hostapd and Wi-Fi Protected Setup (WPS)
=======================================

This document describes how the WPS implementation in hostapd can be
configured and how an external component on an AP (e.g., web UI) is
used to enable enrollment of client devices.


Introduction to WPS
-------------------

Wi-Fi Protected Setup (WPS) is a mechanism for easy configuration of a
wireless network. It allows automated generation of random keys (WPA
passphrase/PSK) and configuration of an access point and client
devices. WPS includes a number of methods for setting up connections,
with the PIN method and push-button configuration (PBC) being the most
commonly deployed options.

While WPS can enable more home networks to use encryption in the
wireless network, it should be noted that the use of the PIN and
especially PBC mechanisms for authenticating the initial key setup is
not very secure. As such, use of WPS may not be suitable for
environments that require secure network access without any chance of
allowing outsiders to gain access during the setup phase.

WPS uses the following terms to describe the entities participating in
the network setup:
- access point: the WLAN access point
- Registrar: a device that controls a network and can authorize
  addition of new devices; this may be either in the AP ("internal
  Registrar") or in an external device, e.g., a laptop ("external
  Registrar")
- Enrollee: a device that is being authorized to use the network

It should also be noted that the AP and a client device may change
roles (i.e., the AP acts as an Enrollee and the client device as a
Registrar) when WPS is used to configure the access point.


More information about WPS is available from Wi-Fi Alliance:
http://www.wi-fi.org/wifi-protected-setup


hostapd implementation
----------------------

hostapd includes an optional WPS component that can be used as an
internal WPS Registrar to manage addition of new WPS enabled clients
to the network. In addition, WPS Enrollee functionality in hostapd can
be used to allow external WPS Registrars to configure the access
point, e.g., for initial network setup. hostapd can also proxy a WPS
registration between a wireless Enrollee and an external Registrar
(e.g., Microsoft Vista or Atheros JumpStart) over UPnP.


hostapd configuration
---------------------

WPS is an optional component that needs to be enabled in the hostapd
build configuration (.config). Here is an example configuration that
includes WPS support and uses the madwifi driver interface:

CONFIG_DRIVER_MADWIFI=y
CFLAGS += -I/usr/src/madwifi-0.9.3
CONFIG_WPS=y
CONFIG_WPS2=y
CONFIG_WPS_UPNP=y

The following parameter can be used to enable support for the NFC
config method:

CONFIG_WPS_NFC=y


The following section shows an example runtime configuration
(hostapd.conf) that enables WPS:

# Configure the driver and network interface
driver=madwifi
interface=ath0

# WPA2-Personal configuration for the AP
ssid=wps-test
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
# Default WPA passphrase for legacy (non-WPS) clients
wpa_passphrase=12345678
# Enable random per-device PSK generation for WPS clients
# Please note that the file has to exist for hostapd to start (i.e., create an
# empty file as a starting point).
wpa_psk_file=/etc/hostapd.psk

# Enable control interface for PBC/PIN entry
ctrl_interface=/var/run/hostapd

# Enable internal EAP server for EAP-WSC (part of Wi-Fi Protected Setup)
eap_server=1

# WPS configuration (AP configured, do not allow external WPS Registrars)
wps_state=2
ap_setup_locked=1
# If UUID is not configured, it will be generated based on local MAC address.
uuid=87654321-9abc-def0-1234-56789abc0000
wps_pin_requests=/var/run/hostapd.pin-req
device_name=Wireless AP
manufacturer=Company
model_name=WAP
model_number=123
serial_number=12345
device_type=6-0050F204-1
os_version=01020300
config_methods=label display push_button keypad

# If external Registrars are allowed, UPnP support could be added:
#upnp_iface=br0
#friendly_name=WPS Access Point


External operations
-------------------

WPS requires either a device PIN code (usually, an 8-digit number) or a
pushbutton event (for PBC) to allow a new WPS Enrollee to join the
network. hostapd uses the control interface as an input channel for
these events.

The PIN value used in the commands must be processed by a UI to
remove non-digit characters and, potentially, to verify the checksum
digit. "hostapd_cli wps_check_pin <PIN>" can be used to do such
processing. It returns FAIL if the PIN is invalid, FAIL-CHECKSUM if
the checksum digit is incorrect, or the processed PIN (non-digit
characters removed) if the PIN is valid.

When a client device (WPS Enrollee) connects to hostapd (WPS
Registrar) in order to start PIN mode negotiation for WPS, an
identifier (Enrollee UUID) is sent. hostapd will need to be configured
with a device password (PIN) for this Enrollee. This is an operation
that requires user interaction (assuming there are no pre-configured
PINs on the AP for a set of Enrollees).

The PIN request with information about the device is appended to the
wps_pin_requests file (/var/run/hostapd.pin-req in this example). In
addition, a hostapd control interface event is sent as a notification
of a new device. The AP could use, e.g., a web UI for showing active
Enrollees to the user and requesting a PIN for an Enrollee.

The PIN request file has one line for every Enrollee that connected to
the AP, but for which there was no PIN. The following information is
provided for each Enrollee (separated with tabulators):
- timestamp (seconds from 1970-01-01)
- Enrollee UUID
- MAC address
- Device name
- Manufacturer
- Model Name
- Model Number
- Serial Number
- Device category

Example line in the /var/run/hostapd.pin-req file:
1200188391 53b63a98-d29e-4457-a2ed-094d7e6a669c Intel(R) Centrino(R) Intel Corporation Intel(R) Centrino(R) - - 1-0050F204-1

Control interface data:
WPS-PIN-NEEDED [UUID-E|MAC Address|Device Name|Manufacturer|Model Name|Model Number|Serial Number|Device Category]
For example:
<2>WPS-PIN-NEEDED [53b63a98-d29e-4457-a2ed-094d7e6a669c|02:12:34:56:78:9a|Device|Manuf|Model|Model Number|Serial Number|1-0050F204-1]

When the user enters a PIN for a pending Enrollee (e.g., on the web
UI), hostapd needs to be notified of the new PIN over the control
interface. This can be done either by using the UNIX domain socket
-based control interface directly (src/common/wpa_ctrl.c provides
helper functions for using the interface) or by calling hostapd_cli.

Example command to add a PIN (12345670) for an Enrollee:

hostapd_cli wps_pin 53b63a98-d29e-4457-a2ed-094d7e6a669c 12345670

If the UUID-E is not available (e.g., the Enrollee waits for the
Registrar to be selected before connecting), the wildcard UUID may be
used to allow the PIN to be used once with any UUID:

hostapd_cli wps_pin any 12345670

To reduce the likelihood of the PIN being used with other devices, or
of an active PIN being forgotten and left available to potential
attackers, an expiration time in seconds can be set for the new PIN
(value 0 indicates no expiration):

hostapd_cli wps_pin any 12345670 300

If the MAC address of the Enrollee is known, it should be configured
to allow the AP to advertise the list of authorized Enrollees:

hostapd_cli wps_pin 53b63a98-d29e-4457-a2ed-094d7e6a669c \
	12345670 300 00:11:22:33:44:55

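As an added example (it is not part of this document and not hostapd's own code), the Python script below puts the PIN-entry steps above together the way an external component such as a web UI would: it parses the WPS-PIN-NEEDED control interface event, emulates the reply of "hostapd_cli wps_check_pin" (non-digit characters stripped, an 8-digit PIN checked against the WSC checksum digit) and assembles the hostapd_cli wps_pin command with an expiration time and the Enrollee MAC address. The function names, the 300-second default timeout and the acceptance of 4-digit PINs without a checksum (as WPS allows) are this example's assumptions; the event line is the one shown above.

```python
"""Added example, not hostapd code: an external component's side of the
WPS PIN method (event parsing, PIN validation, wps_pin command)."""
import re

# Assumption of this example: new PINs expire after 5 minutes, matching
# the "300" used in the wps_pin examples above.
DEFAULT_PIN_TIMEOUT = 300


def wps_pin_checksum(pin7: int) -> int:
    """Checksum digit for the first 7 digits of an 8-digit WPS PIN (Wi-Fi
    Simple Configuration rule): every other digit, counted from the right,
    is weighted 3; the checksum makes the weighted sum a multiple of 10."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def wps_check_pin(raw: str) -> str:
    """Emulates the reply of "hostapd_cli wps_check_pin <PIN>": FAIL,
    FAIL-CHECKSUM, or the PIN with non-digit characters removed."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) not in (4, 8):
        return "FAIL"
    if len(digits) == 8:
        value = int(digits)
        if wps_pin_checksum(value // 10) != value % 10:
            return "FAIL-CHECKSUM"
    return digits


# <2>WPS-PIN-NEEDED [UUID-E|MAC|Device Name|Manufacturer|Model Name|
#                    Model Number|Serial Number|Device Category]
_PIN_NEEDED = re.compile(r"^(?:<\d+>)?WPS-PIN-NEEDED \[(.*)\]$")
_FIELDS = ("uuid", "mac", "device_name", "manufacturer", "model_name",
           "model_number", "serial_number", "device_category")


def parse_pin_needed(event: str):
    """Returns a dict of the Enrollee fields, or None if the line is not a
    WPS-PIN-NEEDED event or does not carry exactly eight '|' separated fields."""
    m = _PIN_NEEDED.match(event.strip())
    if not m:
        return None
    parts = m.group(1).split("|")
    if len(parts) != len(_FIELDS):
        return None
    return dict(zip(_FIELDS, parts))


def build_wps_pin_command(enrollee: dict, raw_pin: str,
                          timeout: int = DEFAULT_PIN_TIMEOUT):
    """Validates the user-entered PIN and returns the hostapd_cli argv that
    authorizes this Enrollee, or None if the PIN is rejected.  The MAC from
    the event is passed so the AP can advertise the authorized Enrollee."""
    pin = wps_check_pin(raw_pin)
    if pin.startswith("FAIL"):
        return None
    return ["hostapd_cli", "wps_pin", enrollee["uuid"], pin,
            str(timeout), enrollee["mac"]]


# Constructed input: the event line shown in this document.
SAMPLE_EVENT = ("<2>WPS-PIN-NEEDED [53b63a98-d29e-4457-a2ed-094d7e6a669c|"
                "02:12:34:56:78:9a|Device|Manuf|Model|Model Number|"
                "Serial Number|1-0050F204-1]")

if __name__ == "__main__":
    enrollee = parse_pin_needed(SAMPLE_EVENT)
    print("pending Enrollee:", enrollee)
    for entered in ("1234-5670", "12345678", "123"):
        print(entered, "->", wps_check_pin(entered))
    print(build_wps_pin_command(enrollee, "1234-5670"))
```

Note that the default passphrase from the configuration example, 12345678, is rejected with FAIL-CHECKSUM when entered as a PIN, while 12345670 (used in the wps_pin examples) passes; a UI that skips this check would hand hostapd a PIN the Enrollee can never match.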

After this, the Enrollee can connect to the AP again and complete WPS
negotiation. At that point, a new, random WPA PSK is generated for the
client device and the client can then use that key to connect to the
AP to access the network.


If the AP includes a pushbutton, WPS PBC mode can be used. It is
enabled by pushing a button on both the AP and the client at about the
same time (2 minute window). hostapd needs to be notified about the AP
button pushed event over the control interface, e.g., by calling
hostapd_cli:

hostapd_cli wps_pbc

At this point, the client has two minutes to complete WPS negotiation,
which will generate a new WPA PSK in the same way as the PIN method
described above.


When an external Registrar is used, the AP can act as an Enrollee and
use its AP PIN. A static AP PIN (e.g., one on a label in the AP
device) can be configured in hostapd.conf (ap_pin parameter). A more
secure option is to use the hostapd_cli wps_ap_pin command to enable
the AP PIN only based on user action (and, for even better security,
to use a random AP PIN for each session, i.e., the "wps_ap_pin random"
command with a timeout value). The following commands are available
for managing the dynamic AP PIN operations:

hostapd_cli wps_ap_pin disable
- disable AP PIN (i.e., do not allow external Registrars to use it to
  learn the current AP settings or to reconfigure the AP)

hostapd_cli wps_ap_pin random [timeout]
- generate a random AP PIN and enable it
- if the optional timeout parameter is given, the AP PIN will be enabled
  for the specified number of seconds

hostapd_cli wps_ap_pin get
- fetch the current AP PIN

hostapd_cli wps_ap_pin set <PIN> [timeout]
- set the AP PIN and enable it
- if the optional timeout parameter is given, the AP PIN will be enabled
  for the specified number of seconds

hostapd_cli get_config
- display the current configuration

hostapd_cli wps_config <new SSID> <auth> <encr> <new key>
examples:
  hostapd_cli wps_config testing WPA2PSK CCMP 12345678
  hostapd_cli wps_config "no security" OPEN NONE ""

<auth> must be one of the following: OPEN WPAPSK WPA2PSK
<encr> must be one of the following: NONE WEP TKIP CCMP


254 |
|
255 |
Credential generation and configuration changes |
256 |
----------------------------------------------- |
257 |
|
258 |
By default, hostapd generates credentials for Enrollees and processing |
259 |
AP configuration updates internally. However, it is possible to |
260 |
control these operations from external programs, if desired. |
261 |
|
262 |
The internal credential generation can be disabled with |
263 |
skip_cred_build=1 option in the configuration. extra_cred option will |
264 |
then need to be used to provide pre-configured Credential attribute(s) |
265 |
for hostapd to use. The exact data from this binary file will be sent, |
266 |
i.e., it will have to include valid WPS attributes. extra_cred can |
267 |
also be used to add additional networks if the Registrar is used to |
268 |
configure credentials for multiple networks. |
269 |
|
270 |
Processing of received configuration updates can be disabled with |
271 |
wps_cred_processing=1 option. When this is used, an external program |
272 |
is responsible for creating hostapd configuration files and processing |
273 |
configuration updates based on messages received from hostapd over |
274 |
control interface. This will also include the initial configuration on |
275 |
first successful registration if the AP is initially set in |
276 |
unconfigured state. |
277 |
|
278 |
Following control interface messages are sent out for external programs: |
279 |
|
280 |
WPS-REG-SUCCESS <Enrollee MAC address <UUID-E> |
281 |
For example: |
282 |
<2>WPS-REG-SUCCESS 02:66:a0:ee:17:27 2b7093f1-d6fb-5108-adbb-bea66bb87333 |
283 |
|
284 |
This can be used to trigger change from unconfigured to configured |
285 |
state (random configuration based on the first successful WPS |
286 |
registration). In addition, this can be used to update AP UI about the |
287 |
status of WPS registration progress. |
288 |
|
289 |
|
290 |
WPS-NEW-AP-SETTINGS <hexdump of AP Setup attributes> |
291 |
For example: |
292 |
<2>WPS-NEW-AP-SETTINGS 10260001011045000c6a6b6d2d7770732d74657374100300020020100f00020008102700403065346230343536633236366665306433396164313535346131663462663731323433376163666462376633393965353466316631623032306164343438623510200006024231cede15101e000844 |
293 |
|
294 |
This can be used to update the externally stored AP configuration and |
295 |
then update hostapd configuration (followed by restarting of hostapd). |
296 |
|
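As an added example (not part of this document and not hostapd's own code), the Python below decodes the WPS-NEW-AP-SETTINGS hexdump shown above into the settings an external program would store: the payload is a sequence of WSC attributes, each a 2-byte type, a 2-byte length and the value, in big-endian order. The attribute numbers and the Auth/Encr type values are the standard Wi-Fi Simple Configuration ones; the mapping onto hostapd.conf lines in to_hostapd_conf is this example's own choice. The hexdump on this page stops partway through its last attribute, so the parser reports that attribute as truncated instead of raising. The same attribute framing applies to the WPS form of the wps_nfc_config_token output described in the next section.

```python
"""Added example, not hostapd code: decode the WPS-NEW-AP-SETTINGS hexdump.
Each WSC attribute is <type:2><length:2><value>, big-endian."""
import struct

# Standard Wi-Fi Simple Configuration attribute identifiers (subset).
ATTR_AUTH_TYPE = 0x1003
ATTR_ENCR_TYPE = 0x100F
ATTR_KEY_WRAP_AUTH = 0x101E
ATTR_MAC_ADDR = 0x1020
ATTR_NETWORK_INDEX = 0x1026
ATTR_NETWORK_KEY = 0x1027
ATTR_SSID = 0x1045

AUTH_TYPES = {0x0001: "OPEN", 0x0002: "WPAPSK", 0x0004: "SHARED",
              0x0008: "WPA", 0x0010: "WPA2", 0x0020: "WPA2PSK"}
ENCR_TYPES = {0x0001: "NONE", 0x0002: "WEP", 0x0004: "TKIP", 0x0008: "AES"}


def parse_wps_attrs(data: bytes):
    """Split a WSC attribute blob into (type, value) pairs.
    Returns (attrs, truncated): truncated is the type of an attribute whose
    declared length runs past the end of the data, or None."""
    attrs = []
    pos = 0
    while pos + 4 <= len(data):
        attr_type, length = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        if pos + length > len(data):
            return attrs, attr_type
        attrs.append((attr_type, data[pos:pos + length]))
        pos += length
    return attrs, None


def decode_ap_settings(hexdump: str) -> dict:
    """Turn the event hexdump into the settings an external program stores."""
    attrs, truncated = parse_wps_attrs(bytes.fromhex(hexdump))
    settings = {"truncated_attr": truncated}
    for attr_type, value in attrs:
        if attr_type == ATTR_SSID:
            settings["ssid"] = value.decode("utf-8", "replace")
        elif attr_type == ATTR_AUTH_TYPE and len(value) == 2:
            code = struct.unpack(">H", value)[0]
            settings["auth"] = AUTH_TYPES.get(code, "0x%04x" % code)
        elif attr_type == ATTR_ENCR_TYPE and len(value) == 2:
            code = struct.unpack(">H", value)[0]
            settings["encr"] = ENCR_TYPES.get(code, "0x%04x" % code)
        elif attr_type == ATTR_NETWORK_KEY:
            settings["key"] = value.decode("utf-8", "replace")
        elif attr_type == ATTR_MAC_ADDR and len(value) == 6:
            settings["mac"] = ":".join("%02x" % b for b in value)
        elif attr_type == ATTR_NETWORK_INDEX and len(value) == 1:
            settings["network_index"] = value[0]
    return settings


def to_hostapd_conf(settings: dict) -> str:
    """Render the decoded settings as hostapd.conf lines.  This mapping
    (WPA2PSK/AES -> wpa=2/CCMP, a 64-character hex key -> wpa_psk, anything
    else -> wpa_passphrase) is this example's assumption, not from the document."""
    lines = ["ssid=%s" % settings["ssid"]]
    if settings.get("auth") in ("WPAPSK", "WPA2PSK"):
        lines.append("wpa=%d" % (2 if settings["auth"] == "WPA2PSK" else 1))
        lines.append("wpa_key_mgmt=WPA-PSK")
        lines.append("wpa_pairwise=%s"
                     % ("CCMP" if settings.get("encr") == "AES" else "TKIP"))
        key = settings.get("key", "")
        lines.append(("wpa_psk=%s" if len(key) == 64 else "wpa_passphrase=%s")
                     % key)
    return "\n".join(lines)


# The payload from the WPS-NEW-AP-SETTINGS example in this document.
SAMPLE_HEX = (
    "1026000101"
    "1045000c6a6b6d2d7770732d74657374"
    "100300020020"
    "100f00020008"
    "10270040"
    "3065346230343536633236366665306433396164313535346131663462663731"
    "3234333761636664623766333939653534663166316230323061643434386235"
    "10200006024231cede15"
    "101e000844"
)

if __name__ == "__main__":
    decoded = decode_ap_settings(SAMPLE_HEX)
    for name, value in decoded.items():
        print("%-15s %s" % (name, value))
    print(to_hostapd_conf(decoded))
```

The length check before each value slice is the part worth keeping: the settings arrive from a WPS peer, so a declared length that overruns the buffer must be treated as a malformed message, not read past the end.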

WPS with NFC
------------

WPS can be used with the NFC-based configuration method. An NFC tag
containing a password token from the Enrollee can be used to
authenticate the connection instead of the PIN. In addition, an NFC tag
with a configuration token can be used to transfer AP settings without
going through the WPS protocol.

When the AP acts as an Enrollee, a local NFC tag with a password token
can be used by touching the NFC interface of an external Registrar. The
wps_nfc_token command is used to manage use of the NFC password token
from the AP. "wps_nfc_token enable" enables the use of the AP's NFC
password token (in place of the AP PIN) and "wps_nfc_token disable"
disables the NFC password token.

The NFC password token is either pre-configured in the configuration
file (wps_nfc_dev_pw_id, wps_nfc_dh_pubkey, wps_nfc_dh_privkey,
wps_nfc_dev_pw) or generated dynamically with the
"wps_nfc_token <WPS|NDEF>" command. The nfc_pw_token tool from
wpa_supplicant can be used to generate NFC password tokens during
manufacturing (each AP needs to have its own random keys).

The "wps_nfc_config_token <WPS/NDEF>" command can be used to build an
NFC configuration token. The output value from this command is a hexdump
of the current AP configuration (the WPS parameter requests this to
include only the WPS attributes; the NDEF parameter requests additional
NDEF encapsulation to be included). This data needs to be written to an
NFC tag with an external program. Once written, the NFC configuration
token can be used to touch an NFC interface on a station to provision
the credentials needed to access the network.

When the NFC device on the AP reads an NFC tag with the MIME media type
"application/vnd.wfa.wsc", the NDEF message payload (with or without
NDEF encapsulation) can be delivered to hostapd using the following
hostapd_cli command:

wps_nfc_tag_read <hexdump of payload>

If the NFC tag contains a password token, the token is added to the
internal Registrar. This allows the station Enrollee from which the
password token was received to run through the WPS protocol to
provision the credential.