Supplicant : 8021X-PSK not associating to AP

Bryan Kadzban bryan at kadzban.is-a-geek.net
Thu Oct 11 22:47:48 EDT 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

I'm a little confused here because I'm not sure exactly how you want the
network to end up.  Do you want to use CCMP?  I assume you want to use
WPA2 information elements, since both ends (the client and AP) should be
able to understand them.  Do you want to use a single pre-shared key for
everyone, or do you want to use some kind of EAP method (and RADIUS
server)?  If EAP, which EAP method?  (This will depend on what your
RADIUS server supports.)

Basically, I think wpa_supplicant is ignoring the network block that you
have configured because it doesn't exactly match whatever the AP is
sending in its beacons or probe responses.  The more you lock down these
options, the easier it is to match those options.

All that being said, I'll comment on the configuration:

Mr. Maloomnahi wrote:
>  network={
>  	ssid="SEMCO_AP"
> 	scan_ssid=1

Is scan_ssid needed?  I'm not sure whether it makes any difference, but
if you don't need to send an explicit probe request for a given SSID, I
think it's better not to.  (Especially since I'm not sure whether all
the driver-interface backends in wpa_supplicant support that.  And I
know it slows down scanning, based on the comments in the sample config
file.)

If the AP sends normal beacons (with a non-zero-length SSID), then you
shouldn't need to explicitly probe it.

> 	key_mgmt=WPA-EAP WPA-PSK

I'd recommend choosing one of these, not using both (just because it
makes matching networks easier).  WPA-PSK requires a pre-shared key
(static across all associations), which is specified in the psk= option.
WPA-EAP requires a RADIUS server which (after authentication) generates
a unique dynamic key; if you use WPA-EAP, then you have to choose one or
more EAP methods using the eap= option.  You also have to configure
credentials somewhere (the options you use depend on the EAP method(s)
you configure).

One of those EAP methods will allow your credentials to the RADIUS
server to be a single pre-shared key; this is EAP-PSK, which I thought
you were using before.  Now I have no idea what you're using...  (But in
order to use EAP-PSK, your RADIUS server needs to support it -- just
like any other EAP method.)

> 	pairwise=CCMP TKIP

I think this is probably OK (though it depends on scan_ssid), but in my
setups I know which pairwise cipher I want to be used, so I specify it
by itself.

> 	group=CCMP TKIP
> 	group=TKIP

I'm not sure whether this is valid.  You might be better off with only a
single group= line, specifying a single cipher (as in pairwise, above).

> 	psk="DEAD-BEEF-AA"

That psk option is only used for key_mgmt=WPA-PSK.

> 	private_key_passwd="DEAD-BEEF-AA"

And I believe that line is only used when you use WPA-EAP, you set
eap=TLS, and you configure a certificate whose private key requires a
passphrase.  If you haven't done that, then I don't believe that option
is used for anything, and it can probably be removed.

On to hostapd, which I haven't used, but I can guess on...

> wpa_pairwise=TKIP CCMP

I don't think I've ever allowed multiple pairwise ciphers on an AP.  I
think it'd be easier to choose one of these two and set it here (and in
the wpa_supplicant config file as well, in the pairwise= option above).
CCMP is better, but isn't necessarily supported by all client hardware,
especially stuff that's more than about a year old or so.

> wpa_key_mgmt=WPA-PSK WPA-EAP

Here, I'm even more suspicious; I'd think that you'd need to select only
one option for the key management method per SSID.  (I could be wrong,
but I've never seen any hardware AP that supports that.)  PSK is simpler
to set up (no RADIUS server), but EAP is more secure (dynamic pairwise
keys for each individual association).  Of course EAP also requires
support on all the clients.

> wpa_passphrase=XXXX

I suspect this is only needed for WPA-PSK mode.  If so, then I'm sure it
needs to match the psk= option in wpa_supplicant's config file.

> wpa=1

No idea what this controls...

> acct_server_addr=192.168.1.151
> acct_server_port=1813
> acct_server_shared_secret=XXXX
> auth_server_addr=192.168.1.151
> auth_server_port=1812
> auth_server_shared_secret=DEAD-BEEF-AA
> own_ip_addr=192.168.1.151

This is all related to RADIUS.  If you have a separate RADIUS server
running on this box, then this should work; otherwise I'm not so sure.
(But again, I've never used hostapd, so maybe it's smart enough to
listen on that port if nothing else is?)

If you don't use WPA-EAP, then you don't need any of that stuff.

> private_key_passwd=DEAD-BEEF-AA

I suspect this is also only used by RADIUS, and then only by EAP methods
that require a private key (EAP-PEAP, EAP-TLS, EAP-TTLS), and where the
private key requires a passphrase.

> ieee8021x=1

Not sure what this is, but it looks slightly suspicious.

> wep_default_key=0
> wep_key0="XXXX"

As do these.  I wonder if it would help to remove anything related to
WEP?  (That's all three of these quoted lines.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHDuBTS5vET1Wea5wRA7I6AJwNv7lRwDiPkTDUgwOMh/ydcnQl1wCeNsbf
GlZKX52ORtvSVllUpX7NLqc=
=BNVf
-----END PGP SIGNATURE-----

More information about the HostAP mailing list