hostapd authenticates but dhcpd doesn't give out address

Bob Beers bbeers at ieee.org
Tue Jun 15 10:48:26 EDT 2004



Derek Schuff wrote:

Thanks for the quick response!

> On Tuesday 15 June 2004 09:38 am, Bob Beers wrote:
> 
>>Hi list, (I'm re-posting this, so apologies if it does finally
>>  show up twice)
>>
>>I am running a custom 2.4.20 kernel and the 0.2.2 hostap
>>  driver, and all is well:  I can associate all 802.11b
>>  stations (hostap and windows) that I try with the hostap AP
>>  and then get dynamic IP assignment via dhcpd on the AP.
> 
> This is with static WEP?

No, I was trying to use the dynamic WEP rekeying, but I'm willing
  to start simple and work my way up.  No WEP, static WEP, dynamic
  WEP, WPA, VPN, ???

> 
> 
>>But, when I try to implement the hostapd and a remote radius
>>  server for authentication I can associate stations, but the
>>  dhcpd daemon on the AP never seems to get the dhcp requests.
> 
> Is this just 802.1x or WPA?
> I assume you are getting successful authentications from the RADIUS server. You 
> may want to verify that port on the AP is getting opened to traffic. (someone 
> else will have to give you more details, as I don't run in AP mode at the 
> moment)
> 

Just 802.1x for now.  I included some log output below, which, I think,
  indicates successful authentication.  I can provide other output/logs
  on request, let me know what I should be looking at.
> 
>>Can someone point me to some more reading or example config files
>>  so that I can get this working correctly, please?  Maybe I'm
>>  forgetting something on the station side also?
>>
>>
>>What I think I want is to allow stations to associate,
>>  but until after opening a browser for username password validation
>>  on a T&C page, not allow them any connectivity.  Am I headed in
>>  the right direction here?
> 
> I'm not sure you can do this with just an 802.1x authenticator. The 
> Authenticator only has control over whether the port is open or closed. If 
> closed (before successful authentication), nothing gets through at all (well, 
> other than EAP), so no DHCP or HTTP or anything. Once RADIUS/EAP 
> authentication succeeds, then it's open and everything gets through.
> (Someone correct me if I'm wrong)
> 

Yes, I figured more would be required, but the first step would be
  network connectivity, yes?  I tried just assigning a static IP, after the
  authentication, but no luck there either.  I'm obviously overlooking
  some important stuff, but I'm too green to know what I need to know.

How can I tell if "the port is open or closed"?  What port?

I am a good reader though, so if someone has some more hints or references
  I will try to educate myself as much as possible.

> 
>>here's my hostapd.conf:
>>
>>bash-2.05# cat /etc/hostapd.conf | grep = | grep -v ^#
>>interface=wlan0
>>logger_syslog=-1
>>logger_syslog_level=2
>>logger_stdout=-1
>>logger_stdout_level=2
>>debug=2
>>dump_file=/tmp/hostapd.dump
>>daemonize=1
>>ssid=edgeRM
>>macaddr_acl=2
>>auth_algs=1
>>ieee8021x=1
>>minimal_eap=1
>>eap_message=hello
>>wep_key_len_broadcast=5
>>wep_key_len_unicast=5
>>wep_rekey_period=300
>>eapol_key_index_workaround=0
>>own_ip_addr=172.16.1.201
>>auth_server_addr=172.16.1.200
>>auth_server_port=1812
>>auth_server_shared_secret=secret
>>acct_server_addr=172.16.1.200
>>acct_server_port=1813
>>acct_server_shared_secret=secret
>>
>>here's some of the log messages I get on the AP:
>>
>>in /var/log/messages:
>>
>>Jun 10 16:24:16 rack001 hostapd: wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11:
>>disassociated due to inactivity
>>Jun 10 16:24:17 rack001 hostapd: wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11:
>>deauthenticated due to inactivity
>>Jun 10 16:24:17 rack001 hostapd: wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11:
>>authenticated
>>Jun 10 16:24:17 rack001 hostapd: wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11:
>>associated (aid 1)
>>
>>in /var/log/debug: (I think this first line is about the dhcp request)
>>
>>Jun 10 16:24:15 rack001 kernel: wifi0: dropped frame to unauthorized port
>>(IEEE 802.1X): ethertype=0x0000
>>Jun 10 16:24:15 rack001 kernel: wifi0: TX len=24 jiffies=1143809
>>Jun 10 16:24:15 rack001 kernel:    FC=0x020a (type=2:0) [FromDS] dur=0x0000
>>seq=0x0000
>>Jun 10 16:24:15 rack001 kernel:    A1=00:09:5b:2f:f6:b4
>>A2=00:09:5b:41:10:b4 A3=00:09:5b:41:10:b4
>>Jun 10 16:24:17 rack001 kernel: wifi0: Could not find STA 00:09:5b:2f:f6:b4
>>for this TX error (@1144012)
>>Jun 10 16:24:18 rack001 kernel: wifi0: TX: IEEE 802.1X - passing
>>unencrypted EAPOL frame
>>Jun 10 16:24:49 rack001 kernel: wifi0: TX: IEEE 802.1X - passing
>>unencrypted EAPOL frame
>>
>>here's what I see when running 'hostapd -d /etc/hostapd.conf':
>>
>>
>>Configuration file: /etc/hostapd.conf
>>Opening raw packet socket for ifindex 16
>>Using interface wlan0ap with hwaddr 00:09:5b:41:10:b4 and ssid 'edgeRM'
>>wlan0: RADIUS Authentication server 172.16.1.200:1812
>>wlan0: RADIUS Accounting server 172.16.1.200:1813
>>Sending RADIUS message to accounting server
>>RADIUS message: code=4 (Accounting-Request) identifier=0 length=70
>>    Attribute 40 (Acct-Status-Type) length=6
>>       Value: 7
>>    Attribute 45 (Acct-Authentic) length=6
>>       Value: 1
>>    Attribute 4 (NAS-IP-Address) length=6
>>       Value: 172.16.1.201
>>    Attribute 30 (Called-Station-Id) length=26
>>       Value: '00-09-5B-41-10-B4:edgeRM'
>>    Attribute 49 (Acct-Terminate-Cause) length=6
>>       Value: 11
>>Default WEP key - hexdump(len=5): 4b b7 0e d0 af
>>Flushing old station entries
>>Deauthenticate all stations
>>Received 20 bytes from RADIUS server
>>Received RADIUS message
>>RADIUS message: code=5 (Accounting-Response) identifier=0 length=20
>>Received 30 bytes management frame
>>RX frame - hexdump(len=30): b0 00 02 01 00 09 5b 41 10 b4 00 09 5b 2f f6 b4
>>00 09 5b 41 10 b4 30 34 00 00 01 00 00 00
>>MGMT
>>mgmt::auth
>>authentication: STA=00:09:5b:2f:f6:b4 auth_alg=0 auth_transaction=1
>>status_code=0 wep=0
>>Sending RADIUS message to authentication server
>>RADIUS message: code=1 (Access-Request) identifier=1 length=151
>>    Attribute 1 (User-Name) length=14
>>       Value: '00095b2ff6b4'
>>    Attribute 2 (User-Password) length=18
>>    Attribute 4 (NAS-IP-Address) length=6
>>       Value: 172.16.1.201
>>    Attribute 30 (Called-Station-Id) length=26
>>       Value: '00-09-5B-41-10-B4:edgeRM'
>>    Attribute 31 (Calling-Station-Id) length=19
>>       Value: '00-09-5B-2F-F6-B4'
>>    Attribute 61 (NAS-Port-Type) length=6
>>       Value: 19
>>    Attribute 77 (Connect-Info) length=24
>>       Value: 'CONNECT 11Mbps 802.11b'
>>    Attribute 80 (Message-Authenticator) length=18
>>Authentication frame from 00:09:5b:2f:f6:b4 waiting for an external
>>authentication Received 26 bytes from RADIUS server
>>Received RADIUS message
>>RADIUS message: code=2 (Access-Accept) identifier=1 length=26
>>    Attribute 6 (?Unknown?) length=6
>>Found matching Access-Request for RADIUS message (id=1)
>>Re-sending authentication frame after successful RADIUS ACL query
>>mgmt::auth
>>authentication: STA=00:09:5b:2f:f6:b4 auth_alg=0 auth_transaction=1
>>status_code=0 wep=0
>>   New STA
>>wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11: authentication OK (open system)
>>wlan0: STA 00:09:5b:2f:f6:b4 WPA: event 0 notification
>>authentication reply: STA=00:09:5b:2f:f6:b4 auth_alg=0 auth_transaction=2
>>resp=0 Received 30 bytes management frame
>>RX frame - hexdump(len=30): b2 00 02 01 00 09 5b 2f f6 b4 00 09 5b 41 10 b4
>>00 09 5b 41 10 b4 d0 62 00 00 02 00 00 00
>>MGMT (TX callback) ACK
>>mgmt::auth cb
>>wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11: authenticated
>>Received 42 bytes management frame
>>RX frame - hexdump(len=42): 00 00 73 d1 00 09 5b 41 10 b4 00 09 5b 2f f6 b4
>>00 09 5b 41 10 b4 40 34 01 00 0a 00 00 06 65 64 67 65 52 4d 01 04 82 84 0b
>>16 MGMT
>>mgmt::assoc_req
>>association request: STA=00:09:5b:2f:f6:b4 capab_info=0x01
>>listen_interval=10 new AID 1
>>wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11: association OK (aid 1)
>>Received 36 bytes management frame
>>RX frame - hexdump(len=36): 12 00 73 d1 00 09 5b 2f f6 b4 00 09 5b 41 10 b4
>>00 09 5b 41 10 b4 e0 62 11 00 00 00 01 c0 01 04 82 84 0b 16
>>MGMT (TX callback) ACK
>>mgmt::assoc_resp cb
>>wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11: associated (aid 1)
>>wlan0: STA 00:09:5b:2f:f6:b4 WPA: event 1 notification
>>wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.1X: start authentication
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 AUTH_PAE entering state INITIALIZE
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 BE_AUTH entering state INITIALIZE
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 AUTH_KEY_TX entering state NO_KEY_TRANSMIT
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 AUTH_PAE entering state INITIALIZE
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 BE_AUTH entering state IDLE
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 AUTH_PAE entering state INITIALIZE
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 0)
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 AUTH_PAE entering state DISCONNECTED
>>wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.1X: unauthorizing port
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 AUTH_PAE entering state CONNECTING
>>IEEE 802.1X: Sending EAP Request-Identity to 00:09:5b:2f:f6:b4 (identifier
>>0) IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
>>Received 50 bytes management frame
>>RX frame - hexdump(len=50): 0a 02 02 01 00 09 5b 2f f6 b4 00 09 5b 41 10 b4
>>00 09 5b 41 10 b4 90 63 aa aa 03 00 00 00 88 8e 01 00 00 0e 01 00 00 0e 01
>>68 65 6c 6c 6f 45 64 67 65
>>DATA (TX callback) ACK
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 TX status - version=1 type=0 length=14 -
>>ack=1 IEEE 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 29)
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 28) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 27) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 26) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 25) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 24) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 23) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 22) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 21) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 20) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 19) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 18) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 17) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 16) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 15) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 14) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 13) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 12) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 11) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 10) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 9) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 8) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 7) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 6) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 5) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 4) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 3) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 2) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 1) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 0) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 AUTH_PAE entering state CONNECTING
>>IEEE 802.1X: Sending EAP Request-Identity to 00:09:5b:2f:f6:b4 (identifier
>>0) IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
>>Received 50 bytes management frame
>>RX frame - hexdump(len=50): 0a 02 02 01 00 09 5b 2f f6 b4 00 09 5b 41 10 b4
>>00 09 5b 41 10 b4 70 76 aa aa 03 00 00 00 88 8e 01 00 00 0e 01 00 00 0e 01
>>68 65 6c 6c 6f 45 64 67 65
>>DATA (TX callback) ACK
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 TX status - version=1 type=0 length=14 -
>>ack=1 IEEE 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 29)
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 28) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 27) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE IEEE
>>802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 26) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE Signal 2
>>received - terminating
>>Removing station 00:09:5b:2f:f6:b4
>>IEEE 802.1X: station 00:09:5b:2f:f6:b4 port disabled
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 AUTH_PAE entering state INITIALIZE
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 AUTH_PAE entering state INITIALIZE
>>IEEE 802.1X: 00:09:5b:2f:f6:b4 REAUTH_TIMER entering state INITIALIZE
>>Flushing old station entries
>>Deauthenticate all stations
>>Sending RADIUS message to accounting server
>>RADIUS message: code=4 (Accounting-Request) identifier=2 length=70
>>    Attribute 40 (Acct-Status-Type) length=6
>>       Value: 8
>>    Attribute 45 (Acct-Authentic) length=6
>>       Value: 1
>>    Attribute 4 (NAS-IP-Address) length=6
>>       Value: 172.16.1.201
>>    Attribute 30 (Called-Station-Id) length=26
>>       Value: '00-09-5B-41-10-B4:edgeRM'
>>    Attribute 49 (Acct-Terminate-Cause) length=6
>>       Value: 11
>>
>>
>>
>>
>>I hope this was not too lengthy.  Any help appreciated.  I'm trying to
>>  get a better understanding of and then make good use of the hostapd
>>  features, but I'm not quite there yet.
>>
>>Thanks,
>>
>>-Bob
> 
> 

-- 
Bob Beers
MIEEE 2415966
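
Added example, not part of the original post and not hostapd code: a small parser that reads the per-station 802.1X port state out of `hostapd -d` output like the log quoted above, tolerating mail quote markers and wrapped lines. The "authorizing port" line format and the second station (02:00:00:00:00:01) are assumptions constructed for contrast; the other sample lines come from the post.

```python
import re
MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
PATTERNS = {
    "associated": re.compile(rf"STA {MAC} IEEE 802\.11: associated"),
    "pae": re.compile(rf"IEEE 802\.1X: {MAC} AUTH_PAE entering state (\w+)"),
    "unauthorize": re.compile(rf"STA {MAC} IEEE 802\.1X: unauthorizing port"),
    # Assumed counterpart of "unauthorizing port"; it does not appear in the post.
    "authorize": re.compile(rf"STA {MAC} IEEE 802\.1X: authorizing port"),
    "identity_req": re.compile(rf"Sending EAP Request-Identity to {MAC}"),
}

def port_status(raw):
    """Replay the log in order; return the final state per station MAC."""
    # Drop mail quote markers and undo the mail client's line wrapping.
    text = " ".join(re.sub(r"(?m)^[>\s]+", "", raw).split())
    events = sorted((m.start(), kind, m.groups())
                    for kind, rx in PATTERNS.items() for m in rx.finditer(text))
    stations = {}
    for _, kind, groups in events:
        sta = stations.setdefault(groups[0], {"associated": False,
            "authorized": False, "pae_state": None, "identity_requests": 0})
        if kind == "associated":
            sta["associated"] = True
        elif kind == "pae":
            sta["pae_state"] = groups[1]
        elif kind == "identity_req":
            sta["identity_requests"] += 1
        else:  # authorize / unauthorize: the last one seen wins
            sta["authorized"] = kind == "authorize"
    return stations

def blocked(raw):
    """Stations that associated but whose 802.1X port is still closed."""
    return sorted(mac for mac, s in port_status(raw).items()
                  if s["associated"] and not s["authorized"])

# First station: lines taken from the post, quoting and wrapping kept.
# Last two lines: constructed station that completes 802.1X (assumed format).
SAMPLE = """\
>>wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.11: associated (aid 1)
>>wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.1X: unauthorizing port
>>IEEE 802.1X: Sending EAP Request-Identity to 00:09:5b:2f:f6:b4 (identifier
>>0) IEEE 802.1X: 00:09:5b:2f:f6:b4 Port Timers TICK (timers: 0 0 3599 0) IEEE
>>802.1X: 00:09:5b:2f:f6:b4 AUTH_PAE entering state CONNECTING
>>IEEE 802.1X: Sending EAP Request-Identity to 00:09:5b:2f:f6:b4 (identifier
wlan0: STA 02:00:00:00:00:01 IEEE 802.11: associated (aid 2)
wlan0: STA 02:00:00:00:00:01 IEEE 802.1X: authorizing port
"""
print(blocked(SAMPLE))
```

A station listed by `blocked()` is associated at the 802.11 level while its 802.1X port is closed, which is the condition the kernel line "dropped frame to unauthorized port" reports.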



