Switch set up fails open
John A. Sullivan III
jsullivan
Thu Jun 7 16:22:17 PDT 2007
On Tue, 2007-06-05 at 18:05 -0400, John A. Sullivan III wrote:
> Hello, all. This is my first set up of hostapd. I'm attempting to
> create a test 802.1x enabled Linux based switch. I have an Ubuntu 7.0.4
> (Feisty) PC with four NICS (eth0,1,2,3) set up in a bridge (switch0)
> with hostapd 0.5.8 and freeradius 1.1.6. There is no wireless; this is
> a LAN switch only.
>
> If I understand correctly, I will ultimately need a separate
> configuration file for each port (by the way, does hostadp.conf support
> includes so I can use the same setup for each port and just change the
> interface?) but for now, to keep things simple, I have only configured
> eth3.
>
> I plugged my laptop into eth3 with a crossover cable. Before activating
> hostapd, the laptop communicated on the network (ping test). I then
> activated hostapd and expected that communication would fail since the
> laptop had not authenticated. It did not fail; the laptop communicates
> on the network just as it did without hostapd. I have rebooted it
> several times with the same results.
>
> I assume this means my setup is not working and not that hostapd fails
> open on 802.1x. What is wrong with my configuration?
>
> Here is stdout from hostapd - the laptop rebooted several times while
> this was running. The MAC address is that of eth3:
> jsullivan at testswitch:/var/log$ sudo hostapd -dd /etc/hostapd/hostapd.conf
> Password:
> Configuration file: /etc/hostapd/hostapd.conf
> ctrl_interface_group=0
> Opening raw packet socket for ifindex 5
> BSS count 1, BSSID mask ff:ff:ff:ff:ff:ff (0 bits)
> Flushing old station entries
> Deauthenticate all stations
> Using interface eth3 with hwaddr 00:c0:f0:59:99:0c and ssid ''
> eth3: RADIUS Authentication server 127.0.0.1:1812
> eth3: Setup of interface done.
>
> Here is syslog (several restarts):
> Jun 5 16:20:30 testswitch hostapd: eth3: RADIUS Authentication server 127.0.0.1:1812
> Jun 5 16:24:25 testswitch hostapd: eth3: RADIUS Authentication server 127.0.0.1:1812
> Jun 5 16:29:15 testswitch hostapd: eth3: RADIUS Authentication server 127.0.0.1:1812
> Jun 5 16:30:09 testswitch hostapd: eth3: RADIUS Authentication server 127.0.0.1:1812
> Jun 5 16:59:20 testswitch -- MARK --
> Jun 5 17:06:46 testswitch hostapd: eth3: RADIUS Authentication server 127.0.0.1:1812
>
> Here is hostapd.conf (remember - no wireless):
> interface=eth3
> bridge=switch0 # I tried with and without this parameter
> driver=wired
> logger_syslog=54
> logger_syslog_level=2
> logger_stdout=54
> logger_stdout_level=2
> debug=4
> dump_file=/tmp/hostapd.dump
> ctrl_interface=/var/run/hostapd
> ctrl_interface_group=0
> #Wireless settings coming up - I changed very few and commented out some
> - no SSID
> max_num_sta=255
> macaddr_acl=0
> auth_algs=1
> wme_enabled=1
> wme_ac_bk_cwmin=4
> wme_ac_bk_cwmax=10
> wme_ac_bk_aifs=7
> wme_ac_bk_txop_limit=0
> wme_ac_bk_acm=0
> wme_ac_be_aifs=3
> wme_ac_be_cwmin=4
> wme_ac_be_cwmax=10
> wme_ac_be_txop_limit=0
> wme_ac_be_acm=0
> wme_ac_vi_aifs=2
> wme_ac_vi_cwmin=3
> wme_ac_vi_cwmax=4
> wme_ac_vi_txop_limit=94
> wme_ac_vi_acm=0
> wme_ac_vo_aifs=2
> wme_ac_vo_cwmin=2
> wme_ac_vo_cwmax=3
> wme_ac_vo_txop_limit=47
> wme_ac_vo_acm=0
> ieee8021x=1
> eapol_key_index_workaround=0
> eap_server=0
> own_ip_addr=127.0.0.1
> auth_server_addr=127.0.0.1 # RADIUS is freeradius on the same computer
> auth_server_port=1812
> auth_server_shared_secret=<some secret>
>
> I'm pretty sure I've got the test laptop plugged into the correct port.
> Here is the switch MAC table:
> jsullivan at testswitch:/etc/hostapd$ brctl showmacs switch0
> port no  mac addr           is local?  ageing timer
>   4      00:00:39:75:f8:39  no               3.17
>   2      00:01:03:24:64:c3  no               2.39
>   3      00:08:c7:b9:db:18  yes              0.00
>   2      00:09:5b:50:d9:ea  no               2.02
>   2      00:0f:b0:70:ec:42  no               0.00
>   2      00:13:20:09:b4:c9  no              49.89
>   1      00:50:da:59:f4:33  yes              0.00
>   2      00:90:4b:8b:5d:c3  no               2.39
>   2      00:a0:d2:17:26:1c  yes              0.00
>   4      00:c0:f0:59:99:0c  yes              0.00
>   2      02:00:00:00:00:03  no              40.91
>   2      aa:00:00:15:60:3a  no              26.95
>   2      aa:00:00:4b:17:90  no               2.02
>   2      aa:00:00:57:ff:f9  no              32.93
>
> 00:c0:f0:59:99:0c is the MAC being reported by hostapd stdout and it
> shows on port 4. 00:00:39:75:f8:39 is the MAC address of the laptop and
> also shows on port 4.
>
> This is a high priority project for us so any help is greatly
> appreciated. Thanks - John
Well, we've solved most but not all of the problems. We needed to set
use_pae_group_addr=1. I'm a little concerned about what that means when
one switch plugs into another.
I also had a mismatch in the CN oid.
Now hostap, freeradius and xsupplicant are all talking to each other and
exchanging authentication information.
However, the switch still fails open. In other words, if I do not
authenticate, I can still send packets through the interface even if
ieee8021x=1. Obviously, this is a big problem. I've spent a few hours
googling and testing but still no success. What have I configured
incorrectly that hostapd is not blocking unauthenticated connections?
Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
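An added check for the fail-open symptom described in this thread (this is not code from the post or from hostapd): cross-reference the bridge's learned MAC table with hostapd's station list and report every non-local MAC seen on the 802.1X port that hostapd has not marked AUTHORIZED. It assumes `hostapd_cli all_sta` prints each station's MAC followed by a `flags=[...]` line; both sample outputs below are constructed, the bridge table from the post's own entries.

```python
import re

# Constructed sample in the layout of `brctl showmacs switch0` (entries taken
# from the post: the laptop and eth3 both sit on port 4).
BRCTL_OUTPUT = """\
port no\tmac addr\t\tis local?\tageing timer
  4\t00:00:39:75:f8:39\tno\t\t   3.17
  2\t00:01:03:24:64:c3\tno\t\t   2.39
  4\t00:c0:f0:59:99:0c\tyes\t\t   0.00
"""

# Constructed sample in the assumed layout of `hostapd_cli all_sta`: the laptop
# has started 802.1X but has not reached the AUTHORIZED state.
ALL_STA_OUTPUT = """\
00:00:39:75:f8:39
flags=[AUTH][ASSOC]
"""

MAC_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}", re.I)


def parse_showmacs(text):
    """Return {mac: (port_no, is_local)} from brctl showmacs output."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not MAC_RE.fullmatch(parts[1]):
            continue  # header line or anything that is not a table row
        table[parts[1].lower()] = (int(parts[0]), parts[2] == "yes")
    return table


def parse_all_sta(text):
    """Return {mac: set(flags)} from hostapd_cli all_sta output."""
    stations, current = {}, None
    for line in text.splitlines():
        if MAC_RE.fullmatch(line.strip()):
            current = line.strip().lower()
            stations[current] = set()
        elif current and line.startswith("flags="):
            stations[current].update(re.findall(r"\[([A-Z-]+)\]", line))
    return stations


def unauthorized_on_port(showmacs, all_sta, port):
    """Non-local MACs the bridge forwards on `port` without hostapd authorization."""
    return sorted(mac for mac, (p, local) in showmacs.items()
                  if p == port and not local
                  and "AUTHORIZED" not in all_sta.get(mac, set()))
```

A non-empty result for the 802.1X port means the bridge is learning (and therefore forwarding for) a host that hostapd has not authorized, which is exactly the fail-open condition John reports.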