Connecting to hostap with WEP enabled

Pavel Roskin proski at gnu.org
Wed Mar 24 21:55:19 EST 2004


Hello!

I'm trying to make xsupplicant work with hostapd (802.1x daemon for hostap
driver) with WEP support.  Sorry for crosspost, but I don't know which
side is to blame.

On the station side I have:

Linux 2.6.5-rc1-bk4 i686
CVS hostap (managed mode)
CVS xsupplicant
Prism2 card with Intersil firmware 1.7.1

xsupplicant uses standard config plus this section:

Mediaplex
{
  identity = <BEGIN_ID>testuser at testnet.com<END_ID>
  allow_types = all
  type = wireless
}


On the AP side I have:
Linux 2.6.5-rc1 i686
CVS hostap (master mode)
CVS hostapd
Prism2 card with Intersil firmware 1.7.1

hostapd.conf without comments:

interface=wlan0
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=0
dump_file=/tmp/hostapd.dump
daemonize=0
ssid=Mediaplex
macaddr_acl=1
accept_mac_file=hostapd.accept
auth_algs=1
ieee8021x=1
minimal_eap=1
eap_message=hello
wep_key_len_broadcast=5
wep_key_len_unicast=5
wep_rekey_period=300
eapol_key_index_workaround=0
own_ip_addr=127.0.0.1


Connection without WEP support works fine (all settings beginning with
"wep" are commented out in hostapd.conf).  Connection with WEP never
reaches EAP authentication.

On the AP side, I run ethereal in non-promiscuous mode on wlan0ap.  For
some reason, Ethereal sees beacons form all surrounding APs, so they are
filtered out in Ethereal.

Ethereal reports only outgoing packets to the station.  There are no
incoming packets.  The outgoing packets are recognized by Ethereal as
"Request, Identity" and "Failure".  Protocol is shown as "EAP".

On the station side, Ethereal runs in non-promiscuous mode on wlan0.

It shows all those packets as incoming.  Also, every "Request, Identity"
packet is followed by an outgoing "Response, Identity" packet.  Sometimes
xsupplicant also sends "Start" frames.  When interrupted, it sends
"Logoff".

However, the "Start", "Logoff" and "Response, Identity" packets don't show
up on the AP side.

The kernel log on the AP side shows a few messages like this:

wifi0: TX: IEEE 802.1X - passing unencrypted EAPOL frame
wifi0: TX: IEEE 802.1X - passing unencrypted EAPOL frame
wifi0: WEP decryption failed (not set) (SA=00:40:36:01:7a:bf)
wifi0: TX: IEEE 802.1X - passing unencrypted EAPOL frame
wifi0: WEP decryption failed (not set) (SA=00:40:36:01:7a:bf)
wifi0: TX: IEEE 802.1X - passing unencrypted EAPOL frame
wifi0: WEP decryption failed (not set) (SA=00:40:36:01:7a:bf)

00:40:36:01:7a:bf is the station address.  I actually had to modify the
hostap code a bit to remove a lot of other messages of this kind printed
for encrypted data sent by other, totally unrelated APs.

On the AP side, the keys looks like this:

# iwlist wlan0 key
wlan0     2 key sizes : 40, 104bits
          4 keys available :
                [1]: off
                [2]: 0FE7-2613-84 (40 bits)
                [3]: E08F-010D-91 (40 bits)
                [4]: 56B1-A726-97 (40 bits)
          Current Transmit Key: [2]
          Security mode:open

On the station, the keys are:

# iwlist wlan0 key
wlan0     2 key sizes : 40, 104bits
          4 keys available :
                [1]: 0000-0000-0000-0000-0000-0000-00 (104 bits)
                [2]: off
                [3]: off
                [4]: off
          Current Transmit Key: [1]
          Security mode:open

"WEP decryption failed" is printed if the WEP bit is set in the frame but
there is no key for the station.

Setting the WEP key to 0000-0000-00 on the station side makes no
difference.  Using 104-bit WEP key on the AP side makes no difference
either.

As I understand it, either xsupplicant should not encrypt its response
using keys from zeroes, or hostap should use the zero key for the stations
without WEP key set.  I haven't tried either yet.

-- 
Regards,
Pavel Roskin



More information about the HostAP mailing list