# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Try 802.1x authentication.
#
# This file is a single Python expression, not JSON: it uses comments,
# triple-quoted strings, generator expressions and reduce().  It describes
# one test, "Check1x_TTLS", as an ordered list of steps:
#   1. create a hostap-type AP and install a CA cert, a server cert/key, an
#      expired server cert/key and an EAP user file on the router;
#   2. connect with valid credentials (two identities) and ping;
#   3. negative cases: wrong password, expired server cert, wrong CA;
#   4. generated positive cases for the TTLS-MSCHAPV2 / MSCHAP / PAP users.
#
# site_eap_certs is not defined in this file; presumably the harness that
# evaluates the expression supplies it -- confirm.
# NOTE(review): reduce() is a builtin only in Python 2, so the expression
# needs Python 2 or a harness that puts reduce in scope.

{ "name":"Check1x_TTLS",
  "steps":[                                 # Channel [any]
    [ "create",       { "type": "hostap" } ],
    # Everything installed here is test-only key material and credentials.
    # The server private keys are written under /tmp on the router, and this
    # file does not show which permissions install_files applies, so treat
    # the site_eap_certs keys as public and never reuse them elsewhere.
    [ "install_files", { "system": "router",
                         "files":
                         { "/tmp/hostapd_ca_cert" :
                             site_eap_certs.ca_cert_1,
                           "/tmp/hostapd_server_cert":
                             site_eap_certs.server_cert_1,
                           "/tmp/hostapd_private_key":
                             site_eap_certs.server_private_key_1,
                           "/tmp/hostapd_expired_server_cert":
                             site_eap_certs.server_expired_cert,
                           "/tmp/hostapd_expired_private_key":
                             site_eap_certs.server_expired_key,
                           # hostapd EAP user database.  "* TTLS" lets any
                           # outer (phase 1) identity use TTLS; the entries
                           # flagged [2] are the phase 2 (inner) users.
                           # Passwords are stored in plaintext and every
                           # user shares the literal "password", which is
                           # acceptable only for throwaway test accounts.
                           # Continuation lines are flush left: any
                           # indentation would become part of the file.
                           "/tmp/hostapd_eap_user_file":
                             """* TTLS
"testuser-chapv2" MSCHAPV2 "password" [2]
"testuser-md5" MD5 "password" [2]
"testuser-tchapv2" TTLS-MSCHAPV2 "password" [2]
"testuser-tchap" TTLS-MSCHAP "password" [2]
"testuser-tpap" TTLS-PAP "password" [2]""" } } ],
    # AP configuration.  The key names match hostapd.conf options; if they
    # are passed through unchanged, "wpa": "1" selects WPA (version 1)
    # rather than WPA2/RSN -- NOTE(review): confirm that is intended.
    # "eap_server": "1" would then select hostapd's integrated EAP server,
    # with the user file installed above as its credential store.
    [ "config",       { "channel": "2412",
                        "mode": "11g",
                        "wpa": "1",
                        "wpa_key_mgmt": "WPA-EAP",
                        "eap_server": "1",
                        "wpa_pairwise":"CCMP",
                        "ieee8021x": "1",
                        "ca_cert": "/tmp/hostapd_ca_cert",
                        "server_cert": "/tmp/hostapd_server_cert",
                        "private_key": "/tmp/hostapd_private_key",
                        "eap_user_file": "/tmp/hostapd_eap_user_file"} ],
    # The client gets two CA certs: ca_cert_1 (the same object installed on
    # the router as its CA) and ca_cert_2, which the wrong-CA step below
    # uses as the non-matching trust anchor.
    [ "install_files", { "system": "client",
                         "files":
                         { "/tmp/ca-cert.pem" :
                             site_eap_certs.ca_cert_1,
                           "/tmp/ca-cert-other.pem" :
                             site_eap_certs.ca_cert_2} } ],
    # In 802_1x steps the "psk" value carries colon-separated EAP properties
    # (Identity, Password, CACert), assembled here by adjacent-string-literal
    # concatenation.  No EAP.InnerEAP is given, unlike the generated steps at
    # the end; presumably the inner method is left to the client -- confirm.
    [ "connect",      { "security": "802_1x",
                        "psk": "EAP.Identity:testuser-chapv2"
                               ":EAP.Password:password"
                               ":EAP.CACert:/tmp/ca-cert.pem"} ],
    [ "client_ping",  { "count":"10" } ],

    [ "disconnect" ],

    # Try MD5 inner auth
    [ "config",       { "ssid_suffix": "t1" } ],
    [ "connect",      { "security": "802_1x",
                        "psk": "EAP.Identity:testuser-md5"
                               ":EAP.Password:password"
                               ":EAP.CACert:/tmp/ca-cert.pem"} ],
    [ "client_ping",  { "count": "10" } ],

    [ "disconnect" ],

    #
    # Try authenticating using the wrong client password
    # The "!" prefix appears to mark a step that is expected to fail --
    # confirm against the harness.
    # NOTE(review): this step gives no EAP.CACert and lists no expected
    # failure message (compare the expired-cert step below), so presumably
    # any connection failure satisfies it, not only a rejected password.
    [ "config",       { "ssid_suffix": "t2" } ],
    [ "!connect",     { "security": "802_1x",
                        "psk": "EAP.Identity:testuser-chapv2"
                               ":EAP.Password:wrongpassword"} ],

    # Try authenticating to an AP with an expired server cert.
    # The trailing string is presumably a pattern the harness matches
    # against the client's failure output; the escaped parentheses suggest
    # a regular expression -- confirm.  "\(" is not a recognized Python
    # string escape, so the backslash is kept literally; newer Python 3
    # releases warn about it.
    [ "config",       { "ssid_suffix": "t3",
                        "ca_cert": "/tmp/hostapd_ca_cert",
                        "server_cert": "/tmp/hostapd_expired_server_cert",
                        "private_key": "/tmp/hostapd_expired_private_key"} ],
    [ "!connect",     { "security":"802_1x",
                        "psk": "EAP.Identity:testuser-chapv2"
                               ":EAP.Password:password"
                               ":EAP.CACert:/tmp/ca-cert.pem"},
                      "TLS: Certificate verification failed, error 10 "
                      "\(certificate has expired\)" ],
    #
    # Try authenticating with the right client password but wrong CA
    # The config step switches the AP back to the unexpired server cert and
    # key; the client then validates against /tmp/ca-cert-other.pem.
    # NOTE(review): no expected failure message is listed here either, so
    # this step does not show that the rejection came from certificate
    # validation rather than from an unrelated connection failure.
    [ "config",       { "ssid_suffix": "t4",
                        "server_cert": "/tmp/hostapd_server_cert",
                        "private_key": "/tmp/hostapd_private_key"} ],
    [ "!connect",     { "security": "802_1x",
                        "psk": "EAP.Identity:testuser-chapv2"
                               ":EAP.Password:password"
                               ":EAP.CACert:/tmp/ca-cert-other.pem"} ],
  ]

  # Create a template for the rest of our attempts at EAP-TTLS types
  # zip() pairs the i-th config, connect, client_ping and disconnect steps;
  # map(list, ...) turns each 4-tuple into a list and reduce() concatenates
  # them, giving config / connect / ping / disconnect for each of the three
  # users in turn.
  # NOTE(review): range(4,7) yields the suffixes "t4", "t5" and "t6", so
  # "t4" repeats the suffix already used by the wrong-CA step above --
  # confirm that the reuse is harmless.
  + reduce(lambda x,y: x+y, map(list, zip(
      list([ "config",      { "ssid_suffix": "t" + suffix } ]
           for suffix in map(str, range(4,7))),
      list([ "connect",     { "security":"802_1x",
                              "psk" : "EAP.Identity:" + user +
                                      ":EAP.Password:" + password +
                                      ":EAP.CACert:/tmp/ca-cert.pem" +
                                      ":EAP.InnerEAP:" + auth } ]
           for user, password, auth in [
               # This is the list of authentication attempts to perform
               ("testuser-tchapv2", "password", "auth=MSCHAPV2" ),
               ("testuser-tchap", "password", "auth=MSCHAP"),
               ("testuser-tpap", "password", "auth=PAP")
           ]),
      [ [ "client_ping", { "count":"10" } ] ] * 3,
      [ [ "disconnect" ] ] * 3
  ))) +

  [ [ "destroy" ] ],
}