Cannot get hostapd radius to authenticate OSEN connection.
Ben Greear
greearb
Thu Mar 19 17:58:21 PDT 2015
I cannot seem to get a hostapd radius server to authenticate an OSEN connection.
I think it might be some issue with the hostapd-radius server, but not sure why.
I have enabled CONFIG_EAP_UNAUTH_TLS=y in the wpa_supplicant and hostapd config files.
(This config option should be mentioned in the defconfig files?).
hostapd-radius conf:
interface=eth0#0
driver=wired
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
#ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=/etc/hostapd.eap_user
server_id=ota-2.lanforge.com
eap_sim_db=unix:/tmp/hlr_auc_gw.sock
radius_server_auth_port=1811
radius_server_clients=/etc/hostapd.radius_clients
[root at ben-ota-2 wifi]# cat /etc/hostapd.eap_user
"*@lanforge.com" TLS
"0"* AKA
"2"* AKA
"4"* AKA
"osen at lanforge.com" WFA-UNAUTH-TLS
Here is log. Maybe the important bit is about not being able to find ssl ctxt?
[root at ben-ota-2 wifi]# cat /tmp/hostapd_log_eth0#0.txt
1426812353.330157: Configuration file: wifi/hostapd_eth0#0.conf
1426812353.330366: ctrl_interface_group=0
1426812353.330436: Opening raw packet socket for ifindex 9
1426812353.336157: BSS count 1, BSSID mask 00:00:00:00:00:00 (0 bits)
1426812353.336182: Using existing control interface directory.
1426812353.336203: ctrl_iface bind(PF_UNIX) failed: Address already in use
1426812353.336211: ctrl_iface exists, but does not allow connections - assuming it was leftover from forced program termination
1426812353.336226: Successfully replaced leftover ctrl_iface socket '/var/run/hostapd/eth0#0'
1426812353.336245: 1426812353.336245: eth0#0: IEEE 802.11 Fetching hardware channel/rate support not supported.
1426812353.336250: Completing interface initialization
1426812353.336253: hostapd_setup_bss(hapd=0x1711aa0 (eth0#0), first=1)
1426812353.336259: eth0#0: Flushing old station entries
1426812353.336263: eth0#0: Deauthenticate all stations
1426812353.336269: Using interface eth0#0 with hwaddr 00:90:0b:f6:bd:c0 and ssid ""
1426812353.336291: connect(eap_sim_db): No such file or directory
1426812353.336296: HLR/AuC GW socket - hexdump_ascii(len=20):
2f 74 6d 70 2f 68 6c 72 5f 61 75 63 5f 67 77 2e /tmp/hlr_auc_gw.
73 6f 63 6b sock
1426812353.336318: EAP-SIM DB: External database connection not available - will retry later
1426812353.336369: eth0#0: interface state UNINITIALIZED->ENABLED
1426812353.336376: eth0#0: AP-ENABLED
1426812353.336380: eth0#0: Setup of interface done.
1426812353.336383: ctrl_iface not configured!
1426812366.389784: RADIUS SRV: Received 198 bytes from 127.0.0.1:27438
1426812366.389806: RADIUS SRV: Received data - hexdump(len=198): 01 73 00 c6 da c0 50 a8 f5 73 91 b4 b4 78 0f ff 66 ec 35 28 01 13 6f 73 65 6e 40 6c 61 6e 66 6f 72 67 65 2e 63 6f 6d 04 06 7f 00 00 01 1e 1f 30 30 2d 30 45 2d 38 45 2d 32 42 2d 45 35 2d 39 36 3a 6f 74 61 2d 39 6b 2d 6f 73 65 6e 3d 06 00 00 00 13 05 06 00 00 00 01 1f 13 30 30 2d 30 45 2d 38 45 2d 34 45 2d 35 37 2d 39 37 4d 18 43 4f 4e 4e 45 43 54 20 35 34 4d 62 70 73 20 38 30 32 2e 31 31 67 2c 13 35 35 30 42 36 34 41 38 2d 30 30 30 30 30 30 37 31 0c 06 00 00 05 78 4f 18 02 55 00 16 01 6f 73 65 6e 40 6c 61 6e 66 6f 72 67 65 2e 63 6f 6d 50 12 6e 14 07 8a 32 cd dc 25 42 07 34 73 9d f4 0a 89
1426812366.389841: RADIUS message: code=1 (Access-Request) identifier=115 length=198
1426812366.389846: Attribute 1 (User-Name) length=19
1426812366.389851: Value: 'osen at lanforge.com'
1426812366.389855: Attribute 4 (NAS-IP-Address) length=6
1426812366.389859: Value: 127.0.0.1
1426812366.389863: Attribute 30 (Called-Station-Id) length=31
1426812366.389867: Value: '00-0E-8E-2B-E5-96:ota-9k-osen'
1426812366.389871: Attribute 61 (NAS-Port-Type) length=6
1426812366.389875: Value: 19
1426812366.389878: Attribute 5 (NAS-Port) length=6
1426812366.389882: Value: 1
1426812366.389886: Attribute 31 (Calling-Station-Id) length=19
1426812366.389890: Value: '00-0E-8E-4E-57-97'
1426812366.389893: Attribute 77 (Connect-Info) length=24
1426812366.389897: Value: 'CONNECT 54Mbps 802.11g'
1426812366.389900: Attribute 44 (Acct-Session-Id) length=19
1426812366.389904: Value: '550B64A8-00000071'
1426812366.389908: Attribute 12 (Framed-MTU) length=6
1426812366.389911: Value: 1400
1426812366.389915: Attribute 79 (EAP-Message) length=24
1426812366.389922: Value: 02550016016f73656e406c616e666f7267652e636f6d
1426812366.389926: Attribute 80 (Message-Authenticator) length=18
1426812366.389931: Value: 6e14078a32cddc25420734739df40a89
1426812366.389977: RADIUS SRV: Creating a new session
1426812366.389982: RADIUS SRV: User-Name - hexdump_ascii(len=17):
6f 73 65 6e 40 6c 61 6e 66 6f 72 67 65 2e 63 6f osen at lanforge.co
6d m
1426812366.390005: RADIUS SRV: Matching user entry found
1426812366.390011: RADIUS SRV: [0x0 127.0.0.1] New session created
1426812366.390023: EAP: Server state machine created
1426812366.390029: RADIUS SRV: New session 0x0 initialized
1426812366.390042: RADIUS SRV: Received EAP data - hexdump(len=22): 02 55 00 16 01 6f 73 65 6e 40 6c 61 6e 66 6f 72 67 65 2e 63 6f 6d
1426812366.390049: EAP: EAP entering state INITIALIZE
1426812366.390052: EAP: parseEapResp: rxResp=1 rxInitiate=0 respId=85 respMethod=1 respVendor=0 respVendorMethod=0
1426812366.390059: eth0#0: CTRL-EVENT-EAP-STARTED 00:00:00:00:00:00
1426812366.390062: EAP: EAP entering state PICK_UP_METHOD
1426812366.390067: eth0#0: CTRL-EVENT-EAP-PROPOSED-METHOD method=1
1426812366.390070: EAP: EAP entering state METHOD_RESPONSE
1426812366.390073: EAP-Identity: Peer identity - hexdump_ascii(len=17):
6f 73 65 6e 40 6c 61 6e 66 6f 72 67 65 2e 63 6f osen at lanforge.co
6d m
1426812366.390087: RADIUS SRV: [0x0 127.0.0.1] EAP: EAP-Response/Identity 'osen at lanforge.com'
1426812366.390091: EAP: EAP entering state SELECT_ACTION
1426812366.390095: EAP: getDecision: another method available -> CONTINUE
1426812366.390098: EAP: EAP entering state PROPOSE_METHOD
1426812366.390101: EAP: getNextMethod: vendor 40808 type 13
1426812366.390108: TLS context not initialized - cannot use TLS-based EAP method
1426812366.390112: EAP-TLS: Failed to initialize SSL.
1426812366.390118: EAP: Failed to initialize EAP method 254
1426812366.390121: EAP: getNextMethod: vendor 0 type 0
1426812366.390125: EAP: Could not find suitable EAP method
1426812366.390129: RADIUS SRV: [0x0 127.0.0.1] EAP: Could not find suitable EAP method
1426812366.390132: EAP: EAP entering state METHOD_REQUEST
1426812366.390135: EAP: method not initialized
1426812366.390138: EAP: EAP entering state FAILURE
1426812366.390141: EAP: Building EAP-Failure (id=85)
1426812366.390146: eth0#0: CTRL-EVENT-EAP-FAILURE 00:00:00:00:00:00
1426812366.390149: RADIUS SRV: EAP data from the state machine - hexdump(len=4): 04 55 00 04
1426812366.390154: RADIUS SRV: [0x0 127.0.0.1] EAP authentication failed
1426812366.390168: RADIUS SRV: Reply to 127.0.0.1:27438
1426812366.390172: RADIUS message: code=3 (Access-Reject) identifier=115 length=44
1426812366.390176: Attribute 79 (EAP-Message) length=6
1426812366.390180: Value: 04550004
1426812366.390183: Attribute 80 (Message-Authenticator) length=18
1426812366.390188: Value: f71f9de55050238f52771263793002c5
1426812366.390192: RADIUS SRV: [0x0 127.0.0.1] Sending Access-Reject
1426812366.390216: RADIUS SRV: Removing completed session 0x0 after timeout
Here is conf of the hostapd that is acting as AP, and is hopefully set up to
accept an OSEN authentication:
[root at ben-ota-2 wifi]# cat hostapd_vap1.conf
interface=vap1
driver=nl80211
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=ota-9k-osen
bssid=00:0e:8e:2b:e5:96
country_code=US
ieee80211d=0
ieee80211h=0
ieee80211w=0
hw_mode=g
ieee80211n=1
beacon_int=240
dtim_period=2
max_num_sta=2007
rts_threshold=2347
fragm_threshold=2346
preamble=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
# Enable HT modes if you want 300Mbps+ throughput.
#ht_capab=[HT20][HT40-][HT40+][GF][SHORT-GI-20][SHORT-GI-40]
# [TX-STBC][RX-STBC123][MAX-AMSDU-7935][DSSS_CCK-40][PSMP][LSIG-TXOP-PROT]
ht_capab=[HT20][HT40+][SHORT-GI-40][SHORT-GI-20]
#vht_capab=[MAX-MPDU-11454][RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][MAX-A-MPDU-LEN-EXP0][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]
wmm_enabled=1
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
channel=1
supported_rates=10 20 55 110 60 90 120 180 240 360 480 540
ieee8021x=1
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1811
auth_server_shared_secret=lanforge
# Error emulation settings.
ignore_probe_probability=0.000000
ignore_auth_probability=0.000000
ignore_assoc_probability=0.000000
ignore_reassoc_probability=0.000000
corrupt_gtk_rekey_mic_probability=0.000000
osen=1
#Wifi Custom Config specified by user directly.
hs20_icon=32:32:eng:image/png:icon32:/home/lanforge/32x32.png
hs20_icon=64:64:eng:image/png:icon64:/home/lanforge/64x64.png
osu_ssid="osu-ssid"
# OSU Providers
# One or more sets of following parameter. Each OSU provider is started by the
# mandatory osu_server_uri item. The other parameters add information for the
# last added OSU provider.
#
osu_server_uri=https://ben-ota-2/hs20/signup.php?realm=example.com
osu_friendly_name=eng:LANforge HS20 Operator
osu_nai=osen at lanforge.com
osu_method_list=1 0
osu_icon=icon32
osu_icon=icon64
osu_service_desc=eng:LANforge Example services
And, here is the supplicant config file:
[root at ben-ota-1 wifi]# cat wpa_supplicant-wiphy1-wlan1.conf
ctrl_interface=/var/run/wpa_supplicant
fast_reauth=1
concurrent_assoc_ok=1
scan_cur_freq=1
min_scan_gap=5
bss_max_count=2000
network={
ssid="ota-9k-osen"
disable_ht=0
disable_vht=1
ieee80211w=0
disable_ht40=0
disable_sgi=0
ht_mcs=""
disable_max_amsdu=-1
ampdu_factor=-1
ampdu_density=-1
proto=OSEN
key_mgmt=OSEN
eap=WFA-UNAUTH-TLS
ocsp=2
pairwise=CCMP
group=GTK_NOT_USED
identity="osen at lanforge.com"
ca_cert="/home/lanforge/ota2-ca.pem"
proactive_key_caching=0
}
If anyone has any suggestions, please let me know.
Thanks,
Ben
--
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc http://www.candelatech.com
More information about the Hostap
mailing list