Hostapd Test Results and Problem Areas - used TLS

SR Dasgupta srdasgupta
Sat Oct 4 05:26:01 PDT 2003


Hi Jouni,

Am back :) but not with good news :(.

So, let's see what happened at my end. I have replicated the syslog of my target board at the end of this mail.
Please refer to it. I tried both the options (see below) you specified (with and without unicast) but the syslog does not change.
I tried to get into debugging the stuff by inserting printf() in the authpae state machine and printk() later in
the hostap_rx_frame_decrypt() function. What I observed in hostapd (IEEE 802.1x) is that after the 802.11 association
and authentication takes place, the 802.1x state machine keeps looping in DISCONNECTED and CONNECTED
state which is of course right. Here is the output on the terminal:

************************************************************
#
eth2: STA 00:0a:79:15:09:45 IEEE 802.11: authentication OK (open system)
eth2: STA 00:0a:79:15:09:45 IEEE 802.11: authenticated
eth2: STA 00:0a:79:15:09:45 IEEE 802.11: association OK (aid 1)
eth2: STA 00:0a:79:15:09:45 IEEE 802.11: associated (aid 1)
eth2: STA 00:0a:79:15:09:45 IEEE 802.11: authentication OK (open system)
eth2: STA 00:0a:79:15:09:45 IEEE 802.11: authenticated
eth2: STA 00:0a:79:15:09:45 IEEE 802.11: association OK (aid 1)
AUTH_PAE_DISCONNECTED TO, CONNECTING
AUTH_PAE_CONNECTING TO, CONNECTING
AUTH_PAE_CONNECTING TO, CONNECTING
AUTH_PAE_CONNECTING to, DISCONNECTED
eth2: STA 00:0a:79:15:09:45 IEEE 802.1X: unauthorizing port
AUTH_PAE_DISCONNECTED to, CONNECTING
************************************************************

After observing the printk(), it is for sure that in hostap_rx_frame_decrypt(), the WEP decryption fails at the
following location (I inserted the '2.' of ' 2. WEP decryption ' here):
************************************************************
	/* decrypt WEP part of the frame: IV (4 bytes), encrypted
	 * payload (including SNAP header), ICV (4 bytes) */
	atomic_dec(&crypt->refcnt);
	if (olen < 0) {
		printk(KERN_DEBUG "%s: 2. WEP decryption failed (SA=" MACSTR
		       ")\n", local->dev->name, MAC2STR(rxdesc->addr2));
***************************************************************

It is highly possible that I have configured the hostapd correctly but have incorrectly configured the
WinXP supplicant. In case anyone is using TLS with re-keying using hostapd & WinXP supplicant,
please let me know exactly how the XP client was configured.

Jouni, am still using hostapd-0.0.3 and not 0.0.4. Though I would personally love to but for non-technical reasons,
I cannot re-do the exercise of porting hostapd again on target board for next 3 months. I do not know how to get the
supplicant log on WinXP. If you can tell me the steps, I will get that. My platform has MIPS little endian but I do not think
that matters since WEP, MD5 and TLS work pretty well. In case you need more information, let me know.

Eagerly waiting for your reply.

Regards,
Shubharanjan

************************************************************
Syslog
************************************************************
# cat /var/log/messages
Jan 22 19:49:21 (none) daemon.debug klogd: eth2:2. WEP decryption failed (SA=00:0a:79:15:09:45)
Jan 22 19:49:51 (none) daemon.debug klogd: eth2:2. WEP decryption failed (SA=00:0a:79:15:09:45)
Jan 22 19:50:05 (none) daemon.debug hostapd: eth2: STA 00:0a:79:15:09:45 IEEE 802.1X: unauthorizing port
Jan 22 19:50:21 (none) daemon.debug klogd: eth2:2. WEP decryption failed (SA=00:0a:79:15:09:45)
Jan 22 19:50:51 (none) daemon.debug klogd: eth2:2. WEP decryption failed (SA=00:0a:79:15:09:45)
Jan 22 19:51:06 (none) daemon.debug hostapd: eth2: STA 00:0a:79:15:09:45 IEEE 802.1X: unauthorizing port
Jan 22 19:51:21 (none) daemon.debug klogd: eth2:2. WEP decryption failed (SA=00:0a:79:15:09:45)
Jan 22 19:51:51 (none) daemon.debug klogd: eth2:2. WEP decryption failed (SA=00:0a:79:15:09:45)
Jan 22 19:52:07 (none) daemon.debug hostapd: eth2: STA 00:0a:79:15:09:45 IEEE 80

************************************************************






-----Original Message-----
From:	Jouni Malinen [SMTP:jkmaline at cc.hut.fi]
Sent:	Saturday, September 20, 2003 8:57 PM
To:	hostap at shmoo.com
Subject:	Re: Hostapd Test Results and Problem Areas

On Thu, Sep 11, 2003 at 04:00:57PM -0000, SR Dasgupta wrote:

> Successful Testings
> ===============
> 1. EAP-MD5 	- This works fine.
> 2. EAP-TLS 	- This works fine as well.

I assume this means that you were able to authenticate the station with
both EAP-MD5 and EAP-TLS when all WEP settings were disabled.

YES. You are right.

> Case 6: (WEP & TLS - key rotation)
> Repeat Case 4 but for the following:
> 1. Enable key rotation ("wep_rekey_period=300") in hostapd.conf. Keep 
> 802.1x option enabled (ieee8021x=1). Configure RADIUS setting correctly, 
> this time for Odyssey server.

Did you enable both broadcast and unicast keys in hostapd.conf?

Recommended configuration for EAP-TLS is:
[Option 1]
ieee8021x=1
wep_key_len_broadcast=13
wep_key_len_unicast=5
wep_rekey_period=300
eapol_key_index_workaround=0
# and RADIUS auth. server configuration

if only broadcast keys are tested, following changes are needed

[Option 2]
wep_key_len_unicast=0
eapol_key_index_workaround=1

If this does not work, please send hostapd debug log (output of
hostapd -ddd hostapd.conf) from a failed case. If you can get debug log
from the supplicant side, that would also be useful finding out why this
did not work.

Both options did not work. See Syslog above.

-- 
Jouni Malinen                                            PGP id EFC895FA
_______________________________________________
HostAP mailing list
HostAP at shmoo.com
http://lists.shmoo.com/mailman/listinfo/hostap
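
An added example, not part of the original message or of hostapd: a Python script that re-joins 80-column-wrapped syslog records like the ones in this thread and measures, per station, how often the driver's WEP decryption failure and hostapd's "unauthorizing port" event recur. The event names `wep_fail` and `unauthorized` and the fixed `YEAR` are assumptions of this example.

```python
import re
from datetime import datetime

# Sample input: the first six records and the final cut-off record of the
# syslog in this message, in the wrapped form a terminal capture produces.
SAMPLE = """\
Jan 22 19:49:21 (none) daemon.debug klogd: eth2:2. WEP decryption failed (SA=00:
0a:79:15:09:45)
Jan 22 19:49:51 (none) daemon.debug klogd: eth2:2. WEP decryption failed (SA=00:
0a:79:15:09:45)
Jan 22 19:50:05 (none) daemon.debug hostapd: eth2: STA 00:0a:79:15:09:45 IEEE 80
2.1X: unauthorizing port
Jan 22 19:50:21 (none) daemon.debug klogd: eth2:2. WEP decryption failed (SA=00:
0a:79:15:09:45)
Jan 22 19:50:51 (none) daemon.debug klogd: eth2:2. WEP decryption failed (SA=00:
0a:79:15:09:45)
Jan 22 19:51:06 (none) daemon.debug hostapd: eth2: STA 00:0a:79:15:09:45 IEEE 80
2.1X: unauthorizing port
Jan 22 19:52:07 (none) daemon.debug hostapd: eth2: STA 00:0a:79:15:09:45 IEEE 80
"""
STAMP = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"
MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
EVENTS = {
    "wep_fail": re.compile(r"WEP decryption failed \(SA=" + MAC + r"\)"),
    "unauthorized": re.compile(r"STA " + MAC + r" IEEE 802\.1X: unauthorizing port"),
}
YEAR = 2000  # assumption: syslog carries no year; any fixed value works for intervals

def unwrap(text):
    """Re-join wrapped records: drop newlines not followed by a timestamp."""
    return re.sub(r"\n(?!" + STAMP + " )", "", text).splitlines()

def summarize(text):
    """Return ({(mac, kind): [datetime, ...]}, number of records skipped)."""
    seen, skipped = {}, 0
    for rec in unwrap(text):
        stamp = re.match("(" + STAMP + ") ", rec)
        hits = [(k, m) for k, p in EVENTS.items() if (m := p.search(rec))]
        if not stamp or not hits:
            skipped += 1  # truncated or unrelated record
            continue
        kind, m = hits[0]
        when = datetime.strptime(f"{YEAR} {stamp.group(1)}", "%Y %b %d %H:%M:%S")
        seen.setdefault((m.group(1), kind), []).append(when)
    return seen, skipped

def gaps(times):
    """Whole seconds between consecutive events of one kind."""
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
```

On the sample, `gaps()` over the lists returned by `summarize(SAMPLE)` gives 30-second spacing for the decryption failures and 61 seconds between the two port-unauthorizing events; the cut-off final record is counted as skipped.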




