Setting up a 802.1X testbed
Liang Guo
waterdragonhead at gmail.com
Fri Oct 27 17:03:28 EDT 2006
I'm trying to set up a simple 802.1X test environment. The simplest thing I
can come up with is to have one laptop running hostapd with integrated
authentication server and another one running wpa_supplicant. The short
story is: I failed. It seems like the station (STA) is successfully
associated with the AP, but the system is stuck in 802.1X authentication
state machine. Basically STA send back authentication message
(identity/password) but the authentication server didn't respond and
eventually the connection timed out. I'm very new to hostapd and
wpa_supplicant package, so forgive me if the questions sound stupid. But
please do help me solve this puzzle.
Here are the details:
Both stations run on Prism2.5 cards
On station 1 (AP+AS), /etc/hostapd.conf:
interface=wlan0
driver=hostap
ssid=FBI
macaddr_acl=0
auth_algs=3
ieee8021x=1
eapol_version=2
eap_server=1
eap_user_file=/etc/hostapd.eap_user
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=terminator
radius_server_clients=/etc/hostapd.radius_clients
radius_server_auth_port=1812
/etc/hostapd.radius_clients is configured as follows:
"1xtest" MD5 "password"
"1xtest" PEAP "password"
* PEAP, TTLS, TLS
#Phase 2
"1xtest" MSCHAPV2 "password" [2]
----
On station 2 (STA), /etc/wpa_supplicant/wpa_supplicant.conf.
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
eapol_version=2
ap_scan=1
network={
ssid="FBI"
bssid=00:0d:3a:23:dc:a4
key_mgmt=IEEE8021X
eap=PEAP
phase2="auth=MSCHAPV2"
identity="1xtest"
private_key_passwd="password"
# eapol_flags=0
}
When I execute hostapd on station 1, and bring up wlan0 on station 2, the
following messages are produced:
On station 1 (AP+AS)
Configuration file: /etc/hostapd.conf
Opening raw packet socket for ifindex 29
Using interface wlan0 with hwaddr 00:0d:3a:23:dc:a4 and ssid 'FBI'
wlan0: RADIUS Authentication server 127.0.0.1:1812
Flushing old station entries
Deauthenticate all stations
Received 30 bytes management frame
RX frame - hexdump(len=30): b0 00 02 01 00 0d 3a 23 dc a4 00 0d 3a 23 d1 a8
00 0d 3a 23 dc a4 20 48 00 00 01 00 00 00
MGMT
mgmt::auth
authentication: STA=00:0d:3a:23:d1:a8 auth_alg=0 auth_transaction=1
status_code=0 wep=0
New STA
authentication reply: STA=00:0d:3a:23:d1:a8 auth_alg=0 auth_transaction=2
resp=0Received 30 bytes management frame
RX frame - hexdump(len=30): b2 00 02 01 00 0d 3a 23 d1 a8 00 0d 3a 23 dc a4
00 0d 3a 23 dc a4 90 c9 00 00 02 00 00 00
MGMT (TX callback) ACK
mgmt::auth cb
wlan0: STA 00:0d:3a:23:d1:a8 IEEE 802.11: authenticated
Received 39 bytes management frame
RX frame - hexdump(len=39): 00 00 02 01 00 0d 3a 23 dc a4 00 0d 3a 23 d1 a8
00 0d 3a 23 dc a4 30 48 11 00 0a 00 00 03 46 42 49 01 04 82 84 0b 16
MGMT
mgmt::assoc_req
association request: STA=00:0d:3a:23:d1:a8 capab_info=0x11
listen_interval=10
new AID 1
Received 36 bytes management frame
RX frame - hexdump(len=36): 12 00 02 01 00 0d 3a 23 d1 a8 00 0d 3a 23 dc a4
00 0d 3a 23 dc a4 a0 c9 01 00 00 00 01 c0 01 04 82 84 0b 16
MGMT (TX callback) ACK
mgmt::assoc_resp cb
wlan0: STA 00:0d:3a:23:d1:a8 IEEE 802.11: associated (aid 1, accounting
session 45426B8B-00000000)
EAP: State machine created
IEEE 802.1X: 00:0d:3a:23:d1:a8 AUTH_PAE entering state INITIALIZE
IEEE 802.1X: 00:0d:3a:23:d1:a8 BE_AUTH entering state INITIALIZE
IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0d:3a:23:d1:a8 AUTH_KEY_TX entering state NO_KEY_TRANSMIT
IEEE 802.1X: 00:0d:3a:23:d1:a8 KEY_RX entering state NO_KEY_RECEIVE
IEEE 802.1X: 00:0d:3a:23:d1:a8 CTRL_DIR entering state IN_OR_BOTH
IEEE 802.1X: 00:0d:3a:23:d1:a8 AUTH_PAE entering state INITIALIZE
IEEE 802.1X: 00:0d:3a:23:d1:a8 BE_AUTH entering state IDLE
IEEE 802.1X: 00:0d:3a:23:d1:a8 KEY_RX entering state NO_KEY_RECEIVE
IEEE 802.1X: 00:0d:3a:23:d1:a8 CTRL_DIR entering state FORCE_BOTH
IEEE 802.1X: 00:0d:3a:23:d1:a8 AUTH_PAE entering state INITIALIZE
IEEE 802.1X : 00:0d:3a:23:d1:a8 KEY_RX entering state NO_KEY_RECEIVE
IEEE 802.1X: 00:0d:3a:23:d1:a8 AUTH_PAE entering state DISCONNECTED
IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0d:3a:23:d1:a8 AUTH_PAE entering state RESTART
IEEE 802.1X: Integrated EAP server in use - do not generate
EAP-Request/IdentityIEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering
state INITIALIZE
IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: no identity known yet -> CONTINUE
EAP: EAP entering state PROPOSE_METHOD
EAP: getNextMethod: type 1
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 103
EAP: EAP entering state SEND_REQUEST
EAP: eapReqData -> EAPOL - hexdump(len=5): 01 67 00 05 01
EAP: EAP entering state IDLE
IEEE 802.1X: 00:0d:3a:23:d1:a8 AUTH_PAE entering state CONNECTING
IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0d:3a:23:d1:a8 AUTH_PAE entering state AUTHENTICATING
IEEE 802.1X: 00:0d:3a:23:d1:a8 BE_AUTH entering state REQUEST
IEEE 802.1X : Sending EAP Packet to 00:0d:3a:23:d1:a8 (identifier 103)
Send Frame: - hexdump(len=41): 0a 02 00 00 00 0d 3a 23 d1 a8 00 0d 3a 23 dc
a4 00 0d 3a 23 dc a4 00 00 aa aa 03 00 00 00 88 8e 02 00 00 05 01 67 00 05
01
IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE
Wireless event: cmd=0x8c03 len=20
IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE
Received 41 bytes management frame
RX frame - hexdump(len=41): 0a 02 02 01 00 0d 3a 23 d1 a8 00 0d 3a 23 dc a4
00 0d 3a 23 dc a4 b0 c9 aa aa 03 00 00 00 88 8e 02 00 00 05 01 67 00 05 01
DATA (TX callback) ACK
IEEE 802.1X: 00:0d:3a:23:d1:a8 TX status - version=2 type=0 length=5 - ack=1
IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE
On station 2 (STA), wpa_supplicant produces the following messages (in debug
mode)
Initializing interface 'wlan0' conf
'/etc/wpa_supplicant/wpa_supplicant.conf' driver 'hostap' ctrl_interface
'N/A'
Configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' ->
'/etc/wpa_supplicant/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group=10 (from group name 'wheel')
eapol_version=2
ap_scan=0
Priority group 0
id=0 ssid='FBI'
Initializing interface (2) 'wlan0'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
SIOCGIWRANGE: WE(compiled)=19 WE(source)=18 enc_capa=0xf
capabilities: key_mgmt 0xf enc 0xf
Added alternative ifindex 3 (wifi0) for wireless events
Added alternative ifindex 3 (wifi0) for wireless events
Own MAC address: 00:0d:3a:23:d1:a8
wpa_driver_hostap_set_wpa: enabled=1
wpa_driver_hostap_set_key: alg=none key_idx=0 set_tx=0 seq_len=0 key_len=0
wpa_driver_hostap_set_key: alg=none key_idx=1 set_tx=0 seq_len=0 key_len=0
wpa_driver_hostap_set_key: alg=none key_idx=2 set_tx=0 seq_len=0 key_len=0
wpa_driver_hostap_set_key: alg=none key_idx=3 set_tx=0 seq_len=0 key_len=0
wpa_driver_hostap_set_countermeasures: enabled=0
wpa_driver_hostap_set_drop_unencrypted: enabled=1
Setting scan request: 0 sec 100000 usec
Added interface wlan0
Wireless event: cmd=0x8b06 len=8
RTM_NEWLINK, IFLA_IFNAME: Interface 'wifi0' added
RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
Wireless event: cmd=0x8b06 len=8
Wireless event: cmd=0x8b2a len=8
Wireless event: cmd=0x8b1a len=12
Wireless event: cmd=0x8b15 len=20
Wireless event: new AP: 00:0d:3a:23:dc:a4
State: DISCONNECTED -> ASSOCIATED
Associated to a new BSS: BSSID=00:0d:3a:23:dc:a4
No keys have been configured - skip key clearing
Network configuration found for the current AP
WPA: clearing AP WPA IE
WPA: clearing AP RSN IE
WPA: clearing own WPA/RSN IE
EAPOL: External notification - portControl=Auto
Associated with 00:0d:3a:23:dc:a4
WPA: Association event - clear replay counter
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Setting authentication timeout: 10 sec 0 usec
RTM_NEWLINK, IFLA_IFNAME: Interface 'wifi0' added
RX EAPOL from 00:0d:3a:23:dc:a4
Setting authentication timeout: 70 sec 0 usec
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=1 id=103
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=6):
31 78 74 65 73 74 1xtest
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
EAPOL: startWhen --> 0
EAPOL: authWhile --> 0
EAPOL: SUPP_BE entering state TIMEOUT
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
Authentication with 00:0d:3a:23:dc:a4 timed out.
It looked like the STA tried to send back identity ("1xtest"), but the
server did not respond.
On the server side, I notice that after timeout, it received a
deauthentication message from the STA, but
the bssid is wrong (set to c8:7b:ab:6b:24:a0, which is an invalid MAC).
Maybe something fishy is going on.
Can someone help me with this? Thanks
Denis.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20061027/1a34f7da/attachment.htm
More information about the HostAP
mailing list