hostapd authenticates but dhcpd doesn't give out address
Derek Schuff
schuffdl
Tue Jun 15 06:54:17 PDT 2004
On Tuesday 15 June 2004 09:38 am, Bob Beers wrote:
> Hi list, (I'm re-posting this, so apologies if it does finally
> show up twice)
>
> I am running a custom 2.4.20 kernel and the 0.2.2 hostap
> driver, and all is well: I can associate all 802.11b
> stations (hostap and windows) that I try with the hostap AP
> and then get dynamic IP assignment via dhcpd on the AP.
This is with static WEP?
> But, when I try to implement the hostapd and a remote radius
> server for authentication I can associate stations, but the
> dhcpd daemon on the AP never seems to get the dhcp requests.
Is this just 802.1x or WPA?
I assume you are getting sucessful authentications from the RADIUS server. you
may want to verify that port on the AP is getting opened to traffic. (someone
else will have to give you more details, as I don't run in AP mode at the
moment)
>
> Can someone point me to some more reading or example config files
> so that I can get this working correctly, please? Maybe I'm
> forgetting something on the station side also?
>
>
> What I think I want is to allow stations to associate,
> but until after opening a browser for username password validation
> on a T&C page, not allow them any connectivity. Am I headed in
> the right direction here?
I'm not sure you can do this with just an 802.1x authenticator. The
Authenticator only has control over whether the port is open or closed. If
closed (before sucessful authentication), nothing gets through at all (well,
other than EAP), so no DHCP or HTTP or anything. once RADIUS/EAP
authentication succeeds, then it's open an everything gets through.
(Someone correct me if I'm wrong)
>
> here's my hostapd.conf:
>
> bash-2.05# cat /etc/hostapd.conf | grep = | grep -v ^#
> interface=wlan0
> logger_syslog=-1
> logger_syslog_level=2
> logger_stdout=-1
> logger_stdout_level=2
> debug=2
> dump_file=/tmp/hostapd.dump
> daemonize=1
> ssid=edgeRM
> macaddr_acl=2
> auth_algs=1
> ieee8021x=1
> minimal_eap=1
> eap_message=hello
> wep_key_len_broadcast=5
> wep_key_len_unicast=5
> wep_rekey_period=300
> eapol_key_index_workaround=0
> own_ip_addr=172.16.1.201
> auth_server_addr=172.16.1.200
> auth_server_port=1812
> auth_server_shared_secret=secret
> acct_server_addr=172.16.1.200
> acct_server_port=1813
> acct_server_shared_secret=secret
>
> here's some of the log messages I get on the AP:
>
> in /var/log/messages:
>
> Jun 10 16:24:16 rack001 hostapd: wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11:
> disassociated due to inactivity
> Jun 10 16:24:17 rack001 hostapd: wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11:
> deauthenticated due to inactivity
> Jun 10 16:24:17 rack001 hostapd: wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11:
> authenticated
> Jun 10 16:24:17 rack001 hostapd: wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11:
> associated (aid 1)
>
> in /var/log/debug: (I think this first line is about the dhcp request)
>
> Jun 10 16:24:15 rack001 kernel: wifi0: dropped frame to unauthorized port
> (IEEE 802.1X): ethertype=0x0000
> Jun 10 16:24:15 rack001 kernel: wifi0: TX len=24 jiffies=1143809
> Jun 10 16:24:15 rack001 kernel: FC=0x020a (type=2:0) [FromDS] dur=0x0000
> seq=0x0000
> Jun 10 16:24:15 rack001 kernel: A1=00:09:5b:2f:f6:b4
> A2=00:09:5b:41:10:b4 A3=00:09:5b:41:10:b4
> Jun 10 16:24:17 rack001 kernel: wifi0: Could not find STA 00:09:5b:2f:f6:b4
> for this TX error (@1144012)
> Jun 10 16:24:18 rack001 kernel: wifi0: TX: IEEE 802.1X - passing
> unencrypted EAPOL frame
> Jun 10 16:24:49 rack001 kernel: wifi0: TX: IEEE 802.1X - passing
> unencrypted EAPOL frame
>
> here's what I see when running 'hostapd -d /etc/hostapd.conf':
>
>
> Configuration file: /etc/hostapd.conf
> Opening raw packet socket for ifindex 16
> Using interface wlan0ap with hwaddr 00:09:5b:41:10:b4 and ssid 'edgeRM'
> wlan0: RADIUS Authentication server 172.16.1.200:1812
> wlan0: RADIUS Accounting server 172.16.1.200:1813
> Sending RADIUS message to accounting server
> RADIUS message: code=4 (Accounting-Request) identifier=0 length=70
> Attribute 40 (Acct-Status-Type) length=6
> Value: 7
> Attribute 45 (Acct-Authentic) length=6
> Value: 1
> Attribute 4 (NAS-IP-Address) length=6
> Value: 172.16.1.201
> Attribute 30 (Called-Station-Id) length=26
> Value: '00-09-5B-41-10-B4:edgeRM'
> Attribute 49 (Acct-Terminate-Cause) length=6
> Value: 11
> Default WEP key - hexdump(len=5): 4b b7 0e d0 af
> Flushing old station entries
> Deauthenticate all stations
> Received 20 bytes from RADIUS server
> Received RADIUS message
> RADIUS message: code=5 (Accounting-Response) identifier=0 length=20
> Received 30 bytes management frame
> RX frame - hexdump(len=30): b0 00 02 01 00 09 5b 41 10 b4 00 09 5b 2f f6 b4
> 00 09 5b 41 10 b4 30 34 00 00 01 00 00 00
> MGMT
> mgmt::auth
> authentication: STA=00:09:5b:2f:f6:b4 auth_alg=0 auth_transaction=1
> status_code=0 wep=0
> Sending RADIUS message to authentication server
> RADIUS message: code=1 (Access-Request) identifier=1 length=151
> Attribute 1 (User-Name) length=14
> Value: '00095b2ff6b4'
> Attribute 2 (User-Password) length=18
> Attribute 4 (NAS-IP-Address) length=6
> Value: 172.16.1.201
> Attribute 30 (Called-Station-Id) length=26
> Value: '00-09-5B-41-10-B4:edgeRM'
> Attribute 31 (Calling-Station-Id) length=19
> Value: '00-09-5B-2F-F6-B4'
> Attribute 61 (NAS-Port-Type) length=6
> Value: 19
> Attribute 77 (Connect-Info) length=24
> Value: 'CONNECT 11Mbps 802.11b'
> Attribute 80 (Message-Authenticator) length=18
> Authentication frame from 00:09:5b:2f:f6:b4 waiting for an external
> authentication Received 26 bytes from RADIUS server
> Received RADIUS message
> RADIUS message: code=2 (Access-Accept) identifier=1 length=26
> Attribute 6 (?Unknown?) length=6
> Found matching Access-Request for RADIUS message (id=1)
> Re-sending authentication frame after successful RADIUS ACL query
> mgmt::auth
> authentication: STA=00:09:5b:2f:f6:b4 auth_alg=0 auth_transaction=1
> status_code=0 wep=0
> New STA
> wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11: authentication OK (open system)
> wlan0: STA 00:09:5b:2f:f6:b4 WPA: event 0 notification
> authentication reply: STA=00:09:5b:2f:f6:b4 auth_alg=0 auth_transaction=2
> resp=0 Received 30 bytes management frame
> RX frame - hexdump(len=30): b2 00 02 01 00 09 5b 2f f6 b4 00 09 5b 41 10 b4
> 00 09 5b 41 10 b4 d0 62 00 00 02 00 00 00
> MGMT (TX callback) ACK
> mgmt::auth cb
> wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11: authenticated
> Received 42 bytes management frame
> RX frame - hexdump(len=42): 00 00 73 d1 00 09 5b 41 10 b4 00 09 5b 2f f6 b4
> 00 09 5b 41 10 b4 40 34 01 00 0a 00 00 06 65 64 67 65 52 4d 01 04 82 84 0b
> 16 MGMT
> mgmt::assoc_req
> association request: STA=00:09:5b:2f:f6:b4 capab_info=0x01
> listen_interval=10 new AID 1
> wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11: association OK (aid 1)
> Received 36 bytes management frame
> RX frame - hexdump(len=36): 12 00 73 d1 00 09 5b 2f f6 b4 00 09 5b 41 10 b4
> 00 09 5b 41 10 b4 e0 62 11 00 00 00 01 c0 01 04 82 84 0b 16
> MGMT (TX callback) ACK
> mgmt::assoc_resp cb
> wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11: associated (aid 1)
> wlan0: STA 00:09:5b:2f:f6:b4 WPA: event 1 notification
> wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.1X: start authentication
> IEEE 802.1X: 00:09:5b:2f:f6:b4 AUTH_PAE entering state INITIALIZE
> IEEE 802.1X: 00:09:5b:2f:f6:b4 BE_AUTH entering state INITIALIZE
> IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
> IEEE 802.1X: 00:09:5b:2f:f6:b4 AUTH_KEY_TX entering state NO_KEY_TRANSMIT
> IEEE 802.1X: 00:09:5b:2f:f6:b4 AUTH_PAE entering state INITIALIZE
> IEEE 802.1X: 00:09:5b:2f:f6:b4 BE_AUTH entering state IDLE
> IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
> IEEE 802.1X: 00:09:5b:2f:f6:b4 AUTH_PAE entering state INITIALIZE
> IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
> IEEE 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 0)
> IEEE 802.1X: 00:09:5b:2f:f6:b4 AUTH_PAE entering state DISCONNECTED
> wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.1X: unauthorizing port
> IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
> IEEE 802.1X: 00:09:5b:2f:f6:b4 AUTH_PAE entering state CONNECTING
> IEEE 802.1X: Sending EAP Request-Identity to 00:09:5b:2f:f6:b4 (identifier
> 0) IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
> IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
> Received 50 bytes management frame
> RX frame - hexdump(len=50): 0a 02 02 01 00 09 5b 2f f6 b4 00 09 5b 41 10 b4
> 00 09 5b 41 10 b4 90 63 aa aa 03 00 00 00 88 8e 01 00 00 0e 01 00 00 0e 01
> 68 65 6c 6c 6f 45 64 67 65
> DATA (TX callback) ACK
> IEEE 802.1X: 00:09:5b:2f:f6:b4 TX status - version=1 type=0 length=14 -
> ack=1 IEEE 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 29)
> IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 28) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 27) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 26) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 25) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 24) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 23) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 22) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 21) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 20) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 19) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 18) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 17) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 16) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 15) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 14) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 13) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 12) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 11) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 10) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 9) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 8) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 7) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 6) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 5) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 4) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 3) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 2) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 1) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 0) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 AUTH_PAE entering state CONNECTING
> IEEE 802.1X: Sending EAP Request-Identity to 00:09:5b:2f:f6:b4 (identifier
> 0) IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
> Received 50 bytes management frame
> RX frame - hexdump(len=50): 0a 02 02 01 00 09 5b 2f f6 b4 00 09 5b 41 10 b4
> 00 09 5b 41 10 b4 70 76 aa aa 03 00 00 00 88 8e 01 00 00 0e 01 00 00 0e 01
> 68 65 6c 6c 6f 45 64 67 65
> DATA (TX callback) ACK
> IEEE 802.1X: 00:09:5b:2f:f6:b4 TX status - version=1 type=0 length=14 -
> ack=1 IEEE 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 29)
> IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 28) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 27) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
> 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 26) IEEE
> 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE Signal 2
> received - terminating
> Removing station 00:09:5b:2f:f6:b4
> IEEE 802.1X: station 00:09:5b:2f:f6:b4 port disabled
> IEEE 802.1X: 00:09:5b:2f:f6:b4 AUTH_PAE entering state INITIALIZE
> IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
> IEEE 802.1X: 00:09:5b:2f:f6:b4 AUTH_PAE entering state INITIALIZE
> IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
> Flushing old station entries
> Deauthenticate all stations
> Sending RADIUS message to accounting server
> RADIUS message: code=4 (Accounting-Request) identifier=2 length=70
> Attribute 40 (Acct-Status-Type) length=6
> Value: 8
> Attribute 45 (Acct-Authentic) length=6
> Value: 1
> Attribute 4 (NAS-IP-Address) length=6
> Value: 172.16.1.201
> Attribute 30 (Called-Station-Id) length=26
> Value: '00-09-5B-41-10-B4:edgeRM'
> Attribute 49 (Acct-Terminate-Cause) length=6
> Value: 11
>
>
>
>
> I hope this was not too lengthy. Any help appreciated. I'm trying to
> get a better understanding of and then amke good use of the hostapd
> features, but I'm not quite there yet.
>
> Thanks,
>
> -Bob
More information about the Hostap
mailing list