configuring FT-EAP with hostapd

Wojciech Żyszczyński zyszczynski at gmail.com
Tue Mar 21 07:26:00 PDT 2017


Hi,

I was successful after creating the bridge interface and pointing hostapd at it
with the bridge= setting (plus ft_over_ds=1).
Many thanks for help.

I am including the working config for anyone trying this in the future (note that the RRB keys and the CA key material shown here are lab values only):
-------------------------------------------------------------------------------
#MAC addresses used (interfaces on AP-A; AP-B's wlan0/BSSID is 30:b5:c2:18:a6:56, see the r0kh/r1kh lines)
#wlan0        ether 30:b5:c2:15:73:1c  txqueuelen 1000  (Ethernet)
#wlan1        ether 30:b5:c2:15:da:b2  txqueuelen 1000  (Ethernet)
#wlan2        ether 30:b5:c2:18:b3:34  txqueuelen 1000  (Ethernet)
#-----------------------------------------------------------------------------
AP-A

# hostapd configuration for AP-A (NAS-ID "ap1", BSSID 30:b5:c2:15:73:1c per the
# wlan0 line above): built-in EAP server plus 802.11r Fast BSS Transition, with
# PMK-R1 distribution between APs over the DS (the br0 bridge).
interface=wlan0
# -1 = log all modules; level 2 = informational and above
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
# Control socket directory; only group 0 (root) may use it, see ctrl_interface_group
ctrl_interface=/var/run/hostapd

eapol_key_index_workaround=0
# Integrated EAP server (no external RADIUS); users come from eap_user_file.
# Relative paths below resolve against hostapd's working directory, not this file.
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=CA.crt
# NOTE(review): server_cert is the CA certificate itself and private_key is CA.key,
# i.e. the CA's private key sits on every AP. Compromise of one AP then yields the
# key that can mint server certificates trusted by all supplicants (evil-twin AP).
# Outside a lab, issue each AP its own server certificate/key signed by CA.crt and
# keep CA.key offline.
server_cert=CA.crt
private_key=CA.key
ieee8021x=1
# RSN/WPA2 only (no WPA1/TKIP)
wpa=2
#wpa_passphrase=password123
#changes for 802.11r:
#only FT-clients:
# FT-EAP alone means supplicants without FT support cannot associate at all;
# use "WPA-EAP FT-EAP" if legacy clients must still connect.
wpa_key_mgmt=FT-EAP
#push R1 key to other APs:
# At initial association this AP (as R0KH) derives a PMK-R1 for every r1kh entry
# below and pushes it proactively, so every listed AP receives key material —
# list only APs you trust.
pmk_r1_push=1

#list of keyholders, AES-128 keys:
# Format: r0kh=<MAC> <NAS-Identifier> <key>, r1kh=<MAC> <R1KH-ID> <key>. The key
# protects the PMK-R1 push/pull exchanged between the APs over the DS.
# NOTE(review): one key is reused for all four entries and it has been published
# with this mail — treat it as burned. Generate a fresh random key per AP pair
# (e.g. "openssl rand -hex 16") and never copy an example value.
r0kh=30:b5:c2:15:73:1c ap1.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
r0kh=30:b5:c2:18:a6:56 ap2.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
r1kh=30:b5:c2:18:a6:56 30:b5:c2:18:a6:56 1FC4BBA69DB8EB396A24249B406BA2A5
r1kh=30:b5:c2:15:73:1c 30:b5:c2:15:73:1c 1FC4BBA69DB8EB396A24249B406BA2A5
#NAS ID:
# Must match this AP's own r0kh entry (its R0KH-ID) above.
nas_identifier=ap1.example.com
#mobility domain:
# 2-octet MDID; identical on every AP the client may roam between.
mobility_domain=a1b2
# Lifetime of the PMK-R0 held by this R0KH. In hostapd of this vintage the unit
# is minutes (later releases renamed it ft_r0_key_lifetime, in seconds) — check
# the hostapd.conf shipped with your version.
r0_key_lifetime=10000
# Allow FT over the DS (FT Request/Response action frames relayed via the current AP).
ft_over_ds=1
# R1KH-ID this AP advertises; hostapd defaults it to the BSSID.
# NOTE(review): 30b5c218a656 is AP-B's MAC, not this AP's (30:b5:c2:15:73:1c); the
# two configs look swapped here. It reportedly worked, but verify against the
# r1kh list before copying.
r1_key_holder=30b5c218a656
# Only meaningful for FT-PSK (here the PMK-R0 comes from the EAP exchange); kept at 0.
ft_psk_generate_local=0
# The RRB frames carrying PMK-R1 pushes/pulls are raw Ethernet frames sent on this
# interface; with no bridge= they go out on wlan0 and never reach the other AP,
# which is why the earlier pull request in this thread got no reply. The bridged
# segment therefore needs to be a trusted network.
bridge=br0
#reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535)
reassociation_deadline=1000
wpa_pairwise=CCMP
# Group key rotated every hour (seconds)
wpa_group_rekey=3600
rsn_pairwise=CCMP
# 802.11i pre-authentication is superseded by FT here
rsn_preauth=0
# GID 0: only members of group root can drive hostapd_cli
ctrl_interface_group=0
# 0 = accept any station unless it is in the deny list
macaddr_acl=0

ssid=802.11R_AP
country_code=IE
ieee80211n=1
ieee80211d=1
hw_mode=g
channel=7
-------------------------------------------------
AP-B

# hostapd configuration for AP-B (NAS-ID "ap2", BSSID 30:b5:c2:18:a6:56 per its
# r0kh entry and the log earlier in this thread; the wlan0 MAC listed at the top
# of the mail belongs to AP-A). Same layout as AP-A: built-in EAP server plus
# 802.11r Fast BSS Transition with PMK-R1 distribution over the br0 bridge.
interface=wlan0
# -1 = log all modules; level 2 = informational and above
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
# Control socket directory; only group 0 (root) may use it, see ctrl_interface_group
ctrl_interface=/var/run/hostapd

eapol_key_index_workaround=0
# Integrated EAP server (no external RADIUS); users come from eap_user_file.
# Relative paths below resolve against hostapd's working directory, not this file.
eap_server=1
eap_user_file=hostapd.eap_user
# NOTE(review): ca_cert points at peap-alpha/CA.crt while server_cert uses CA.crt
# and AP-A uses CA.crt for both — confirm both files are the same CA.
ca_cert=peap-alpha/CA.crt
# NOTE(review): as on AP-A, the CA certificate doubles as the server certificate
# and CA.key (the CA's private key) lives on the AP. One compromised AP then
# yields the key that signs server certificates every supplicant trusts. Issue a
# per-AP server certificate signed by the CA and keep CA.key offline.
server_cert=CA.crt
private_key=CA.key
ieee8021x=1
# RSN/WPA2 only (no WPA1/TKIP)
wpa=2
#wpa_passphrase=password123

#changes for 802.11r:
#only FT-clients:
# FT-EAP alone means supplicants without FT support cannot associate at all;
# use "WPA-EAP FT-EAP" if legacy clients must still connect.
wpa_key_mgmt=FT-EAP
#push R1 key to other APs:
# At initial association this AP (as R0KH) derives a PMK-R1 for every r1kh entry
# below and pushes it proactively, so every listed AP receives key material —
# list only APs you trust.
pmk_r1_push=1

#list of keyholders, AES-128 keys:
# Format: r0kh=<MAC> <NAS-Identifier> <key>, r1kh=<MAC> <R1KH-ID> <key>. The key
# protects the PMK-R1 push/pull exchanged between the APs over the DS.
# NOTE(review): one key is reused for all four entries and it has been published
# with this mail — treat it as burned. Generate a fresh random key per AP pair
# (e.g. "openssl rand -hex 16") and never copy an example value.
r0kh=30:b5:c2:15:73:1c ap1.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
r0kh=30:b5:c2:18:a6:56 ap2.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
r1kh=30:b5:c2:18:a6:56 30:b5:c2:18:a6:56 1FC4BBA69DB8EB396A24249B406BA2A5
r1kh=30:b5:c2:15:73:1c 30:b5:c2:15:73:1c 1FC4BBA69DB8EB396A24249B406BA2A5

#NAS ID:
# Must match this AP's own r0kh entry (its R0KH-ID) above.
nas_identifier=ap2.example.com
#mobility domain:
# 2-octet MDID; identical on every AP the client may roam between.
mobility_domain=a1b2
# Lifetime of the PMK-R0 held by this R0KH. In hostapd of this vintage the unit
# is minutes (later releases renamed it ft_r0_key_lifetime, in seconds) — check
# the hostapd.conf shipped with your version.
r0_key_lifetime=10000
# Allow FT over the DS (FT Request/Response action frames relayed via the current AP).
ft_over_ds=1
# R1KH-ID this AP advertises; hostapd defaults it to the BSSID.
# NOTE(review): 30b5c215731c is AP-A's MAC, not this AP's (30:b5:c2:18:a6:56); the
# two configs look swapped here. It reportedly worked, but verify against the
# r1kh list before copying.
r1_key_holder=30b5c215731c
# Only meaningful for FT-PSK (here the PMK-R0 comes from the EAP exchange); kept at 0.
ft_psk_generate_local=0
# The RRB frames carrying PMK-R1 pushes/pulls are raw Ethernet frames sent on this
# interface; with no bridge= they go out on wlan0 and never reach the other AP,
# which is why the earlier pull request in this thread got no reply. The bridged
# segment therefore needs to be a trusted network.
bridge=br0
#reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535)
reassociation_deadline=1000
wpa_pairwise=CCMP
# Group key rotated every hour (seconds)
wpa_group_rekey=3600
rsn_pairwise=CCMP
# 802.11i pre-authentication is superseded by FT here
rsn_preauth=0
# GID 0: only members of group root can drive hostapd_cli
ctrl_interface_group=0
# 0 = accept any station unless it is in the deny list
macaddr_acl=0

ssid=802.11R_AP
country_code=IE
ieee80211n=1
ieee80211d=1
hw_mode=g
channel=7
Pozdrawiam,
Wojciech Żyszczyński


2017-03-18 2:12 GMT+00:00 Wojciech Żyszczyński <zyszczynski at gmail.com>:
> Hi,
>
> Thanks for helping me out.
>
> As I can imagine that bridge between wlan0 interface and eth0
> interface could help for the ft_over_ds=1 setting (keys exchanged over
> ethernet),
> I have trouble seeing why hostapd requires a bridge for the
> ft_over_ds=0, I just hoped that that key exchange could happen over
> the air, between wlan0 of AP-1 and wlan0 of AP-2.
>
> I will try creating wlan0--eth0 bridges on both APs and use
> ft_over_ds=1 setting.
>
> Best Regards,
> Wojciech Żyszczyński
>
>
> 2017-03-17 13:51 GMT+00:00 Wojciech Dubowik <wojciech.dubowik at neratec.com>:
>> Hello,
>>
>>   I don't see bridge setting. I guess you need to setup bridge over Ethernet
>> and wlan
>>
>> to get frames to other AP. Just pass bridge=<your br> to your configs.
>>
>>
>> Wojtek
>>
>>
>>
>> On 15/03/17 16:14, Wojciech Żyszczyński wrote:
>>>
>>> Hi,
>>>
>>> I am trying to configure Fast Transition between 2 AccessPoints.
>>> I was able to get working config for FT-PSK with local key generation
>>> (ft_psk_generate_local=1)
>>>
>>> However, for FT-EAP its not an option. So I set following configuration:
>>>
>>>
>>> AP-1
>>>
>>> #MAC Addresses used
>>> #wlan0        ether 30:b5:c2:15:73:1c  txqueuelen 1000  (Ethernet)
>>> #wlan1        ether 30:b5:c2:15:da:b2  txqueuelen 1000  (Ethernet)
>>> #wlan2        ether 30:b5:c2:18:b3:34  txqueuelen 1000  (Ethernet)
>>>
>>> #-----------------------------------------------------------------------------
>>> interface=wlan0
>>> logger_syslog=-1
>>> logger_syslog_level=2
>>> logger_stdout=-1
>>> logger_stdout_level=2
>>> ctrl_interface=/var/run/hostapd
>>>
>>> eapol_key_index_workaround=0
>>> eap_server=1
>>> eap_user_file=/opt/eap/peap-alpha/hostapd.eap_user
>>> ca_cert=/opt/eap/peap-alpha/CA.crt
>>> server_cert=/opt/eap/peap-alpha/CA.crt
>>> private_key=/opt/eap/peap-alpha/CA.key
>>> ieee8021x=1
>>> wpa=2
>>> #changes for 802.11r:
>>> #only FT-clients:
>>> wpa_key_mgmt=FT-EAP
>>> #push R1 key to other APs:
>>> pmk_r1_push=1
>>>
>>> #list of keyholders, AES-128 keys: openet1, openet2:
>>> r0kh=30:b5:c2:15:da:b2 ap2.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
>>> r0kh=30:b5:c2:15:73:1c ap1.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
>>> r1kh=30:b5:c2:15:73:1c 30:b5:c2:15:da:b2 1FC4BBA69DB8EB396A24249B406BA2A5
>>> r1kh=30:b5:c2:15:da:b2 30:b5:c2:15:73:1c 1FC4BBA69DB8EB396A24249B406BA2A5
>>> #NAS ID:
>>> nas_identifier=ap1.example.com
>>> #mobility domain:
>>> mobility_domain=a1b2
>>> #interface to send/receive packets
>>> r0_key_lifetime=10000
>>> ft_over_ds=0
>>> r1_key_holder=30b5c215731c
>>> ft_psk_generate_local=1
>>>
>>> #reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535)
>>> reassociation_deadline=1000
>>> wpa_pairwise=CCMP
>>> wpa_group_rekey=3600
>>> rsn_pairwise=CCMP
>>> rsn_preauth=0
>>> ctrl_interface_group=0
>>> macaddr_acl=0
>>>
>>> ssid=802.11R_AP
>>> country_code=IE
>>> ieee80211n=1
>>> ieee80211d=1
>>> hw_mode=g
>>> channel=7
>>>
>>>
>>> AP-2
>>>
>>> #MAC Addresses used
>>> #wlan0        ether 30:b5:c2:15:73:1c  txqueuelen 1000  (Ethernet)
>>> #wlan1        ether 30:b5:c2:15:da:b2  txqueuelen 1000  (Ethernet)
>>> #wlan2        ether 30:b5:c2:18:b3:34  txqueuelen 1000  (Ethernet)
>>>
>>> #-----------------------------------------------------------------------------
>>> interface=wlan0
>>> logger_syslog=-1
>>> logger_syslog_level=2
>>> logger_stdout=-1
>>> logger_stdout_level=2
>>> ctrl_interface=/var/run/hostapd
>>>
>>> eapol_key_index_workaround=0
>>> eap_server=1
>>> eap_user_file=/opt/eap/peap-alpha/hostapd.eap_user
>>> ca_cert=/opt/eap/peap-alpha/CA.crt
>>> server_cert=/opt/eap/peap-alpha/CA.crt
>>> private_key=/opt/peap-alpha/CA.key
>>> ieee8021x=1
>>> wpa=2
>>> #changes for 802.11r:
>>> #only FT-clients:
>>> wpa_key_mgmt=FT-EAP
>>> #push R1 key to other APs:
>>> pmk_r1_push=1
>>>
>>> #list of keyholders, AES-128 keys: openet1, openet2:
>>> r0kh=30:b5:c2:15:da:b2 ap2.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
>>> r0kh=30:b5:c2:15:73:1c ap1.example.com 1FC4BBA69DB8EB396A24249B406BA2A5
>>> r1kh=30:b5:c2:15:73:1c 30:b5:c2:15:da:b2 1FC4BBA69DB8EB396A24249B406BA2A5
>>> r1kh=30:b5:c2:15:da:b2 30:b5:c2:15:73:1c 1FC4BBA69DB8EB396A24249B406BA2A5
>>>
>>> #NAS ID:
>>> nas_identifier=ap2.example.com
>>> #mobility domain:
>>> mobility_domain=a1b2
>>> #interface to send/receive packets
>>> r0_key_lifetime=10000
>>> ft_over_ds=0
>>> r1_key_holder=30b5c215dab2
>>> ft_psk_generate_local=1
>>>
>>> #reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535)
>>> reassociation_deadline=1000
>>> wpa_pairwise=CCMP
>>> wpa_group_rekey=3600
>>> rsn_pairwise=CCMP
>>> rsn_preauth=0
>>> ctrl_interface_group=0
>>> macaddr_acl=0
>>>
>>> ssid=802.11R_AP
>>> country_code=IE
>>> ieee80211n=1
>>> ieee80211d=1
>>> hw_mode=g
>>> channel=7
>>>
>>> Unfortunately when trying to execute fast transition, I have following
>>> issue (AP2 hostapd log):
>>>
>>> FT: STA R0KH-ID - hexdump(len=15): 61 70 31 2e 65 78 61 6d 70 6c 65 2e 63
>>> 6f 6d
>>> FT: Requested PMKR0Name - hexdump(len=16): 47 ad 87 45 3b ed d3 6d 36
>>> 0b 12 6c 40 78 10 e3
>>> FT: Derived requested PMKR1Name - hexdump(len=16): 8f ee a9 44 89 6f
>>> ec 3e 8b 60 5f 9d fc 6e b7 8b
>>> FT: Send PMK-R1 pull request to remote R0KH address 30:b5:c2:15:73:1c
>>> FT: RRB send to 30:b5:c2:15:73:1c
>>> FT: Callback postponed until response is available res=-1
>>> FT: Received authentication frame: STA=60:a3:7d:8c:6d:38
>>> BSSID=30:b5:c2:18:a6:56 transaction=1
>>> FT: Received authentication frame IEs - hexdump(len=167): 30 26 01 00
>>> 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 03 0c 00 01 00 47 ad 87
>>> 45 3b ed d3 6d 36 0b 12 6c 40 78 10 e3 36 03 a1 b2 00 37 63 00 00 00
>>> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> 00 19 9b 8c db 66 d8 9b 63 24 e6 d8 cd 9c c9 e6 4b cd a5 36 95 4b 50
>>> 2d 43 6a 1d 50 e8 bc 5e e2 f4 03 0f 61 70 31 2e 65 78 61 6d 70 6c 65
>>> 2e 63 6f 6d 7f 08 04 00 00 00 00 00 00 40 dd 09 00 10 18 02 01 00 10
>>> 00 00
>>>
>>> So I see there is a pull request sent to AP-1. This request should be
>>> made over the air, as ft_over_ds=0. Unfortunately I can't even see such a
>>> request in Wireshark, and there is no reply either.
>>> The phone connects to AP-2 with a full authentication, so FT failed.
>>>
>>> Any advice? Does exchange of keys works over air or I need to setup it
>>> over DS?
>>> If setting it up over DS, do I need to have some special vlan
>>> configuration? Both APs are connected by Ethernet and a single switch.
>>>
>>> Best Regards
>>> Wojciech Zyszczynski
>>>
>>
>>


