Non-bridging access point

Richard Lewis richard.lewis
Tue Sep 30 09:13:38 PDT 2014


Hi there,

I'm trying to configure a Debian GNU/Linux "jessie" box to work as a
wifi access point. It's going to use WPA PSK authentication, provide
DHCP for clients, but clients will only use the access point to access
services running on the host itself; there will be no gateway to any
other network (including the internet).

I have the following configuration set up so far:

/etc/hostapd/myap.conf:
----------------------------------------------------------
interface=wlan0
driver=nl80211
ssid=myap
wme_enabled=0
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=thepassword
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
----------------------------------------------------------

/etc/default/hostapd:
----------------------------------------------------------
DAEMON_CONF="/etc/hostapd/myap.conf"
----------------------------------------------------------

/etc/dhcp/dhcpd.conf:
----------------------------------------------------------
option domain-name "myap.net";

option domain-name-servers 208.67.220.220, 208.67.222.222;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.101 192.168.1.254;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.100;
    option domain-name-servers 192.168.1.100;
}

default-lease-time 600;
max-lease-time 7200;
authoritative;
----------------------------------------------------------

/etc/default/isc-dhcp-server:
----------------------------------------------------------
INTERFACES="wlan0"
----------------------------------------------------------

/etc/network/interfaces:
----------------------------------------------------------
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
	address 123.546.x.x
	netmask 255.255.0.0
	network 123.546.0.0
	broadcast 123.546.255.255
	gateway 123.546.x.x
	# dns-* options are implemented by the resolvconf package, if installed
	dns-nameservers 208.67.220.220 208.67.222.222

allow-hotplug wlan0
auto wlan0
iface wlan0 inet static
	address 192.168.1.100
	netmask 255.255.255.0
	broadcast 192.168.1.255
----------------------------------------------------------

Notice that I don't specify a 'bridge' in my hostapd conf file. This
is because I'm not trying to create a bridge. Also notice that the
ethernet interface is connected to another network that does have a
gateway to the internet, but remember that I'm *not* bridging wlan0 to
eth0.

This is the wireless card in the box:

02:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8188CE 802.11b/g/n WiFi Adapter (rev 01)
	Subsystem: AzureWave Device 2057
	Kernel driver in use: rtl8192ce

Both dhcpd and hostapd are running. I can scan the wifi network from
my client machine. When I try to connect to the network I get the
following on the client machine:

local# iw dev wlan0 connect myap
local# wpa_supplicant -i wlan0 -c <(wpa_passphrase myap thepassword)
Successfully initialized wpa_supplicant
wlan0: CTRL-EVENT-SCAN-STARTED 
wlan0: SME: Trying to authenticate with xx:xx:xx:xx:xx:xx (SSID='myap' freq=2437 MHz)
wlan0: Trying to associate with xx:xx:xx:xx:xx:xx (SSID='myap' freq=2437 MHz)
wlan0: Associated with xx:xx:xx:xx:xx:xx
wlan0: CTRL-EVENT-DISCONNECTED bssid=xx:xx:xx:xx:xx:xx reason=2
wlan0: WPA: 4-Way Handshake failed - pre-shared key may be incorrect
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="myap" auth_failures=1 duration=10 reason=WRONG_KEY
wlan0: CTRL-EVENT-REGDOM-CHANGE init=DRIVER type=WORLD
wlan0: CTRL-EVENT-SCAN-STARTED 
wlan0: CTRL-EVENT-SCAN-STARTED 
^Cwlan0: CTRL-EVENT-TERMINATING 

I also tried connecting using the /etc/network/interfaces file like
this, just in case wpa_passphrase was doing something wrong with the
passphrase:

iface wlan0-myap inet dhcp
	wpa-ssid myap
	wpa-psk thepassword

# ifup -v wlan0
Running mapping script ifscheme-mapping on wlan0
Configuring interface wlan0=wlan0-myap (inet)
run-parts --exit-on-error --verbose /etc/network/if-pre-up.d
run-parts: executing /etc/network/if-pre-up.d/ethtool
run-parts: executing /etc/network/if-pre-up.d/wireless-tools
run-parts: executing /etc/network/if-pre-up.d/wpasupplicant
wpa_supplicant: wpa-driver nl80211,wext (default)
wpa_supplicant: /sbin/wpa_supplicant -s -B -P /run/wpa_supplicant.wlan0.pid -i wlan0 -D nl80211,wext -C /run/wpa_supplicant
Starting /sbin/wpa_supplicant...
wpa_supplicant: creating sendsigs omission pidfile: /run/sendsigs.omit.d/wpasupplicant.wpa_supplicant.wlan0.pid
wpa_supplicant: ctrl_interface socket located at /run/wpa_supplicant/wlan0
wpa_supplicant: configuring network block -- 0
wpa_supplicant: wpa-ssid "myap" -- OK
wpa_supplicant: wpa-psk ***** -- OK
wpa_supplicant: enabling network block 0 -- OK

dhclient -v -pf /run/dhclient.wlan0.pid -lf /var/lib/dhcp/dhclient.wlan0.leases wlan0 	
Internet Systems Consortium DHCP Client 4.3.1
Copyright 2004-2014 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/wlan0/a4:17:31:f4:8b:81
Sending on   LPF/wlan0/a4:17:31:f4:8b:81
Sending on   Socket/fallback
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 6
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 9
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 12
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 13
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 15
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 6
No DHCPOFFERS received.
No working leases in persistent database - sleeping.
run-parts --exit-on-error --verbose /etc/network/if-up.d
run-parts: executing /etc/network/if-up.d/000resolvconf
run-parts: executing /etc/network/if-up.d/avahi-daemon
run-parts: executing /etc/network/if-up.d/ethtool
run-parts: executing /etc/network/if-up.d/mountnfs
run-parts: executing /etc/network/if-up.d/ntpdate
run-parts: executing /etc/network/if-up.d/openssh-server
run-parts: executing /etc/network/if-up.d/upstart
run-parts: executing /etc/network/if-up.d/wpasupplicant
----------------------------------------------------------

I'm not quite sure whether this output means that the authentication
worked and that there's something wrong with the DHCP, or if it just
ignores (or doesn't notice?) the authentication problem?

One last bit of information is the output from hostapd which looks
like this:

nl80211: Event message available
nl80211: BSS Event 59 (NL80211_CMD_FRAME) received for wlan0
nl80211: MLME event 59 (NL80211_CMD_FRAME) on wlan0(s:e:r:v:e:r) A1=s:e:r:v:e:r A2=c:l:i:e:n:t
nl80211: MLME event frame - hexdump(len=67): [...]
nl80211: Frame event
nl80211: RX frame freq=2437 ssi_signal=-50 stype=4 len=67
nl80211: send_mlme - noack=0 freq=0 no_cck=0 offchanok=0 wait_time=0 fc=0x50 nlmode=3
nl80211: send_mlme -> send_frame
nl80211: send_frame - Use bss->freq=2437
nl80211: send_frame -> send_frame_cmd
nl80211: CMD_FRAME freq=2437 wait=0 no_cck=0 no_ack=0 offchanok=0
CMD_FRAME - hexdump(len=129): [...]
nl80211: Frame TX command accepted; cookie 0xffff8800596eab00
nl80211: Event message available
nl80211: Drv Event 60 (NL80211_CMD_FRAME_TX_STATUS) received for wlan0
nl80211: MLME event 60 (NL80211_CMD_FRAME_TX_STATUS) on wlan0(s:e:r:v:e:r) A1=c:l:i:e:n:t A2=s:e:r:v:e:r
nl80211: MLME event frame - hexdump(len=129): [...]
nl80211: Frame TX status event
wlan0: Event TX_STATUS (18) received
nl80211: Event message available
nl80211: BSS Event 59 (NL80211_CMD_FRAME) received for wlan0
nl80211: MLME event 59 (NL80211_CMD_FRAME) on wlan0(s:e:r:v:e:r) A1=s:e:r:v:e:r A2=c:l:i:e:n:t
nl80211: MLME event frame - hexdump(len=30): [...]
nl80211: Frame event
nl80211: RX frame freq=2437 ssi_signal=-50 stype=11 len=30
wlan0: Event RX_MGMT (20) received
mgmt::auth
authentication: STA=c:l:i:e:n:t auth_alg=0 auth_transaction=1 status_code=0 wep=0
  New STA
ap_sta_add: register ap_handle_timer timeout for c:l:i:e:n:t (300 seconds - ap_max_inactivity)
wlan0: STA c:l:i:e:n:t IEEE 802.11: authentication OK (open system)
wlan0: STA c:l:i:e:n:t MLME: MLME-AUTHENTICATE.indication(c:l:i:e:n:t, OPEN_SYSTEM)
wlan0: STA c:l:i:e:n:t MLME: MLME-DELETEKEYS.request(c:l:i:e:n:t)
authentication reply: STA=c:l:i:e:n:t auth_alg=0 auth_transaction=2 resp=0 (IE len=0)
nl80211: send_mlme - noack=0 freq=0 no_cck=0 offchanok=0 wait_time=0 fc=0xb0 nlmode=3
nl80211: send_mlme -> send_frame
nl80211: send_frame - Use bss->freq=2437
nl80211: send_frame -> send_frame_cmd
nl80211: CMD_FRAME freq=2437 wait=0 no_cck=0 no_ack=0 offchanok=0
CMD_FRAME - hexdump(len=30): b0 00 00 00 40 b0 fa c7 48 05 00 08 ca f7 01 d4 00 08 ca f7 01 d4 00 00 00 00 02 00 00 00
nl80211: Frame TX command accepted; cookie 0xffff8800596ea500
nl80211: Event message available
nl80211: Drv Event 60 (NL80211_CMD_FRAME_TX_STATUS) received for wlan0
nl80211: MLME event 60 (NL80211_CMD_FRAME_TX_STATUS) on wlan0(s:e:r:v:e:r) A1=c:l:i:e:n:t A2=s:e:r:v:e:r
nl80211: MLME event frame - hexdump(len=30): [...]
nl80211: Frame TX status event
wlan0: Event TX_STATUS (18) received
mgmt::auth cb
wlan0: STA c:l:i:e:n:t IEEE 802.11: authenticated
nl80211: Event message available
nl80211: BSS Event 59 (NL80211_CMD_FRAME) received for wlan0
nl80211: MLME event 59 (NL80211_CMD_FRAME) on wlan0(s:e:r:v:e:r) A1=s:e:r:v:e:r A2=c:l:i:e:n:t
nl80211: MLME event frame - hexdump(len=81): [...]
nl80211: Frame event
nl80211: RX frame freq=2437 ssi_signal=-50 stype=0 len=81
wlan0: Event RX_MGMT (20) received
mgmt::assoc_req
association request: STA=c:l:i:e:n:t capab_info=0x431 listen_interval=1
  new AID 1
wlan0: STA c:l:i:e:n:t IEEE 802.11: association OK (aid 1)
nl80211: send_mlme - noack=0 freq=0 no_cck=0 offchanok=0 wait_time=0 fc=0x10 nlmode=3
nl80211: send_mlme -> send_frame
nl80211: send_frame - Use bss->freq=2437
nl80211: send_frame -> send_frame_cmd
nl80211: CMD_FRAME freq=2437 wait=0 no_cck=0 no_ack=0 offchanok=0
CMD_FRAME - hexdump(len=61): [...]
nl80211: Frame TX command accepted; cookie 0xffff8800596eaa00
nl80211: Event message available
nl80211: Drv Event 60 (NL80211_CMD_FRAME_TX_STATUS) received for wlan0
nl80211: MLME event 60 (NL80211_CMD_FRAME_TX_STATUS) on wlan0(s:e:r:v:e:r) A1=c:l:i:e:n:t A2=s:e:r:v:e:r
nl80211: MLME event frame - hexdump(len=61): [...]
nl80211: Frame TX status event
wlan0: Event TX_STATUS (18) received
mgmt::assoc_resp cb
wlan0: STA c:l:i:e:n:t IEEE 802.11: associated (aid 1)
wlan0: STA c:l:i:e:n:t MLME: MLME-ASSOCIATE.indication(c:l:i:e:n:t)
wlan0: STA c:l:i:e:n:t MLME: MLME-DELETEKEYS.request(c:l:i:e:n:t)
wpa_driver_nl80211_set_key: ifindex=4 (wlan0) alg=0 addr=0x7f93c05123d0 key_idx=0 set_tx=1 seq_len=0 key_len=0
   addr=c:l:i:e:n:t
nl80211: sta_remove -> DEL_STATION wlan0 c:l:i:e:n:t --> -2 (No such file or directory)
nl80211: Add STA c:l:i:e:n:t
  * supported rates - hexdump(len=12): 82 84 8b 96 0c 12 18 24 30 48 60 6c
  * aid=1
  * listen_interval=1
  * capability=0x431
  * flags set=0x4 mask=0x4
wlan0: STA c:l:i:e:n:t WPA: event 1 notification
wpa_driver_nl80211_set_key: ifindex=4 (wlan0) alg=0 addr=0x7f93c05123d0 key_idx=0 set_tx=1 seq_len=0 key_len=0
   addr=c:l:i:e:n:t
IEEE 802.1X: Ignore STA - 802.1X not enabled or forced for WPS
wlan0: STA c:l:i:e:n:t WPA: start authentication
WPA: c:l:i:e:n:t WPA_PTK entering state INITIALIZE
wpa_driver_nl80211_set_key: ifindex=4 (wlan0) alg=0 addr=0x7f93c05123d0 key_idx=0 set_tx=1 seq_len=0 key_len=0
   addr=c:l:i:e:n:t
wlan0: STA c:l:i:e:n:t IEEE 802.1X: unauthorizing port
WPA: c:l:i:e:n:t WPA_PTK_GROUP entering state IDLE
WPA: c:l:i:e:n:t WPA_PTK entering state AUTHENTICATION
WPA: c:l:i:e:n:t WPA_PTK entering state AUTHENTICATION2
Get randomness: len=32 entropy=262
WPA: Assign ANonce - hexdump(len=32): [...]
WPA: c:l:i:e:n:t WPA_PTK entering state INITPSK
Searching a PSK for c:l:i:e:n:t prev_psk=(nil)
Searching a PSK for c:l:i:e:n:t prev_psk=(nil)
WPA: c:l:i:e:n:t WPA_PTK entering state PTKSTART
wlan0: STA c:l:i:e:n:t WPA: sending 1/4 msg of 4-Way Handshake
WPA: Send EAPOL(version=2 secure=0 mic=0 ack=1 install=0 pairwise=1 kde_len=0 keyidx=0 encr=0)
WPA: Use EAPOL-Key timeout of 100 ms (retry counter 1)
hostapd_new_assoc_sta: reschedule ap_handle_timer timeout for c:l:i:e:n:t (300 seconds - ap_max_inactivity)
nl80211: Event message available
nl80211: Drv Event 19 (NL80211_CMD_NEW_STATION) received for wlan0
nl80211: New station c:l:i:e:n:t
wlan0: Event EAPOL_TX_STATUS (40) received
IEEE 802.1X: c:l:i:e:n:t TX status - version=2 type=3 length=95 - ack=1
WPA: EAPOL-Key TX status for STA c:l:i:e:n:t ack=1
WPA: Increase initial EAPOL-Key 1/4 timeout by 1000 ms because of acknowledged frame
wlan0: STA c:l:i:e:n:t WPA: EAPOL-Key timeout
WPA: c:l:i:e:n:t WPA_PTK entering state PTKSTART
wlan0: STA c:l:i:e:n:t WPA: sending 1/4 msg of 4-Way Handshake
WPA: Send EAPOL(version=2 secure=0 mic=0 ack=1 install=0 pairwise=1 kde_len=0 keyidx=0 encr=0)
WPA: Use EAPOL-Key timeout of 1000 ms (retry counter 2)
wlan0: Event EAPOL_TX_STATUS (40) received
IEEE 802.1X: c:l:i:e:n:t TX status - version=2 type=3 length=95 - ack=1
WPA: EAPOL-Key TX status for STA c:l:i:e:n:t ack=1
wlan0: STA c:l:i:e:n:t WPA: EAPOL-Key timeout
WPA: c:l:i:e:n:t WPA_PTK entering state PTKSTART
wlan0: STA c:l:i:e:n:t WPA: sending 1/4 msg of 4-Way Handshake
WPA: Send EAPOL(version=2 secure=0 mic=0 ack=1 install=0 pairwise=1 kde_len=0 keyidx=0 encr=0)
WPA: Use EAPOL-Key timeout of 1000 ms (retry counter 3)
wlan0: Event EAPOL_TX_STATUS (40) received
IEEE 802.1X: c:l:i:e:n:t TX status - version=2 type=3 length=95 - ack=1
WPA: EAPOL-Key TX status for STA c:l:i:e:n:t ack=1
wlan0: STA c:l:i:e:n:t WPA: EAPOL-Key timeout
WPA: c:l:i:e:n:t WPA_PTK entering state PTKSTART
wlan0: STA c:l:i:e:n:t WPA: sending 1/4 msg of 4-Way Handshake
WPA: Send EAPOL(version=2 secure=0 mic=0 ack=1 install=0 pairwise=1 kde_len=0 keyidx=0 encr=0)
WPA: Use EAPOL-Key timeout of 1000 ms (retry counter 4)
wlan0: Event EAPOL_TX_STATUS (40) received
IEEE 802.1X: c:l:i:e:n:t TX status - version=2 type=3 length=95 - ack=1
WPA: EAPOL-Key TX status for STA c:l:i:e:n:t ack=1
wlan0: STA c:l:i:e:n:t WPA: EAPOL-Key timeout
WPA: c:l:i:e:n:t WPA_PTK entering state PTKSTART
wlan0: STA c:l:i:e:n:t WPA: PTKSTART: Retry limit 4 reached
WPA: c:l:i:e:n:t WPA_PTK entering state DISCONNECT
wpa_sta_disconnect STA c:l:i:e:n:t
hostapd_wpa_auth_disconnect: WPA authenticator requests disconnect: STA c:l:i:e:n:t reason 2
nl80211: send_mlme - noack=0 freq=0 no_cck=0 offchanok=0 wait_time=0 fc=0xc0 nlmode=3
nl80211: send_mlme -> send_frame
nl80211: send_frame - Use bss->freq=2437
nl80211: send_frame -> send_frame_cmd
nl80211: CMD_FRAME freq=2437 wait=0 no_cck=0 no_ack=0 offchanok=0
CMD_FRAME - hexdump(len=26): [...]
nl80211: Frame TX command accepted; cookie 0xffff8800596ea800
wlan0: STA c:l:i:e:n:t WPA: event 3 notification
wpa_driver_nl80211_set_key: ifindex=4 (wlan0) alg=0 addr=0x7f93c05123d0 key_idx=0 set_tx=1 seq_len=0 key_len=0
   addr=c:l:i:e:n:t
WPA: wpa_sm_step() called recursively
ap_sta_disconnect: reschedule ap_handle_timer timeout for c:l:i:e:n:t (5 seconds - AP_MAX_INACTIVITY_AFTER_DEAUTH)
WPA: c:l:i:e:n:t WPA_PTK entering state DISCONNECTED
WPA: c:l:i:e:n:t WPA_PTK entering state INITIALIZE
wpa_driver_nl80211_set_key: ifindex=4 (wlan0) alg=0 addr=0x7f93c05123d0 key_idx=0 set_tx=1 seq_len=0 key_len=0
   addr=c:l:i:e:n:t
wlan0: STA c:l:i:e:n:t IEEE 802.1X: unauthorizing port
nl80211: Event message available
nl80211: Drv Event 60 (NL80211_CMD_FRAME_TX_STATUS) received for wlan0
nl80211: MLME event 60 (NL80211_CMD_FRAME_TX_STATUS) on wlan0(s:e:r:v:e:r) A1=c:l:i:e:n:t A2=s:e:r:v:e:r
nl80211: MLME event frame - hexdump(len=26): [...]
nl80211: Frame TX status event
wlan0: Event TX_STATUS (18) received
mgmt::deauth cb
STA c:l:i:e:n:t acknowledged deauth
Removing STA c:l:i:e:n:t from kernel driver
nl80211: sta_remove -> DEL_STATION wlan0 c:l:i:e:n:t --> 0 (Success)
wlan0: STA c:l:i:e:n:t MLME: MLME-DEAUTHENTICATE.indication(c:l:i:e:n:t, 2)
wlan0: STA c:l:i:e:n:t MLME: MLME-DELETEKEYS.request(c:l:i:e:n:t)
wpa_driver_nl80211_set_key: ifindex=4 (wlan0) alg=0 addr=0x7f93c05123d0 key_idx=0 set_tx=1 seq_len=0 key_len=0
   addr=c:l:i:e:n:t

(Hope this is enough of the output. I've removed most of the hexdumps
and hidden the MAC addresses.)

I can see quite a few "EAPOL-Key timeout" messages. And then there's
this "hostapd_wpa_auth_disconnect: WPA authenticator requests
disconnect ... reason 2". Are these indicative of anything?

I was just trying to investigate whether this might be related to not
having a bridge configured.
<http://madwifi-project.org/wiki/UserDocs/HostAP> has the following to
say:

> If you're bridging between the wireless and wired (ie using brctl),
> you must add a line such as:
> 
>   bridge=br0
> 
> or whatever the bridge name you are using to the config file, or the
> WPA key exchange packets will get eaten by the bridge.
> 
> Symptom of this problem is that the host AP will retransmit the WPA
> key exchange packets (3 times) then deassociate the authenticating
> STA. The associating STA will receive the initial EAP-KEY packets,
> and respond, but the transmissions from the STA never reach the host
> AP daemon.

Might this be relevant? Should I try and set up some sort of dummy
bridge?

I also notice from the example hostapd.conf file,

> If the bridge parameter is not set, the drivers will automatically
> figure out the bridge interface (assuming sysfs is enabled and
> mounted to /sys) and this parameter may not be needed.

Could this be happening? Could it be creating a bridge interface and
then timing out trying to get a response from it?

Thanks for any help.

Richard
-- 
Blank
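
An added example (not part of the original post and not hostapd code): a small Python triage of hostapd debug output that separates a handshake where message 2/4 was never processed by hostapd from one where it arrived and failed the MIC check. The `c:l:i:e:n:t` lines are taken from the log above; the second station and the `received EAPOL-Key frame` / `invalid MIC` wordings are assumptions about hostapd's log text.

```python
import re
from collections import defaultdict

# Lines for c:l:i:e:n:t are copied from the hostapd output in the post.
# Lines for 02:00:00:00:00:01 are constructed; the "received EAPOL-Key frame"
# and "invalid MIC" wordings are assumed from hostapd's logging, not the post.
SAMPLE_LOG = """\
wlan0: STA c:l:i:e:n:t WPA: sending 1/4 msg of 4-Way Handshake
WPA: EAPOL-Key TX status for STA c:l:i:e:n:t ack=1
wlan0: STA c:l:i:e:n:t WPA: EAPOL-Key timeout
wlan0: STA c:l:i:e:n:t WPA: sending 1/4 msg of 4-Way Handshake
WPA: EAPOL-Key TX status for STA c:l:i:e:n:t ack=1
wlan0: STA c:l:i:e:n:t WPA: EAPOL-Key timeout
wlan0: STA c:l:i:e:n:t WPA: PTKSTART: Retry limit 4 reached
hostapd_wpa_auth_disconnect: WPA authenticator requests disconnect: STA c:l:i:e:n:t reason 2
wlan0: STA 02:00:00:00:00:01 WPA: sending 1/4 msg of 4-Way Handshake
wlan0: STA 02:00:00:00:00:01 WPA: received EAPOL-Key frame (2/4 Pairwise)
wlan0: STA 02:00:00:00:00:01 WPA: invalid MIC in msg 2/4 of 4-Way Handshake
"""

EVENTS = {
    "msg1_sent": re.compile(r"STA (\S+) WPA: sending 1/4 msg"),
    "msg1_acked": re.compile(r"EAPOL-Key TX status for STA (\S+) ack=1"),
    "msg2_seen": re.compile(r"STA (\S+) WPA: received EAPOL-Key frame \(2/4"),
    "bad_mic": re.compile(r"STA (\S+) WPA: invalid MIC in msg 2/4"),
    "retry_limit": re.compile(r"STA (\S+) WPA: PTKSTART: Retry limit \d+ reached"),
}

def summarize(log_text):
    """Count handshake events per station MAC."""
    stats = defaultdict(lambda: dict.fromkeys(EVENTS, 0))
    for line in log_text.splitlines():
        for name, pattern in EVENTS.items():
            m = pattern.search(line)
            if m:
                stats[m.group(1)][name] += 1
    return dict(stats)

def classify(s):
    """Map one station's counters to a likely failure class."""
    if s["bad_mic"]:
        return "psk-mismatch"          # message 2 arrived, MIC check failed
    if s["retry_limit"] and not s["msg2_seen"]:
        # 1/4 was ACKed on the air, yet no 2/4 was ever processed by hostapd:
        # the passphrase was never tested on the AP side.
        return "msg2-never-received" if s["msg1_acked"] else "msg1-not-acked"
    return "incomplete"

if __name__ == "__main__":
    for sta, s in summarize(SAMPLE_LOG).items():
        print(sta, classify(s), s)
```
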



More information about the Hostap mailing list