<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>
      WPA – OpenSC
    </title><style type="text/css">
           @import url(trac.css);
          </style></head><body><div id="content" class="wiki">
      <div class="wikipage searchable">
        
          <h1 id="Wirelessauthentication">Wireless authentication</h1>
<p>
Wireless network used to be protected by the WEP standard, but WEP turned out to be insecure and thus useless.
These days wireless networks are usualy protected using WPA - Wi-Fi Protected Access.
</p>
<p>
Unfortunatly WPA is available in several flavors and versions, see
the <a class="ext-link" href="http://www.wi-fi.org/OpenSection/protected_access.asp" shape="rect"><span class="icon"> </span>Wi-Fi Alliance website</a> for details.
</p>
<p>
If your wireless network is set up to ask for authentication using client certificates,
then you can use it with those certificates and keys on your smart card.
</p>
<p>
For windows the windows build in WPA client should work well, if you have a CSP installed that works with OpenSC.
This is untested, please report your results.
</p>
<p>
For linux you can use the <a class="ext-link" href="http://hostap.epitest.fi/wpa_supplicant/" shape="rect"><span class="icon"> </span>WPA Supplicant</a> or <a class="ext-link" href="http://www.open1x.org/" shape="rect"><span class="icon"> </span>Xsupplicant</a> with OpenSC.
The support for smart cards is implemented in both via the <a href="http://www.opensc-project.org/engine_pkcs11/" shape="rect">PKCS#11 Engine for OpenSSL</a>.
</p>
<h2 id="WPASupplicant">WPA Supplicant</h2>
<p>
To use WPA Suppplicant with smart card authentication you need to compile it with smart card support. Your config file should include this line:
</p>
<pre class="wiki" xml:space="preserve"># Smartcard support (i.e., private key on a smartcard), e.g., with openssl
# engine.
CONFIG_SMARTCARD=y
</pre><p>
Also you need to edit wpa_supplicant.conf like this:
</p>
<pre class="wiki" xml:space="preserve"># OpenSSL Engine support
# These options can be used to load OpenSSL engines.
# make the pkcs11 engine available
pkcs11_engine_path=/usr/lib/engine/engine_pkcs11.so
# configure the path to the pkcs11 module required by the pkcs11 engine
pkcs11_module_path=/usr/lib/engine/opensc-pkcs11.so
</pre><h2 id="XSupplicant">X Supplicant</h2>
<p>
It looks like xsupplicant is always compiled with smart card support.
</p>
<p>
To enable it, edit the xsupplicant.conf config file and look for lines
like these:
</p>
<pre class="wiki" xml:space="preserve">     # this section configures the smartcard used with eap-tls
     # for now the smartcard PIN is handled the same way as the 
     # password for a private key
     smartcard {
        # this line actually enables the smartcard and makes xsupplicant use
        # the opensc engine
        engine_id = pkcs11
        # set the path to the engine
        opensc_so_path = "/usr/lib/engine/engine_pkcs11.so"
        # set the key id on the smartcard
        key_id = 45
     }
</pre><p>
FIXME: someone should test this and check if it works as advertised.
</p>

        
        
      </div>
    </div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>