EAP-IKEv2 Project

Latest news

EAP-IKEv2: New release 0.2.1 available!

Sun, 03 Sep 2006 20:56:57 -0000

A new version of libeap-ikev2 has been released. This version adds support for the fast rekeying protocol run. All major requirements of draft version 11 have been met.

Along with the library, patches for wpa_supplicant 0.5.5 and FreeRADIUS 1.1.3 have been released.


Introduction

The aim of this project is to develop an implementation of the EAP-IKEv2 authentication method (as specified in http://www.ietf.org/internet-drafts/draft-tschofenig-eap-ikev2-12.txt) for the wpa_supplicant and freeRADIUS software.

The current implementation conforms to the rules described in draft-tschofenig-eap-ikev2-11.txt.

EAP-IKEv2 is an EAP authentication method based on the Internet Key Exchange Protocol version 2 (IKEv2). It provides mutual authentication and session key establishment between an EAP peer and an EAP server. It supports authentication techniques that are based on the following types of credentials:

It is possible to use a different authentication credential (and thereby a different technique) in each direction; for example, the EAP server can authenticate itself using a public/private key pair while the EAP client uses a symmetric key. In particular, the following combinations are expected to be used in practice:

EAP server        EAP peer
asym. key pair    asym. key pair
asym. key pair    symmetric key
asym. key pair    password
symmetric key     symmetric key

Currently the project consists of three main parts:

  1. The libeap-ikev2 library, which implements the core functionality of the EAP-IKEv2 authentication method.
  2. The patch for wpa_supplicant, which provides the interface between the original wpa_supplicant code and the libeap-ikev2 library. This patch allows the EAP-IKEv2 method to be deployed on the client side.
  3. The patch for the freeRADIUS server, which provides the interface between the original freeRADIUS code and the libeap-ikev2 library. This patch allows the EAP-IKEv2 method to be deployed on the server side.
[Figure: Elements of authentication architecture]

[Figure: Project architecture]

Features

Plans


Download

Old releases are available here

Daily snapshots

Last uploaded: Mon, 04 Dec 2006 02:33:30 +0000


Installation instructions

libeap-ikev2

Requirements

OpenSSL v.0.9.7 with header files

Linux simple installation

If you do not need to modify the default configuration, take the following steps to build and install the library:

$ ./configure
$ make
$ make install

As a result the library will be located in /usr/local/lib/ and the library header files in /usr/local/include/EAPIKEv2/.

Windows simple installation

To compile and install under Windows you need to install the MinGW/MSYS software. Detailed instructions about MinGW/MSYS installation are available on the MinGW project page.

Run the MSYS terminal and go to the directory with the library sources. Then take the following steps to install the library:

$ ./configure --prefix=/mingw/
$ make
$ make install
As a result the library will be located in /mingw/lib/ and the library header files in /mingw/include/EAPIKEv2/.

Custom installation (Linux and Windows)

By default, make install will install the package's files in /usr/local/bin, /usr/local/man, etc. You can specify an installation prefix other than /usr/local by giving configure the option --prefix=PATH.

If your OpenSSL installation is in a non-standard location, use --with-openssl-includes=DIR to specify where its header files are.

If you want the developer features, use --enable-developer. This option turns on a very large set of extra compiler warnings when using gcc and adds debugging symbols to the resulting library.

freeRADIUS with EAP-IKEv2 support

wpa_supplicant with EAP-IKEv2 support

Linux installation

Windows installation


Configuration

EAP-IKEv2 method for freeRADIUS configuration

Insert the following subsection into the eap section of the /usr/local/etc/raddb/eap.conf file.
# Sample configuration for EAP-IKEV2 method
ikev2 {

    # Server auth type 
    # Allowed values are:
    #  cert   - for certificate based server authentication,
    #           other required settings for this type are 'private_key_file' and 'certificate_file'
    #  secret - for shared secret based server authentication, 
    #           other required settings for this type is 'id'
    # Default value of this option is 'secret'
#     server_authtype=cert

    # Allowed default client auth types
    # Allowed values are:
    #   secret - for shared secret based client authentication
    #   cert   - for certificate based client authentication
    #   both   - shared secret and certificate is allowed
    #   none   - authentication will always fail
    # Default value for this option is 'both'. This option can be overridden
    # per user within the 'usersfile' file by the EAP-IKEv2-Auth option.
#   default_authtype = both

    # path to trusted CA certificate file
    CA_file="/path/to/CA/cacert.pem"

    # path to CRL file, if not set, then there will be no checks against CRL
#   crl_file="/path/to/crl.pem"

    # path to file with user settings 
    # default ${confdir}/users  (/usr/local/etc/raddb/users)
#   usersfile=${confdir}/users

    # path to  file with server private key
    private_key_file="/path/to/srv-private-key.pem"
    
    # password to private key file
    private_key_password="passwd"

    # path to file with server certificate
    certificate_file="/path/to/srv-cert.pem"

    # server identity string
    id="deMaio"

    # Server identity type. Allowed values are:
    # IPV4_ADDR, FQDN, RFC822_ADDR, IPV6_ADDR, ASN1_DN, ASN1_GN, KEY_ID 
    # Default value is: KEY_ID
#   id_type = KEY_ID


    # MTU (default: 1398)
#   fragment_size = 1398
    
    # option which controls whether a CERT REQ payload is sent or not.
    # Allowed values for this option are "yes" or "no". Default value is "no".
#   certreq = "yes"

    # maximum allowed number of SA_INIT resends after receiving an 'invalid KE'
    # notification (default 3)
#   DH_counter_max = 3

    # option which controls whether a DH exchange is performed during the fast
    # rekeying protocol run. Allowed values for this option are "yes" or "no".
    # Default value is "no"
#   fast_DH_exchange = "yes"

    # Option which sets the expiration time of an inactive IKEv2 session.
    # After the selected period of time (in seconds), inactive session data will be
    # deleted. Default value of this option is 900 seconds (15 minutes).
#   fast_timer_expire = 3600

    # list of server proposals of available cryptographic
    # suites
    proposals {

        # proposal number #1 
        proposal {

                # Supported transform types: encryption,
                # prf, integrity, dhgroup. For multiple
                # transforms of one type simply repeat the key
                # (e.g. integrity).

                # encryption algorithm
                # supported algorithms:
                # null,3des,aes_128_cbc,aes_192_cbc,aes_256_cbc,idea
                # blowfish:n, where n ranges from 8 to 448 bits in steps of 8 bits
                # cast:n, where n ranges from 40 to 128 bits in steps of 8 bits
                encryption = 3des

                # pseudo random function. Supported prf's:
                # hmac_md5, hmac_sha1, hmac_tiger
                prf = hmac_sha1
                
                # integrity algorithm. Supported algorithms:
                # hmac_md5_96, hmac_sha1_96,des_mac
                integrity = hmac_sha1_96
                integrity = hmac_md5_96

                # Diffie-Hellman groups:
                # modp768, modp1024, modp1536, modp2048, 
                # modp3072, modp4096, modp6144, modp8192
                dhgroup = modp2048 
        }
                
        # proposal number #2 
        proposal {
                encryption = 3des
                prf = hmac_md5
                integrity = hmac_md5_96
                dhgroup = modp1024
        }       

        # proposal number #3 
        proposal {
                encryption=3des
                prf=hmac_md5
                integrity=hmac_md5_96
                dhgroup=modp2048
        } 
    }
}

Insert the following section into the /usr/local/etc/raddb/users file (or the other file pointed to by the usersfile variable in eap.conf) to configure client credentials.

## Sample entry for EAP-IKEv2 exchange.
## Used attributes are defined in
## /usr/local/share/freeradius/dictionary.eap_ikev2 file.

username  EAP-IKEv2-IDType:=KEY_ID,  EAP-IKEv2-Secret:="tajne"

## where:
## username           - client user name from IKE-AUTH (IDr)  or CommonName from
##                      x509 certificate
## EAP-IKEv2-IDType   - ID Type - same as in expected IDType payload
##                      allowable attributes for EAP-IKEv2-IDType:
##                      IPV4_ADDR FQDN RFC822_ADDR IPV6_ADDR DER_ASN1_DN DER_ASN1_GN KEY_ID 
## EAP-IKEv2-Secret   - shared secret
## EAP-IKEv2-AuthType - optional parameter which defines the expected client auth
##                      type. Allowed values are: secret,cert,both,none. For the meaning of these values
##                      please read the description of 'default_authtype' in the eap.conf file. This attribute
##                      can overwrite the 'default_authtype' value.

EAP-IKEv2 method for wpa_supplicant configuration

Prepare the wpa_supplicant.conf file:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
eapol_version=1
ap_scan=1

network={
    ssid="ssid_name"
    key_mgmt=WPA-EAP

    eap=IKEV2
    anonymous_identity="fake_identity"
    
    identity="neo"
    password="anderson"
    #server_using_sk=1
    idtype="key_id"
    ike_proposal1="3des prf_hmac_sha1 hmac_sha1_96 hmac_md5_96 modp2048"
    ike_proposal2="3des prf_hmac_md5 hmac_md5_96 modp1024"
    ca_cert="/home/bobo/CA/demoCA/cacert.pem"
    private_key="/home/bobo/CA/some2.key"
    client_cert="/home/bobo/CA/some2.crt"

    ike_idi="neo"
    ike_iditype="key_id"
    #certreq=yes
    #fast_DH_exchange=yes	
    fragment_size=200
}
Where:

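The client's ike_proposalN strings only work if they line up with one of the server's proposal blocks in eap.conf. The following added example (not code from libeap-ikev2 or either patch) parses both into typed transforms and applies the standard IKEv2 matching rule; it assumes a server proposal written out as a space-separated list using the same transform names eap.conf lists, and takes the prf_ prefix from the wpa_supplicant sample above.

```c
#include <string.h>

/* IKEv2 transform types; an acceptable suite needs one of each. */
enum { T_ENCR, T_PRF, T_INTEG, T_DH, T_COUNT };

/* Classify a transform name using the names listed in the eap.conf sample
 * above. PRFs are spelled hmac_sha1 in eap.conf but prf_hmac_sha1 in
 * ike_proposalN; the prefix is stripped. Returns -1 for an unknown name. */
static int classify(const char **tok)
{
    const char *t = *tok;
    if (!strncmp(t, "prf_", 4)) { *tok = t + 4; return T_PRF; }
    if (!strcmp(t, "hmac_md5") || !strcmp(t, "hmac_sha1") || !strcmp(t, "hmac_tiger")) return T_PRF;
    if (!strncmp(t, "modp", 4)) return T_DH;
    if (!strcmp(t, "hmac_md5_96") || !strcmp(t, "hmac_sha1_96") || !strcmp(t, "des_mac")) return T_INTEG;
    if (!strcmp(t, "null") || !strcmp(t, "3des") || !strcmp(t, "idea") || !strncmp(t, "aes_", 4) ||
        !strncmp(t, "blowfish:", 9) || !strncmp(t, "cast:", 5)) return T_ENCR;
    return -1;
}
struct proposal { char buf[256]; const char *name[T_COUNT][8]; int n[T_COUNT]; }; /* names point into buf */

/* Parse a space-separated transform list (an ike_proposalN string, or a
 * server proposal block written out the same way). 0 on unknown name. */
static int parse(const char *s, struct proposal *p)
{
    char *tok;
    memset(p, 0, sizeof *p);
    strncpy(p->buf, s, sizeof p->buf - 1);
    for (tok = strtok(p->buf, " "); tok; tok = strtok(NULL, " ")) {
        const char *name = tok;
        int t = classify(&name);
        if (t < 0 || p->n[t] >= 8) return 0;
        p->name[t][p->n[t]++] = name;
    }
    return 1;
}
/* Standard IKEv2 rule: the server can accept the client's proposal only if,
 * for every transform type, it lists a transform the client also offers. */
int proposal_acceptable(const char *client, const char *server)
{
    struct proposal c, s; int t, i, j, found;
    if (!parse(client, &c) || !parse(server, &s)) return 0;
    for (t = 0; t < T_COUNT; t++) {
        for (found = 0, i = 0; i < s.n[t] && !found; i++)
            for (j = 0; j < c.n[t]; j++)
                if (!strcmp(s.name[t][i], c.name[t][j])) found = 1;
        if (!found) return 0;
    }
    return 1;
}
```

With the two sample configurations, ike_proposal1 matches server proposal #1 and ike_proposal2 matches proposal #2, while ike_proposal2 against proposal #1 fails on the prf and the DH group.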

NOTICE: all identities and passwords can also be given in binary form, as hex-encoded strings like this:

    identity="0x6E656F"
    password="0x616E646572736F6E"
    #identity="neo"
    #password="anderson"

The commented-out lines are equivalent to the preceding ones. After '0x' only the digits 0-9 and the uppercase letters A-F are allowed; if this condition is not met, the string is treated as plain ASCII.
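As an added illustration (not code from libeap-ikev2 or the wpa_supplicant patch), the following C function applies that rule to an identity or password value; it assumes, since the page does not say, that an odd number of hex digits or a bare "0x" is also treated as plain ASCII.

```c
#include <stddef.h>
#include <string.h>

/* Return the value of an uppercase hex digit, or -1 for anything else
 * (lowercase a-f is deliberately rejected, as the rule above requires). */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode an identity or password value into raw bytes. "0x" followed only by
 * 0-9 / A-F is decoded from hex; any other string is used as plain ASCII.
 * Assumption not stated on the page: an odd number of hex digits (or a bare
 * "0x") cannot form whole bytes and is treated as plain ASCII as well.
 * Returns the number of bytes written to out, or -1 if out is too small. */
int eap_ikev2_decode_value(const char *in, unsigned char *out, size_t out_len)
{
    size_t len = strlen(in), i;

    if (len > 2 && in[0] == '0' && in[1] == 'x' && (len - 2) % 2 == 0) {
        int ok = 1;
        for (i = 2; i < len && ok; i++)
            ok = hex_nibble(in[i]) >= 0;
        if (ok) {
            size_t n = (len - 2) / 2;
            if (n > out_len) return -1;
            for (i = 0; i < n; i++)
                out[i] = (unsigned char)((hex_nibble(in[2 + 2 * i]) << 4) |
                                         hex_nibble(in[3 + 2 * i]));
            return (int)n;
        }
    }
    if (len > out_len) return -1;
    memcpy(out, in, len);            /* plain ASCII; no NUL terminator copied */
    return (int)len;
}

/* Decode in and compare with the expected bytes; 1 on match, 0 otherwise. */
int eap_ikev2_decode_matches(const char *in, const char *expect, size_t expect_len)
{
    unsigned char buf[64];
    int n = eap_ikev2_decode_value(in, buf, sizeof buf);
    return n >= 0 && (size_t)n == expect_len && memcmp(buf, expect, expect_len) == 0;
}
```

Both forms of the sample identity and password above decode to the same bytes, while a lowercase "0x6e656f" stays the literal eight-character string.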


Performance tests

FreeRADIUS was successfully tested using a configuration in which the EAP-IKEv2 module was in use for scenario 1 and scenario 4. In scenario 1 both sides use asymmetric keys; in scenario 4 both sides use a symmetric key. In our environment thousands of connections were generated, but at most 8 simultaneous connections could be obtained. This gave about 2 connections/second in scenario 1 and 2.2 connections/second in scenario 4. Interestingly, the FreeRADIUS process caused no measurable processor load (CPU usage).

Results for scenario 1 (both sides use asymmetric keys).

No. of concurrent connections   conn/s    standard deviation
1                               0,69881   0,00573
3                               1,55941   0,00221
6                               2,04151   0,02439
8                               2,07501   0,00432

Results for scenario 4 (both sides use a symmetric key).

No. of concurrent connections   conn/s    standard deviation
1                               0,67087   0,03441
3                               1,60987   0,03170
6                               2,19026   0,00795
8                               2,20058   0,00432

References


Links


Licensing


Copyright

Copyright (C) 2005-2006 Krzysztof Rzecki -
Copyright (C) 2005-2006 Rafal Mijal -
Copyright (C) 2005-2006 Piotr Marnik -
Copyright (C) 2005-2006 Pawel Matejski -

Mirrors

A copy of this page is also available at the following addresses:
