hostapd authenticates but dhcpd doesn't give out address

Bob Beers bbeers at ieee.org
Wed Jun 16 11:13:34 EDT 2004



Jouni Malinen wrote:

> What kind of RADIUS authentication are you talking about? Your
> configuration file seemed to be trying to use RADIUS for both MAC
> address based authentication and IEEE 802.1X authentication. While that
> is an allowed configuration, it sounds somewhat odd.
> 
> 

Ok, I'm starting to understand ... the hostapd does so many things,
  I don't have all the parts of it figured out yet.  Which parts are
  mutually exclusive and which parts are complementary?

1) I can do MAC address authentication -
  either locally (macaddr_acl=1/0) in the [accept|deny]_mac_file files,
  or via RADIUS (macaddr_acl=2) to a separate server.
   (Then it's a whole 'nother story how to set up one's RADIUS server
     and database.)

2) Or (and?) I can do username/password authentication via 802.1X -
  by setting ieee8021x=1, minimal_eap=0, and auth_algs=0.
  Where do the usernames and passwords get authenticated?
   If I want that to also be via RADIUS server, I must enable WPA?

3) I can set up dynamic WEP, by setting
  auth_algs=1|3, and the wep_key_len_* and wep_rekey_period values.
   Static WEP would be the old way with "iwconfig wlan0 key ...", yes?
   But either one conflicts with WPA, yes?

4) I can set-up WPA, shared-key or RADIUS/EAP.  This has a pretty good
  explanation in the hostapd.conf file about what else has to be set or
  not set: 802.1x on, dynamic wep off, etc.

> 
> Have you configured the clients to do IEEE 802.1X? What are you using as
> the EAP method? Why would there be a separate browser (as in web
> browser?) authentication after this? Or do you mean a dialog box for
> asking EAP authentication username/password?
> 

Ok, good questions ...

For the hostapd beginner, who has available some hostap clients to
  associate with this hostapd AP, how do I configure the client to do
  802.1X?  Where do I set the EAP method?  Is this something I set in
  hostap, or is this a separate program?  Is this xsupplicant?
(Next, of course, is other clients, but that's for another day.)

Yes, a dialog box for authentication.
  I thought this might be transparent to the clients, (as in: no new
  programs to install,) just a quick registration/login process via a dialog
  box on a web page, when the client tries to access anything.

I'd like to get username/password authentication working first,
  then I'll see if I still want to add MAC authentication as an
  additional/optional feature.  I can envision a situation where
  maybe certain known clients would not need to authenticate with
  username/password, MAC would be enough but if a new/temporary
  client shows up, then it could still play if it can provide a
  good username/password.

> 
> Like mentioned in an earlier reply, minimal_eap is not going to work
> here. If you want to use dynamic WEP keying, the selected EAP method has
> to generate keying material. If you wanted to use username/password
> instead of client certificates, you could try, e.g., EAP-PEAP/MSCHAPv2.


Ok, big mistake(TM) with the minimal-eap setting, I get that now.

I don't understand about client certificates.  Where do I read how that
  applies to hostapd?

WPA looks like what I should use for encryption, and since I've already
  got a RADIUS server talking to hostapd, it should be do-able.

>>wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.1X: start authentication
>>wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.1X: unauthorizing port
>>IEEE 802.1X: Sending EAP Request-Identity to 00:09:5b:2f:f6:b4 (identifier 0)
> 
> 
> hostapd starts IEEE 802.1X authentication with the station but the
> station does not seem to reply. It looks like the IEEE 802.1X Supplicant
> in the station is not enabled.
> 

yes, it's not enabled until I enable it ... but how?  Do I need
  x-supplicant and wpa-supplicant on the station?

I've been happily using the hostap driver (AP and station mode) for
  quite some time, but now I need to understand/use all these new features.

I'm re-reading, again, the README's etc., so hopefully I'll be over this
  learning curve real soon.  Sorry for being so ignorant.

Thanks a million for all the help so far,


-- 
Bob Beers
MIEEE 2415966
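
Added example (not part of the original message and not hostapd code): a small log check for the symptom diagnosed in the quoted reply, where hostapd sends EAP Request-Identity and the station never answers. The second station, its MAC and its "authorizing port" line are constructed sample data, and treating any per-station IEEE 802.1X event other than the two AP-side ones as progress is an assumption.

```python
import re

# Constructed sample: the first three lines are the hostapd output quoted in
# the message (wrapped line rejoined); the second station is made up.
SAMPLE_LOG = """\
wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.1X: start authentication
wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.1X: unauthorizing port
IEEE 802.1X: Sending EAP Request-Identity to 00:09:5b:2f:f6:b4 (identifier 0)
wlan0: STA 02:00:00:00:00:01 IEEE 802.1X: start authentication
wlan0: STA 02:00:00:00:00:01 IEEE 802.1X: unauthorizing port
IEEE 802.1X: Sending EAP Request-Identity to 02:00:00:00:00:01 (identifier 0)
wlan0: STA 02:00:00:00:00:01 IEEE 802.1X: authorizing port
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
REQ_ID = re.compile(rf"Sending EAP Request-Identity to ({MAC})", re.I)
STA_EVENT = re.compile(rf"STA ({MAC}) IEEE 802\.1X: (.+)", re.I)
# Events hostapd logs on its own, before the station has answered anything
# (assumption: every other per-station 802.1X event counts as progress).
AP_ONLY = {"start authentication", "unauthorizing port"}


def silent_stations(log_text):
    """Return {mac: count} for stations sent Request-Identity with no later progress."""
    pending = {}  # mac -> number of Request-Identity frames still unanswered
    for line in log_text.splitlines():
        m = REQ_ID.search(line)
        if m:
            mac = m.group(1).lower()
            pending[mac] = pending.get(mac, 0) + 1
            continue
        m = STA_EVENT.search(line)
        if m and m.group(2).strip() not in AP_ONLY:
            # The station made progress, so it is no longer "silent".
            pending.pop(m.group(1).lower(), None)
    return pending


if __name__ == "__main__":
    for mac, n in silent_stations(SAMPLE_LOG).items():
        print(f"{mac}: {n} Request-Identity sent, no reply logged")
```

A station listed here most likely has no IEEE 802.1X Supplicant running, which is the condition the quoted reply describes.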




