Having Pairwise password between Mesh stations in an MBSS #64
Comments
Hi Sritam,
I believe the standard mentions pairwise *keys*, not passwords. All nodes
in a mesh share the same password, from which a separate key is derived for
each peer link.
Cheers,
Javier
On Wed, Jul 5, 2017 at 5:11 PM, sritam2 wrote:
Dear All,
Is it possible to have a pairwise password between mesh stations in an MBSS?
Presently, I am using the same shared password among all nodes of the Mesh,
configured in wpa_supplicant.conf.
Is it possible to define a pairwise password for each secured link that a
Mesh station forms? So, if a station has links to 3 different stations
which are one hop away from this station, is it possible for the Mesh
station to authenticate the 3 different stations (one hop away) using
3 different password pairs (one for each station)?
According to IEEE 802.11-2012, it should be possible. If yes, then how can it
be implemented using wpa_supplicant?
Should there be multiple entries for the "psk" field in the wpa_supplicant.conf
file?
Hi Sritam,
Ah, nice, I just learned something. The section you refer to is very
clear. I don't think the current implementation in wpa_supplicant supports
that, but I have not looked at it in a while.
Cheers,
Javier
On Thu, Jul 6, 2017 at 7:41 AM, sritam2 wrote:
Hi Javier,
Thank you so much for your valuable feedback. I am attaching the document
for reference.
IEEE_802_11_2012_StandardSpecification.pdf
<https://github.com/o11s/open80211s/files/1128154/IEEE_802_11_2012_StandardSpecification.pdf>
I referred again to the IEEE 802.11-2012 specification. It specifies that
the password required to authenticate in SAE can be pairwise for each pair
of Mesh stations in an MBSS.
*It is mentioned in section 11.5.11 (RSNA authentication in an MBSS) of
the document.*
I am attaching the document for your reference. I have marked the
paragraph in red to highlight it.
Has this functionality (pairwise password) been implemented by
wpa_supplicant? If yes, then how should I change the wpa_supplicant.conf
file to have a pairwise password for each mesh peer link in the MBSS?
Presently my wpa_supplicant file looks like this:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=adm
# mpm on userspace
user_mpm=1
# open mesh network
network={
    # Replace $MESH_ID for your mesh ID, use same for all peers
    ssid="mymesh"
    # Mode 5 is MESH (open80211s) for wpa_supplicant
    mode=5
    # Use the same frequency for all peers
    frequency=2437
    key_mgmt=SAE
    psk="thisisreallysecret"
}
Is there any way to implement 802.1X/EAP authentication for 802.11s Mesh
networks? I have been asked to implement it, but I am facing difficulty. If
you have any online resource material or document which will help me in
implementing 802.1X/EAP authentication for 802.11s Mesh networks, then
please refer me to it.
Please help me with your valuable advice.
Looking forward to your valuable advice.
Thanks and Regards,
Sritam Paltasingh.
Hi Sritam,
Implementing 802.1X for mesh can be a fun task. I don't think anyone has
done this, so this is your chance at fame :)
Compared to SAE, probably the hardest part is dealing with the role
asymmetry: one of the peers in the exchange must have access to an AAA
server (let's call that peer peer_a, or authenticator). And this needs to
be known before initiating the peering. The other peer would play the role
of a supplicant, so I'll call it peer_s.
In essence, it involves the following steps:
1. When a new peer candidate is detected, asking for a secure mesh link,
but with neither a PMK nor SAE capability, you would need to establish an
initial peering via the Mesh Peering Management (MPM) protocol.
2. At that point, only EAPOL frames should be allowed over that link, so
that peer_s can request 802.1X authentication, through the mesh (peer_a),
to the AAA server.
3. Once 802.1X is completed and a Master Session Key is obtained, it is
used as input to the Authenticated Mesh Peering Exchange (AMPE), instead of
the MPMK used in SAE. But the AMPE itself is identical in both scenarios.
The diagram below (lifted from the standard) outlines this flow.
[image: Inline image 2]
In terms of implementation, you will probably have to modify the MPM
implementation in the kernel, but most of the work should be in userspace.
It might be easier to develop first in authsae
<https://github.com/cozybit/authsae> as it is much smaller and easier to
modify than wpa_supplicant.
Good luck!
Javier
On Thu, Jul 6, 2017 at 8:12 AM, sritam2 wrote:
Hi Javier,
Thank you for your valuable feedback.
Is there any way to implement 802.1X/EAP authentication for 802.11s Mesh
networks? I have been asked to implement it, but I am facing difficulty. If
you have any online resource material or document which will help me in
implementing 802.1X/EAP authentication for 802.11s Mesh networks, then
please refer me to it.
Please help me with your valuable advice.
Looking forward to your valuable advice.
Thanks and Regards,
Sritam Paltasingh.
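To make Javier's step 3 concrete, here is an added illustration (not code from this thread, from wpa_supplicant or from authsae) of how AMPE derives per-link keys from whatever PMK it is handed: the AEK/MTK derivation and the 802.11 KDF are reproduced from memory of IEEE 802.11-2012, and every MAC address, nonce, link ID and the PMK itself are constructed sample values. It also shows why both ends of a link agree on the keys (inputs are ordered min||max) and why two links of the same station get different keys even from one PMK.

```python
import hashlib
import hmac

# AKM suite selector for SAE (00-0F-AC:8); AMPE binds the selected AKM into the keys.
AKM_SAE = bytes.fromhex("000fac08")


def kdf_sha256(key: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """IEEE 802.11 KDF-Hash-Length with SHA-256: concatenate
    HMAC-SHA256(key, i || label || context || length) for i = 1.., where i and
    length are 16-bit little-endian, then truncate to length bits."""
    out = b""
    length = length_bits.to_bytes(2, "little")
    for i in range(1, (length_bits + 255) // 256 + 1):
        msg = i.to_bytes(2, "little") + label + context + length
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: length_bits // 8]


def ampe_keys(pmk, local_mac, peer_mac, local_nonce, peer_nonce,
              local_lid, peer_lid, akm=AKM_SAE):
    """Derive (AEK, MTK) for one mesh peer link from its PMK.
    Inputs are ordered min||max so both ends of the link get identical keys.
    The PMK may come from SAE or, as sketched in the thread, from an 802.1X
    MSK; this step is the same either way (derivation written from memory)."""
    macs = min(local_mac, peer_mac) + max(local_mac, peer_mac)
    aek = kdf_sha256(pmk, b"AEK Derivation", akm + macs, 256)
    nonces = min(local_nonce, peer_nonce) + max(local_nonce, peer_nonce)
    lids = (min(local_lid, peer_lid).to_bytes(2, "little")
            + max(local_lid, peer_lid).to_bytes(2, "little"))
    mtk = kdf_sha256(pmk, b"Temporal Key Derivation",
                     nonces + lids + akm + macs, 128)  # 128-bit MTK for CCMP
    return aek, mtk


def demo():
    """Constructed values: one PMK reused for station A's links to B and C.
    (Real SAE already yields a distinct PMK per pair; reusing one here shows
    that AMPE alone still separates the links.) Returns (symmetric, distinct)."""
    pmk = hashlib.sha256(b"constructed-pmk-not-a-real-key").digest()
    a, b, c = (bytes.fromhex(m) for m in ("020000000001", "020000000002", "020000000003"))
    na, nb, nc = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))
    ab = ampe_keys(pmk, a, b, na, nb, 1, 7)   # link A-B as computed at A
    ba = ampe_keys(pmk, b, a, nb, na, 7, 1)   # link A-B as computed at B
    ac = ampe_keys(pmk, a, c, na, nc, 2, 9)   # A's other link, to C
    return ab == ba, ab != ac
```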
Dear All,
Is it possible to have a pairwise password between mesh stations in an MBSS? Presently, I am using the same shared password among all nodes of the Mesh, configured in wpa_supplicant.conf.
Is it possible to define a pairwise password for each secured link that a Mesh station forms? So, if a station has links to 3 different stations which are one hop away from this station, is it possible for the Mesh station to authenticate the 3 different stations (one hop away) using 3 different password pairs (one for each station)?
According to IEEE 802.11-2012, it should be possible. If yes, then how can it be implemented using wpa_supplicant?
Should there be multiple entries for the "psk" field in the wpa_supplicant.conf file?