Switch set up fails open

Fachao Deng dfc03 at mails.tsinghua.edu.cn
Mon Nov 5 20:41:18 EST 2007


Hello, all.

I have met the same problem as this "Switch set up fails open", and struggled to solve it for days.

I am also trying to set up an 802.1x enabled wired switch using a PC with two NICs (eth0, eth3, both added to a bridge br0). I am using xsupplicant-1.2.8, hostapd-0.5.8, freeRadius-1.1.6.

My wired.conf is as follows:

interface=eth3
bridge=br0
driver=wired
logger_stdout=-1
logger_stdout_level=1
debug=2
dump_file=/tmp/hostapd.dump

ieee8021x=1
eap_reauth_period=3600

use_pae_group_addr=1
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123


Like what John has said, "Now hostap, freeradius and xsupplicant are all talking to each other and
exchanging authentication information. However if I do not authenticate, I can still send packets through the interface even if ieee8021x=1."


I want to know if John has solved this problem, and how to solve it.

And if anybody knows the reason, please give me some help.

Any of your suggestions will be a great help to me!

Thanks!!!




---	
Fachao Deng
Research Institute of Information Technology
Tsinghua University, China
2007-11-06
> Hello, all.  This is my first set up of hostapd.  I'm attempting to
> create a test 802.1x enabled Linux based switch.  I have an Ubuntu 7.0.4
> (Feisty) PC with four NICS (eth0,1,2,3) set up in a bridge (switch0)
> with hostapd 0.5.8 and freeradius 1.1.6.  There is no wireless; this is
> a LAN switch only.
> 
> If I understand correctly, I will ultimately need a separate
> configuration file for each port (by the way, does hostadp.conf support
> includes so I can use the same setup for each port and just change the
> interface?) but for now, to keep things simple, I have only configured
> eth3.
> 
> I plugged my laptop into eth3 with a crossover cable.  Before activating
> hostapd, the laptop communicated on the network (ping test).  I then
> activated hostapd and expected that communication would fail since the
> laptop had not authenticated.  It did not fail; the laptop communicates
> on the network just as it did without hostapd. I have rebooted it
> several times with the same results.
> 
> I assume this means my setup is not working and not that hostapd fails
> open on 802.1x.  What is wrong with my configuration?
> 
> Here is stdout from hostapd - the laptop rebooted several times while
> this was running.  The MAC address is that of eth3:
> jsullivan at testswitch:/var/log$ sudo hostapd -dd /etc/hostapd/hostapd.conf
> Password:
> Configuration file: /etc/hostapd/hostapd.conf
> ctrl_interface_group=0
> Opening raw packet socket for ifindex 5
> BSS count 1, BSSID mask ff:ff:ff:ff:ff:ff (0 bits)
> Flushing old station entries
> Deauthenticate all stations
> Using interface eth3 with hwaddr 00:c0:f0:59:99:0c and ssid ''
> eth3: RADIUS Authentication server 127.0.0.1:1812
> eth3: Setup of interface done.
>  
> Here is syslog (several restarts):
> Jun  5 16:20:30 testswitch hostapd: eth3: RADIUS Authentication server 127.0.0.1:1812
> Jun  5 16:24:25 testswitch hostapd: eth3: RADIUS Authentication server 127.0.0.1:1812
> Jun  5 16:29:15 testswitch hostapd: eth3: RADIUS Authentication server 127.0.0.1:1812
> Jun  5 16:30:09 testswitch hostapd: eth3: RADIUS Authentication server 127.0.0.1:1812
> Jun  5 16:59:20 testswitch -- MARK --
> Jun  5 17:06:46 testswitch hostapd: eth3: RADIUS Authentication server 127.0.0.1:1812
> 
> Here is hostapd.conf (remember - no wireless):
> interface=eth3
> bridge=switch0 # I tried with and without this parameter
> driver=wired
> logger_syslog=54
> logger_syslog_level=2
> logger_stdout=54
> logger_stdout_level=2
> debug=4
> dump_file=/tmp/hostapd.dump
> ctrl_interface=/var/run/hostapd
> ctrl_interface_group=0
> #Wireless settings coming up - I changed very few and commented out some
> - no SSID
> max_num_sta=255
> macaddr_acl=0
> auth_algs=1
> wme_enabled=1
> wme_ac_bk_cwmin=4
> wme_ac_bk_cwmax=10
> wme_ac_bk_aifs=7
> wme_ac_bk_txop_limit=0
> wme_ac_bk_acm=0
> wme_ac_be_aifs=3
> wme_ac_be_cwmin=4
> wme_ac_be_cwmax=10
> wme_ac_be_txop_limit=0
> wme_ac_be_acm=0
> wme_ac_vi_aifs=2
> wme_ac_vi_cwmin=3
> wme_ac_vi_cwmax=4
> wme_ac_vi_txop_limit=94
> wme_ac_vi_acm=0
> wme_ac_vo_aifs=2
> wme_ac_vo_cwmin=2
> wme_ac_vo_cwmax=3
> wme_ac_vo_txop_limit=47
> wme_ac_vo_acm=0
> ieee8021x=1
> eapol_key_index_workaround=0
> eap_server=0
> own_ip_addr=127.0.0.1
> auth_server_addr=127.0.0.1 # RADIUS is freeradius on the same computer
> auth_server_port=1812
> auth_server_shared_secret=<some secret>
> 
> I'm pretty sure I've got the test laptop plugged into the correct port.
> Here switch MAC table:
> jsullivan at testswitch:/etc/hostapd$ brctl showmacs switch0
> port no mac addr                is local?       ageing timer
>   4     00:00:39:75:f8:39       no                 3.17
>   2     00:01:03:24:64:c3       no                 2.39
>   3     00:08:c7:b9:db:18       yes                0.00
>   2     00:09:5b:50:d9:ea       no                 2.02
>   2     00:0f:b0:70:ec:42       no                 0.00
>   2     00:13:20:09:b4:c9       no                49.89
>   1     00:50:da:59:f4:33       yes                0.00
>   2     00:90:4b:8b:5d:c3       no                 2.39
>   2     00:a0:d2:17:26:1c       yes                0.00
>   4     00:c0:f0:59:99:0c       yes                0.00
>   2     02:00:00:00:00:03       no                40.91
>   2     aa:00:00:15:60:3a       no                26.95
>   2     aa:00:00:4b:17:90       no                 2.02
>   2     aa:00:00:57:ff:f9       no                32.93
>       * 
> 
> 00:c0:f0:59:99:0c is the MAC being reported by hostapd stdout and it
> shows on port 4.  00:00:39:75:f8:39 is the MAC address of the laptop and
> also shows on port 4.
> 
> This is a high priority project for us so any help is greatly
> appreciated.  Thanks - John
> Well, we've solved most but not all of the problems.  We needed to set
> use_pae_group_addr=1.  I'm a little concerned about what that means when
> one switch plugs into another.

> I also had a mismatch in the CN oid.

> Now hostap, freeradius and xsupplicant are all talking to each other and
> exchanging authentication information.

> However, the switch still fails open.  In other words, if I do not
> authenticate, I can still send packets through the interface even if
> ieee8021x=1.  Obviously, this is a big problem.  I've spent a few hours
> googling and testing but still no success.  What have I configured
> incorrectly that hostapd is not blocking unauthenticated connections?
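A small lint for a wired 802.1X hostapd.conf, added here as an example; it is not code from this thread or from hostapd. It reads the file the way hostapd's own reader does (only empty lines and lines beginning with # are skipped, so a trailing "# comment" such as those in John's config stays in the value) and flags the settings this thread turned out to hinge on. The sample config is constructed from the wired.conf above plus one trailing-comment line.

```python
"""Lint a hostapd.conf for a wired 802.1X authenticator (added example)."""

# Constructed sample: the wired.conf from the post, plus a trailing comment
# written the way John's hostapd.conf has them.
SAMPLE_CONF = """\
interface=eth3
bridge=br0 # I tried with and without this parameter
driver=wired
ieee8021x=1
eap_reauth_period=3600
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
"""

def parse_hostapd_conf(text):
    """Parse key=value lines as hostapd does: only empty lines and lines that
    START with '#' are ignored, so an inline comment becomes part of the value."""
    cfg, warnings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            warnings.append(f"line {n}: not key=value: {line!r}")
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if "#" in value:
            warnings.append(f"line {n}: '{key}' value carries a trailing comment: {value!r}")
        cfg[key] = value
    return cfg, warnings

def check_wired_8021x(cfg):
    """Findings for the settings this thread showed matter on a LAN port authenticator."""
    findings = []
    if cfg.get("driver") != "wired":
        findings.append("driver=wired is required for a LAN port authenticator")
    if cfg.get("ieee8021x") != "1":
        findings.append("ieee8021x=1 is not set: the port never requests authentication")
    if cfg.get("use_pae_group_addr") != "1":
        # John's setup only started talking 802.1X once EAPOL went to the
        # PAE group address 01:80:c2:00:00:03.
        findings.append("use_pae_group_addr=1 missing: EAPOL not sent to the PAE group address")
    for key in ("auth_server_addr", "auth_server_port", "auth_server_shared_secret"):
        if key not in cfg:
            findings.append(f"{key} missing: no RADIUS server to forward EAP to")
    if cfg.get("auth_server_shared_secret") == "testing123":
        findings.append("RADIUS shared secret is FreeRADIUS's shipped default 'testing123'")
    return findings

def lint(text):
    cfg, warnings = parse_hostapd_conf(text)
    return warnings + check_wired_8021x(cfg)
```

Run `lint(open("/path/to/wired.conf").read())` against a real file; an empty list means none of the checks above fired, not that the port is enforcing.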



