diff options
Diffstat (limited to 'contrib/wpa/hostapd/README-WPS')
-rw-r--r-- | contrib/wpa/hostapd/README-WPS | 79 |
1 files changed, 77 insertions, 2 deletions
diff --git a/contrib/wpa/hostapd/README-WPS b/contrib/wpa/hostapd/README-WPS index 74f2113..87a6f91 100644 --- a/contrib/wpa/hostapd/README-WPS +++ b/contrib/wpa/hostapd/README-WPS @@ -63,8 +63,13 @@ includes WPS support and uses madwifi driver interface: CONFIG_DRIVER_MADWIFI=y CFLAGS += -I/usr/src/madwifi-0.9.3 CONFIG_WPS=y +CONFIG_WPS2=y CONFIG_WPS_UPNP=y +Following parameter can be used to enable support for NFC config method: + +CONFIG_WPS_NFC=y + Following section shows an example runtime configuration (hostapd.conf) that enables WPS: @@ -119,6 +124,13 @@ pushbutton event (for PBC) to allow a new WPS Enrollee to join the network. hostapd uses the control interface as an input channel for these events. +The PIN value used in the commands must be processed by an UI to +remove non-digit characters and potentially, to verify the checksum +digit. "hostapd_cli wps_check_pin <PIN>" can be used to do such +processing. It returns FAIL if the PIN is invalid, or FAIL-CHECKSUM if +the checksum digit is incorrect, or the processed PIN (non-digit +characters removed) if the PIN is valid. + When a client device (WPS Enrollee) connects to hostapd (WPS Registrar) in order to start PIN mode negotiation for WPS, an identifier (Enrollee UUID) is sent. hostapd will need to be configured @@ -171,10 +183,17 @@ hostapd_cli wps_pin any 12345670 To reduce likelihood of PIN being used with other devices or of forgetting an active PIN available for potential attackers, expiration -time can be set for the new PIN: +time in seconds can be set for the new PIN (value 0 indicates no +expiration): hostapd_cli wps_pin any 12345670 300 +If the MAC address of the enrollee is known, it should be configured +to allow the AP to advertise list of authorized enrollees: + +hostapd_cli wps_pin 53b63a98-d29e-4457-a2ed-094d7e6a669c \ + 12345670 300 00:11:22:33:44:55 + After this, the Enrollee can connect to the AP again and complete WPS negotiation. At that point, a new, random WPA PSK is generated for the @@ -221,6 +240,17 @@ hostapd_cli wps_ap_pin set <PIN> [timeout] - if the optional timeout parameter is given, the AP PIN will be enabled for the specified number of seconds +hostapd_cli get_config +- display the current configuration + +hostapd_cli wps_config <new SSID> <auth> <encr> <new key> +examples: + hostapd_cli wps_config testing WPA2PSK CCMP 12345678 + hostapd_cli wps_config "no security" OPEN NONE "" + +<auth> must be one of the following: OPEN WPAPSK WPA2PSK +<encr> must be one of the following: NONE WEP TKIP CCMP + Credential generation and configuration changes ----------------------------------------------- @@ -251,7 +281,7 @@ WPS-REG-SUCCESS <Enrollee MAC address <UUID-E> For example: <2>WPS-REG-SUCCESS 02:66:a0:ee:17:27 2b7093f1-d6fb-5108-adbb-bea66bb87333 -This can be used to tricker change from unconfigured to configured +This can be used to trigger change from unconfigured to configured state (random configuration based on the first successful WPS registration). In addition, this can be used to update AP UI about the status of WPS registration progress. @@ -263,3 +293,48 @@ For example: This can be used to update the externally stored AP configuration and then update hostapd configuration (followed by restarting of hostapd). + + +WPS with NFC +------------ + +WPS can be used with NFC-based configuration method. An NFC tag +containing a password token from the Enrollee can be used to +authenticate the connection instead of the PIN. In addition, an NFC tag +with a configuration token can be used to transfer AP settings without +going through the WPS protocol. + +When the AP acts as an Enrollee, a local NFC tag with a password token +can be used by touching the NFC interface of an external Registrar. The +wps_nfc_token command is used to manage use of the NFC password token +from the AP. "wps_nfc_token enable" enables the use of the AP's NFC +password token (in place of AP PIN) and "wps_nfc_token disable" disables +the NFC password token. + +The NFC password token that is either pre-configured in the +configuration file (wps_nfc_dev_pw_id, wps_nfc_dh_pubkey, +wps_nfc_dh_privkey, wps_nfc_dev_pw) or generated dynamically with +"wps_nfc_token <WPS|NDEF>" command. The nfc_pw_token tool from +wpa_supplicant can be used to generate NFC password tokens during +manufacturing (each AP needs to have its own random keys). + +The "wps_nfc_config_token <WPS/NDEF>" command can be used to build an +NFC configuration token. The output value from this command is a hexdump +of the current AP configuration (WPS parameter requests this to include +only the WPS attributes; NDEF parameter requests additional NDEF +encapsulation to be included). This data needs to be written to an NFC +tag with an external program. Once written, the NFC configuration token +can be used to touch an NFC interface on a station to provision the +credentials needed to access the network. + +When the NFC device on the AP reads an NFC tag with a MIME media type +"application/vnd.wfa.wsc", the NDEF message payload (with or without +NDEF encapsulation) can be delivered to hostapd using the +following hostapd_cli command: + +wps_nfc_tag_read <hexdump of payload> + +If the NFC tag contains a password token, the token is added to the +internal Registrar. This allows station Enrollee from which the password +token was received to run through WPS protocol to provision the +credential. |