802.1x: EAP/TLS - xsupplicant and hostap wep enabled

pof pau at eslack.org
Fri Nov 28 20:35:51 EST 2003


Hello,

I have a prism2 card and I use hostap-driver 0.1.2 in "Managed" mode.

I want to authenticate to another computer running hostap-driver 0.1.2
in "Master" mode with 802.1x enabled using EAP/TLS and a FreeRADIUS
server (today's CVS snapshot) running in the same host.

I have read the docs, and set-up openssl certs, xsupplicant config,
hostapd config and FreeRADIUS config accordingly.

I have succeeded with EAP/MD5 and EAP/TLS always with wep disabled.

Now I want to test with  EAP/TLS and wep enabled:

No matter if I set up client and AP with static wep or with rekeying, I
always get the same unsuccessful result.

I use the same config files that work without wep, then I just enable
wep in both client and AP host using iwconfig wlan0 enc "s:mykey". These
are the results:


CLIENT
------

# xsupplicant -i wlan0 -m TLS -n pofHQ
Couldn't get information for interface wlan0!
Calling do_eapol, with device wlan0
Setup on device wlan0 complete
Done with init.
Sending EAPOL-Start #1
Sending EAPOL-Start #2
No authenticator found! Assuming the port is authorized!


AP HOST
-------

hostap log:

Nov 29 02:20:30 nimble kernel: wlan0: RX: IEEE 802.1X frame
Nov 29 02:20:30 nimble hostapd: wlan0: STA 00:90:d1:06:5b:9f IEEE
802.1X: received EAPOL-Start from STA
Nov 29 02:21:00 nimble kernel: wlan0: RX: IEEE 802.1X frame
Nov 29 02:21:00 nimble hostapd: wlan0: STA 00:90:d1:06:5b:9f IEEE
802.1X: received EAPOL-Start from STA
Nov 29 02:21:00 nimble hostapd: wlan0: STA 00:90:d1:06:5b:9f IEEE
802.1X: unauthorizing port
Nov 29 02:22:02 nimble hostapd: wlan0: STA 00:90:d1:06:5b:9f IEEE
802.1X: unauthorizing port
Nov 29 02:23:03 nimble hostapd: wlan0: STA 00:90:d1:06:5b:9f IEEE
802.1X: unauthorizing port
Nov 29 02:23:22 nimble kernel: wlan0: dropped frame from unauthorized
port (IEEE 802.1X): ethertype=0x0806
[...]

freeradius log:

rad_recv: Accounting-Request packet from host 127.0.0.1:40081, id=17,
length=172
        Acct-Session-Id = "3FC7EF72-00000000"
        Acct-Status-Type = Alive
        Acct-Authentic = RADIUS
        User-Name = "Pau"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
        Called-Station-Id = "00-90-D1-08-1A-25:pofHQ"
        Calling-Station-Id = "00-90-D1-06-5B-9F"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        Acct-Session-Time = 822
        Acct-Input-Packets = 40
        Acct-Output-Packets = 92
        Acct-Input-Octets = 7461
        Acct-Output-Octets = 9066
modcall: entering group preacct for request 2
  modcall[preacct]: module "preprocess" returns noop for request 2
    rlm_realm: No '@' in User-Name = "Pau", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[preacct]: module "suffix" returns noop for request 2
  modcall[preacct]: module "files" returns noop for request 2
modcall: group preacct returns noop for request 2
modcall: entering group accounting for request 2
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in
request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 127.0.0.1,NAS-IP-Address
= 127.0.0.1,Acct-Session-Id = "3FC7EF72-00000000",User-Name = "Pau"'
rlm_acct_unique: Acct-Unique-Session-ID = "425620f0a7d157a3".
  modcall[accounting]: module "acct_unique" returns ok for request 2
radius_xlat:  '/var/log/radius/radacct/127.0.0.1/detail-20031129'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/detail-20031129
  modcall[accounting]: module "detail" returns ok for request 2
radius_xlat:  '/var/log/radius/radutmp'
radius_xlat:  'Pau'
  modcall[accounting]: module "radutmp" returns ok for request 2
modcall: group accounting returns ok for request 2
Sending Accounting-Response of id 17 to 127.0.0.1:40081
Finished request 2
Going to the next request
--- Walking the entire request list ---
Cleaning up request 2 ID 17 with timestamp 3fc7f45d
Nothing to do.  Sleeping until we see a request.


Can someone point me in the right direction to successfully authenticate
when WEP is enabled. I am stuck and I don't know if I am missing
something that may be obvious for you here.

Regards,

	Pau Oliva.


-- 
 .----------------------------------------------.
|  Pau Oliva Fora         http://pof.eslack.org  |
|  KeyID: 665D05B533539E02 available at keyserv  |
 `----------------------------------------------'
         In Googlis non est, ergo non est.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.shmoo.com/pipermail/hostap/attachments/20031129/9653b26e/attachment.pgp 


More information about the HostAP mailing list