WiFi security with hostapd
Last week's post went over setting up a wireless access point using hostapd, but it didn't cover security. This post goes over adding encryption and authentication to an access point using WPA2.
WPA2 and Pre-shared Keys
WPA2 is one of the most widely used WiFi security protocols. A variety of authentication methods can be used with it, but one of the simplest is a pre-shared key.
Below is some example hostapd configuration which can be used to set up an access point using WPA2 with a pre-shared key:

```
# AP details
interface=wlan0
driver=nl80211
ssid="Pi AP"
channel=1
macaddr_acl=0

# WPA2 setup
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=change_me
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ieee80211n=1
```
Note: remember to change the passphrase and restart hostapd before trying to connect.
Per device configuration
The configuration above uses the same key for every host that connects to the access point. It can be tweaked slightly to read a key per device from a file instead:
```
# AP details
interface=wlan0
driver=nl80211
ssid="Pi AP"
channel=1
macaddr_acl=0

# WPA2 setup
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_psk_file=/etc/hostapd/psk
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ieee80211n=1
```
In addition to the config above, a pre-shared key file called /etc/hostapd/psk also needs to be created. This file contains MAC address/PSK pairs, one per line. Initially a wildcard MAC address can be used, which applies the same key to all devices that connect to the access point.
Once the wildcard MAC address is working correctly, the key file can be updated to use different keys for specific MAC addresses:
```
11:11:de:ad:be:ef first_psk
22:22:de:ad:be:ef another_psk
```
This makes it easy to change device-specific pre-shared keys without having to update every device at the same time. It is, however, fairly easy to spoof a MAC address, so the per-device entries are only as strong as the keys themselves: it is important that the pre-shared keys are not compromised.
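The following script is an added example, not code from the original post or from the hostapd project. It parses a hostapd.conf and a wpa_psk_file of the shape used in both sections above, flags the settings a reviewer would look for (WPA2-only, CCMP rather than TKIP, no placeholder passphrase, well-formed MAC/PSK lines, presence of a wildcard entry) and derives the PMK the way WPA2-PSK does (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes), which is also the 64-hex form hostapd accepts in the PSK file in place of a passphrase. The file contents are constructed samples modelled on the post's configuration; the wildcard address 00:00:00:00:00:00 is the value hostapd documents for "any station"; the list of placeholder passphrases is an assumption.

```python
import hashlib
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
HEX_PSK_RE = re.compile(r"^[0-9a-f]{64}$")
WILDCARD_MAC = "00:00:00:00:00:00"      # hostapd's documented "any station" entry
KNOWN_DEFAULTS = {"change_me", "password", "raspberry"}   # assumed placeholder list

# Constructed hostapd.conf modelled on the post's per-device configuration.
SAMPLE_CONF = """\
# AP details
interface=wlan0
driver=nl80211
ssid=Pi AP
channel=1
macaddr_acl=0
# WPA2 setup
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_psk_file=/etc/hostapd/psk
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ieee80211n=1
"""

# Constructed wpa_psk_file: a wildcard entry, two per-device passphrases and
# one device given a raw 256-bit PSK (64 hex chars) instead of a passphrase.
SAMPLE_PSK_FILE = """\
# MAC address       PSK or passphrase
00:00:00:00:00:00 fallback_for_any_device
11:11:de:ad:be:ef first_psk
22:22:de:ad:be:ef another_psk
33:33:de:ad:be:ef f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
"""


def parse_conf(text):
    """Parse hostapd's key=value format, skipping blank lines and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def check_conf(conf):
    """Return findings about the WPA2-PSK related settings (empty list = clean)."""
    findings = []
    if conf.get("wpa") != "2":
        findings.append("wpa must be 2 so only WPA2 (RSN) is offered")
    if "WPA-PSK" not in conf.get("wpa_key_mgmt", "").split():
        findings.append("wpa_key_mgmt does not enable WPA-PSK")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append(f"{key} allows TKIP; use CCMP only")
    if "wpa_passphrase" in conf:
        pw = conf["wpa_passphrase"]
        if pw in KNOWN_DEFAULTS:
            findings.append("wpa_passphrase is a default/placeholder value")
        if not 8 <= len(pw) <= 63:
            findings.append("wpa_passphrase must be 8-63 characters")
    elif "wpa_psk_file" not in conf:
        findings.append("neither wpa_passphrase nor wpa_psk_file is set")
    return findings


def parse_psk_file(text):
    """Parse 'MAC PSK' lines; return ([(mac, kind, secret)], findings)."""
    entries, findings, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not MAC_RE.match(parts[0].lower()):
            findings.append(f"line {lineno}: expected '<mac> <psk>'")
            continue
        mac, secret = parts[0].lower(), parts[1]
        if mac in seen:
            findings.append(f"line {lineno}: duplicate entry for {mac}")
        seen.add(mac)
        if HEX_PSK_RE.match(secret.lower()):
            kind = "raw-psk"                  # hostapd uses it as the PMK directly
        elif 8 <= len(secret) <= 63:
            kind = "passphrase"               # hostapd derives the PMK from it
            if secret in KNOWN_DEFAULTS:
                findings.append(f"line {lineno}: placeholder passphrase for {mac}")
        else:
            findings.append(f"line {lineno}: passphrase for {mac} must be 8-63 chars")
            continue
        if mac == WILDCARD_MAC:
            findings.append(f"line {lineno}: wildcard entry applies to every station")
        entries.append((mac, kind, secret))
    return entries, findings


def derive_pmk(passphrase, ssid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def raw_psk_entries(entries, ssid):
    """Rewrite passphrase entries as the 64-hex PSK hostapd would derive for this SSID."""
    return [(mac, derive_pmk(s, ssid) if kind == "passphrase" else s.lower())
            for mac, kind, s in entries]


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("hostapd.conf findings:", check_conf(conf) or "none")
    entries, psk_findings = parse_psk_file(SAMPLE_PSK_FILE)
    print("psk file findings:", psk_findings or "none")
    for mac, psk in raw_psk_entries(entries, conf["ssid"]):
        print(mac, psk)
```

Because the PMK is salted with the SSID, a raw PSK written into the file is only valid for that SSID; renaming the network means re-deriving every raw entry, whereas passphrase entries keep working. Note also that storing the raw PSK instead of the passphrase does not reduce what an attacker gains from reading the file: the PMK is all that is needed to join the network, which is why the post's closing point about protecting the keys applies equally to either form.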