The George Washington University (where I work and study) has recently implemented 802.1X to secure its wireless networks. 802.1X defines support for EAP over Ethernet (including wireless) and the WPA standards define several modes of EAP that can be used.
Solaris (I’m referring to version 11, OpenSolaris, OpenIndiana, and Illumos) supports WPA. It modified an early version of wpa_supplicant and called it “wpad”. However, they seem to have made a point of stripping all EAP support out of wpad.
So when my Network Security instructor said we had to do a term project of our choosing relating to network security, I decided I’d try to get 802.1X working in Solaris. To do this, I decided I could either add the EAP bits back into wpad, or add the Solaris-specific bits to the latest version of wpa_supplicant. wpad is based on very old code. It’s not even clear which version of wpa_supplicant it is based on, and there is no record of the massive amount of changes they made. It would be too hard for me to figure out where to plug EAP back in, and who knows how many bugs and security vulnerabilities were fixed upstream that we’d be missing out on.
Fortunately, wpa_supplicant is very modular, and reasonably well documented. I was able to graft the older Solaris code onto the newer interfaces. The result of my work is currently maintained in my own branch at GitHub. It’s not perfect, but it works (and I’ll explain how). Solaris has a very limited public API for wireless support and my goal was to get wpa_supplicant working without having to modify any system libraries or the kernel. I struggled to figure out some idiosyncrasies such as:
- Events (association, disassociation, etc.) are only sent to wpa_supplicant when WPA is enabled in the driver.
- Full scan results are only available when WPA is disabled in the driver.
- Scan results don’t provide nearly as much information as their Linux counterparts do, such as access point capabilities, signal strength, noise levels, etc. I was very worried I wouldn’t be able to fill out the scan results structure fully and wpa_supplicant would refuse to work without complete information.
Here is how you can get 802.1X support working on your Solaris laptop:
- Install the wpa_supplicant package from my package repository:
# pkg set-publisher -p http://pkg.thestaticvoid.com/
# pkg install wpa_supplicant
- Add the configuration for your protected wireless networks to /etc/wpa_supplicant.conf. Here is mine:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=0

network={
    ssid="prey"
    key_mgmt=WPA-PSK
    psk="<network key>"
}

network={
    ssid="GW1X"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="jameslee"
    anonymous_identity="anonymous"
    password="<personal password>"
    phase2="auth=PAP"
}

The most important thing here is ap_scan=0. This tells wpa_supplicant not to do any scanning or association of its own. Those tasks will be handled by dladm and NWAM.
- Backup /usr/lib/inet/wpad and replace it with this script:
#!/bin/sh
# dladm/NWAM invoke wpad with "-i <interface>"; pull that interface name out of the arguments
interface=`echo $@ | /usr/bin/sed 's/.*-i *\([a-z0-9]*\).*/\1/'`
# Start wpa_supplicant with the Solaris driver in the background; -s sends its log output to syslog
exec /usr/sbin/wpa_supplicant -Dsolaris -i$interface -c/etc/wpa_supplicant.conf -s &
Now connect to a wireless network with NWAM or dladm. When prompted for a network key, enter anything; it won’t be used. The actual keys will be looked up in /etc/wpa_supplicant.conf. Here is an example of me connecting to my 802.1X-secured network using dladm:
# dladm connect-wifi -e GW1X -s wpa -k nwam-GW1X iwh0
# dladm show-wifi
LINK        STATUS      ESSID     SEC    STRENGTH    MODE   SPEED
iwh0        connected   GW1X      wpa    excellent   g      54Mb
“-k nwam-GW1X” refers to a dummy key set up by NWAM. dladm will complain if it is not given a key.
That should be it!
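As an added example (it is not the author's wrapper and not part of the wpa_supplicant project), here is a stricter stand-in for the wpad script above. It pulls the interface name out of the argument list instead of pattern-matching the joined string, refuses to start unless /etc/wpa_supplicant.conf (which holds the PSK and the EAP password in clear text) is owned by the caller and unreadable to anyone else, and warns about any WPA-EAP network that sets no ca_cert, because wpa_supplicant then cannot check the authentication server's certificate before sending the TTLS/PAP password through the tunnel. The WPA_CONF and WPA_SUPPLICANT overrides, the file paths and the sample configuration it writes are assumptions or constructed for this example.

```shell
#!/bin/sh
# Added example, not the post's wpad wrapper: a stricter stand-in for
# /usr/lib/inet/wpad. Assumptions: dladm/NWAM pass "-i <interface>" as the post
# shows, the config lives at /etc/wpa_supplicant.conf, and wpa_supplicant is at
# /usr/sbin/wpa_supplicant (both overridable through the environment).
CONF=${WPA_CONF:-/etc/wpa_supplicant.conf}
SUPPLICANT=${WPA_SUPPLICANT:-/usr/sbin/wpa_supplicant}

# parse_interface ARG...: print the value given with -i ("-i iwh0" or "-iiwh0").
# Walks the argument list instead of regex-matching the joined string, so other
# arguments that merely contain "-i" (a key name, say) cannot confuse it.
parse_interface() {
    while [ $# -gt 0 ]; do
        case $1 in
            -i)   [ $# -ge 2 ] && printf '%s\n' "$2" && return 0; return 1 ;;
            -i?*) printf '%s\n' "${1#-i}"; return 0 ;;
        esac
        shift
    done
    return 1
}

# valid_ifname NAME: accept only lowercase letters and digits, the same set the
# post's sed pattern captured, so the name is safe to splice into a command line.
valid_ifname() {
    case $1 in
        '' | *[!a-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# conf_perms_ok FILE: the config holds the PSK and the EAP password in clear
# text, so require that it is owned by the user running wpad (root in practice)
# and readable by nobody else (mode 600 or 400). Parses ls -ld for portability.
conf_perms_ok() {
    f=$1
    [ -O "$f" ] || return 1
    set -- $(ls -ld "$f" 2>/dev/null)
    [ $# -ge 1 ] || return 1
    case $1 in
        ?rw-------* | ?r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# eap_networks_without_ca FILE: print the ssid of every network={...} block that
# uses WPA-EAP but sets no ca_cert. Without a CA certificate the supplicant
# cannot verify the authentication server, and with TTLS/PAP the password
# travels inside that unverified tunnel in the clear.
eap_networks_without_ca() {
    awk '
        /^[ \t]*network=[{]/ { inblk = 1; ssid = ""; eap = 0; ca = 0; next }
        inblk && /^[ \t]*ssid=/ { ssid = $0; sub(/^[ \t]*ssid=/, "", ssid); gsub(/"/, "", ssid) }
        inblk && /^[ \t]*key_mgmt=/ && /WPA-EAP/ { eap = 1 }
        inblk && /^[ \t]*ca_cert=/ { ca = 1 }
        inblk && /^[ \t]*[}]/ { if (eap && !ca) print ssid; inblk = 0 }
    ' "$1"
}

# write_sample_conf FILE: a constructed config in the shape of the post's, with
# one PSK network, one EAP network lacking ca_cert and one that sets it.
write_sample_conf() {
    cat > "$1" <<'EOF'
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
    ssid="prey"
    key_mgmt=WPA-PSK
    psk="constructed-network-key"
}
network={
    ssid="GW1X"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="jameslee"
    password="constructed-password"
    phase2="auth=PAP"
}
network={
    ssid="GW1X-pinned"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/certs/constructed-ca.pem"
    identity="jameslee"
    password="constructed-password"
    phase2="auth=PAP"
}
EOF
}

# Launch path, taken only when invoked with arguments as dladm/NWAM do.
if [ $# -gt 0 ]; then
    ifname=$(parse_interface "$@") || { echo "wpad: no -i <interface> argument" >&2; exit 1; }
    valid_ifname "$ifname" || { echo "wpad: unexpected interface name '$ifname'" >&2; exit 1; }
    conf_perms_ok "$CONF" || { echo "wpad: $CONF must be owned by $(id -un) with mode 600" >&2; exit 1; }
    eap_networks_without_ca "$CONF" | while read -r s; do
        echo "wpad: warning: network '$s' uses WPA-EAP without ca_cert" >&2
    done
    # Same launch as the post's script: background the supplicant so wpad
    # returns to dladm promptly; -s sends the supplicant's log output to syslog.
    exec "$SUPPLICANT" -Dsolaris -i"$ifname" -c"$CONF" -s &
fi
```

Installed in place of /usr/lib/inet/wpad it performs the same launch as the original script. Run with no arguments it only defines the functions, so the permission and ca_cert checks can be exercised against a copy of your own configuration before you rely on them.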
Future Directions
Obviously, the integration of wpa_supplicant and NWAM/dladm leaves a lot to be desired. If there is sufficient interest, I will start looking into how to modify the dladm security framework in Illumos to include EAP related configurations (keys, certificates, identities; it’s all much more complicated than the single pre-shared key that dladm supports now). My hope, though, is that Oracle is already working on this. Do you hear that Oracle?
Wow, brilliant,
I’ve just come from a customer who has 802.1x across the entire network. It made my Solaris laptop look a little er… “lacking” especially since it’s simply a click on a network tab on another popular MS based OS.
Is there _any_ way that this can be adapted for wired networks?
Thanks again
Keith
I’ve rebuilt my package with the wired driver, which has supposedly worked on Solaris for the past year. I have no way of testing it though. I’d love to hear if it works!
I’m now sufficiently interested, since my place of work is about to go all 802.1X with certs. I just don’t want to go Windows…
Dear Sir,
If possible, the author will use your version for Solaris 11.3 on a notebook. Free WLAN works, but the university WLAN cannot be used (SUSE and Ubuntu work without problem). I asked Solaris; they have service/network/wpa, but that is installed by the author from the start… it does not work; no wpa* exists in /etc and /var/run.
Jouni Malinen
It looks like there is a github repository with some changes for Solaris based on some old snapshot of wpa_supplicant. However, those changes have not been contributed to the upstream project, so I cannot say much about what version could be related to this effort. You’d need to ask this from whoever has worked with that external repository. It would be relevant to this mailing list only if someone were to contribute such changes to the upstream project.