Enforce Security - 802.1x
Ben
benoitne at gmail.com
Fri Jan 16 10:46:39 EST 2015
Excuse me I made a mistake on my last email, rectification :
When I set wpa_key_mgt=WPA-EAP-SHA256 in hostapd.conf I can see Auth Key
Management SHA256 (5) in Probe Response packet from my hostapd.
When I set wpa_key_mgt=WPA-EAP in hostapd.conf I can see Auth Key
Management WPA (1) in Probe Response packet from my hostapd.
The only (BIG) difference is that I can see a Authentication message
sent from my hostapd to my computer when I use WPA-EAP, it is never sent
in case of using WPA-EAP-SHA256 surely the reason why my computer is
never connected..but I still don't know why hostapd is not working in
this case..
Any tips are welcoming :-)
On 16/01/2015 15:50, Ben wrote:
> Thanks for your response.
> I am using 3 devices to test (MacOS computer - iPhone and android phone)
> I did a packet capture and realized that when WPA-EAP-SHA256 is turned
> on in my hostapd.conf the Probe Response Auth Key Management is WPA
> (1) , this is probably the reason why my devices ask me a passphrase!
> When I use WPA-EAP the Probe Response Auth Key Management is WSK (2)
>
> On 16/01/2015 12:37, Andreas Hartmann wrote:
>> Ben wrote:
>>> I checked and I have libln 3.2
>>> wpa_supplicant wasn't installed, I just installed it (v2.3) but same
>>> issue :
>>>
>>> as soon as I changed from WPA-EAP to WPA-EAP-SHA256 my computer doesn't
>>> see the AP as a 802.11x but a normal pre-shared WPA2 AP!
>> Don't know, which SW (probably networkmanager? or wicd? or?) exactly
>> this shows.
>>
>> As you didn't had wpa_supplicant before, it can't change anything if you
>> just install it.
>>
>>
>> You have to check all the things lowlevel as root with
>>
>> iw dev wlan0 (or whatever your device is called) scan
>>
>> What does it display? It should show something like I already sent to you.
>>
>>
>> Or with
>>
>> iwlist wlan0 (or whatever your device name is) scanning
>>
>>
>> What does it show exactly?
>>
>>
>>
>> Regards,
>> Andreas
>>
>>
>>> On 15/01/2015 21:36, Andreas Hartmann wrote:
>>>> Ben wrote:
>>>>> Hi,
>>>>>
>>>>> [WPA2 - EAP-TLS with integrated Radius & EAP Server ON]
>>>>> I am using hostapd for a long time and now I am testing multiple
>>>>> options, everything is working expect three things :
>>>>>
>>>>> -I am seeing that Authentication Algorithm needs to be open for 802.1x
>>>>> so it seems that I need to use auth_alg=0 but it is only working with
>>>>> auth_alg=3.
>>>> For me, auth_algs=1 works pretty fine here.
>>>>
>>>> RSN: * Version: 1
>>>> * Group cipher: CCMP
>>>> * Pairwise ciphers: CCMP
>>>> * Authentication suites: IEEE 802.1X IEEE
>>>> 802.1X/SHA-256
>>>> * Capabilities: 16-PTKSA-RC MFP-capable (0x008c)
>>>> * 0 PMKIDs
>>>> * Group mgmt cipher suite: AES-128-CMAC
>>>>
>>>>> Is someone can explain to me why ? I think 3 would be to accept both
>>>>> (802.1x and Shared key), but I would like to force it to 802.1x only..
>>>>>
>>>>> -i80211w : I am able to join my network through an Android but
>>>>> impossible with an iPhone, anyone had been able to test it and make it
>>>>> work?
>>>>> As soon as I required it (ieee8021w=2) I am get into an issue to connect
>>>>> (log saying that I am authenticated but no more message after this)
>>>>>
>>>>> -Someone can explain to me the role of Key Management Algorithms?
>>>>> I am trying to change from WPA-EAP to WPA-EAP-SHA256 but as soon as I do
>>>>> that my computer being confused and detects my wireless network as a
>>>>> normal WPA2 network and not a 802.1x anymore...
>>>>> Is there pre-requesite to make it work properly?
>>>> If it's a Linux STA: you need wpa_supplicant 2.3 and libnl 3.2. Libnl 1
>>>> and wpa_supplicant 2.0 is broken (here too).
>>>>
>>>>
>>>>
>>>> Regards,
>>>> Andreas
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20150116/c8c228e3/attachment.htm>
More information about the HostAP
mailing list