hostapd authenticates but dhcpd doesn't give out address

Bob Beers bbeers at ieee.org
Tue Jun 15 17:15:00 EDT 2004


(I hope you don't mind, but I'm cc:'ing the list in case anyone else
  cares to chime in and help me.)


Mark Glines wrote:
> On Tue, Jun 15, 2004 at 10:48:26 -0400, Bob Beers wrote:
> 
>>Just 802.1x for now.  I included some log output below, which I think,
>> indicates successful authentication.  I can provide other output/logs
>> on request, let me know what I should be looking at.
> 
> 
> You might try removing "minimal_eap" from your hostapd.conf.  From
> memory, it circumvents the RADIUS part of the authentication loop
> entirely.
> 
> 
> 

Right, this is what I tried just now:

My hostap AP has eth0 172.16.1.201/24, and RADIUS server is 172.16.1.200,
wlan0 is 192.168.87.1/24, essid dugtrio,
then I associate from my laptop (hostap station) with MAC 0006250aa872


bash-2.05# cat /etc/hostapd.conf | grep = | grep -v ^#
interface=wlan0
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=2
dump_file=/tmp/hostapd.dump
daemonize=1
ssid=dugtrio
macaddr_acl=2
auth_algs=1
ieee8021x=1
eap_message=helloBob
eapol_key_index_workaround=0
own_ip_addr=172.16.1.201
auth_server_addr=172.16.1.200
auth_server_port=1812
auth_server_shared_secret=secret
acct_server_addr=172.16.1.200
acct_server_port=1813
acct_server_shared_secret=secret

BTW, what is the shared secret for? I have put the MAC in the RADIUS db for user
  and password, else I get "Unsupported authentication algorithm (0)".

>>>I'm not sure you can do this with just an 802.1x authenticator. The 
>>>Authenticator only has control over whether the port is open or closed. If 
>>>closed (before successful authentication), nothing gets through at all 
>>>(well, other than EAP), so no DHCP or HTTP or anything. Once RADIUS/EAP 
>>>authentication succeeds, then it's open and everything gets through.
>>>(Someone correct me if I'm wrong)
>>>
>>
>>Yes, I figured more would be required, but the first step would be
>> network connectivity, yes?  I tried just assigning a static IP, after the
>> authentication, but no luck there either.  I'm obviously overlooking
>> some important stuff, but I'm too green to know what I need to know.
>>
>>How can I tell if "the port is open or closed"?  What port?
> 
> 
> It's "port" in the 802.1x context, which is like a port on a switch.
> The way I tell if the port is open is by assigning some static IPs
> and trying to ping...
> 
> Mark
> 

Well, I think I am not getting the port to open, because even if I assign
a static IP to the laptop (192.168.87.2/24) I can't ping the AP (I get
Destination Host Unreachable)

and I get this in /var/log/debug:

kernel: wifi0: Could not find STA 00:06:25:0a:a8:72 for this TX error (@378023)

and this message in both /var/log/debug and /var/log/messages:

kernel: wlan0: dropped frame from unauthorized port (IEEE 802.1X): ethertype=0x0806

Here's what hostapd -d output was to stdout:

bash-2.05# /sbin/hostapd -d /etc/hostapd.conf
Configuration file: /etc/hostapd.conf
Opening raw packet socket for ifindex 13
Using interface wlan0ap with hwaddr 00:09:5b:41:10:b4 and ssid 'dugtrio'
wlan0: RADIUS Authentication server 172.16.1.200:1812
wlan0: RADIUS Accounting server 172.16.1.200:1813
Sending RADIUS message to accounting server
RADIUS message: code=4 (Accounting-Request) identifier=0 length=71
    Attribute 40 (Acct-Status-Type) length=6
       Value: 7
    Attribute 45 (Acct-Authentic) length=6
       Value: 1
    Attribute 4 (NAS-IP-Address) length=6
       Value: 172.16.1.201
    Attribute 30 (Called-Station-Id) length=27
       Value: '00-09-5B-41-10-B4:dugtrio'
    Attribute 49 (Acct-Terminate-Cause) length=6
       Value: 11
Flushing old station entries
Deauthenticate all stations
Received 108 bytes management frame
RX frame - hexdump(len=108): 08 00 46 97 b9 47 00 50 c2 0f f2 26 08 00 45 10 00 
5e d4 93 40 00 40 06 0a 43 ac 10 01 c9 ac 10 01 ca 00 17 82 f7 c2 01 6b f3 0f a1 
ec 39 80 18 16 a0 13 97 00 00 01 01 08 0a 00 0a 54 28 00 2e 11 ad 4f 70 65 6e 69 
6e 67 20 72 61 77 20 70 61 63 6b 65 74 20 73 6f 63 6b 65 74 20 66 6f 72 20 69 66 
69 6e 64 65 78 20 31 33 0d 0a
DATA
Not ToDS data frame (fc=0x0008)
Received 66 bytes management frame
RX frame - hexdump(len=66): 00 50 c2 0f f2 26 08 00 46 97 b9 47 08 00 45 10 00 
34 4a 92 40 00 40 06 94 6e ac 10 01 ca ac 10 01 c9 82 f7 00 17 0f a1 ec 39 c2 01 
6c 1d 80 10 71 20 96 d1 00 00 01 01 08 0a 00 2e 11 af 00 0a 54 28
MGMT
MGMT: BSSID=00:34:4a:92:40:00 not our address
Received 20 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=5 (Accounting-Response) identifier=0 length=20



Received 30 bytes management frame
RX frame - hexdump(len=30): b0 00 b7 89 00 09 5b 41 10 b4 00 06 25 0a a8 72 00 
09 5b 41 10 b4 f0 e6 00 00 01 00 00 00
MGMT
mgmt::auth
authentication: STA=00:06:25:0a:a8:72 auth_alg=0 auth_transaction=1 status_code=0 wep=0
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=152
    Attribute 1 (User-Name) length=14
       Value: '0006250aa872'
    Attribute 2 (User-Password) length=18
    Attribute 4 (NAS-IP-Address) length=6
       Value: 172.16.1.201
    Attribute 30 (Called-Station-Id) length=27
       Value: '00-09-5B-41-10-B4:dugtrio'
    Attribute 31 (Calling-Station-Id) length=19
       Value: '00-06-25-0A-A8-72'
    Attribute 61 (NAS-Port-Type) length=6
       Value: 19
    Attribute 77 (Connect-Info) length=24
       Value: 'CONNECT 11Mbps 802.11b'
    Attribute 80 (Message-Authenticator) length=18
Authentication frame from 00:06:25:0a:a8:72 waiting for an external authentication
Received 26 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=1 length=26
    Attribute 6 (?Unknown?) length=6
Found matching Access-Request for RADIUS message (id=1)
Re-sending authentication frame after successful RADIUS ACL query
mgmt::auth
authentication: STA=00:06:25:0a:a8:72 auth_alg=0 auth_transaction=1 status_code=0 wep=0
   New STA
wlan0: STA 00:06:25:0a:a8:72 IEEE 802.11: authentication OK (open system)
wlan0: STA 00:06:25:0a:a8:72 WPA: event 0 notification
authentication reply: STA=00:06:25:0a:a8:72 auth_alg=0 auth_transaction=2 resp=0
Received 30 bytes management frame
RX frame - hexdump(len=30): b2 00 02 01 00 06 25 0a a8 72 00 09 5b 41 10 b4 00 
09 5b 41 10 b4 10 a1 00 00 02 00 00 00
MGMT (TX callback) ACK
mgmt::auth cb
wlan0: STA 00:06:25:0a:a8:72 IEEE 802.11: authenticated
Received 43 bytes management frame
RX frame - hexdump(len=43): 00 00 68 e0 00 09 5b 41 10 b4 00 06 25 0a a8 72 00 
09 5b 41 10 b4 00 e7 01 00 01 00 00 07 64 75 67 74 72 69 6f 01 04 82 84 0b 16
MGMT
mgmt::assoc_req
association request: STA=00:06:25:0a:a8:72 capab_info=0x01 listen_interval=1
   new AID 1
wlan0: STA 00:06:25:0a:a8:72 IEEE 802.11: association OK (aid 1)
Received 36 bytes management frame
RX frame - hexdump(len=36): 12 00 68 e0 00 06 25 0a a8 72 00 09 5b 41 10 b4 00 
09 5b 41 10 b4 20 a1 01 00 00 00 01 c0 01 04 82 84 0b 16
MGMT (TX callback) ACK
mgmt::assoc_resp cb
wlan0: STA 00:06:25:0a:a8:72 IEEE 802.11: associated (aid 1)
wlan0: STA 00:06:25:0a:a8:72 WPA: event 1 notification
wlan0: STA 00:06:25:0a:a8:72 IEEE 802.1X: start authentication
IEEE 802.1X: 00:06:25:0a:a8:72 AUTH_PAE entering state INITIALIZE
IEEE 802.1X: 00:06:25:0a:a8:72 BE_AUTH entering state INITIALIZE
IEEE 802.1X: 00:06:25:0a:a8:72 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:06:25:0a:a8:72 AUTH_KEY_TX entering state NO_KEY_TRANSMIT
IEEE 802.1X: 00:06:25:0a:a8:72 AUTH_PAE entering state INITIALIZE
IEEE 802.1X: 00:06:25:0a:a8:72 BE_AUTH entering state IDLE
IEEE 802.1X: 00:06:25:0a:a8:72 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:06:25:0a:a8:72 AUTH_PAE entering state INITIALIZE
IEEE 802.1X: 00:06:25:0a:a8:72 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:06:25:0a:a8:72 Port Timers TICK (timers: 0 0 3599 0)
IEEE 802.1X: 00:06:25:0a:a8:72 AUTH_PAE entering state DISCONNECTED
wlan0: STA 00:06:25:0a:a8:72 IEEE 802.1X: unauthorizing port
IEEE 802.1X: 00:06:25:0a:a8:72 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:06:25:0a:a8:72 AUTH_PAE entering state CONNECTING
IEEE 802.1X: Sending EAP Request-Identity to 00:06:25:0a:a8:72 (identifier 0)
IEEE 802.1X: 00:06:25:0a:a8:72 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:06:25:0a:a8:72 REAUTH_TIMER entering state INITIALIZE
Received 49 bytes management frame
RX frame - hexdump(len=49): 0a 02 02 01 00 06 25 0a a8 72 00 09 5b 41 10 b4 00 
09 5b 41 10 b4 d0 a1 aa aa 03 00 00 00 88 8e 01 00 00 0d 01 00 00 0d 01 68 65 6c 
6c 6f 42 6f 62
DATA (TX callback) ACK
IEEE 802.1X: 00:06:25:0a:a8:72 TX status - version=1 type=0 length=13 - ack=1
IEEE 802.1X: 00:06:25:0a:a8:72 Port Timers TICK (timers: 0 0 3599 29)
IEEE 802.1X: 00:06:25:0a:a8:72 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:06:25:0a:a8:72 Port Timers TICK (timers: 0 0 3599 28)
IEEE 802.1X: 00:06:25:0a:a8:72 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:06:25:0a:a8:72 Port Timers TICK (timers: 0 0 3599 27)
IEEE 802.1X: 00:06:25:0a:a8:72 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:06:25:0a:a8:72 Port Timers TICK (timers: 0 0 3599 26)
IEEE 802.1X: 00:06:25:0a:a8:72 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:06:25:0a:a8:72 Port Timers TICK (timers: 0 0 3599 25)
IEEE 802.1X: 00:06:25:0a:a8:72 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:06:25:0a:a8:72 Port Timers TICK (timers: 0 0 3599 24)

and so on, the ticking counts down to 1 and repeats ...




-- 
Bob Beers
MIEEE 2415966
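
An added example (not part of the original message and not hostapd code): a small Python parser, run over lines excerpted from the log above, that reports 802.11 association separately from the 802.1X port state and decodes the ethertype in the kernel's dropped-frame message. The function name `summarize` is hypothetical, and the "authorizing port" string it also accepts is assumed to be the counterpart of the "unauthorizing port" line shown in the post.

```python
import re
from collections import defaultdict

# Lines excerpted from the hostapd -d output and kernel messages quoted in the post.
SAMPLE = """\
wlan0: STA 00:06:25:0a:a8:72 IEEE 802.11: authentication OK (open system)
wlan0: STA 00:06:25:0a:a8:72 IEEE 802.11: associated (aid 1)
wlan0: STA 00:06:25:0a:a8:72 IEEE 802.1X: start authentication
wlan0: STA 00:06:25:0a:a8:72 IEEE 802.1X: unauthorizing port
IEEE 802.1X: 00:06:25:0a:a8:72 AUTH_PAE entering state CONNECTING
IEEE 802.1X: Sending EAP Request-Identity to 00:06:25:0a:a8:72 (identifier 0)
kernel: wlan0: dropped frame from unauthorized port (IEEE 802.1X): ethertype=0x0806
"""

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x888E: "EAPOL"}
MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
STA_EVENT = re.compile(r"STA " + MAC + r" IEEE (802\.11|802\.1X): (.+)")
PAE_STATE = re.compile(r"IEEE 802\.1X: " + MAC + r" AUTH_PAE entering state (\w+)")
ID_REQ = re.compile(r"Sending EAP Request-Identity to " + MAC)
DROPPED = re.compile(r"dropped frame from unauthorized port.*ethertype=0x([0-9a-fA-F]{4})")


def summarize(log_text):
    """Return (per-station state, list of protocols dropped by the kernel)."""
    stations = defaultdict(lambda: {"associated": False, "port_authorized": False,
                                    "pae_state": None, "identity_requests": 0})
    dropped = []
    for line in log_text.splitlines():
        if m := STA_EVENT.search(line):
            sta, layer, event = stations[m.group(1)], m.group(2), m.group(3)
            if layer == "802.11" and event.startswith("associated"):
                sta["associated"] = True
            elif layer == "802.1X" and event.endswith("authorizing port"):
                # "authorizing port" opens the port, "unauthorizing port" closes it
                sta["port_authorized"] = not event.startswith("un")
        elif m := PAE_STATE.search(line):
            stations[m.group(1)]["pae_state"] = m.group(2)
        elif m := ID_REQ.search(line):
            stations[m.group(1)]["identity_requests"] += 1
        elif m := DROPPED.search(line):
            etype = int(m.group(1), 16)
            dropped.append(ETHERTYPES.get(etype, hex(etype)))
    return dict(stations), dropped


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the excerpt, the station is associated but its port is unauthorized with the PAE in CONNECTING, and the dropped frame decodes as ARP.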



