configuring FT-EAP with hostapd

Wojciech Dubowik wojciech.dubowik at neratec.com
Fri Mar 17 06:51:54 PDT 2017


Hello,

   I don't see a bridge setting. I guess you need to set up a bridge over
Ethernet and wlan to get frames to the other AP. Just pass bridge=<your br>
to your configs.


Wojtek


On 15/03/17 16:14, Wojciech Żyszczyński wrote:
> Hi,
>
> I am trying to configure Fast Transition between 2 AccessPoints.
> I was able to get working config for FT-PSK with local key generation
> (ft_psk_generate_local=1)
>
> However, for FT-EAP it's not an option. So I set the following configuration:
>
>
> AP-1
>
> #MAC Addresses used
> #wlan0        ether 30:b5:c2:15:73:1c  txqueuelen 1000  (Ethernet)
> #wlan1        ether 30:b5:c2:15:da:b2  txqueuelen 1000  (Ethernet)
> #wlan2        ether 30:b5:c2:18:b3:34  txqueuelen 1000  (Ethernet)
> #-----------------------------------------------------------------------------
> interface=wlan0
> logger_syslog=-1
> logger_syslog_level=2
> logger_stdout=-1
> logger_stdout_level=2
> ctrl_interface=/var/run/hostapd
>
> eapol_key_index_workaround=0
> eap_server=1
> eap_user_file=/opt/eap/peap-alpha/hostapd.eap_user
> ca_cert=/opt/eap/peap-alpha/CA.crt
> server_cert=/opt/eap/peap-alpha/CA.crt
> private_key=/opt/eap/peap-alpha/CA.key
> ieee8021x=1
> wpa=2
> #changes for 802.11r:
> #only FT-clients:
> wpa_key_mgmt=FT-EAP
> #push R1 key to other APs:
> pmk_r1_push=1
>
> #list of keyholders, AES-128 keys: openet1, openet2:
> r0kh=30:b5:c2:15:da:b2 ap2.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
> r0kh=30:b5:c2:15:73:1c ap1.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
> r1kh=30:b5:c2:15:73:1c 30:b5:c2:15:da:b2 1FC4BBA69DB8EB396A24249B406BA2A5
> r1kh=30:b5:c2:15:da:b2 30:b5:c2:15:73:1c 1FC4BBA69DB8EB396A24249B406BA2A5
> #NAS ID:
> nas_identifier=ap1.example.com
> #mobility domain:
> mobility_domain=a1b2
> #interface to send/receive packets
> r0_key_lifetime=10000
> ft_over_ds=0
> r1_key_holder=30b5c215731c
> ft_psk_generate_local=1
>
> #reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535)
> reassociation_deadline=1000
> wpa_pairwise=CCMP
> wpa_group_rekey=3600
> rsn_pairwise=CCMP
> rsn_preauth=0
> ctrl_interface_group=0
> macaddr_acl=0
>
> ssid=802.11R_AP
> country_code=IE
> ieee80211n=1
> ieee80211d=1
> hw_mode=g
> channel=7
>
>
> AP-2
>
> #MAC Addresses used
> #wlan0        ether 30:b5:c2:15:73:1c  txqueuelen 1000  (Ethernet)
> #wlan1        ether 30:b5:c2:15:da:b2  txqueuelen 1000  (Ethernet)
> #wlan2        ether 30:b5:c2:18:b3:34  txqueuelen 1000  (Ethernet)
> #-----------------------------------------------------------------------------
> interface=wlan0
> logger_syslog=-1
> logger_syslog_level=2
> logger_stdout=-1
> logger_stdout_level=2
> ctrl_interface=/var/run/hostapd
>
> eapol_key_index_workaround=0
> eap_server=1
> eap_user_file=/opt/eap/peap-alpha/hostapd.eap_user
> ca_cert=/opt/eap/peap-alpha/CA.crt
> server_cert=/opt/eap/peap-alpha/CA.crt
> private_key=/opt/peap-alpha/CA.key
> ieee8021x=1
> wpa=2
> #changes for 802.11r:
> #only FT-clients:
> wpa_key_mgmt=FT-EAP
> #push R1 key to other APs:
> pmk_r1_push=1
>
> #list of keyholders, AES-128 keys: openet1, openet2:
> r0kh=30:b5:c2:15:da:b2 ap2.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
> r0kh=30:b5:c2:15:73:1c ap1.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
> r1kh=30:b5:c2:15:73:1c 30:b5:c2:15:da:b2 1FC4BBA69DB8EB396A24249B406BA2A5
> r1kh=30:b5:c2:15:da:b2 30:b5:c2:15:73:1c 1FC4BBA69DB8EB396A24249B406BA2A5
>
> #NAS ID:
> nas_identifier=ap2.example.com
> #mobility domain:
> mobility_domain=a1b2
> #interface to send/receive packets
> r0_key_lifetime=10000
> ft_over_ds=0
> r1_key_holder=30b5c215dab2
> ft_psk_generate_local=1
>
> #reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535)
> reassociation_deadline=1000
> wpa_pairwise=CCMP
> wpa_group_rekey=3600
> rsn_pairwise=CCMP
> rsn_preauth=0
> ctrl_interface_group=0
> macaddr_acl=0
>
> ssid=802.11R_AP
> country_code=IE
> ieee80211n=1
> ieee80211d=1
> hw_mode=g
> channel=7
>
> Unfortunately, when trying to execute fast transition, I have the following
> issue (AP2 hostapd log):
>
> FT: STA R0KH-ID - hexdump(len=15): 61 70 31 2e 65 78 61 6d 70 6c 65 2e 63 6f 6d
> FT: Requested PMKR0Name - hexdump(len=16): 47 ad 87 45 3b ed d3 6d 36
> 0b 12 6c 40 78 10 e3
> FT: Derived requested PMKR1Name - hexdump(len=16): 8f ee a9 44 89 6f
> ec 3e 8b 60 5f 9d fc 6e b7 8b
> FT: Send PMK-R1 pull request to remote R0KH address 30:b5:c2:15:73:1c
> FT: RRB send to 30:b5:c2:15:73:1c
> FT: Callback postponed until response is available res=-1
> FT: Received authentication frame: STA=60:a3:7d:8c:6d:38
> BSSID=30:b5:c2:18:a6:56 transaction=1
> FT: Received authentication frame IEs - hexdump(len=167): 30 26 01 00
> 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 03 0c 00 01 00 47 ad 87
> 45 3b ed d3 6d 36 0b 12 6c 40 78 10 e3 36 03 a1 b2 00 37 63 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 19 9b 8c db 66 d8 9b 63 24 e6 d8 cd 9c c9 e6 4b cd a5 36 95 4b 50
> 2d 43 6a 1d 50 e8 bc 5e e2 f4 03 0f 61 70 31 2e 65 78 61 6d 70 6c 65
> 2e 63 6f 6d 7f 08 04 00 00 00 00 00 00 40 dd 09 00 10 18 02 01 00 10
> 00 00
>
> So I see there is a pull request sent to AP-1. This request shall be
> made over air, as ft_over_ds=0. Unfortunately I can't even see such a
> request in wireshark... and there is no reply either...
> The phone connects to AP-2 with full authentication, so FT failed.
>
> Any advice? Does the exchange of keys work over air or do I need to set it up over DS?
> If setting it up over DS, do I need to have some special vlan
> configuration? Both APs are connected by Ethernet and a single switch.
>
> Best Regards
> Wojciech Zyszczynski
>
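A static cross-check of the two APs' FT settings, added here as an example (it is not part of the original thread or of hostapd): it flags the missing `bridge=` pointed out in the reply and verifies that each AP lists its peer's `nas_identifier` and `r1_key_holder`. The sample configs are constructed from the FT lines posted above with a placeholder key; `parse_conf`, `last` and `check_ft` are hypothetical helper names.

```python
def parse_conf(text):
    """Parse hostapd.conf text; repeatable keys (r0kh, r1kh) keep every value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def last(conf, key):
    return conf.get(key, [""])[-1]

def check_ft(name, conf, peer):
    """Return findings for one AP's FT settings, cross-checked with its peer."""
    out = []
    if not last(conf, "bridge"):
        out.append(f"{name}: no bridge= set, inter-AP key frames stay on the wlan interface")
    if last(conf, "mobility_domain").lower() != last(peer, "mobility_domain").lower():
        out.append(f"{name}: mobility_domain differs from peer")
    # r0kh=<MAC> <NAS identifier> <key>; the peer's NAS identifier must be listed
    r0kh_ids = [e.split()[1] for e in conf.get("r0kh", []) if len(e.split()) == 3]
    if last(peer, "nas_identifier") not in r0kh_ids:
        out.append(f"{name}: peer nas_identifier missing from r0kh list")
    # r1kh=<MAC> <R1KH-ID> <key>; the peer's r1_key_holder must be listed
    r1kh_ids = [e.split()[1].replace(":", "").lower()
                for e in conf.get("r1kh", []) if len(e.split()) == 3]
    if last(peer, "r1_key_holder").lower() not in r1kh_ids:
        out.append(f"{name}: peer r1_key_holder missing from r1kh list")
    if (last(conf, "ft_psk_generate_local") == "1"
            and "FT-PSK" not in last(conf, "wpa_key_mgmt")):
        out.append(f"{name}: ft_psk_generate_local=1 applies to FT-PSK only")
    return out

KEY = "000102030405060708090a0b0c0d0e0f"  # constructed placeholder, not a real key
COMMON = f"""wpa_key_mgmt=FT-EAP
mobility_domain=a1b2
r0kh=30:b5:c2:15:da:b2 ap2.example.com {KEY}
r0kh=30:b5:c2:15:73:1c ap1.example.com {KEY}
r1kh=30:b5:c2:15:73:1c 30:b5:c2:15:da:b2 {KEY}
r1kh=30:b5:c2:15:da:b2 30:b5:c2:15:73:1c {KEY}
ft_psk_generate_local=1
"""
AP1 = parse_conf(COMMON + "nas_identifier=ap1.example.com\nr1_key_holder=30b5c215731c\n")
AP2 = parse_conf(COMMON + "nas_identifier=ap2.example.com\nr1_key_holder=30b5c215dab2\n")

if __name__ == "__main__":
    for finding in check_ft("AP-1", AP1, AP2) + check_ft("AP-2", AP2, AP1):
        print(finding)
```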



