Problems moving hostapd AP config from 6.4 to 8.0RC2

by Geoff Roberts-2

Hi,

I had a working hostapd wireless access point configuration in FreeBSD 6.4.
The access point is being used by Windows XP workstations.

I was using WPA-EAP with freeradius authentication very successfully on the
6.4 backend.

After making the changes for a new 8.0 RC2 (see below) system the XP clients
cannot seem to authenticate. The radius server does not even get contacted by
hostapd.

I can get WEP and WPA-PSK to work OK - just WPA-EAP fails to work in 8.0RC2.

I also have a dhcp server running to hand out dynamic addresses.

Please let me know if you have any suggestions as to how to debug the issue
further or where I may be going wrong.

====

hostapd.log is showing the following:

-> Startup
Nov  8 23:06:26 freebsd hostapd: wlan0: IEEE 802.11 Fetching hardware
channel/rate support not supported.
Nov  8 23:06:26 freebsd hostapd: wlan0: RADIUS Authentication server
xxx.xxx.xxx.xxx:1812
-> When XP client tries to connect to AP
Nov  8 23:08:43 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.11:
associated
Nov  8 23:08:43 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx WPA: event 1
notification
Nov  8 23:08:43 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.1X:
start authentication
Nov  8 23:08:43 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx WPA: start
authentication
Nov  8 23:08:43 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.1X:
unauthorizing port
Nov  8 23:08:46 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.1X:
received EAPOL-Start from STA
Nov  8 23:08:46 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx WPA: event 5
notification
----> Hangs here for a while
Nov  9 00:32:23 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.11:
deassociated
Nov  9 00:32:23 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx WPA: event 2
notification

=====

tcpdump -i wlan0:

00:33:45.570161 xx:xx:xx:xx:xx:xx (oui Unknown) > Broadcast Null Supervisory,
Receiver not Ready, rcv seq 64, Flags [Poll], length 6
00:33:45.570174 xx:xx:xx:xx:xx:xx (oui Unknown) > Broadcast Null Supervisory,
Receiver not Ready, rcv seq 64, Flags [Poll], length 6
00:33:48.523053 EAPOL start (1) v1, len 0



===
dmesg:
ath0: <Atheros 5212> mem 0xf9000000-0xf900ffff irq 16 at device 8.0 on pci1
ath0: [ITHREAD]
ath0: AR5212 mac 5.6 RF5111 phy 4.1
===

rc.conf

I have converted the 6.4 files from:

ifconfig_ath0="inet xxx.xxx.xxx.1 netmask xxx.xxx.xxx.192 mode 11g mediaopt
hostap"

to the newer 8.0 format:

wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap mode 11g country Australia"
ifconfig_wlan0="inet xxx.xxx.xxx.1 netmask xxx.xxx.xxx.192"
ifconfig_wlan0_alias0="inet xxx.xxx.xxx.65 netmask xxx.xxx.xxx.192"
ifconfig_wlan0_alias1="inet xxx.xxx.xxx.129 netmask xxx.xxx.xxx.192"
ifconfig_wlan0_alias2="inet xxx.xxx.xxx.193 netmask xxx.xxx.xxx.192"

NOTE, I found the order of items in create_args_wlan0 important.

====

I also adjusted the 6.4 hostapd.conf. Changes in 8.0RC2 are shown with ->
=====
interface=ath0 -> wlan0
driver=bsd
 -> country_code=Australia
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
debug=4
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=netname
macaddr_acl=0
ieee8021x=1
own_ip_addr=127.0.0.1
auth_server_addr=xxx.xxx.xxx.xxx
auth_server_port=1812
auth_server_shared_secret=secretpw
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP
===

Extra debugging output from wlandebug: <debug,input,xrate,assoc,auth,output>

Nov  9 00:44:07 freebsd kernel: wlan0: [xx:xx:xx:xx:xx:xx] recv probe req
Nov  9 00:44:07 freebsd kernel: wlan0: send probe resp on channel 1 to
xx:xx:xx:xx:xx:xx
Nov  9 00:44:07 freebsd kernel: wlan0: [xx:xx:xx:xx:xx:xx] recv probe req
Nov  9 00:44:07 freebsd kernel: wlan0: send probe resp on channel 1 to
xx:xx:xx:xx:xx:xx
Nov  9 00:44:07 freebsd kernel: wlan0: received auth from xx:xx:xx:xx:xx:xx
rssi 24
Nov  9 00:44:07 freebsd kernel: wlan0: [xx:xx:xx:xx:xx:xx] recv auth frame
with algorithm 0 seq 1
Nov  9 00:44:07 freebsd kernel: [xx:xx:xx:xx:xx:xx] send auth on channel 1
Nov  9 00:44:07 freebsd kernel: wlan0: [xx:xx:xx:xx:xx:xx] station
authenticated (open)
Nov  9 00:44:07 freebsd kernel: wlan0: received assoc_req from
xx:xx:xx:xx:xx:xx rssi 24
Nov  9 00:44:07 freebsd kernel: wlan0: [xx:xx:xx:xx:xx:xx] WPA ie: mc 1/0 uc
3/0 key 1 caps 0x0
Nov  9 00:44:07 freebsd kernel: wlan0: [xx:xx:xx:xx:xx:xx] station associated
at aid 1: short preamble, short slot time, QoS
Nov  9 00:44:07 freebsd kernel: [xx:xx:xx:xx:xx:xx] send assoc_resp on channel
1
Nov  9 00:44:07 freebsd kernel: wlan0: [xx:xx:xx:xx:xx:xx] station unauthorize
via MLME
===

Kind regards,

Geoff

_______________________________________________
freebsd-stable@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@..."

Re: Problems moving hostapd AP config from 6.4 to 8.0RC2

by Sam Leffler-2

Geoff Roberts wrote:

> Hi,
>
> I had a working hostapd wireless access point configuration in FreeBSD 6.4.
> The access point is being used by Windows XP workstations.
>
> I was using WPA-EAP with freeradius authentication very successfully on the
> 6.4 backend.
>
> After making the changes for a new 8.0 RC2 (see below) system the XP clients
> cannot seem to authenticate. The radius server does not even get contacted by
> hostapd.
>
> I can get WEP and WPA-PSK to work OK - just WPA-EAP fails to work in 8.0RC2.
>
> I also have a dhcp server running to hand out dynamic addresses.
>
> Please let me know if you have any suggestions as to how to debug the issue
> further or where I may be going wrong.
>
> ====
>
> hostapd.log is showing the following:
>
> -> Startup
> Nov  8 23:06:26 freebsd hostapd: wlan0: IEEE 802.11 Fetching hardware
> channel/rate support not supported.
> Nov  8 23:06:26 freebsd hostapd: wlan0: RADIUS Authentication server
> xxx.xxx.xxx.xxx:1812
> -> When XP client tries to connect to AP
> Nov  8 23:08:43 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.11:
> associated
> Nov  8 23:08:43 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx WPA: event 1
> notification
> Nov  8 23:08:43 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.1X:
> start authentication
> Nov  8 23:08:43 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx WPA: start
> authentication
> Nov  8 23:08:43 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.1X:
> unauthorizing port
> Nov  8 23:08:46 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.1X:
> received EAPOL-Start from STA
> Nov  8 23:08:46 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx WPA: event 5
> notification
> ----> Hangs here for a while
> Nov  9 00:32:23 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.11:
> deassociated
> Nov  9 00:32:23 freebsd hostapd: wlan0: STA xx:xx:xx:xx:xx:xx WPA: event 2
> notification

Doesn't look like you're getting any debugging from hostapd so we cannot
see why it's giving up and dropping the station.

>
> =====
>
> tcpdump -i wlan0:
>
> 00:33:45.570161 xx:xx:xx:xx:xx:xx (oui Unknown) > Broadcast Null Supervisory,
> Receiver not Ready, rcv seq 64, Flags [Poll], length 6
> 00:33:45.570174 xx:xx:xx:xx:xx:xx (oui Unknown) > Broadcast Null Supervisory,
> Receiver not Ready, rcv seq 64, Flags [Poll], length 6
> 00:33:48.523053 EAPOL start (1) v1, len 0
>
>
>
> ===
> dmesg:
> ath0: <Atheros 5212> mem 0xf9000000-0xf900ffff irq 16 at device 8.0 on pci1
> ath0: [ITHREAD]
> ath0: AR5212 mac 5.6 RF5111 phy 4.1
> ===
>
> rc.conf
>
> I have converted the 6.4 files from:
>
> ifconfig_ath0="inet xxx.xxx.xxx.1 netmask xxx.xxx.xxx.192 mode 11g mediaopt
> hostap"
>
> to the newer 8.0 format:
>
> wlans_ath0="wlan0"
> create_args_wlan0="wlanmode hostap mode 11g country Australia"
> ifconfig_wlan0="inet xxx.xxx.xxx.1 netmask xxx.xxx.xxx.192"
> ifconfig_wlan0_alias0="inet xxx.xxx.xxx.65 netmask xxx.xxx.xxx.192"
> ifconfig_wlan0_alias1="inet xxx.xxx.xxx.129 netmask xxx.xxx.xxx.192"
> ifconfig_wlan0_alias2="inet xxx.xxx.xxx.193 netmask xxx.xxx.xxx.192"
>
> NOTE, I found the order of items in create_args_wlan0 important.

Yes, you cannot change the country code once the interface is marked UP
and that happens implicitly when you set the ip address on an ifnet.

>
> ====
>
> I also adjusted the 6.4 hostapd.conf. Changes in 8.0RC2 are shown with ->
> =====
> interface=ath0 -> wlan0
> driver=bsd
>  -> country_code=Australia

Not used by hostapd on freebsd (pretty sure).

> logger_syslog=-1
> logger_syslog_level=0
> logger_stdout=-1
> logger_stdout_level=0
> debug=4
> dump_file=/tmp/hostapd.dump
> ctrl_interface=/var/run/hostapd
> ctrl_interface_group=wheel
> ssid=netname
> macaddr_acl=0
> ieee8021x=1
> own_ip_addr=127.0.0.1
> auth_server_addr=xxx.xxx.xxx.xxx
> auth_server_port=1812
> auth_server_shared_secret=secretpw
> wpa=1
> wpa_key_mgmt=WPA-EAP
> wpa_pairwise=CCMP TKIP
> ===
>
> Extra debugging output from wlandebug: <debug,input,xrate,assoc,auth,output>
>
> Nov  9 00:44:07 freebsd kernel: wlan0: [xx:xx:xx:xx:xx:xx] recv probe req
> Nov  9 00:44:07 freebsd kernel: wlan0: send probe resp on channel 1 to
> xx:xx:xx:xx:xx:xx
> Nov  9 00:44:07 freebsd kernel: wlan0: [xx:xx:xx:xx:xx:xx] recv probe req
> Nov  9 00:44:07 freebsd kernel: wlan0: send probe resp on channel 1 to
> xx:xx:xx:xx:xx:xx
> Nov  9 00:44:07 freebsd kernel: wlan0: received auth from xx:xx:xx:xx:xx:xx
> rssi 24
> Nov  9 00:44:07 freebsd kernel: wlan0: [xx:xx:xx:xx:xx:xx] recv auth frame
> with algorithm 0 seq 1
> Nov  9 00:44:07 freebsd kernel: [xx:xx:xx:xx:xx:xx] send auth on channel 1
> Nov  9 00:44:07 freebsd kernel: wlan0: [xx:xx:xx:xx:xx:xx] station
> authenticated (open)
> Nov  9 00:44:07 freebsd kernel: wlan0: received assoc_req from
> xx:xx:xx:xx:xx:xx rssi 24
> Nov  9 00:44:07 freebsd kernel: wlan0: [xx:xx:xx:xx:xx:xx] WPA ie: mc 1/0 uc
> 3/0 key 1 caps 0x0
> Nov  9 00:44:07 freebsd kernel: wlan0: [xx:xx:xx:xx:xx:xx] station associated
> at aid 1: short preamble, short slot time, QoS
> Nov  9 00:44:07 freebsd kernel: [xx:xx:xx:xx:xx:xx] send assoc_resp on channel
> 1
> Nov  9 00:44:07 freebsd kernel: wlan0: [xx:xx:xx:xx:xx:xx] station unauthorize
> via MLME

So your station associated and hostapd saw it but nothing in your logs
shows what hostapd did or did not do to complete the radius handshake.
All we see is that hostapd dropped the station--presumably because it
timed out trying to authenticate against the backend.

Not sure what debug level you need for hostapd; I usually use the cmd
line options.

        Sam

Re: Problems moving hostapd AP config from 6.4 to 8.0RC2

by Geoff Roberts-2

Hi Sam,

On Mon, 9 Nov 2009 03:48:41 am Sam Leffler wrote:
> snip <
>
> So your station associated and hostapd saw it but nothing in your logs
> shows what hostapd did or did not do to complete the radius handshake.
> All we see is that hostapd dropped the station--presumably because it
> timed out trying to authenticate against the backend.
>
> Not sure what debug level you need for hostapd; I usually use the cmd
> line options.

Thanks for responding - it was a great help.

Your comment gave me a clue as to where to begin looking.

It appears some components required by hostapd weren't being built.

I am building on an amd64 system.

I had a look at the make file in /usr/src/usr.sbin/wpa/hostapd/Makefile and
found that adding the following to /etc/src.conf fixed my problem:

HOSTAPD_CFLAGS+=-DEAP_SERVER -DEAP_GTC -DEAP_AKA -DEAP_SIM -DEAP_GPSK
HOSTAPD_CFLAGS+=-DEAP_PAX -DEAP_SAKE

WITH_OPENSSL=YES

I haven't had a chance to narrow down exactly which one made the difference,
but I'm guessing it is the -DEAP_SERVER flag.

The only tunable I could find in /usr/src/tools/build/options was
WPA_SUPPLICANT_EAPOL, but this should only affect wpa_supplicant.

Does anyone know if there is a tunable I am missing in my src.conf file, or
should I be setting the HOSTAPD_CFLAGS directly as above?

Kind regards,

Geoff


Re: Problems moving hostapd AP config from 6.4 to 8.0RC2

by Sam Leffler

Geoff Roberts wrote:

> Hi Sam,
>
> On Mon, 9 Nov 2009 03:48:41 am Sam Leffler wrote:
>> snip <
>>
>> So your station associated and hostapd saw it but nothing in your logs
>> shows what hostapd did or did not do to complete the radius handshake.
>> All we see is that hostapd dropped the station--presumably because it
>> timed out trying to authenticate against the backend.
>>
>> Not sure what debug level you need for hostapd; I usually use the cmd
>> line options.
>
> Thanks for responding - it was a great help.
>
> Your comment gave me a clue as to where to begin looking.
>
> It appears some components required by hostapd weren't being built.
>
> I am building on an amd64 system.
>
> I had a look at the make file in /usr/src/usr.sbin/wpa/hostapd/Makefile and
> found that adding the following to /etc/src.conf fixed my problem:
>
> HOSTAPD_CFLAGS+=-DEAP_SERVER -DEAP_GTC -DEAP_AKA -DEAP_SIM -DEAP_GPSK
> HOSTAPD_CFLAGS+=-DEAP_PAX -DEAP_SAKE
>
> WITH_OPENSSL=YES
>
> I haven't had a chance to narrow down exactly which one made the difference,
> but I'm guessing it is the -DEAP_SERVER flag.
>
> The only tunable I could find in /usr/src/tools/build/options was
> WPA_SUPPLICANT_EAPOL, but this should only affect wpa_supplicant.
>
> Does anyone know if there is a tunable I am missing in my src.conf file, or
> should I be setting the HOSTAPD_CFLAGS directly as above?

Setting HOSTAPD_CFLAGS directly is the intended mechanism.  EAP_SERVER
is the important one to define; past that you're just adding in some of
the more esoteric mechanisms.  I should probably enable it by default
(it comes setup out of the box to do only WPA-PSK).

        Sam
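
The mismatch resolved in this thread (a hostapd.conf that requests WPA-EAP while hostapd was built without -DEAP_SERVER) can be checked for before an upgrade is put into service. The script below is an added example, not part of the thread and not FreeBSD or hostapd project code; the function names and the sample files are constructed for illustration, and it inspects only a src.conf-style file, not the installed binary.

```sh
#!/bin/sh
# Added example: flag a WPA-EAP hostapd.conf whose build flags lack EAP_SERVER.

# Print the last value assigned to KEY ($2) in hostapd.conf FILE ($1).
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Print each token assigned to HOSTAPD_CFLAGS (= or +=) in FILE, one per line.
hostapd_cflags() {
    sed -n 's/^[[:space:]]*HOSTAPD_CFLAGS[[:space:]]*+\{0,1\}=//p' "$1" |
        tr -s ' \t' '\n\n'
}

# check_eap_build HOSTAPD_CONF SRC_CONF
#   0: consistent; 1: WPA-EAP requested but -DEAP_SERVER not in the build flags;
#   2: hostapd.conf unreadable.
check_eap_build() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    case " $(conf_value "$1" wpa_key_mgmt) " in
        *" WPA-EAP "*) ;;      # EAP key management requested
        *) return 0 ;;         # PSK-only: the default build is enough
    esac
    # A missing src.conf means the default build, i.e. no extra flags.
    if [ -r "$2" ] && hostapd_cflags "$2" | grep -qx -e '-DEAP_SERVER'; then
        return 0
    fi
    echo "$1 sets wpa_key_mgmt=WPA-EAP but $2 has no HOSTAPD_CFLAGS+=-DEAP_SERVER" >&2
    return 1
}

# Constructed sample files (placeholder values, not from a real system).
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'interface=wlan0' 'driver=bsd' 'ieee8021x=1' 'wpa=1' \
        'wpa_key_mgmt=WPA-EAP' 'wpa_pairwise=CCMP TKIP' > "$d/hostapd.conf"
    printf '%s\n' 'WITH_OPENSSL=YES' > "$d/src.conf.default"
    printf '%s\n' 'HOSTAPD_CFLAGS+=-DEAP_SERVER -DEAP_GTC' \
        'HOSTAPD_CFLAGS+=-DEAP_PAX' > "$d/src.conf.fixed"
    before=0; check_eap_build "$d/hostapd.conf" "$d/src.conf.default" || before=$?
    after=0;  check_eap_build "$d/hostapd.conf" "$d/src.conf.fixed"   || after=$?
    rm -rf "$d"
    echo "default build: $before, with EAP_SERVER: $after"
}
demo
```

On a real system the two arguments would be the hostapd.conf in use and /etc/src.conf; a non-zero return means hostapd has to be rebuilt with the flag before WPA-EAP clients can authenticate.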

Re: Problems moving hostapd AP config from 6.4 to 8.0RC2

by Geoff Roberts-2

Hi Sam,

On Thu, 12 Nov 2009 03:53:17 pm Sam Leffler wrote:
> Setting HOSTAPD_CFLAGS directly is the intended mechanism.  EAP_SERVER
> is the important one to define; past that you're just adding in some of
> the more esoteric mechanisms.  I should probably enable it by default
> (it comes setup out of the box to do only WPA-PSK).

Making a tunable that defaults to enabled sounds logical as the example files
have references to it. However I can understand the concern in doing
something different to the "shrink wrapped" edition :)

It would possibly make a sensible companion setting for WPA_SUPPLICANT_EAPOL -
HOSTAPD_EAP?

Kind regards,

Geoff

--

___________________________________
From the desk of Geoff Roberts
Implementation Partner
AUSTRALIAN PROJECTS PTY LIMITED

S A F E   K N O W L E D G E
IT Security - Data Protection

Email: support@...

NATIONAL HELP DESK SUPPORT
Sydney          02 4231 4222
Melbourne       03 9017 8222
Adelaide        08 6461 6222
Perth           08 8463 1222
Brisbane        07 3137 1555
Hobart          03 6281 2555
Canberra        02 6112 8855
___________________________________
