iwd/doc/8021x-wired-testing.txt

Virtual Ethernet Device
=======================

Virtual Ethernet device pairs are a pair of fake Ethernet devices that act
as a pipe, Traffic sent via one interface comes out the other. As these are
Ethernet devices and not point to point devices you can handle broadcast
traffic on these interfaces and use protocols other than IP.

To create a virtual ethernet pipe with one end called veth0 and the other
called veth1, use the following command:

	sudo ip link add veth0 type veth peer name veth1

The pair of interfaces are identical and act as a dumb pipe, there is no
master or slave end. Deleting either end will cause both interfaces to be
deleted. The pair of interfaces implement carrier detection and can tell
when one side of the link is in the 'DOWN' state. if the other link is in
the 'DOWN' state it will indicate 'NO-CARRIER' until the other end is
brought up:

	sudo ip link set veth0 up
	sudo ip link set veth1 up


Testing 802.1x on Virtual Ethernet Device
=========================================

It is based on hostapd and wpa_supplicant. To compile them, go in the
hostapd/wpa_supplicant directory, copy "defconfig" to ".config", for
hostapd uncomment the line "CONFIG_DRIVER_WIRED=y" and "make".

Using hostapd (the authenticator) and following hostapd.conf file:

	interface=veth0
	driver=wired
	ieee8021x=1
	use_pae_group_addr=1
	eap_server=1
	eap_user_file=hostapd.eap_user # replace with the right path
	ca_cert=newcertca.crt # replace with your CA certificate path
	server_cert=newcertca.crt # replace with your server certificate path (here I use the same as for the CA for simplicity)
	private_key=newkeyca.key # replace with your server private key path

A sample hostapd.eap_user that works is the following:

	# Phase 1 users
	*	PEAP
	# Phase 2
	"test"	MSCHAPV2	"password"	[2]

To execute hostapd (add "-dd" for debug mode):

	sudo ./hostapd hostapd.conf

Using wpa_supplicant (the supplicant, i.e., the client) with the following
wpa_supplicant.conf configuration file:

	ap_scan=0
	fast_reauth=1
	network={
		ssid=""
		scan_ssid=0
		key_mgmt=IEEE8021X
		eap=PEAP
		phase2="auth=MSCHAPV2"
		identity="test"
		password="password"
		ca_cert="newcertca.crt" # replace with your CA certificate path
	}

To run wpa_supplicant (add "-dd -K" for debugging):

	sudo ./wpa_supplicant -iveth1 -c./wpa_supplicant.conf -Dwired


Running Authenticator in a network namespace
============================================

In some cases it might be useful to run hostapd in a network namespace to
provide real separation between the two network interfaces. First create
the "hostap" named network namespace:

	sudo ip netns add hostap

Now move the network interface of hostapd into the "hostap" named network
namespace:

	sudo ip link set veth0 netns hostap

Inside the "hostap" named network namespace the loopback interface needs
to be brought up and also the network interface:

	sudo ip netns exec hostap ip link set lo up
	sudo ip netns exec hostap ip link set veth0 up

Then execute hostapd inside the network namespace:

	sudo ip netns exec hostap ./hostapd wired_hostapd.conf

After that run wpa_supplicant as described above.
doc: Add instructions for 802.1x wired testing 2018-09-14 13:55:36 +02:00			`Virtual Ethernet Device`
			`=======================`

			`Virtual Ethernet device pairs are a pair of fake Ethernet devices that act`
			`as a pipe, Traffic sent via one interface comes out the other. As these are`
			`Ethernet devices and not point to point devices you can handle broadcast`
			`traffic on these interfaces and use protocols other than IP.`

			`To create a virtual ethernet pipe with one end called veth0 and the other`
			`called veth1, use the following command:`

doc: Add notes about running hostapd in a network namespace 2018-10-16 17:46:33 +02:00			`sudo ip link add veth0 type veth peer name veth1`
doc: Add instructions for 802.1x wired testing 2018-09-14 13:55:36 +02:00
			`The pair of interfaces are identical and act as a dumb pipe, there is no`
			`master or slave end. Deleting either end will cause both interfaces to be`
			`deleted. The pair of interfaces implement carrier detection and can tell`
			`when one side of the link is in the 'DOWN' state. if the other link is in`
			`the 'DOWN' state it will indicate 'NO-CARRIER' until the other end is`
			`brought up:`

doc: Add notes about running hostapd in a network namespace 2018-10-16 17:46:33 +02:00			`sudo ip link set veth0 up`
			`sudo ip link set veth1 up`
doc: Add instructions for 802.1x wired testing 2018-09-14 13:55:36 +02:00

			`Testing 802.1x on Virtual Ethernet Device`
			`=========================================`

			`It is based on hostapd and wpa_supplicant. To compile them, go in the`
			`hostapd/wpa_supplicant directory, copy "defconfig" to ".config", for`
			`hostapd uncomment the line "CONFIG_DRIVER_WIRED=y" and "make".`

			`Using hostapd (the authenticator) and following hostapd.conf file:`

			`interface=veth0`
			`driver=wired`
			`ieee8021x=1`
doc: Document use_pae_group_addr=1 option for wired 802.1x testing 2018-10-16 14:51:29 +02:00			`use_pae_group_addr=1`
doc: Add instructions for 802.1x wired testing 2018-09-14 13:55:36 +02:00			`eap_server=1`
			`eap_user_file=hostapd.eap_user # replace with the right path`
			`ca_cert=newcertca.crt # replace with your CA certificate path`
			`server_cert=newcertca.crt # replace with your server certificate path (here I use the same as for the CA for simplicity)`
			`private_key=newkeyca.key # replace with your server private key path`

			`A sample hostapd.eap_user that works is the following:`

			`# Phase 1 users`
			`* PEAP`
			`# Phase 2`
			`"test" MSCHAPV2 "password" [2]`

			`To execute hostapd (add "-dd" for debug mode):`

			`sudo ./hostapd hostapd.conf`

			`Using wpa_supplicant (the supplicant, i.e., the client) with the following`
			`wpa_supplicant.conf configuration file:`

			`ap_scan=0`
			`fast_reauth=1`
			`network={`
			`ssid=""`
			`scan_ssid=0`
			`key_mgmt=IEEE8021X`
			`eap=PEAP`
			`phase2="auth=MSCHAPV2"`
			`identity="test"`
			`password="password"`
			`ca_cert="newcertca.crt" # replace with your CA certificate path`
			`}`

			`To run wpa_supplicant (add "-dd -K" for debugging):`

			`sudo ./wpa_supplicant -iveth1 -c./wpa_supplicant.conf -Dwired`

doc: Add notes about running hostapd in a network namespace 2018-10-16 17:46:33 +02:00
			`Running Authenticator in a network namespace`
			`============================================`

			`In some cases it might be useful to run hostapd in a network namespace to`
			`provide real separation between the two network interfaces. First create`
			`the "hostap" named network namespace:`

			`sudo ip netns add hostap`

			`Now move the network interface of hostapd into the "hostap" named network`
			`namespace:`

			`sudo ip link set veth0 netns hostap`

			`Inside the "hostap" named network namespace the loopback interface needs`
			`to be brought up and also the network interface:`

			`sudo ip netns exec hostap ip link set lo up`
			`sudo ip netns exec hostap ip link set veth0 up`

			`Then execute hostapd inside the network namespace:`

			`sudo ip netns exec hostap ./hostapd wired_hostapd.conf`

			`After that run wpa_supplicant as described above.`