Switch set up fails open

John A. Sullivan III jsullivan
Tue Nov 6 06:29:04 PST 2007 

I was hoping you would tell me how you solved it! I have not.  We only
needed this as a prototype switch to demonstrate that we could achieve
true perimeterless network security if we combined 802.1x with the ISCS
network security management project (http://iscs.sourceforge.net).
Since it was only for a prototype, we did not invest much energy in
troubleshooting. Let me know how you fare.  Thanks - John

On Tue, 2007-11-06 at 09:41 +0800, Fachao Deng wrote:
> Hello,all.
> 
> I have met the same problem as this "Switch set up fails open", and struggled to sovle it for days.
> 
> I am also trying to set up a 802.1x enabled wired swich using a PC with two NICS(eth0,eth3, both are added in a bridge br0). I am using xsupplicant,-1.2.8 hostapd-0.5.8, freeRadius-1.1.6.
> 
> My wired.conf is as follows:
> 
> interface=eth3
> bridge=br0
> driver=wired
> logger_stdout=-1
> logger_stdout_level=1
> debug=2
> dump_file=/tmp/hostapd.dump
> 
> ieee8021x=1
> eap_reauth_period=3600
> 
> use_pae_group_addr=1
> own_ip_addr=127.0.0.1
> auth_server_addr=127.0.0.1
> auth_server_port=1812
> auth_server_shared_secret=testing123
> 
> 
> Like what John have said,"Now hostap, freeradius and xsupplicant are all talking to each other and
> exchanging authentication information. However if I do not authenticate, I can still send packets through the interface even if ieee8021x=1."
> 
> 
> I want to know if John have solved this problem, and how to solve it.
> 
> And if anybody know  the reason, give me some help please.
> 
> Any of your suggestion will be great help to me! 
> 
> Thanks!!!
> 
> 
> 
> 
> ---	
> Fachao Deng
> Research Institute of Information Technology
> Tsinghua University, China
> 2007-11-06
> >> Hello, all.  This is my first set up of hostapd.  I'm attempting to
> > create a test 802.1x enabled Linux based switch.  I have an Ubuntu 7.0.4
> > (Feisty) PC with four NICS (eth0,1,2,3) set up in a bridge (switch0)
> > with hostapd 0.5.8 and freeradius 1.1.6.  There is no wireless; this is
> > a LAN switch only.
> > 
> > If I understand correctly, I will ultimately need a separate
> > configuration file for each port (by the way, does hostadp.conf support
> > includes so I can use the same setup for each port and just change the
> > interface?) but for now, to keep things simple, I have only configured
> > eth3.
> > 
> > I plugged my laptop into eth3 with a crossover cable.  Before activating
> > hostapd, the laptop communicated on the network (ping test).  I then
> > activated hostapd and expected that communication would fail since the
> > laptop had not authenticated.  It did not fail; the laptop communicates
> > on the network just as it did without hostapd. I have rebooted it
> > several times with the same results.
> > 
> > I assume this means my setup is not working and not that hostapd fails
> > open on 802.1x.  What is wrong with my configuration?
> > 
> > Here is stdout from hostapd - the laptop rebooted several times while
> > this was running.  The MAC address is that of eth3:
> > jsullivan at testswitch:/var/log$ sudo hostapd -dd /etc/hostapd/hostapd.conf
> > Password:
> > Configuration file: /etc/hostapd/hostapd.conf
> > ctrl_interface_group=0
> > Opening raw packet socket for ifindex 5
> > BSS count 1, BSSID mask ff:ff:ff:ff:ff:ff (0 bits)
> > Flushing old station entries
> > Deauthenticate all stations
> > Using interface eth3 with hwaddr 00:c0:f0:59:99:0c and ssid ''
> > eth3: RADIUS Authentication server 127.0.0.1:1812
> > eth3: Setup of interface done.
> >  
> > Here is syslog (several restarts):
> > Jun  5 16:20:30 testswitch hostapd: eth3: RADIUS Authentication server 127.0.0.1:1812
> > Jun  5 16:24:25 testswitch hostapd: eth3: RADIUS Authentication server 127.0.0.1:1812
> > Jun  5 16:29:15 testswitch hostapd: eth3: RADIUS Authentication server 127.0.0.1:1812
> > Jun  5 16:30:09 testswitch hostapd: eth3: RADIUS Authentication server 127.0.0.1:1812
> > Jun  5 16:59:20 testswitch -- MARK --
> > Jun  5 17:06:46 testswitch hostapd: eth3: RADIUS Authentication server 127.0.0.1:1812
> > 
> > Here is hostapd.conf (remember - no wireless):
> > interface=eth3
> > bridge=switch0 # I tried with and without this parameter
> > driver=wired
> > logger_syslog=54
> > logger_syslog_level=2
> > logger_stdout=54
> > logger_stdout_level=2
> > debug=4
> > dump_file=/tmp/hostapd.dump
> > ctrl_interface=/var/run/hostapd
> > ctrl_interface_group=0
> > #Wireless settings coming up - I changed very few and commented out some
> > - no SSID
> > max_num_sta=255
> > macaddr_acl=0
> > auth_algs=1
> > wme_enabled=1
> > wme_ac_bk_cwmin=4
> > wme_ac_bk_cwmax=10
> > wme_ac_bk_aifs=7
> > wme_ac_bk_txop_limit=0
> > wme_ac_bk_acm=0
> > wme_ac_be_aifs=3
> > wme_ac_be_cwmin=4
> > wme_ac_be_cwmax=10
> > wme_ac_be_txop_limit=0
> > wme_ac_be_acm=0
> > wme_ac_vi_aifs=2
> > wme_ac_vi_cwmin=3
> > wme_ac_vi_cwmax=4
> > wme_ac_vi_txop_limit=94
> > wme_ac_vi_acm=0
> > wme_ac_vo_aifs=2
> > wme_ac_vo_cwmin=2
> > wme_ac_vo_cwmax=3
> > wme_ac_vo_txop_limit=47
> > wme_ac_vo_acm=0
> > ieee8021x=1
> > eapol_key_index_workaround=0
> > eap_server=0
> > own_ip_addr=127.0.0.1
> > auth_server_addr=127.0.0.1 # RADIUS is freeradius on the same computer
> > auth_server_port=1812
> > auth_server_shared_secret=<some secret>
> > 
> > I'm pretty sure I've got the test laptop plugged into the correct port.
> > Here switch MAC table:
> > jsullivan at testswitch:/etc/hostapd$ brctl showmacs switch0
> > port no mac addr                is local?       ageing timer
> >   4     00:00:39:75:f8:39       no                 3.17
> >   2     00:01:03:24:64:c3       no                 2.39
> >   3     00:08:c7:b9:db:18       yes                0.00
> >   2     00:09:5b:50:d9:ea       no                 2.02
> >   2     00:0f:b0:70:ec:42       no                 0.00
> >   2     00:13:20:09:b4:c9       no                49.89
> >   1     00:50:da:59:f4:33       yes                0.00
> >   2     00:90:4b:8b:5d:c3       no                 2.39
> >   2     00:a0:d2:17:26:1c       yes                0.00
> >   4     00:c0:f0:59:99:0c       yes                0.00
> >   2     02:00:00:00:00:03       no                40.91
> >   2     aa:00:00:15:60:3a       no                26.95
> >   2     aa:00:00:4b:17:90       no                 2.02
> >   2     aa:00:00:57:ff:f9       no                32.93
> >       * 
> > 
> > 00:c0:f0:59:99:0c is the MAC being reported by hostapd stdout and it
> > shows on port 4.  00:00:39:75:f8:39 is the MAC address of the laptop and
> > also shows on port 4.
> > 
> > This is a high priority project for us so any help is greatly
> > appreciated.  Thanks - John
> >Well, we've solved most but not all of the problems.  We needed to set
> >use_pae_group_addr=1.  I'm a little concerned about what that means when
> >one switch plugs into another.
> 
> >I also had a mismatch in the CN oid.
> 
> >Now hostap, freeradius and xsupplicant are all talking to each other and
> >exchanging authentication information.
> 
> >However, the switch still fails open.  In other words, if I do not
> >authenticate, I can still send packets through the interface even if
> >ieee8021x=1.  Obviously, this is a big problem.  I've spent a few hours
> >googling and testing but still no success.  What have I configured
> >incorrectly that hostapd is not blocking unauthenticated connections?
> 
> _______________________________________________
> HostAP mailing list
> HostAP at shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

More information about the Hostap mailing list