wpa_supplicant and virtual machines

Petar Bogdanovic petar
Sat Sep 27 13:17:13 PDT 2014


On Sat, Sep 27, 2014 at 10:50:54PM +0300, Jouni Malinen wrote:
> On Tue, Sep 16, 2014 at 02:32:35PM +0200, Petar Bogdanovic wrote:
> > that works fine on OSX 10.6, but leaves my Linux VMs without an address.
> > All VMs use bridged interfaces, i.e. their virtual ethernet interfaces
> > are "bridged" with the main wireless interface.
> 
> IEEE 802.11 protocol does not support such a configuration, i.e., the
> wireless station interface cannot send frames with the source address
> being different from its own.
> 
> > That same problem does not happen in regular WPA-PSK networks.  So I
> > wonder if WPA-EAP networks would require the VMs to run a separate
> > wpa_supplicant in order to authenticate their virtual interfaces?
> 
> That sounds very strange... I'm not sure how exactly you are setting this
> up, but if this is layer 2 bridging to a wireless station interface, it
> won't work regardless of what security mode you are using unless
> something like 4-address WDS frames are used.

Thanks Jouni.  After reading your reply, I remembered that VirtualBox
has a special way of bridging virtual with wireless interfaces:

"Bridging to a wireless interface is done differently from bridging to a
 wired interface, because most wireless adapters do not support
 promiscuous mode. All traffic has to use the MAC address of the host's
 wireless adapter, and therefore VirtualBox needs to replace the source
 MAC address in the Ethernet header of an outgoing packet to make sure
 the reply will be sent to the host interface. When VirtualBox sees an
 incoming packet with a destination IP address that belongs to one of
 the virtual machine adapters it replaces the destination MAC address in
 the Ethernet header with the VM adapter's MAC address and passes it on.
 VirtualBox examines ARP and DHCP packets in order to learn the IP
 addresses of virtual machines."

https://www.virtualbox.org/manual/ch06.html#network_bridged

That would explain the WPA-PSK case.  The explanation for the other case
is a Cisco antispoof measure:

"If the IP address or MAC address of the packet has been spoofed, the
 check does not pass, and the controller discards the packet. Spoofed
 packets can pass through the controller only if both the IP and MAC
 addresses are spoofed together and changed to that of another valid
 client on the same controller."

http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/system_management/config_system_management_chapter_01101.html

Cheers,

		Petar Bogdanovic
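The interplay of the two quoted mechanisms, as an added toy model written for this page (it is not VirtualBox or Cisco code): the bridge rewrites source MACs on the way out and restores VM MACs on the way back using IP mappings learned from ARP, while the controller only accepts frames whose (IP, MAC) pair belongs to an authenticated client. All addresses and the controller's binding table are constructed assumptions.

```python
# Toy model (constructed for this page, not VirtualBox or Cisco code) of the
# two quoted mechanisms: MAC rewriting on a wireless bridge and a controller
# that drops frames whose (IP, MAC) pair is not a known client binding.
HOST_MAC, HOST_IP = "02:00:00:00:00:01", "192.0.2.10"   # constructed
VM_MAC, VM_IP = "08:00:27:aa:bb:cc", "192.0.2.50"       # constructed
GW_MAC, GW_IP = "02:00:00:00:00:fe", "192.0.2.1"        # constructed
BCAST = "ff:ff:ff:ff:ff:ff"


class WirelessBridge:
    """Rewrites MACs the way the VirtualBox manual describes."""

    def __init__(self, host_mac):
        self.host_mac = host_mac
        self.ip_to_vm_mac = {}   # learned from the VMs' ARP (DHCP not modelled)

    def egress(self, frame):
        if frame["proto"] == "arp":
            self.ip_to_vm_mac[frame["src_ip"]] = frame["src_mac"]
        # Every outgoing frame leaves with the host adapter's source MAC.
        return {**frame, "src_mac": self.host_mac}

    def ingress(self, frame):
        # Frames addressed to a learned VM IP get the VM's MAC restored.
        vm_mac = self.ip_to_vm_mac.get(frame["dst_ip"])
        return {**frame, "dst_mac": vm_mac} if vm_mac else frame


class AntiSpoofController:
    """Accepts a frame only if its (IP, MAC) pair is an authenticated client."""

    def __init__(self, bindings):
        self.bindings = set(bindings)   # {(ip, mac)} learned at client join

    def accept(self, frame):
        return (frame["src_ip"], frame["src_mac"]) in self.bindings


def vm_round_trip(controller_checks):
    """True if a VM frame gets past the AP and its reply returns to the VM."""
    bridge = WirelessBridge(HOST_MAC)
    ctrl = AntiSpoofController([(HOST_IP, HOST_MAC)])   # only the host joined
    out = bridge.egress({"proto": "arp", "src_mac": VM_MAC, "src_ip": VM_IP,
                         "dst_mac": BCAST, "dst_ip": GW_IP})
    if controller_checks and not ctrl.accept(out):
        return False          # (VM_IP, HOST_MAC) is not a valid binding
    reply = {"proto": "arp", "src_mac": GW_MAC, "src_ip": GW_IP,
             "dst_mac": HOST_MAC, "dst_ip": VM_IP}
    return bridge.ingress(reply)["dst_mac"] == VM_MAC
```

`vm_round_trip(False)` models the plain WPA-PSK access point and succeeds; `vm_round_trip(True)` models the controller with the IP/MAC check and fails at the first VM frame, which is the symptom described above.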
