Authentication failed, but I still can send packets

henry1412 henry1412
Thu Nov 27 22:49:42 PST 2008


 > Are you using wired networks (i.e., IEEE 802.1X for Ethernet)? If yes,
> please note that hostapd does not include port access entity (PAE). In
> other words, it does not enforce the port authorized/unauthorized
> processing or in any way change how data frames are passed through.

> If you want to block the frames on an unauthorized port in a wired
> network, you will need to use external mechanism (e.g., a kernel module
> to implement PAE functionality or Linux bridge filtering/ibtables) to do
> this and modify hostapd wired driver wrapper (driver_wired.c) to
> configure the external mechanism to block/unblock the port based on IEEE
> 802.1X authorization state.
>
> Jouni Malinen            
                               
I am sorry to send the same email again, because of the last email had some format error.

Hi, Jouni Malinen, I have followed your suggestion that used PAE functionality and modify hostapd wired driver wrapper (driver_wired.c) to configure the external mechanism to block/unblock the port based on IEEE 802.1X authorization state. I meet the new problem and couldn't resolved it. Even I added PAE module in hostapd, the PAE mechanism cann't block the 
unauthorized user in my environment.

I used the 0.0.3 version pae programe writed by Gunter Burchardt. The hostapd is 0.4.8 version. The linux kernel is 2.6.10. The following was my operation.

step 1:    Layer2 patch
The pae-0.0.3 supported a old patch patch-o-matic-ng-20040621 (www.netfilter.org) for 2.6.8.1 kernel.
I used the pf_packet-linux-2.6.10.patch    patch for 2.6.10 kernel.
cd linux 
patch -p1 < ../pf_packet-linux-2.6.10.patch

step 2: hostap patch
The pae-0.0.3 supported a old patch hostap-0.3.5.patch to update the driver_wired.c.
When I used hostap-0.3.0.patch to update driver_wired.c in hostapd-0.4.8, It appeared many errors. So copied a driver_wired.c in hostapd-0.3.5 to overcast the driver_wired.c in hostapd-0.4.8. After that,I patched successed.
cd hostapd
patch < hostap-0.3.5.patch

step 3: make pae module
Specified the KERNEL_PATH=/usr/src/linux-2.6.10 in Makefile and make. It appeared a error message.
passing arg 1 of `wireless_send_event' discards qualifiers from pointer target type
*** Warning: "wireless_send_event" [/linux-tools/hostapd/pae/modules/pae.ko] undefined!
The error reason was the CONFIG_NET_RADIO was commented, so I umcomment it.
#
# Wireless LAN (non-hamradio)
#
CONFIG_NET_RADIO=y
Then make again, The error was disappeared and builded a pae.ko module.

step 4: insert pae module
When I did 'insmod pae.ko' operation in a ARM platform, It appeared a new error.
insmod: cannot insert `pae.ko': Unknown symbol in module (-1): No such file or directory
How to resolve this error ?
I guessed the reason what my system didn't supported wireless_send_event function, I comment
the line of 'wireless_send_event(indev, IWEVREGISTERED,&wreq, (char *)NULL);' in pae/modules/pae_hook.c
file and make again. 
Insmod pae.ko operation was successed in no wireless_send_event function supported mode.

step 5: authorized user
Start the hostapd daemon with the configuration file. 
/hostapd wired.conf &
The hostapd was normally running.
The wpa_supplicant client send a authorized request with a wrong password, in the case of that, the radius server rejected the authentication and the hostapd displayed authentication failed too. But the wpa client could also send packages to radius server, It means that  the PAE mechanism cann't block the unauthorized user in my environment.
The pae displayed the follow information, 00:13:d7:20:00:f0 was the client MAC address. 
cat /proc/net/pae/br0/stations  
station mac       | auth | rx_bytes   | tx_bytes   | rx_packets | tx_packets
00:13:d7:20:00:f0 |      |          0 |          0 |          0 |          0

How to resolve the error of 'insmod: cannot insert `pae.ko': Unknown symbol in module (-1): No such file or directory',
even if the kernel supports 'CONFIG_NET_RADIO=y' option ?
How to block the unauthorized user with PAE mechanism ?

Thank you very much !
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20081128/1221b7f6/attachment-0001.htm 



More information about the Hostap mailing list