hostapd authenticates but dhcpd doesn't give out address

Jouni Malinen jkmaline
Tue Jun 15 19:43:49 PDT 2004 

On Tue, Jun 15, 2004 at 09:38:53AM -0400, Bob Beers wrote:

> I am running a custom 2.4.20 kernel and the 0.2.2 hostap
>  driver, and all is well:  I can associate all 802.11b
>  stations (hostap and windows) that I try with the hostap AP
>  and then get dynamic IP assignment via dhcpd on the AP.

> But, when I try to implement the hostapd and a remote radius
>  server for authentication I can associate stations, but the
>  dhcpd daemon on the AP never seems to get the dhcp requests.

What kind of RADIUS authentication are you talking about? Your
configuration file seemed to be trying to use RADIUS for both MAC
address based authentication and IEEE 802.1X authentication. While that
is an allowed configuration, it sounds somewhat odd.

> What I think I want is to allow stations to associate,
>  but until after opening a browser for username password validation
>  on a T&C page, not allow them any connectivity.  Am I headed in
>  the right direction here?

Have you configured the clients to do IEEE 802.1X? What are you using as
the EAP method? Why would there be a separate browser (as in web
browser?) authentication after this? Or do you mean a dialog box for
asking EAP authentication username/password?

> ieee8021x=1
> minimal_eap=1
> wep_key_len_broadcast=5
> wep_key_len_unicast=5

Like mentioned in an earlier reply, minimal_eap is not going to work
here. If you want to use dynamic WEP keying, the selected EAP method has
to generate keying material. If you wanted to use username/password
instead of client certificates, you could try, e.g., EAP-PEAP/MSCHAPv2.

> Jun 10 16:24:15 rack001 kernel: wifi0: dropped frame to unauthorized port 
> (IEEE 802.1X): ethertype=0x0000

This means that the IEEE 802.1X was not completed successfully and the
station is not allowed send data packets (other than the IEEE 802.1X
EAPOL frames).

> mgmt::auth
> authentication: STA=00:09:5b:2f:f6:b4 auth_alg=0 auth_transaction=1 
> status_code=0 wep=0
> Sending RADIUS message to authentication server
> RADIUS message: code=1 (Access-Request) identifier=1 length=151
>    Attribute 1 (User-Name) length=14
>       Value: '00095b2ff6b4'

This is the MAC address based authentication using an external RADIUS
server.

> Received 26 bytes from RADIUS server
> Received RADIUS message
> RADIUS message: code=2 (Access-Accept) identifier=1 length=26

.. and it was successful.

> mgmt::assoc_req
> association request: STA=00:09:5b:2f:f6:b4 capab_info=0x01 
> listen_interval=10
>   new AID 1
> wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11: association OK (aid 1)

Stations was associated successfully.

> wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.1X: start authentication
> wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.1X: unauthorizing port
> IEEE 802.1X: Sending EAP Request-Identity to 00:09:5b:2f:f6:b4 (identifier 
> 0)

hostapd start IEEE 802.1X authentication with the station but the
station does not seem to reply. It looks like the IEEE 802.1X Supplicant
in the station is not enabled.

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list