wpa_supplicant authentication using wired interface against dot1x NAC configured for "multi auth"

chaos debian control2chaos at gmail.com
Thu May 19 16:28:29 EDT 2011


Hello,
My apologies if this is the wrong place for this topic.  If the correct
forum is somewhere else please let me know so I don't waste anyone's time.
If this is the correct forum then please continue, thanks...

I am looking for some guidance on either the ability of wpa_supplicant to
authenticate in my dot1x configuration ("multi auth"), or where in the code
I should look to change the wpa_supplicant behavior to accept unicast
responses.  I think it is somewhere in "iapp.c" and "driver_wired.c" but
since I am new to this code, and don't have any C coding experience, I may
be way off.  It is also possible that wpa_supplicant can already do what I
need and my configuration is lacking the correct settings so please advise
if this is the case.

I am using wpa_supplicant on a Linux PC to authenticate on a NAC (Network
Access Control) wired ethernet port running dot1x protocol.  When I use
wpa_supplicant to authenticate on a "single host" or "multi host" ethernet
port, where the Id Request from the dot1x AP is sent to a multicast address
(nearest host mcast address), wpa_supplicant continues with the
authentication process to success.  However, when I have a "multi auth"
ethernet port on the dot1x AP and the response's destination unicast address
is my host's ethernet port, the message is ignored and authentication halts
(never proceeds to RX EAPOL step).

Maybe this topic has been touched on before, any links to this information
would also be helpful.

Thanks in advance.

Definitions:
"single host" AP: A single client machine can authenticate against the AP
and only traffic from this client can pass through the port.
"multi host" AP: A single client machine can authenticate against the AP but
traffic from multiple clients on this port may pass through the port.
"multi auth" AP: Multiple client machines can authenticate against the AP
and only traffic from these clients can pass through the port.

Below is my wpa_supplicant configuration file; a debug trace from a failed
attempt against a "multi auth" configured AP and a packet capture of the
IdRequest; and a debug trace from a successful attempt against a "single
host" configured AP and a packet capture of the IdRequest.

I am running wpa_supplicant version 0.6.10

:START Contents of wpa_supplicant.conf:
# All contents were created using examples and information from 'man
# wpa_supplicant.conf'
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
        key_mgmt=IEEE8021X
        eap=MD5
        identity="andy"
        password="andy"
        eapol_flags=0
}
:END Content

:START Authentication Failure
root# wpa_supplicant -c wpa_supplicant.conf -i eth1 -Dwired -dd
Initializing interface 'eth1' conf 'wpa_supplicant.conf' driver 'wired'
ctrl_interface 'N/A' bridge 'N/A'
Configuration file 'wpa_supplicant.conf' -> '/home/andy/wpa_supplicant.conf'
Reading configuration file '/home/andy/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ap_scan=0
Line: 6 - start of a new network block
key_mgmt: 0x8
eap methods - hexdump(len=16): 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00
00
identity - hexdump_ascii(len=4):
     61 6e 64 79                                       andy
password - hexdump_ascii(len=4): [REMOVED]
eapol_flags=0 (0x0)
Priority group 0
   id=0 ssid=''
Initializing interface (2) 'eth1'
wpa_driver_wired_init: Added multicast membership with packet socket
Own MAC address: 00:d0:b7:25:89:28
RSN: flushing PMKID list in the driver
Setting scan request: 0 sec 100000 usec
WPS: UUID based on MAC address - hexdump(len=16): 2e e1 c8 ed 86 72 5f 83 97
69 13 a2 ef fa 8d be
WPS: Build Beacon and Probe Response IEs
WPS:  * Version
WPS:  * Wi-Fi Protected Setup State (0)
WPS:  * Version
WPS:  * Wi-Fi Protected Setup State (0)
WPS:  * Response Type (2)
WPS:  * UUID-E
WPS:  * Manufacturer
WPS:  * Model Name
WPS:  * Model Number
WPS:  * Serial Number
WPS:  * Primary Device Type
WPS:  * Device Name
WPS:  * Config Methods (0)
WPS:  * RF Bands (3)
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
Added interface eth1
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=Auto
Already associated with a configured network - generating associated event
Association info event
State: DISCONNECTED -> ASSOCIATED
Associated to a new BSS: BSSID=01:80:c2:00:00:03
No keys have been configured - skip key clearing
Select network based on association information
Network configuration found for the current AP
WPA: clearing AP WPA IE
WPA: clearing AP RSN IE
WPA: clearing own WPA/RSN IE
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=Auto
Associated with 01:80:c2:00:00:03
WPA: Association event - clear replay counter
WPA: Clear old PTK
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Cancelling scan request
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 01 01 00 00
:END Authentication Failure

:START ucast IdRequest
No.     Time        Source                Destination           Protocol
Info
      1 0.000000    00:90:db:2d:64:86     Intel_25:89:28        EAP
Request, Identity [RFC3748]

Frame 1 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src:(00:90:db:2d:64:86), Dst: Intel_25:89:28
(00:d0:b7:25:89:28)
802.1X Authentication

0000  00 d0 b7 25 89 28 00 90 db 2d 64 86 88 8e 01 00   ...%.(...-d.....
0010  00 05 01 12 00 05 01 00 00 00 00 00 00 00 00 00   ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0030  00 00 00 00 00 00 00 00 00 00 00 00               ............
:END ucast IdRequest



:START Authentication Success
root# wpa_supplicant -c wpa_supplicant.conf -i eth1 -Dwired -dd
Initializing interface 'eth1' conf 'wpa_supplicant.conf' driver 'wired'
ctrl_interface 'N/A' bridge 'N/A'
Configuration file 'wpa_supplicant.conf' -> '/home/andy/wpa_supplicant.conf'
Reading configuration file '/home/andy/wpa_supplicant.conf'
[Skipped section for size requirement... Same as above...]
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 01 01 00 00
RX EAPOL from 00:90:db:2d:64:86
RX EAPOL - hexdump(len=46): 01 00 00 05 01 01 00 05 01 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=4):
     61 6e 64 79                                       andy
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=13): 01 00 00 09 02 01 00 09 01 61 6e 64 79
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:90:db:2d:64:86
RX EAPOL - hexdump(len=46): 01 00 00 16 01 02 00 16 04 10 f3 97 25 ca f9 ee
2b 67 49 3c 4d 02 c3 24 11 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=2 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: Initialize selected EAP method: vendor 0 method 4 (MD5)
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
EAP: EAP entering state METHOD
EAP-MD5: Challenge - hexdump(len=16): f3 97 25 ca f9 ee 2b 67 49 3c 4d 02 c3
24 11 86
EAP-MD5: Generating Challenge Response
EAP-MD5: Response - hexdump(len=16): e1 c5 3d 96 b0 a0 4f e7 9e e6 24 b6 ab
7f 7a 18
EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=26): 01 00 00 16 02 02 00 16 04 10 e1 c5 3d 96 b0 a0
4f e7 9e e6 24 b6 ab 7f 7a 18
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:90:db:2d:64:86
RX EAPOL - hexdump(len=46): 01 00 00 04 03 02 00 04 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
Cancelling authentication timeout
State: ASSOCIATED -> COMPLETED
CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed (auth)
[id=0 id_str=]
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
EAPOL authentication completed successfully
:END Authentication Success

:START mcast IdRequest
No.     Time        Source                Destination           Protocol
Info
      2 0.038832    00:90:db:2d:64:86     Nearest               EAP
Request, Identity [RFC3748]

Frame 2 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:90:db:2d:64:86, Dst: Nearest (01:80:c2:00:00:03)
802.1X Authentication

0000  01 80 c2 00 00 03 00 90 db 2d 64 86 88 8e 01 00   .........-d.....
0010  00 05 01 03 00 05 01 00 00 00 00 00 00 00 00 00   ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0030  00 00 00 00 00 00 00 00 00 00 00 00               ............
:END mcast IdRequest
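To make the difference between the two captures concrete, here is an added example (not code from the post and not wpa_supplicant's own implementation) that decodes both EAP Request/Identity frames from the hex dumps above and models a receive filter keyed on the Ethernet destination address. The frame bytes, the PAE group address 01:80:c2:00:00:03 and the supplicant MAC 00:d0:b7:25:89:28 are copied from the post; the `accepted_by_filter` function is a hypothetical model of "only listen on the group address" versus "also accept frames to my own MAC", not a description of where driver_wired.c or iapp.c actually make that decision.

```python
"""Decode the two EAP Request/Identity frames captured in the post and model a
destination-address filter over them (added example, not from wpa_supplicant)."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 802.1X "Nearest" group address
SUPPLICANT_MAC = bytes.fromhex("00d0b7258928")     # "Own MAC address" in the debug trace

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def _frame(hexstr: str) -> bytes:
    # Ethernet frames are padded to 60 bytes on the wire, as in both captures.
    return bytes.fromhex(hexstr.replace(" ", "")).ljust(60, b"\x00")


# Constructed from the two hex dumps in the post ("ucast IdRequest" / "mcast IdRequest").
UCAST_ID_REQUEST = _frame("00d0b7258928 0090db2d6486 888e 01 00 0005 01 12 0005 01")
MCAST_ID_REQUEST = _frame("0180c2000003 0090db2d6486 888e 01 00 0005 01 03 0005 01")


@dataclass
class EapolFrame:
    dst: bytes
    src: bytes
    eapol_version: int
    eapol_type: str
    eap_code: Optional[str]   # None for EAPOL types other than EAP-Packet
    eap_id: Optional[int]
    eap_type: Optional[int]   # 1 = Identity, 4 = MD5-Challenge; None for Success/Failure


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def parse_eapol(frame: bytes) -> EapolFrame:
    """Parse Ethernet + EAPOL + EAP headers, rejecting truncated or non-EAPOL frames."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL headers")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, etype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    if etype != 0:
        return EapolFrame(dst, src, version, EAPOL_TYPES.get(etype, f"type-{etype}"),
                          None, None, None)
    if body_len < 4:
        raise ValueError("EAP header truncated")
    code, eap_id, eap_len = struct.unpack("!BBH", body[0:4])
    if eap_len > body_len:
        raise ValueError("EAP length exceeds EAPOL body")
    eap_type = body[4] if code in (1, 2) and eap_len >= 5 else None
    return EapolFrame(dst, src, version, "EAP-Packet",
                      EAP_CODES.get(code, f"code-{code}"), eap_id, eap_type)


def classify_destination(dst: bytes, own_mac: bytes) -> str:
    if dst == PAE_GROUP_ADDRESS:
        return "pae-group"
    if dst == own_mac:
        return "own-unicast"
    return "other"


def accepted_by_filter(frame: bytes, own_mac: bytes, allow_own_unicast: bool) -> bool:
    """Hypothetical receive filter (not wpa_supplicant's code): a supplicant that only
    listens on the PAE group address drops a request addressed to its own MAC."""
    kind = classify_destination(parse_eapol(frame).dst, own_mac)
    return kind == "pae-group" or (allow_own_unicast and kind == "own-unicast")


def describe(frame: bytes, own_mac: bytes = SUPPLICANT_MAC) -> str:
    f = parse_eapol(frame)
    return (f"{mac_str(f.src)} -> {mac_str(f.dst)} [{classify_destination(f.dst, own_mac)}] "
            f"EAPOL v{f.eapol_version} {f.eapol_type}: "
            f"EAP {f.eap_code} id={f.eap_id} type={f.eap_type}")


if __name__ == "__main__":
    for name, frame in (("ucast", UCAST_ID_REQUEST), ("mcast", MCAST_ID_REQUEST)):
        print(name, describe(frame))
        for relaxed in (False, True):
            print(f"  accepted (allow_own_unicast={relaxed}):",
                  accepted_by_filter(frame, SUPPLICANT_MAC, relaxed))
```

Run stand-alone, it prints one line per capture showing that both are EAP Request/Identity frames (ids 0x12 and 3) from the same authenticator, differing only in destination, and that the strict filter drops the unicast one. The same parser can be pointed at frames from a `tcpdump -w` capture of the port to check which destination a given switch configuration uses before touching the supplicant.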
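The success trace also shows why EAP-MD5 is only suitable for a lab: the response is a bare MD5 over the EAP identifier, the password and the challenge (RFC 3748 section 5.4, i.e. CHAP), so anyone who captures the exchange can check password guesses offline and nothing in the method authenticates the switch to the client. The following added example (not from the post or wpa_supplicant) recomputes the response in the trace from the posted configuration's password; the two EAPOL payloads and the password `andy` are copied from the post, everything else is constructed for the example.

```python
"""Recompute the EAP-MD5 response shown in the post's success trace
(added example, not from wpa_supplicant)."""
import hashlib
import hmac
import struct
from typing import Tuple

PASSWORD = b"andy"  # password= line of the posted wpa_supplicant.conf

# EAPOL payloads copied from the "RX EAPOL" / "TX EAPOL" hexdumps of the success trace
# (the zero padding after the 22-byte EAPOL body is dropped).
MD5_CHALLENGE_PDU = bytes.fromhex("01000016" "01020016" "0410"
                                  "f39725caf9ee2b67493c4d02c3241186")
MD5_RESPONSE_PDU = bytes.fromhex("01000016" "02020016" "0410"
                                 "e1c53d96b0a04fe79ee624b6ab7f7a18")


def parse_eap_md5(eapol: bytes) -> Tuple[int, int, bytes]:
    """Return (EAP code, identifier, MD5 value) from an EAPOL-wrapped EAP-MD5 packet."""
    _version, etype, body_len = struct.unpack("!BBH", eapol[:4])
    if etype != 0:
        raise ValueError("not an EAPOL EAP-Packet")
    body = eapol[4:4 + body_len]
    if len(body) != body_len or body_len < 6:
        raise ValueError("EAPOL body truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len != body_len:
        raise ValueError("EAP length does not match EAPOL length")
    eap_type, value_size = body[4], body[5]
    if eap_type != 4:
        raise ValueError(f"EAP type {eap_type} is not MD5-Challenge")
    value = body[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("MD5 value truncated")
    return code, ident, value


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 3748 section 5.4 / RFC 1994: MD5(Identifier || secret || challenge).
    No salt, no key derivation, and nothing here authenticates the authenticator."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def response_matches(challenge_pdu: bytes, response_pdu: bytes, password: bytes) -> bool:
    """True if the captured response is the one this password produces for the challenge."""
    code_req, id_req, challenge = parse_eap_md5(challenge_pdu)
    code_rsp, id_rsp, given = parse_eap_md5(response_pdu)
    if code_req != 1 or code_rsp != 2 or id_req != id_rsp:
        raise ValueError("request/response do not pair up")
    return hmac.compare_digest(eap_md5_response(id_rsp, password, challenge), given)


if __name__ == "__main__":
    print("trace response consistent with configured password:",
          response_matches(MD5_CHALLENGE_PDU, MD5_RESPONSE_PDU, PASSWORD))
```

Because the whole proof of possession is one unsalted hash visible on the wire, production 802.1X deployments use a TLS-based method (EAP-TLS, or PEAP/EAP-TTLS wrapping an inner method) so that the password exchange is encrypted and the client can verify the authentication server's certificate.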