FT-SAE with RADIUS Tunnel-Password doesn't work
Rany Hany
rany_hany at riseup.net
Sun Sep 15 07:34:48 PDT 2024
Hello,
I'm sorry if this email is short on details but unfortunately I don't
get any information from the AP logs. I'm using the hostapd tree as of
2024-09-14 (ccba6921de6372a2220350bb5ed5776ea8c76bbb).
When I attempt to roam to another AP that is hosted on a different
machine, it is unable to use FT-SAE. Nothing in the hostapd logs shows up;
it is as if there was no attempt to even connect according to the AP logs.
However, if I try to roam to another AP hosted on the same machine
FT-SAE works.
This issue is specific to SAE only. When I use WPA2-only with no other
configuration change, this issue goes away and it works OK. I attempted
to use WPA3-only instead of WPA2/WPA3-mixed but it made no difference.
Some notes about my setup that are a bit unique (the complete hostapd config
is available below for inspection; these are just some of the things
that I think are worth noting):
* I'm using the dynamic VLAN feature (set to 2/required).
* I'm using the per_sta_vif mode.
* I'm using FT over the Air instead of FT over DS.
Working case: roaming using wpa_cli works (different AP but same
hostapd instance):
> roam 00:20:91:00:00:01
OK
<3>SME: Trying to authenticate with 00:20:91:00:00:01 (SSID='X'
freq=2412 MHz)
<3>Trying to associate with 00:20:91:00:00:01 (SSID='X' freq=2412 MHz)
<3>Associated with 00:20:91:00:00:01
<3>WPA: Key negotiation completed with 00:20:91:00:00:01 [PTK=CCMP GTK=CCMP]
<3>CTRL-EVENT-CONNECTED - Connection to 00:20:91:00:00:01 completed
[id=0 id_str=]
<3>CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
<3>CTRL-EVENT-SIGNAL-CHANGE above=1 signal=-20 noise=9999 txrate=52000
Failure to use FT (different AP and different hostapd instance):
> roam 00:20:91:00:00:03
OK
<3>SME: Trying to authenticate with 00:20:91:00:00:03 (SSID='X'
freq=2432 MHz)
<3>BSSID 00:20:91:00:00:03 ignore list count incremented to 4, ignoring
for 120 seconds
<3>CTRL-EVENT-SCAN-STARTED
>
<3>CTRL-EVENT-SCAN-RESULTS
<3>WPS-AP-AVAILABLE
<3>SME: Trying to authenticate with 00:20:91:00:00:02 (SSID='X'
freq=5745 MHz)
<3>SME: Trying to authenticate with 00:20:91:00:00:02 (SSID='X'
freq=5745 MHz)
<3>PMKSA-CACHE-REMOVED 00:20:91:00:00:02 0
<3>PMKSA-CACHE-ADDED 00:20:91:00:00:02 0
<3>Trying to associate with 00:20:91:00:00:02 (SSID='X' freq=5745 MHz)
<3>Associated with 00:20:91:00:00:02
<3>CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
>
<3>WPA: Key negotiation completed with 00:20:91:00:00:02 [PTK=CCMP GTK=CCMP]
<3>Removed BSSID 00:20:91:00:00:02 from ignore list
<3>CTRL-EVENT-CONNECTED - Connection to 00:20:91:00:00:02 completed
[id=0 id_str=]
<3>CTRL-EVENT-SIGNAL-CHANGE above=1 signal=-28 noise=9999 txrate=245000
<3>CTRL-EVENT-SCAN-STARTED
<3>CTRL-EVENT-SCAN-RESULTS
Below is the hostapd configuration (same configuration on all APs except
for bssid/etc, so only the first AP config is provided):
driver=nl80211
logger_syslog=127
logger_syslog_level=0
logger_stdout=127
logger_stdout_level=0
country_code=<redacted>
ieee80211d=1
hw_mode=g
supported_rates=60 90 120 180 240 360 480 540
basic_rates=60 120 240
beacon_int=100
channel=acs_survey
chanlist=1-11
ieee80211n=1
ht_capab=[LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1]
interface=2ghz
ctrl_interface=/var/run/hostapd
bss_load_update_period=60
chan_util_avg_period=600
skip_inactivity_poll=0
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
utf8_ssid=1
multi_ap=0
tdls_prohibit=1
nas_identifier=<redacted>
sae_require_mfp=1
macaddr_acl=2
wpa_psk_radius=2
auth_server_addr=<redacted>
auth_server_port=1812
auth_server_shared_secret=<redacted>
macaddr_acl=2
auth_algs=1
wpa=2
wpa_pairwise=CCMP
ssid=X
wpa_disable_eapol_key_retries=1
wpa_key_mgmt=WPA-PSK FT-PSK WPA-PSK-SHA256 SAE FT-SAE
mobility_domain=<redacted>
ft_psk_generate_local=0
ft_over_ds=0
reassociation_deadline=20000
r0_key_lifetime=10000
pmk_r1_push=0
r0kh=ff:ff:ff:ff:ff:ff * <redacted>
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 <redacted>
ieee80211w=1
group_mgmt_cipher=AES-128-CMAC
dynamic_vlan=2
vlan_naming=1
vlan_bridge=br-vlan
per_sta_vif=1
bssid=00:20:91:00:00:01
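A small triage helper for wpa_cli output like the two excerpts above, added here and not part of the report or of the hostap project: it pairs each `roam` request with the BSS the supplicant finally connected to, and flags the case where the requested BSS landed on the ignore list and the station fell back to a full reconnect elsewhere. The sample log is constructed from the excerpts above with the wrapped event lines rejoined; the matching only looks at the BSSID on each event line, so it also works on the wrapped form.

```python
import re

# Constructed sample: the working and failing roam attempts from the report,
# with wpa_cli's line-wrapped events joined back onto one line each.
WPA_CLI_LOG = """\
> roam 00:20:91:00:00:01
OK
<3>SME: Trying to authenticate with 00:20:91:00:00:01 (SSID='X' freq=2412 MHz)
<3>Trying to associate with 00:20:91:00:00:01 (SSID='X' freq=2412 MHz)
<3>Associated with 00:20:91:00:00:01
<3>WPA: Key negotiation completed with 00:20:91:00:00:01 [PTK=CCMP GTK=CCMP]
<3>CTRL-EVENT-CONNECTED - Connection to 00:20:91:00:00:01 completed [id=0 id_str=]
> roam 00:20:91:00:00:03
OK
<3>SME: Trying to authenticate with 00:20:91:00:00:03 (SSID='X' freq=2432 MHz)
<3>BSSID 00:20:91:00:00:03 ignore list count incremented to 4, ignoring for 120 seconds
<3>CTRL-EVENT-SCAN-STARTED
<3>CTRL-EVENT-SCAN-RESULTS
<3>SME: Trying to authenticate with 00:20:91:00:00:02 (SSID='X' freq=5745 MHz)
<3>SME: Trying to authenticate with 00:20:91:00:00:02 (SSID='X' freq=5745 MHz)
<3>Associated with 00:20:91:00:00:02
<3>WPA: Key negotiation completed with 00:20:91:00:00:02 [PTK=CCMP GTK=CCMP]
<3>CTRL-EVENT-CONNECTED - Connection to 00:20:91:00:00:02 completed [id=0 id_str=]
"""

BSSID = r"([0-9a-f:]{17})"
ROAM_RE = re.compile(r"^>\s*roam\s+" + BSSID, re.I)
TRY_RE = re.compile(r"SME: Trying to authenticate with " + BSSID, re.I)
IGNORE_RE = re.compile(r"BSSID " + BSSID + r" ignore list count incremented", re.I)
CONNECTED_RE = re.compile(r"CTRL-EVENT-CONNECTED - Connection to " + BSSID, re.I)


def classify_roams(log):
    """Return one record per 'roam <bssid>' request describing how it ended."""
    results, cur = [], None
    for line in log.splitlines():
        if m := ROAM_RE.search(line):
            cur = {"target": m.group(1).lower(), "tried": [],
                   "ignored": False, "connected_to": None}
            results.append(cur)
        elif cur is None or cur["connected_to"]:
            continue  # events before any roam, or after this roam settled
        elif m := TRY_RE.search(line):
            b = m.group(1).lower()
            if not cur["tried"] or cur["tried"][-1] != b:  # collapse retries
                cur["tried"].append(b)
        elif (m := IGNORE_RE.search(line)) and m.group(1).lower() == cur["target"]:
            cur["ignored"] = True  # supplicant gave up on the requested BSS
        elif m := CONNECTED_RE.search(line):
            cur["connected_to"] = m.group(1).lower()
    for r in results:
        ok = r["connected_to"] == r["target"] and not r["ignored"]
        r["outcome"] = "roamed to requested BSS" if ok else "fell back to another BSS"
    return results
```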