hostapd for authentication of win wifi clients

Bob Beers bbeers at ieee.org
Fri Jul 23 12:43:16 EDT 2004


Hi List,

I had a thread last month, but I got distracted from the task
  by other responsibilities.  The old thread subject was
"hostapd authenticates but dhcpd doesn't give out address".

I have some time now to try again, but I'd like to simplify
  the goal.  So I'm starting a new thread, I hope that's ok.

I want to use an 0.2.4 hostap AP to validate using user/pass
  MSwindows wifi clients, give a dynamic IP address, and
  provide encryption (not static WEP).

I have my hostap AP with all of the 0.2.4 hostap parts
  up and running.
I have another linux box (Slack 10.0) with freeRadius
  up and running.
I have access to some MSwindows boxes (a w2kPro laptop
  w/ Lucent/Orinoco Silver, a w2kPro desktop w/ Linksys
  WMP11, a wXPhome laptop w/Linksys WPC11, and I might be
  able to add a Netgear MA311 to a winXPpro desktop if necessary).
  [ side question:  Which MSwin versions support dynamic WEP or WPA? ]

So, now  ...

What are the possible routes to this goal?

1) -- using the radius server and 802.1x dynamic WEP keying?
2) -- using the radius server and 802.1x and WPA w/ EAP-PEAP/MSCHAPv2?

I'll try #1) first.  Adjust hostapd.conf for the appropriate case:

bash-2.05# cat /etc/hostapd.conf
interface=wlan0
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=2
dump_file=/tmp/hostapd.dump
daemonize=1
ssid=dugtrio
macaddr_acl=0
auth_algs=1
ieee8021x=1
eap_message=helloBob

# use the next three lines for 802.1x dynamic WEP keying.
wep_key_len_broadcast=5
wep_key_len_unicast=5
wep_rekey_period=300

eapol_key_index_workaround=0
own_ip_addr=172.16.87.23
auth_server_addr=172.16.87.12
auth_server_port=1812
auth_server_shared_secret=testing123
acct_server_addr=172.16.87.12
acct_server_port=1813
acct_server_shared_secret=testing123

# use the next five lines for 802.1x and WPA
#wpa=1
#wpa_key_mgmt=WPA-EAP
#wpa_pairwise=TKIP CCMP
#wpa_group_rekey=600
#wpa_gmk_rekey=86400
bash-2.05#

Any glaring errors here?

In either case, I must have the AP as a client to the radius server
  in clients.conf:

client 172.16.87.23 {
         secret     = testing123
         shortname  = dugtrio-network
         nastype     = other
}

Then I also need some user(s) in users:

bob     Auth-Type := Local, User-Password == "bob"
         Reply-Message = "Hello, %u"

Ok here, too?

Now when I try it for dynamic WEP, I get some bad news ...


Obviously, this line from radius server output,

   auth: No User-Password or CHAP-Password attribute in the request

tells me why the authentication failed, but why did the hostapd message
  to the radiusd server not include the User-Password?  The full output of
  the hostapd and radiusd is below, but here is the hostapd to radiusd
  output showing the message without the User-Password:

Received 44 bytes management frame
RX frame - hexdump(len=44): 08 01 02 01 00 09 5b 41 10 b4 00 06 25 a9 99 27 00 
09 5b 41 10 b4 50 ff aa aa 03 00 00 00 88 8e 01 00 00 08 02 00 00 08 01 62 6f 62
DATA
IEEE 802.1X: 12 bytes from 00:06:25:a9:99:27
    IEEE 802.1X: version=1 type=0 length=8
    EAP: code=2 identifier=0 length=8 (response)
wlan0: STA 00:06:25:a9:99:27 IEEE 802.1X: received EAP packet (code=2 id=0 
len=8) from STA: EAP Response-Identity (1)
wlan0: STA 00:06:25:a9:99:27 IEEE 802.1X: STA identity 'bob'
IEEE 802.1X: 00:06:25:a9:99:27 AUTH_PAE entering state AUTHENTICATING
IEEE 802.1X: 00:06:25:a9:99:27 BE_AUTH entering state RESPONSE
Encapsulating EAP message into a RADIUS packet
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=147
    Attribute 1 (User-Name) length=5
       Value: 'bob'
    Attribute 4 (NAS-IP-Address) length=6
       Value: 172.16.87.23
    Attribute 5 (NAS-Port) length=6
       Value: 1
    Attribute 30 (Called-Station-Id) length=27
       Value: '00-09-5B-41-10-B4:dugtrio'
    Attribute 31 (Calling-Station-Id) length=19
       Value: '00-06-25-A9-99-27'
    Attribute 12 (Framed-MTU) length=6
       Value: 1400
    Attribute 61 (NAS-Port-Type) length=6
       Value: 19
    Attribute 77 (Connect-Info) length=24
       Value: 'CONNECT 11Mbps 802.11b'
    Attribute 79 (EAP-Message) length=10
    Attribute 80 (Message-Authenticator) length=18
IEEE 802.1X: 00:06:25:a9:99:27 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:06:25:a9:99:27 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:06:25:a9:99:27 Port Timers TICK (timers: 29 0 3599 3)
IEEE 802.1X: 00:06:25:a9:99:27 REAUTH_TIMER entering state INITIALIZE
Resending RADIUS message (id=1)
Received 32 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=1 length=32
    Attribute 18 (?Unknown?) length=12
Allowing RADIUS Access-Reject without Message-Authenticator since it does not 
include EAP-Message
RADIUS packet matching with station 00:06:25:a9:99:27
wlan0: STA 00:06:25:a9:99:27 IEEE 802.1X: could not extract EAP-Message from 
RADIUS message

I'm guessing I have not yet got the hostapd.conf quite right yet, or I'm
  still trying to do something odd.

Thanks for any help.

-Bob

Here's the complete output from both hostapd and radiusd.
==================================================================
< removed to fit under the 25k barrier >

-- 
Bob Beers
MIEEE 2415966
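Two checks worth running against the data in the post, added here as example code (not from the post or from the hostapd project): decode the 44-byte frame hexdump to confirm it is an EAPOL/EAP Response-Identity for 'bob' that carries no password at all, and scan hostapd's Access-Request dump for which credential attributes it contains (EAP-Message vs. User-Password/CHAP-Password). The function names and the excerpted dump are my own; the frame bytes and attribute lines are copied from the log above.

```python
import re

# Frame hexdump from the post, with the line wrap removed (constructed input).
FRAME_HEX = (
    "08 01 02 01 00 09 5b 41 10 b4 00 06 25 a9 99 27 00 09 5b 41 10 b4 50 ff "
    "aa aa 03 00 00 00 88 8e 01 00 00 08 02 00 00 08 01 62 6f 62"
)
# Excerpt of the Access-Request attribute dump from the post (constructed input).
RADIUS_DUMP = """\
    Attribute 1 (User-Name) length=5
    Attribute 79 (EAP-Message) length=10
    Attribute 80 (Message-Authenticator) length=18
"""
EAP_CODES = {1: "request", 2: "response", 3: "success", 4: "failure"}

def parse_eapol_frame(hex_dump):
    """Walk 802.11 data header -> LLC/SNAP -> EAPOL -> EAP and return the fields."""
    b = bytes.fromhex(hex_dump.replace(" ", ""))
    if (b[0] >> 2) & 0x3 != 2:                   # frame-control type 2 = data frame
        raise ValueError("not an 802.11 data frame")
    hdr = 24                                     # 3-address data header, no QoS field
    if b[hdr:hdr + 6] != b"\xaa\xaa\x03\x00\x00\x00":
        raise ValueError("no LLC/SNAP header")
    ethertype = int.from_bytes(b[hdr + 6:hdr + 8], "big")
    if ethertype != 0x888E:
        raise ValueError("not EAPOL (ethertype 0x%04x)" % ethertype)
    e = b[hdr + 8:]
    eapol_ver, eapol_type, eapol_len = e[0], e[1], int.from_bytes(e[2:4], "big")
    if eapol_type != 0:                          # 0 = EAP-Packet; 3 would be EAPOL-Key
        return {"eapol_type": eapol_type}
    eap = e[4:4 + eapol_len]
    code, ident, length = eap[0], eap[1], int.from_bytes(eap[2:4], "big")
    if length != len(eap):
        raise ValueError("EAP length field does not match payload")
    out = {"sta": b[10:16].hex(":"), "eapol_version": eapol_ver,
           "eap_code": EAP_CODES.get(code, code), "eap_id": ident, "eap_type": eap[4]}
    if eap[4] == 1:                              # EAP type 1 = Identity
        out["identity"] = eap[5:].decode("ascii", "replace")
    return out

def credential_attributes(dump):
    """Which credential-carrying RADIUS attributes a logged Access-Request holds."""
    ids = {int(m) for m in re.findall(r"Attribute (\d+) \(", dump)}
    return {"user_password": 2 in ids, "chap_password": 3 in ids, "eap_message": 79 in ids}

def auth_path(dump):
    """'eap' means only an EAP-aware module can authenticate: there is no PAP/CHAP password."""
    c = credential_attributes(dump)
    if c["eap_message"] and not (c["user_password"] or c["chap_password"]):
        return "eap"
    return "pap" if c["user_password"] else "chap" if c["chap_password"] else "none"
```

Run on the post's data, the frame decodes to an EAP Response-Identity for 'bob' from 00:06:25:a9:99:27 and the Access-Request classifies as "eap", which is consistent with radiusd's "No User-Password or CHAP-Password attribute" complaint.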