7.3. Authenticator and Authentication Server

The authenticator described in this example allows wireless hosts to connect using X.509 certificates (EAP-TLS) or a username/password combination (EAP-PEAP). The SISO functions as both the Authenticator and the Authentication Server.

This section assumes that madwifi driver and hostapd authenticator daemon have been installed, as described in Section 4.10, “Wireless Driver (madwifi)” and Section 4.11, “Wireless Authenticator and Authentication Server (hostapd)”.

7.3.1. Import Certificates

The supplicant always checks that the authentication server is one it trusts. It does this by verifying that the authentication server's X.509 certificate is signed by a trusted CA. The supplicant proves its own identity with either an X.509 certificate (EAP-TLS) or a username/password combination (EAP-PEAP).

Generate an X.509 CA and a certificate for SISO as described in Section 7.2.2, “Create the certificates”. Then copy the certificate and unencrypted key to the rootfs, and create the 8-byte hash links for the CA certificate and CRL, so that OpenSSL will recognize them when it looks them up by directory.

mkdir -p $ROOTFS_DIR/etc/sysconfig/hostapd
pushd $ROOTFS_DIR/etc/sysconfig/hostapd/
  SSL_DIR=$PRJ_DIR/openssl
  # server certificate, its (unencrypted) private key, the CA certificate and the CRL
  install -m 600 $SSL_DIR/certs/siso.vonk-cert.pem .
  install -m 600 $SSL_DIR/certs/siso.vonk-key.pem .
  install -m 600 $SSL_DIR/ca/CAcert.pem .
  install -m 600 $SSL_DIR/ca/CRL.pem .
  # OpenSSL looks up trusted CAs and CRLs by the hash of the subject name:
  # <hash>.0 for the certificate, <hash>.r0 for the CRL issued by that CA
  HASH=$(openssl x509 -noout -hash -in CAcert.pem)
  ln -s CAcert.pem $HASH.0
  ln -s CRL.pem $HASH.r0
popd
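The following script is an added example and not part of the SISO build scripts. It generalizes the steps above into two functions: install_hash_links copies a CA certificate (and optionally its CRL) into a directory and creates the hash links, picking the next free suffix when two CAs happen to share the same subject hash; verify_against_dir checks that a certificate chains to a CA in that directory, which is the test a practitioner should run before shipping the rootfs. The function names and the directory layout are assumptions; only the openssl commands are standard.

```shell
#!/bin/sh
# Added example (hypothetical helper names): build an OpenSSL hash directory
# for hostapd and check that a server certificate verifies against it.

# install_hash_links DIR CACERT [CRL]
# Copies CACERT (and CRL, if given) into DIR and creates <hash>.N and
# <hash>.rN links. N is the first unused suffix for that hash, so two CAs
# with colliding subject hashes both stay reachable. Prints the link name.
install_hash_links() {
    dir=$1; ca=$2; crl=${3:-}
    mkdir -p "$dir"
    install -m 600 "$ca" "$dir/"
    # subject-name hash as computed by the openssl binary on this host
    hash=$(openssl x509 -noout -hash -in "$ca")
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$ca")" "$dir/$hash.$n"
    if [ -n "$crl" ]; then
        install -m 600 "$crl" "$dir/"
        m=0
        while [ -e "$dir/$hash.r$m" ]; do m=$((m + 1)); done
        # the CRL is filed under the hash of its issuer, i.e. the CA subject
        ln -s "$(basename "$crl")" "$dir/$hash.r$m"
    fi
    echo "$hash.$n"
}

# verify_against_dir DIR CERT
# Returns 0 when CERT chains to a CA found through the hash links in DIR.
verify_against_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Compute the hash with the same OpenSSL major version that will run on the target: OpenSSL 0.9.8 and 1.0.0 use different subject-hash algorithms (1.0.0 and later offer -subject_hash_old for the old form), and a link named with the wrong one is silently ignored. Add -crl_check to the verify call once the CRL link is in place to confirm the CRL is picked up as well.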

7.3.2. Configuration

Example configuration and the user password lists are: