hostapd authenticates but dhcpd doesn't give out address

Derek Schuff schuffdl at ornl.gov
Wed Jun 16 13:01:57 EDT 2004


I'm not entirely sure about the HostAP config lines, but what i'll say here is 
true in general.

On Wednesday 16 June 2004 11:13 am, Bob Beers wrote:
> Jouni Malinen wrote:
> > What kind of RADIUS authentication are you talking about? Your
> > configuration file seemed to be trying to use RADIUS for both MAC
> > address based authentication and IEEE 802.1X authentication. While that
> > is an allowed configuration, it sounds somewhat odd.
>
> Ok, I'm starting to understand ... the hostapd does so many things,
>   I don't have all the parts of it figured out yet.  Which parts are
>   mutually exclusive and which parts are complementary?
>
> 1) I can do MAC address authentication -
>   either locally (macaddr_acl=1/0) in the [accept|deny]_mac_file files,
>   or via RADIUS (macaddr_acl=2) to a separate server.
>    (Then it's a whole 'nother story how to set up one's RADIUS server
>      and database.)
Yes. This requires nothing on the client side, but is susceptible to MAC 
spoofing.

>
> 2) Or (and?) I can do username/password authentication via 802.1X -
>   by setting ieee8021x=1, minimal_eap=0, and auth_algs=0.
>   Where do the usernames and passwords get authenticated?
>    If I want that to also be via RADIUS server, I must enable WPA?
(And.) You can do both, but it's probably overkill. Username/password 
authentication is probably better because of the MAC spoofing thing; that way, 
if they get a new NIC or something, they can still get on.
802.1X usernames and passwords are authenticated with a RADIUS server, 
regardless of whether you do WPA or not. (WPA implies use of 802.1X.)

>
> 3) I can set up dynamic WEP, by setting
>   auth_algs=1|3, and the wep_key_len_* and wep_rekey_period values.
>    Static WEP would be the old way with "iwconfig wlan0 key ...", yes?
>    But either one conflicts with WPA, yes?
Yes, and yes. WPA uses TKIP encryption instead of WEP.
If you do dynamic WEP or WPA, you need to do 802.1X with an EAP method that 
can generate keying material. (EAP-PEAP/MSCHAPv2 is a good bet for 
compatibility, and you don't need client certificates.)

>
> 4) I can set-up WPA, shared-key or RADIUS/EAP.  This has a pretty good
>   explanation in the hostapd.conf file about what else has to be set or
>   not set: 802.1x on, dynamic wep off, etc.
Yep. The most secure option is to do WPA with RADIUS, if your clients can 
handle it and if you can roll a RADIUS server.

>
> > Have you configured the clients to do IEEE 802.1X? What are you using as
> > the EAP method? Why would there be a separate browser (as in web
> > browser?) authentication after this? Or do you mean a dialog box for
> > asking EAP authentication username/password?
>
> Ok, good questions ...
>
> For the hostapd beginner, who has available some hostap clients to
>   associate with this hostapd AP, how do I configure the client to do
>   802.1X?  Where do I set the EAP method?  Is this something I set in
>   hostap, or is this a separate program?  Is this xsupplicant?
> (Next, of course, is other clients, but that's for another day.)
What I'm about to show you is for WPA client configuration. For hostap-driven 
clients, you use wpa_supplicant, which can be configured to use its own 
internal supplicant or to use xsupplicant. (I use the internal one.) I'm not 
sure if wpa_supplicant will do dynamic WEP, but xsupplicant might.
You set the EAP method in wpa_supplicant's configuration file (which can be 
specified on the command line; there's a sample one called 
wpa_supplicant.conf). Mine looks something like this:
network={
	ssid="mywpassid"
	# I use a hidden SSID, so I have to scan for it
	scan_ssid=1
	proto=WPA
	# WPA-EAP: keys come from the 802.1X/EAP exchange, not a pre-shared key
	key_mgmt=WPA-EAP
	pairwise=TKIP
	group=TKIP
	# I use EAP-PEAP/MSCHAPv2
	eap=PEAP
	identity="user"
	password="password"
	# ca_cert="/path/to/ca.pem"  (add this to have the server certificate checked)
}
PEAP uses a certificate to authenticate the server. If you leave out the 
ca_cert option, the certificate will not be checked.

Also, I believe there is a way to ask for the password and/or user ID at a 
prompt instead of having it in the config file, if you want.

>
> Yes, a dialog box for authentication.
>   I thought this might be transparent to the clients, 
WPA isn't really transparent. On Linux you have to configure and run 
wpa_supplicant as described above. On Windows, you have to download a hotfix 
from MS and then configure a network for WPA using the normal Windows 
wireless config interface. It can be set to prompt for username and password, 
or it can use your NT domain login credentials. On Macintosh, you have to be 
running OS X 10.3 and have the latest AirPort software, and you also have to 
configure the network using the Mac config tools. (I can give more detail on 
Windows if you want, but probably not Mac.)

>   (as in: no new 
>   programs to install,) just a quick registration/login process via a
> dialog box on a web page, when the client tries to access anything.
All this of course was just to authenticate onto layer 2 at the access point, 
and it happens before you can even use DHCP. So any web login you have would 
be completely independent of this.

>
> I'd like to get username/password authentication working first,
>
> then I'll  see if I still want to add MAC authentication as an
>   additional/optional feature.  I can envision a situation where
>   maybe certain known clients would not need to authenticate with
>   username/password, MAC would be enough but if a new/temporary
>   client shows up, then it could still play if it can provide a
>   good username/password.
That might require configuring the AP to try MAC auth first and, if that 
failed, fall back on EAP. I'm not sure it can do that now, but it might not 
be hard to add.

>
> > Like mentioned in an earlier reply, minimal_eap is not going to work
> > here. If you want to use dynamic WEP keying, the selected EAP method has
> > to generate keying material. If you wanted to use username/password
> > instead of client certificates, you could try, e.g., EAP-PEAP/MSCHAPv2.
>
> Ok, big mistake(TM) with the minimal-eap setting, I get that now.
>
> I don't understand about client certificates.  Where do I read how that
>   applies to hostapd?
Client certificates are required if you use EAP-TLS as your EAP method. Which 
EAP method you choose actually does not affect hostapd at all, since the AP 
just passes the EAP messages between the client and the RADIUS server until 
the RADIUS server reaches a verdict and sends an Access-Accept or 
Access-Reject packet back. EAP methods are configured only on the client and 
the RADIUS server.

>
> WPA looks like what I should use for encryption, and since I've already
>   got a RADIUS server talking to hostapd, it should be do-able.
>
> >>wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.1X: start authentication
> >>wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.1X: unauthorizing port
> >>IEEE 802.1X: Sending EAP Request-Identity to 00:09:5b:2f:f6:b4
> >> (identifier 0)
> >
> > hostapd start IEEE 802.1X authentication with the station but the
> > station does not seem to reply. It looks like the IEEE 802.1X Supplicant
> > in the station is not enabled.
>
> yes, it's not enabled until I enable it ... but how?  Do I need
>   x-supplicant and wpa-supplicant on the station?
If you use WPA, then you need wpa_supplicant. If you use an EAP method not 
supported by wpa_supplicant, then you need xsupplicant as well. If you are 
doing 802.1X without WPA, then xsupplicant alone should do.

>
> I've been happily using the hostap driver (AP and station mode) for
>   quite some time, but now I need to understand/use all these new features.
>
> I'm re-reading, again, the README's etc., so hopefully I'll be over this
>   learning curve real soon.  Sorry for being so ignorant.
>
> Thanks a million for all the help so far,

hope this helps.

Derek
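The thread above sorts out which hostapd and wpa_supplicant options are complementary and which conflict: MAC ACLs alone are spoofable, minimal_eap cannot produce keys for dynamic WEP or WPA, WEP keys and WPA do not mix, WPA-EAP and RADIUS MAC auth both need a RADIUS server, EAP-TLS needs client certificates, and a PEAP network without ca_cert never verifies the server. The checker below is an added example written for this page, not code from the original post, from hostapd or from wpa_supplicant. It parses constructed hostapd.conf and wpa_supplicant.conf text (the sample contents, the finding codes and the function names are all assumptions made here) and reports those combinations; the option names themselves (macaddr_acl, ieee8021x, minimal_eap, wep_key0, wep_key_len_*, wep_rekey_period, wpa, wpa_key_mgmt, auth_server_addr, key_mgmt, eap, ca_cert, client_cert, private_key) are real hostapd/wpa_supplicant keys.

```python
"""Sanity-check hostapd.conf / wpa_supplicant.conf option combinations.
Added example for this page; not part of hostapd or wpa_supplicant."""
import re

# hostapd keys that turn on dynamic (802.1X-delivered) WEP keying
DYNAMIC_WEP_KEYS = ('wep_key_len_broadcast', 'wep_key_len_unicast', 'wep_rekey_period')

# Constructed hostapd.conf: RADIUS MAC ACL plus 802.1X, but minimal_eap and a
# static WEP key were left in while WPA is on, and no RADIUS server is named.
HOSTAPD_SAMPLE = """\
interface=wlan0
macaddr_acl=2
ieee8021x=1
minimal_eap=1
wep_key0=123456789a
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
"""

# Constructed wpa_supplicant.conf: PEAP/MSCHAPv2 with no ca_cert.
SUPPLICANT_SAMPLE = """\
network={
	ssid="mywpassid"
	scan_ssid=1
	proto=WPA
	key_mgmt=WPA-EAP
	pairwise=TKIP
	group=TKIP
	eap=PEAP
	identity="user"
	password="password"
}
"""


def parse_conf(text):
    """Parse key=value text. Full-line '#' comments are skipped; each
    wpa_supplicant network={...} block becomes a dict in '_networks';
    every other key lands at top level. Surrounding quotes are stripped."""
    conf = {'_networks': []}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line == 'network={':
            block = {}
            continue
        if line == '}' and block is not None:
            conf['_networks'].append(block)
            block = None
            continue
        if '=' not in line:
            continue
        key, value = line.split('=', 1)
        (block if block is not None else conf)[key.strip()] = value.strip().strip('"')
    return conf


def check_hostapd(h):
    """Return (code, message) findings for the AP side."""
    findings = []
    dot1x = h.get('ieee8021x') == '1'
    wpa = int(h.get('wpa', '0')) != 0
    dynamic_wep = any(k in h for k in DYNAMIC_WEP_KEYS)
    static_wep = any(re.fullmatch(r'wep_key[0-3]', k) for k in h)
    if h.get('macaddr_acl', '0') != '0' and not dot1x and not wpa:
        findings.append(('MAC_ONLY', 'MAC ACL is the only gate: nothing to install '
                         'on clients, but a MAC address is trivially spoofed'))
    if h.get('minimal_eap') == '1' and (dynamic_wep or wpa):
        findings.append(('MINIMAL_EAP', 'minimal_eap cannot produce keying material; '
                         'dynamic WEP/WPA need a real EAP method (e.g. PEAP/MSCHAPv2)'))
    if wpa and (dynamic_wep or static_wep):
        findings.append(('WEP_WITH_WPA', 'WPA (TKIP) and WEP keys are both configured; '
                         'drop the wep_* options'))
    if wpa and 'WPA-EAP' in h.get('wpa_key_mgmt', '') and not dot1x:
        findings.append(('EAP_NEEDS_8021X', 'wpa_key_mgmt=WPA-EAP requires ieee8021x=1'))
    if (dot1x or h.get('macaddr_acl') == '2') and 'auth_server_addr' not in h:
        findings.append(('NO_RADIUS', '802.1X or RADIUS MAC auth is on but no '
                         'auth_server_addr is set'))
    return findings


def check_supplicant(s):
    """Return (code, message) findings for each client network block."""
    findings = []
    for net in s['_networks']:
        eap = net.get('eap', '')
        ssid = net.get('ssid', '?')
        if 'WPA-EAP' in net.get('key_mgmt', '') and eap in ('PEAP', 'TTLS', 'TLS') \
                and 'ca_cert' not in net:
            findings.append(('NO_CA_CERT', f'{ssid}: no ca_cert, so the RADIUS '
                             "server's certificate is never checked"))
        if eap == 'TLS' and not ('client_cert' in net and 'private_key' in net):
            findings.append(('TLS_NEEDS_CLIENT_CERT',
                             f'{ssid}: EAP-TLS needs client_cert and private_key'))
    return findings


def audit(hostapd_text, supplicant_text):
    """Run both checkers over raw config text and return all findings."""
    return check_hostapd(parse_conf(hostapd_text)) + check_supplicant(parse_conf(supplicant_text))


if __name__ == '__main__':
    for code, msg in audit(HOSTAPD_SAMPLE, SUPPLICANT_SAMPLE):
        print(f'{code}: {msg}')
```

Running it on the two constructed samples reports MINIMAL_EAP, WEP_WITH_WPA and NO_RADIUS for the AP and NO_CA_CERT for the client; a hostapd.conf with ieee8021x=1, wpa=1, wpa_key_mgmt=WPA-EAP and an auth_server_addr, paired with a network block that sets ca_cert, comes back clean. The parser only handles the two file shapes this thread uses (flat key=value plus network={} blocks), which is enough to make the option interactions concrete.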


