.crt" # replace with your CA certificate path
}
To run wpa_supplicant (add "-dd -K" for debugging):
sudo ./wpa_supplicant -iveth1 -c./wpa_supplicant.conf -Dwired
Running Authenticator in a network namespace
============================================
In some cases it might be useful to run hostapd in a network namespace to
provide real separation between the two network interfaces. First create
the "hostap" named network namespace:
sudo ip netns add hostap
Now move the network interface of hostapd into the "hostap" named network
namespace:
sudo ip link set veth0 netns hostap
Inside the "hostap" named network namespace the loopback interface needs
to be brought up and also the network interface:
sudo ip netns exec hostap ip link set lo up
sudo ip netns exec hostap ip link set veth0 up
Then execute hostapd inside the network namespace:
sudo ip netns exec hostap ./hostapd wired_hostapd.conf
After that run wpa_supplicant as described above.