WPA-EAP/802.1x AP mode without NL80211_CMD_SET_STATION driver support

Arend Van Spriel arend.vanspriel at broadcom.com
Fri Oct 9 04:53:21 EDT 2020


On 10/9/2020 10:03 AM, Pali Rohár wrote:
> On Friday 09 October 2020 09:28:59 Arend Van Spriel wrote:
>> On 10/7/2020 10:30 AM, Pali Rohár wrote:
>>> Hello! I would like to remind this issue.
>>
>> Hi Pali,
>>
>> Why not follow the regular contribution process and submit a patch?
> 
> Hello Arend! Because I have sent another patch months ago which was
> still not processed yet (therefore I do not know if regular contribution
> process is working) and more important, I do not know how to fix this
> issue, so I have nothing to send yet. If you look at the issue, you
> could see it is more complicated and I just provided two changes which
> allowed me to identify main problems.

Fair enough. I stopped reading after the first few paragraphs, but I 
looked at the driver. The NL80211_CMD_SET_STATION ends up calling the 
.change_station() cfg80211 driver callback. The mwifiex driver does 
implement it [1], but states that it only works for TDLS.

Personally, I have not played much with VLANs. For non-vlan the AP uses 
NL80211_CMD_SET_STATION to authorize the associated station to send 
regular data traffic. Bottom line is that your wifi card or at least the 
mwifiex driver does not seem to support both scenarios, i.e. authorize 
station and vlan. Also don't see anything obvious in the driver's 
firmware API (fw.h). At least not upstream.

Regards,
Arend

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/wireless/marvell/mwifiex/cfg80211.c#n4145

>> Regards,
>> Arend
>>
>>> On Tuesday 02 June 2020 10:49:17 Pali Rohár wrote:
>>>> Jouni or Johannes, when you have a time, could you please look at this
>>>> issue below?
>>>>
>>>> I would like to enable WPA-EAP mode on mwifiex_sdio wifi card but due to
>>>> hostapd issue described below it is not possible right now.
>>>>
>>>> On Monday 11 May 2020 12:37:50 Pali Rohár wrote:
>>>>> Hello Jouni!
>>>>>
>>>>> When hostapd is compiled without CONFIG_NO_VLAN option then
>>>>> WPA-EAP/802.1x AP mode is not working with wifi card which does not
>>>>> support NL80211_CMD_SET_STATION command and uses nl80211 hostapd driver.
>>>>>
>>>>> NL80211_CMD_SET_STATION command is used by nl80211 hostapd driver to
>>>>> configure NL80211_ATTR_STA_VLAN, see i802_set_sta_vlan() function.
>>>>>
>>>>> Here is hostapd log from Turris MOX router when it is configured in WPA-EAP
>>>>> AP mode. It has SDIO wifi card managed by kernel driver mwifiex_sdio
>>>>> which does not implement NL80211_CMD_SET_STATION command when card is in
>>>>> AP mode.
>>>>>
>>>>> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
>>>>> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
>>>>> May 11 09:31:28 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -524 (No error information)
>>>>> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
>>>>> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
>>>>> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
>>>>> May 11 09:31:31 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
>>>>> May 11 09:31:31 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
>>>>> May 11 09:31:37 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
>>>>> May 11 09:31:37 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
>>>>> May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: disassociated
>>>>> May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: event 2 notification
>>>>>
>>>>> EAP authentication from radius server is successful, wpa_supplicant on
>>>>> client side also sees successful authentication, but link is not
>>>>> established.
>>>>>
>>>>> That failed error code 524 is internal Linux kernel number for ENOTSUPP
>>>>> (double PP), see [1]. Userspace uses ENOTSUP (single P) code 95.
>>>>>
>>>>> Error printed in hostapd log is triggered by ap_sta_bind_vlan() call
>>>>> from ieee802_1x_receive_auth() function located in src/ap/ieee802_1x.c
>>>>> file.
>>>>>
>>>>> ap_sta_bind_vlan() calls hostapd_drv_set_sta_vlan() which for
>>>>> unsupported hostapd driver returns zero and for supported hostapd driver
>>>>> calls appropriate kernel interface, i.e. hostapd_drv_set_sta_vlan().
>>>>> Which for card with unsupported NL80211_CMD_SET_STATION command returns
>>>>> error code -524.
>>>>>
>>>>> When hostapd is compiled with CONFIG_NO_VLAN then ap_sta_bind_vlan()
>>>>> always returns zero.
>>>>>
>>>>> I applied following change to hostapd sources:
>>>>>
>>>>> diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
>>>>> index 93f1f0c20..9059162a8 100644
>>>>> --- a/src/ap/sta_info.c
>>>>> +++ b/src/ap/sta_info.c
>>>>> @@ -1092,6 +1092,10 @@ skip_counting:
>>>>>    		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
>>>>>    			       HOSTAPD_LEVEL_DEBUG, "could not bind the STA "
>>>>>    			       "entry to vlan_id=%d", sta->vlan_id);
>>>>> +		/* Ignore error when driver does not support setting vlan
>>>>> +		 * and we were not requested to set non-zero vlan id */
>>>>> +		if (ret == -ENOTSUP && sta->vlan_id == 0)
>>>>> +			ret = 0;
>>>>>    	}
>>>>>    	/* During 1x reauth, if the vlan id changes, then remove the old id. */
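Review bot: in the error branch of this hunk the new "ret == -ENOTSUP && sta->vlan_id == 0" check sits after the hostapd_logger() call, so a bind that is then treated as success still logs "could not bind the STA entry to vlan_id=0" (the second log in this mail shows that message for a station that goes on to connect). Consider testing the condition before the logger call and logging instead that the driver does not support per-station VLAN binding. The check also only fires when the driver wrapper returns -ENOTSUP, so it depends on the -524 translation in the driver_nl80211.c hunk; the comment should say so.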
>>>>> diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
>>>>> index d48f8cb76..0906508d4 100644
>>>>> --- a/src/drivers/driver_nl80211.c
>>>>> +++ b/src/drivers/driver_nl80211.c
>>>>> @@ -6848,6 +6848,8 @@ static int i802_set_sta_vlan(struct i802_bss *bss, const u8 *addr,
>>>>>    	ret = send_and_recv_msgs(drv, msg, NULL, NULL);
>>>>>    	if (ret < 0) {
>>>>> +		if (ret == -524) /* 524 - Linux internal ENOTSUPP (double PP) */
>>>>> +			ret = -ENOTSUP;
>>>>>    		wpa_printf(MSG_ERROR, "nl80211: NL80211_ATTR_STA_VLAN (addr="
>>>>>    			   MACSTR " ifname=%s vlan_id=%d) failed: %d (%s)",
>>>>>    			   MAC2STR(addr), ifname, vlan_id, ret,
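Review bot: the bare -524 in "if (ret == -524)" should be a named constant, since ENOTSUPP is a kernel-internal value with no userspace definition; a local #define carrying the existing comment would do. Because the translation runs before wpa_printf(), the message now reports -95 and the code the kernel actually returned is lost from the log; consider printing the untranslated value and mapping it afterwards. The mapping is also local to i802_set_sta_vlan(), so other callers of send_and_recv_msgs() would still see the raw value.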
>>>>>
>>>>> It changes error code from ENOTSUP (single P) and ENOTSUPP (double PP)
>>>>> to zero, which is propagated back to the ieee802_1x_receive_auth()
>>>>> function.
>>>>>
>>>>> And with this change WPA-EAP/802.1x AP mode started working. Here is
>>>>> hostapd log:
>>>>>
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
>>>>> May 11 09:28:20 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -95 (Not supported)
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: old identity 'anonymous' updated with User-Name from Access-Accept 'anonymous'
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
>>>>> May 11 09:28:20 turris hostapd: wlan1: CTRL-EVENT-EAP-SUCCESS2 c4:d9:87:6c:38:01
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 1/4 msg of 4-Way Handshake
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (2/4 Pairwise)
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 3/4 msg of 4-Way Handshake
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (4/4 Pairwise)
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: pairwise key handshake completed (RSN)
>>>>> May 11 09:28:20 turris hostapd: wlan1: AP-STA-CONNECTED c4:d9:87:6c:38:01
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authorizing port
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: starting accounting session 0C7AC96B17442FD4
>>>>> May 11 09:28:20 turris hostapd: wlan1: RADIUS Sending RADIUS message to accounting server
>>>>> May 11 09:28:20 turris hostapd: wlan1: RADIUS Next RADIUS client retransmit in 3 seconds
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authenticated - EAP type: 21 (TTLS)
>>>>> May 11 09:28:20 turris hostapd: wlan1: RADIUS Received 20 bytes from RADIUS server
>>>>> May 11 09:28:20 turris hostapd: wlan1: RADIUS Received RADIUS message
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
>>>>>
>>>>> Jouni, I think this is bug in hostapd's 802.1X code. Function
>>>>> ieee802_1x_receive_auth() skips whole processing of 802.1X path when
>>>>> receives RADIUS_CODE_ACCESS_ACCEPT response and ap_sta_bind_vlan()
>>>>> function fails.
>>>>>
>>>>> The most suspicious part for me is why hostapd_drv_set_sta_vlan()
>>>>> function returns zero when hostapd driver does not support
>>>>> set_sta_vlan() function, but returns -ENOTSUP (or -ENOTSUPP) when kernel
>>>>> driver does not support this functionality. And also why this code path
>>>>> is ignored when hostapd is configured with CONFIG_NO_VLAN compile time
>>>>> option.
>>>>>
>>>>> Do you have any suggestions how to make AP working in WPA-EAP/802.1x
>>>>> mode for cards without NL80211_CMD_SET_STATION command? I would like to
>>>>> avoid having custom hostapd patch (like one above) and have ability to
>>>>> use upstream unpatched hostapd daemon.
>>>>>
>>>>> [1] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/errno.h
>>>
>>> _______________________________________________
>>> Hostap mailing list
>>> Hostap at lists.infradead.org
>>> http://lists.infradead.org/mailman/listinfo/hostap
>>>
> 
> 
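A log triage for the failure signature in the quoted hostapd logs, added here as an example (it is not part of the original e-mail or of hostapd): it flags stations whose RADIUS exchange ended in EAP Success but whose 4-way handshake never started because the driver refused NL80211_ATTR_STA_VLAN. The function and field names are hypothetical; the sample lines are a subset of the logs quoted in the thread.

```python
import re

# Lines copied from the two hostapd logs quoted in the thread (subset).
UNPATCHED = """\
May 11 09:31:28 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -524 (No error information)
May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
May 11 09:31:31 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
May 11 09:31:37 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
"""
PATCHED = """\
May 11 09:28:20 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -95 (Not supported)
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 1/4 msg of 4-Way Handshake
May 11 09:28:20 turris hostapd: wlan1: AP-STA-CONNECTED c4:d9:87:6c:38:01
"""

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
VLAN_FAIL = re.compile(r"NL80211_ATTR_STA_VLAN \(addr=" + MAC + r" .*\) failed: -(\d+)")
RETRANSMIT = re.compile(r"CTRL-EVENT-EAP-RETRANSMIT2 " + MAC)
EVENTS = {  # per-station flags, keyed by the log text that sets them
    "eap_success": re.compile(MAC + r" IEEE 802\.1X: .*EAP Success"),
    "handshake": re.compile(MAC + r" WPA: sending 1/4 msg"),
    "connected": re.compile(r"AP-STA-CONNECTED " + MAC),
}
ERRNO_NAMES = {524: "ENOTSUPP (kernel-internal)", 95: "ENOTSUP"}  # Linux values from the thread
FRESH = {"vlan_errno": None, "retransmits": 0, "eap_success": False,
         "handshake": False, "connected": False, "verdict": "incomplete"}

def triage(log_text):
    """Return {mac: state}; illustrative helper, not hostapd code."""
    stations = {}
    for line in log_text.splitlines():
        if m := VLAN_FAIL.search(line):
            stations.setdefault(m.group(1), dict(FRESH))["vlan_errno"] = int(m.group(2))
        if m := RETRANSMIT.search(line):
            stations.setdefault(m.group(1), dict(FRESH))["retransmits"] += 1
        for flag, rx in EVENTS.items():
            if m := rx.search(line):
                stations.setdefault(m.group(1), dict(FRESH))[flag] = True
    for s in stations.values():
        if s["connected"]:
            s["verdict"] = "connected"
        elif s["eap_success"] and not s["handshake"] and s["vlan_errno"]:
            name = ERRNO_NAMES.get(s["vlan_errno"], str(s["vlan_errno"]))
            s["verdict"] = "stalled after Access-Accept: STA_VLAN bind failed, " + name
    return stations

if __name__ == "__main__":
    for label, log in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(label, {mac: s["verdict"] for mac, s in triage(log).items()})
```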