FreeBSD + EAP/TLS + IPv6 != OK
Jakob Alvermark
jakob.alvermark
Wed Dec 14 04:56:05 PST 2005
> On Wed, Dec 07, 2005 at 10:52:59PM +0200, S?bastien Pierrel wrote:
>> Jouni Malinen wrote:
>> > Have you tried whether IPv4 broadcast packets are received correctly?
>>
>> Yes, they are.
>
> Same here. IPv4 broadcasts gets through, but IPv6 broadcasts seems to
> be mangled somewhere along the way as seen on
> http://www.bughost.org/bugzilla/show_bug.cgi?id=810#c6
>
> I really have no idea on where to go next in order to debug this
> thing... Any help will be greatly appreciated.
I have problems with broadcasts!
I have FreeBSD 6.0 + hostapd 0.4.7 + EAP-PEAP + CCMP
Config as follows:
interface=ural0
driver=bsd
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=0
debug=0
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=testing
macaddr_acl=0
auth_algs=1
ieee8021x=1
eap_message=hello
wep_key_len_broadcast=13
wep_key_len_unicast=13
wep_rekey_period=300
eapol_key_index_workaround=1
eap_reauth_period=3600
eap_server=0
ca_cert=/usr/local/etc/hostapd/hostapd.ca.pem
server_cert=/usr/local/etc/hostapd/hostapd.server.pem
private_key=/usr/local/etc/hostapd/hostapd.server.prv
private_key_passwd=testkey
own_ip_addr=xxx.xx.x.xxx
auth_server_addr=xxx.xx.xx.x
auth_server_port=1812
auth_server_shared_secret=xxxxxx
acct_server_addr=xxx.xx.xx.x
acct_server_port=1813
acct_server_shared_secret=xxxxxx
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
wpa_group_rekey=600
wpa_strict_rekey=1
wpa_gmk_rekey=86400
Everything looks fine when connecting from a Windows XP client:
Configuration file: /usr/local/etc/hostapd/hostapd.conf
Using interface ural0 with hwaddr 00:0f:ea:f4:ea:f1 and ssid 'testing'
ural0: RADIUS Authentication server xxx.xx.xx.x:1812
ural0: RADIUS Accounting server xxx.xx.xx.x:1813
ural0: RADIUS Sending RADIUS message to accounting server
ural0: RADIUS Next RADIUS client retransmit in 3 seconds
Flushing old station entries
Deauthenticate all stations
ural0: RADIUS Received 20 bytes from RADIUS server
ural0: RADIUS Received RADIUS message
ural0: STA 00:00:00:00:00:00 RADIUS: Received RADIUS packet matched with a
pending request, round trip time 0.00 sec
ural0: STA 00:13:ce:72:e0:0a IEEE 802.11: associated
ural0: STA 00:13:ce:72:e0:0a WPA: event 1 notification
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: start authentication
ural0: STA 00:13:ce:72:e0:0a WPA: start authentication
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: unauthorizing port
ural0: STA 00:13:ce:72:e0:0a IEEE 802.11: associated
ural0: STA 00:13:ce:72:e0:0a WPA: event 1 notification
ural0: STA 00:13:ce:72:e0:0a WPA: event 4 notification
ural0: STA 00:13:ce:72:e0:0a IEEE 802.11: associated
ural0: STA 00:13:ce:72:e0:0a WPA: event 1 notification
ural0: STA 00:13:ce:72:e0:0a WPA: event 4 notification
ural0: STA 00:13:ce:72:e0:0a IEEE 802.11: associated
ural0: STA 00:13:ce:72:e0:0a WPA: event 1 notification
ural0: STA 00:13:ce:72:e0:0a WPA: event 4 notification
ural0: STA 00:13:ce:72:e0:0a IEEE 802.11: associated
ural0: STA 00:13:ce:72:e0:0a WPA: event 1 notification
ural0: STA 00:13:ce:72:e0:0a WPA: event 4 notification
ural0: STA 00:13:ce:72:e0:0a IEEE 802.11: associated
ural0: STA 00:13:ce:72:e0:0a WPA: event 1 notification
ural0: STA 00:13:ce:72:e0:0a WPA: event 4 notification
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: received EAPOL-Start from STA
ural0: STA 00:13:ce:72:e0:0a WPA: event 5 notification
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: aborting authentication
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: received EAP packet (code=2 id=1
len=20) from STA: EAP Response-Identity (1)
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: STA identity 'XXXXXXXX\xxxxxx'
ural0: RADIUS Sending RADIUS message to authentication server
ural0: RADIUS Next RADIUS client retransmit in 3 seconds
ural0: RADIUS Received 76 bytes from RADIUS server
ural0: RADIUS Received RADIUS message
ural0: STA 00:13:ce:72:e0:0a RADIUS: Received RADIUS packet matched with a
pending request, round trip time 0.02 sec
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: using EAP timeout of 30 seconds
(from RADIUS)
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: decapsulated EAP packet (code=1
id=2 len=6) from RADIUS server: EAP-Request-PEAP (25)
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: received EAP packet (code=2 id=2
len=112) from STA: EAP Response-PEAP (25)
ural0: RADIUS Sending RADIUS message to authentication server
ural0: RADIUS Next RADIUS client retransmit in 3 seconds
ural0: RADIUS Received 202 bytes from RADIUS server
ural0: RADIUS Received RADIUS message
ural0: STA 00:13:ce:72:e0:0a RADIUS: Received RADIUS packet matched with a
pending request, round trip time 0.00 sec
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: using EAP timeout of 30 seconds
(from RADIUS)
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: decapsulated EAP packet (code=1
id=3 len=132) from RADIUS server: EAP-Request-PEAP (25)
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: received EAP packet (code=2 id=3
len=53) from STA: EAP Response-PEAP (25)
ural0: RADIUS Sending RADIUS message to authentication server
ural0: RADIUS Next RADIUS client retransmit in 3 seconds
ural0: RADIUS Received 98 bytes from RADIUS server
ural0: RADIUS Received RADIUS message
ural0: STA 00:13:ce:72:e0:0a RADIUS: Received RADIUS packet matched with a
pending request, round trip time 0.00 sec
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: using EAP timeout of 30 seconds
(from RADIUS)
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: decapsulated EAP packet (code=1
id=5 len=28) from RADIUS server: EAP-Request-PEAP (25)
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: received EAP packet (code=2 id=5
len=43) from STA: EAP Response-PEAP (25)
ural0: RADIUS Sending RADIUS message to authentication server
ural0: RADIUS Next RADIUS client retransmit in 3 seconds
ural0: RADIUS Received 128 bytes from RADIUS server
ural0: RADIUS Received RADIUS message
ural0: STA 00:13:ce:72:e0:0a RADIUS: Received RADIUS packet matched with a
pending request, round trip time 0.00 sec
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: using EAP timeout of 6 seconds
(from RADIUS)
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: decapsulated EAP packet (code=1
id=6 len=58) from RADIUS server: EAP-Request-PEAP (25)
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: received EAP packet (code=2 id=6
len=97) from STA: EAP Response-PEAP (25)
ural0: RADIUS Sending RADIUS message to authentication server
ural0: RADIUS Next RADIUS client retransmit in 3 seconds
ural0: RADIUS Received 243 bytes from RADIUS server
ural0: RADIUS Received RADIUS message
ural0: STA 00:13:ce:72:e0:0a RADIUS: Received RADIUS packet matched with a
pending request, round trip time 0.00 sec
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: using EAP timeout of 6 seconds
(from RADIUS)
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: decapsulated EAP packet (code=1
id=7 len=74) from RADIUS server: EAP-Request-PEAP (25)
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: received EAP packet (code=2 id=7
len=29) from STA: EAP Response-PEAP (25)
ural0: RADIUS Sending RADIUS message to authentication server
ural0: RADIUS Next RADIUS client retransmit in 3 seconds
ural0: RADIUS Received 259 bytes from RADIUS server
ural0: RADIUS Received RADIUS message
ural0: STA 00:13:ce:72:e0:0a RADIUS: Received RADIUS packet matched with a
pending request, round trip time 0.00 sec
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: using EAP timeout of 30 seconds
(from RADIUS)
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: decapsulated EAP packet (code=1
id=8 len=38) from RADIUS server: EAP-Request-PEAP (25)
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: received EAP packet (code=2 id=8
len=38) from STA: EAP Response-PEAP (25)
ural0: RADIUS Sending RADIUS message to authentication server
ural0: RADIUS Next RADIUS client retransmit in 3 seconds
ural0: RADIUS Received 204 bytes from RADIUS server
ural0: RADIUS Received RADIUS message
ural0: STA 00:13:ce:72:e0:0a RADIUS: Received RADIUS packet matched with a
pending request, round trip time 0.00 sec
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: decapsulated EAP packet (code=3
id=9 len=4) from RADIUS server: EAP Success
ural0: STA 00:13:ce:72:e0:0a WPA: sending 1/4 msg of 4-Way Handshake
ural0: STA 00:13:ce:72:e0:0a WPA: received EAPOL-Key frame (2/4 Pairwise)
ural0: STA 00:13:ce:72:e0:0a WPA: sending 3/4 msg of 4-Way Handshake
ural0: STA 00:13:ce:72:e0:0a WPA: received EAPOL-Key frame (4/4 Pairwise)
ural0: STA 00:13:ce:72:e0:0a WPA: pairwise key handshake completed (WPA)
ural0: STA 00:13:ce:72:e0:0a WPA: sending 1/2 msg of Group Key Handshake
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: authorizing port
ural0: RADIUS Sending RADIUS message to accounting server
ural0: RADIUS Next RADIUS client retransmit in 3 seconds
ural0: STA 00:13:ce:72:e0:0a IEEE 802.1X: authenticated
ural0: RADIUS Received 20 bytes from RADIUS server
ural0: RADIUS Received RADIUS message
ural0: STA 00:13:ce:72:e0:0a RADIUS: Received RADIUS packet matched with a
pending request, round trip time 0.00 sec
ural0: STA 00:13:ce:72:e0:0a WPA: received EAPOL-Key frame (2/2 Group)
ural0: STA 00:13:ce:72:e0:0a WPA: group key handshake completed (WPA)
Signal 2 received - terminating
Removing station 00:13:ce:72:e0:0a
ural0: STA 00:13:ce:72:e0:0a RADIUS: updated TX/RX stats:
Acct-Input-Octets=5717 Acct-Input-Gigawords=0 Acct-Output-Octets=857
Acct-Output-Gigawords=0
ural0: RADIUS Sending RADIUS message to accounting server
ural0: STA 00:13:ce:72:e0:0a WPA: strict rekeying - force GTK rekey since
STA is leaving
Flushing old station entries
Deauthenticate all stations
ural0: RADIUS Sending RADIUS message to accounting server
But broadcasts looks strange, when the client tries DHCP (which is
broadcast), tcpdump output:
11:38:21.299774 EAP code=2 id=0 length=10
11:38:21.992605 EAP code=1 id=1 length=0
11:38:21.992722 EAP code=2 id=0 length=10
11:38:21.998600 EAP code=1 id=0 length=20
11:38:22.011193 EAP code=2 id=0 length=6
11:38:22.014099 EAP code=1 id=0 length=112
11:38:22.015648 EAP code=2 id=0 length=132
11:38:22.084094 EAP code=1 id=0 length=53
11:38:22.086693 EAP code=2 id=0 length=28
11:38:22.089341 EAP code=1 id=0 length=43
11:38:22.091118 EAP code=2 id=0 length=58
11:38:22.097090 EAP code=1 id=0 length=97
11:38:22.103896 EAP code=2 id=0 length=74
11:38:22.106839 EAP code=1 id=0 length=29
11:38:22.107925 EAP code=2 id=0 length=38
11:38:22.110339 EAP code=1 id=0 length=38
11:38:22.112845 EAP code=2 id=0 length=4
11:38:22.113087 EAP code=2 id=3 length=95
11:38:22.124088 EAP code=1 id=3 length=121
11:38:22.124258 EAP code=2 id=3 length=123
11:38:22.129087 EAP code=1 id=3 length=95
11:38:22.129325 EAP code=2 id=3 length=135
11:38:22.165101 EAP code=1 id=3 length=95
11:38:26.458198 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP,
Request from 00:13:ce:72:e0:0a (oui Unknown), length: 300
11:38:26.458235 IP5 truncated-ip - 9831 bytes missing! 149.248.61.115 >
217.202.139.118: skip
11:38:31.453697 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP,
Request from 00:13:ce:72:e0:0a (oui Unknown), length: 300
11:38:31.453733 IP13 bad-hlen 4
11:38:38.453733 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP,
Request from 00:13:ce:72:e0:0a (oui Unknown), length: 300
11:38:38.453766 IP0 truncated-ip - 16703 bytes missing! 97.77.250.58 >
144.196.161.77: ip-proto-217
11:38:55.453000 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP,
Request from 00:13:ce:72:e0:0a (oui Unknown), length: 300
11:38:55.453036 IP9 truncated-ip - 63272 bytes missing! 73.193.65.233 >
56.210.235.130: bbn-rcc
11:39:26.458320 arp who-has 169.254.191.3 tell 169.254.191.3
11:39:26.458349 truncated-arp
0x0000: 7166 86aa 4478 aa87 98fe 9ab2 1383 3081 qf..Dx........0.
0x0010: 8150 7cf7 c64e 69d9 daf7 68bc .P|..Ni...h.
11:39:26.561542 arp who-has 169.254.191.3 tell 169.254.191.3
11:39:26.561557 truncated-arp
0x0000: 36a8 9afc 1ade b459 1e58 520c 5825 23db 6......Y.XR.X%#.
0x0010: 6ec7 7239 dbe2 bd8e 3ae8 d091 n.r9....:...
11:39:27.561707 arp who-has 169.254.191.3 tell 169.254.191.3
11:39:27.561733 truncated-arp
0x0000: 3398 871d c458 fc4d 9aab a4bb 1d08 51f0 3....X.M......Q.
0x0010: d2bc 4ee1 4ba2 a539 ba31 959c ..N.K..9.1..
11:39:28.639840 IP 169.254.191.3.netbios-ns > 169.254.255.255.netbios-ns:
NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
11:39:28.639859 IP15 truncated-ip - 26306 bytes missing! 84.232.178.91 >
239.13.215.13: ip-proto-156
11:39:28.652824 IP 169.254.191.3 > igmp.mcast.net: igmp v3 report, 1 group
record(s)
11:39:28.652837 IP1 bad-hlen 12
11:39:28.673333 IP 169.254.191.3.1263 > 239.255.255.250.1900: UDP, length 133
11:39:28.673350 IP5 bad-hlen 16
11:39:29.389513 IP 169.254.191.3.netbios-ns > 169.254.255.255.netbios-ns:
NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
11:39:29.389531 IP7 truncated-ip - 20566 bytes missing! 225.148.224.212 >
47.96.26.138: ip-proto-156
11:39:29.561982 IP 169.254.191.3 > igmp.mcast.net: igmp v3 report, 1 group
record(s)
11:39:29.561995 IP8 truncated-ip - 55940 bytes missing! 9.151.94.166 >
235.157.87.183: ip-proto-153
11:39:30.139429 IP 169.254.191.3.netbios-ns > 169.254.255.255.netbios-ns:
NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
11:39:30.139443 IP11 truncated-ip - 59940 bytes missing! 210.172.54.158 >
198.15.130.73: ip-proto-235
When setting a fixed IP address on the client it works, but I have to
manually set the ARP, since that is also broadcast.
Any ideas?
Regards,
Jakob Alvermark
More information about the Hostap
mailing list