hostapd: 4addr sta w/ EAP-TLS

Grewal, Ajay (GE Power) Ajay.Grewal at ge.com
Thu Oct 12 13:36:17 PDT 2017


It appears my original email below got bounced.

On 10/12/17, 12:38 PM, "Grewal, Ajay (GE Power)" <Ajay.Grewal at ge.com> wrote:

    Hi,
        
    I have set up an AP (hostapd w/ ath9k) to use RADIUS to authenticate a 4addr mode client (wpa_supplicant w/ ath9k) using WPA2/EAP-TLS. The authentication is successful and the AP/VLAN interface is created for the client and added to the bridge; however, no traffic passes between the AP and client (between the respective bridge interfaces). The same setup with WPA2/PSK works fine. It appears that in the WPA2/PSK case the client is correctly shown connected to the AP/VLAN interface, whereas in the WPA2/EAP-TLS case the client is shown connected to the base wlan0 interface (instead of wlan0.sta1):
        
    WPA2/PSK:
        
        # iw dev wlan0.sta1 station dump
        Station 00:06:3d:0a:a8:0a (on wlan0.sta1)
        	inactive time:	14450 ms
        	rx bytes:	1106
        	rx packets:	11
        	tx bytes:	1387
        	tx packets:	12
        	tx retries:	10
        	tx failed:	0
        	signal:  	-85 [-85, -96] dBm
        	signal avg:	-82 [-83, -96] dBm
        	tx bitrate:	6.5 MBit/s MCS 0
        	rx bitrate:	6.5 MBit/s MCS 0
        	expected throughput:	0.301Mbps
        	authorized:	yes
        	authenticated:	yes
        	preamble:	short
        	WMM/WME:	yes
        	MFP:		no
        	TDLS peer:	no
        	connected time:	30 seconds
        
        # iw dev wlan0 station dump
        #
        
    WPA2/EAP-TLS:
        
        # iw dev wlan0.sta1 station dump
        #
        # iw dev wlan0 station dump
        Station 00:06:3d:0a:a8:0a (on wlan0)
        	inactive time:	14000 ms
        	rx bytes:	9455
        	rx packets:	79
        	tx bytes:	2714
        	tx packets:	14
        	tx retries:	4
        	tx failed:	0
        	signal:  	-84 [-85, -94] dBm
        	signal avg:	-85 [-85, -94] dBm
        	tx bitrate:	1.0 MBit/s
        	rx bitrate:	1.0 MBit/s
        	expected throughput:	0.63Mbps
        	authorized:	yes
        	authenticated:	yes
        	preamble:	short
        	WMM/WME:	yes
        	MFP:		no
        	TDLS peer:	no
        	connected time:	708 seconds
        
    In both cases, the AP/VLAN interface is added to bridge correctly. 
        
        # brctl show
        bridge name	bridge id		STP enabled	interfaces
        br1		8000.00063d070bb4	no		eth1
        							wlan0
        							wlan0.sta1
        
    hostapd/wpa_supplicant version: 2.7-devel (master at 872d0f93cc14842e160e04fec7875a49c571aad8)
        
    The configuration files (h-*.conf for hostapd and w-*.conf for wpa_supplicant) and hostapd debug log files (h-wpa2-e-ccmp-r.log for WPA2/EAP-TLS and h-wpa2-p-ccmp-r.log for WPA2/PSK) are attached. I’d appreciate any guidance/insights to help resolve the issue and/or any pointers to the relevant code section to debug.
        
    Thanks
    Ajay

-------------- next part --------------
A non-text attachment was scrubbed...
Name: WPA2-EAPTLS-4addr-issue-20171012.zip
Type: application/zip
Size: 17263 bytes
Desc: WPA2-EAPTLS-4addr-issue-20171012.zip
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20171012/14be5a94/attachment-0001.zip>
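
Added example, not part of the original post or of hostapd: a shell check that parses `iw dev <if> station dump` output like that quoted in the message above and flags a station the kernel has on the base interface rather than on its `<base>.staN` AP/VLAN interface. The function names are hypothetical, the sample dumps are constructed (trimmed from the quoted output), and it assumes every station fed in is expected to be a 4addr client.

```shell
#!/bin/sh
# Added example (not hostapd code). Function names are hypothetical.
# Assumption: every station fed in is expected to be a 4addr client.

# stdin: `iw dev <if> station dump` text for one or more interfaces.
# stdout: "<mac> <iface> <authorized>" per station.
parse_station_dump() {
    awk '
        $1 == "Station" {
            if (mac != "") print mac, ifc, auth
            mac = $2; ifc = $4; sub(/\)$/, "", ifc); auth = "unknown"
        }
        $1 == "authorized:" { auth = $2 }
        END { if (mac != "") print mac, ifc, auth }
    '
}

# $1: base AP interface. Labels each station by the interface it is on.
classify_4addr() {
    base=$1
    parse_station_dump | while read -r mac ifc auth; do
        case $ifc in
            "$base".sta*) state=OK ;;          # on its AP/VLAN interface
            "$base")      state=MISPLACED ;;   # left on the base interface
            *)            state=OTHER ;;       # unrelated interface
        esac
        echo "$state $mac $ifc authorized=$auth"
    done
}

# Constructed samples, trimmed from the output quoted in the message.
PSK_DUMP='Station 00:06:3d:0a:a8:0a (on wlan0.sta1)
    authorized: yes
    authenticated: yes'
EAP_DUMP='Station 00:06:3d:0a:a8:0a (on wlan0)
    authorized: yes
    authenticated: yes'

echo "WPA2/PSK:";     printf '%s\n' "$PSK_DUMP" | classify_4addr wlan0
echo "WPA2/EAP-TLS:"; printf '%s\n' "$EAP_DUMP" | classify_4addr wlan0
# Live use: { iw dev wlan0 station dump; iw dev wlan0.sta1 station dump; } | classify_4addr wlan0
```

A `MISPLACED` line with `authorized=yes` corresponds to the WPA2/EAP-TLS symptom reported above: the station is authorized but was never moved to its AP/VLAN interface.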

