WiFi security with hostapd

Last week's post when over setting up a wireless access point using hostapd, however it didn't cover security. This post is going to go over adding encryption and authentication to an access point using WPA2.

WPA2 and Pre-shared Keys

WPA2 is one of the most widely used WiFi security protocols. A variety of different authentication methods can be used, however one of the simplist is a pre-shared key.

Below is some example hostapd configuration which can be used to set up an access point using WPA2-PSK:

# AP details
interface=wlan0
driver=nl80211
ssid="Pi AP"
channel=1
macaddr_acl=0

# WPA2 setup
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=change_me
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ieee80211n=1

Note: remember to change the pass phrase and restart the hostapd service before trying to connect.

Per device configuration

The configuration above uses the same key for every host that connects to the access point. The configuration can be tweaked slightly to look like the following:

# AP details
interface=wlan0
driver=nl80211
ssid="Pi AP"
channel=1
macaddr_acl=0

# WPA2 setup
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_psk_file=/etc/hostapd/psk
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ieee80211n=1

In addition to the config above, a pre-shared key file called /etc/hostapd/psk also needs to be created. This file contains PSK/MAC address pairs. Initially a wild card mac address can be used, this will apply to all devices which connect to the access point:

00:00:00:00:00:00 change_me

Once the wild card mac address is working correctly, the key file can be updated to use different keys for specific mac addresses:

11:11:de:ad:be:ef first_psk
22:22:de:ad:be:ef another_psk

This makes it easy to change device specific pre-shared keys without having to update every device simultaneously. It is however fairly easy to spoof a MAC address, therefore it is important the pre-shared keys are not compromised.