I'm trying to set up a simple 802.1X test environment. The simplest
thing I can come up with is to have one laptop running hostapd with
integrated authentication server and another one running
wpa_supplicant. The short story is: I failed. It seems like the station
(STA) is successfully associated with the AP, but the system is stuck
in 802.1X authentication state machine. Basically STA send back
authentication message (identity/password) but the authentication
server didn't respond and eventually the connection timed out. I'm
very new to hostapd and wpa_supplicant package, so forgive me if the
questions sound stupid. But please do help me solve this puzzle.
<br><br>Here are the details:<br><br>Both stations run on Prism2.5 cards<br>On station 1 (AP+AS), /etc/hostapd.conf: <br><br>interface=wlan0<br>driver=hostap<br>ssid=FBI<br>macaddr_acl=0<br>
auth_algs=3<br>ieee8021x=1<br>eapol_version=2<br>eap_server=1<br>eap_user_file=/etc/hostapd.eap<div id="mb_0">_user<br>own_ip_addr=<a href="http://127.0.0.1/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
127.0.0.1</a><br>auth_server_addr=<a href="http://127.0.0.1/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">127.0.0.1</a><br>
auth_server_port=1812<br>auth_server_shared_secret=terminator<br>radius_server_clients=/etc/hostapd.radius_clients<br>radius_server_auth_port=1812<br><br>/etc/hostapd.radius_clients is configured as follows:<br>"1xtest" MD5 "password"
<br>"1xtest" PEAP "password"<br>* PEAP, TTLS, TLS<br>#Phase 2<br>"1xtest" MSCHAPV2 "password" [2]<br><br>----<br>On station 2 (STA), /etc/wpa_supplicant/wpa_supplicant.conf.
<br>ctrl_interface=/var/run/wpa_supplicant<br>ctrl_interface_group=wheel<br>eapol_version=2<br>ap_scan=1<br>network={<br> ssid="FBI"<br> bssid=00:0d:3a:23:dc:a4<br> key_mgmt=IEEE8021X<br> eap=PEAP<br>
phase2="auth=MSCHAPV2"<br> identity="1xtest"<br> private_key_passwd="password"<br># eapol_flags=0<br>}<br><br><br>When I execute hostapd on station 1, and bring up wlan0 on station 2, the following messages are produced:
<br><br>On station 1 (AP+AS)<br><br>Configuration file: /etc/hostapd.conf<br>Opening raw packet socket for ifindex 29<br>Using interface wlan0 with hwaddr 00:0d:3a:23:dc:a4 and ssid 'FBI'<br>wlan0: RADIUS Authentication server
<a href="http://127.0.0.1:1812/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">127.0.0.1:1812</a><br>Flushing old station entries<br>Deauthenticate all stations<br>Received 30 bytes management frame
<br>RX frame - hexdump(len=30): b0 00 02 01 00 0d 3a 23 dc a4 00 0d 3a 23 d1 a8 00 0d 3a 23 dc a4 20 48 00 00 01 00 00 00
<br>MGMT<br>mgmt::auth<br>authentication: STA=00:0d:3a:23:d1:a8 auth_alg=0 auth_transaction=1 status_code=0 wep=0<br> New STA<br>authentication reply: STA=00:0d:3a:23:d1:a8 auth_alg=0 auth_transaction=2 resp=0Received 30 bytes management frame
<br>RX frame - hexdump(len=30): b2 00 02 01 00 0d 3a 23 d1 a8 00 0d 3a 23 dc a4 00 0d 3a 23 dc a4 90 c9 00 00 02 00 00 00<br>MGMT (TX callback) ACK<br>mgmt::auth cb<br>wlan0: STA 00:0d:3a:23:d1:a8 IEEE 802.11: authenticated
<br>Received 39 bytes management frame<br>RX frame - hexdump(len=39):
00 00 02 01 00 0d 3a 23 dc a4 00 0d 3a 23 d1 a8 00 0d 3a 23 dc a4 30 48
11 00 0a 00 00 03 46 42 49 01 04 82 84 0b 16<br>MGMT<br>mgmt::assoc_req<br>association request: STA=00:0d:3a:23:d1:a8 capab_info=0x11 listen_interval=10
<br> new AID 1<br>Received 36 bytes management frame<br>RX frame -
hexdump(len=36): 12 00 02 01 00 0d 3a 23 d1 a8 00 0d 3a 23 dc a4 00 0d
3a 23 dc a4 a0 c9 01 00 00 00 01 c0 01 04 82 84 0b 16<br>MGMT (TX callback) ACK<br>
mgmt::assoc_resp cb<br>wlan0: STA 00:0d:3a:23:d1:a8 IEEE 802.11: associated (aid 1, accounting session 45426B8B-00000000)<br>EAP: State machine created<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 AUTH_PAE entering state INITIALIZE
<br>
IEEE 802.1X: 00:0d:3a:23:d1:a8 BE_AUTH entering state INITIALIZE<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 AUTH_KEY_TX entering state NO_KEY_TRANSMIT<br>IEEE
802.1X: 00:0d:3a:23:d1:a8 KEY_RX entering state NO_KEY_RECEIVE<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 CTRL_DIR entering state IN_OR_BOTH<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 AUTH_PAE entering state INITIALIZE<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 BE_AUTH entering state IDLE
<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 KEY_RX entering state NO_KEY_RECEIVE<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 CTRL_DIR entering state FORCE_BOTH<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 AUTH_PAE entering state INITIALIZE<br>IEEE 802.1X
: 00:0d:3a:23:d1:a8 KEY_RX entering state NO_KEY_RECEIVE<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 AUTH_PAE entering state DISCONNECTED<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 AUTH_PAE entering state RESTART
<br>IEEE 802.1X: Integrated EAP server in use - do not generate
EAP-Request/IdentityIEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER
entering state INITIALIZE<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE
<br>EAP: EAP entering state INITIALIZE<br>EAP: EAP entering state SELECT_ACTION<br>EAP: getDecision: no identity known yet -> CONTINUE<br>EAP: EAP entering state PROPOSE_METHOD<br>EAP: getNextMethod: type 1<br>EAP: EAP entering state METHOD_REQUEST
<br>EAP: building EAP-Request: Identifier 103<br>EAP: EAP entering state SEND_REQUEST<br>EAP: eapReqData -> EAPOL - hexdump(len=5): 01 67 00 05 01<br>EAP: EAP entering state IDLE<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 AUTH_PAE entering state CONNECTING
<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 AUTH_PAE entering state AUTHENTICATING<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 BE_AUTH entering state REQUEST<br>IEEE
802.1X
: Sending EAP Packet to 00:0d:3a:23:d1:a8 (identifier 103)<br>Send
Frame: - hexdump(len=41): 0a 02 00 00 00 0d 3a 23 d1 a8 00 0d 3a 23 dc
a4 00 0d 3a 23 dc a4 00 00 aa aa 03 00 00 00 88 8e 02 00 00 05 01 67 00
05 01<br>IEEE
802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE<br>Wireless event: cmd=0x8c03 len=20<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE
<br>Received 41 bytes management frame<br>RX frame - hexdump(len=41):
0a 02 02 01 00 0d 3a 23 d1 a8 00 0d 3a 23 dc a4 00 0d 3a 23 dc a4 b0 c9
aa aa 03 00 00 00 88 8e 02 00 00 05 01 67 00 05 01<br>DATA (TX callback) ACK<br>
IEEE 802.1X: 00:0d:3a:23:d1:a8 TX status - version=2 type=0 length=5 - ack=1<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE
<br>IEEE 802.1X: 00:0d:3a:23:d1:a8 REAUTH_TIMER entering state INITIALIZE<br><br><br>On station 2 (STA), wpa_supplicant produces the following messages (in debug mode)<br>Initializing interface 'wlan0' conf '/etc/wpa_supplicant/wpa_supplicant.conf' driver 'hostap' ctrl_interface 'N/A'
<br>Configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' -> '/etc/wpa_supplicant/wpa_supplicant.conf'<br>Reading configuration file '/etc/wpa_supplicant/wpa_supplicant.conf'<br>ctrl_interface='/var/run/wpa_supplicant'
<br>ctrl_interface_group=10 (from group name 'wheel')<br>eapol_version=2<br>ap_scan=0<br>Priority group 0<br> id=0 ssid='FBI'<br>Initializing interface (2) 'wlan0'<br>EAPOL: SUPP_PAE entering state DISCONNECTED<br>EAPOL: KEY_RX entering state NO_KEY_RECEIVE
<br>EAPOL: SUPP_BE entering state INITIALIZE<br>EAP: EAP entering state DISABLED<br>EAPOL: External notification - portEnabled=0<br>EAPOL: External notification - portValid=0<br>SIOCGIWRANGE: WE(compiled)=19 WE(source)=18 enc_capa=0xf
<br> capabilities: key_mgmt 0xf enc 0xf<br>Added alternative ifindex 3 (wifi0) for wireless events<br>Added alternative ifindex 3 (wifi0) for wireless events<br>Own MAC address: 00:0d:3a:23:d1:a8<br>wpa_driver_hostap_set_wpa: enabled=1
<br>wpa_driver_hostap_set_key: alg=none key_idx=0 set_tx=0 seq_len=0 key_len=0<br>wpa_driver_hostap_set_key: alg=none key_idx=1 set_tx=0 seq_len=0 key_len=0<br>wpa_driver_hostap_set_key: alg=none key_idx=2 set_tx=0 seq_len=0 key_len=0
<br>wpa_driver_hostap_set_key: alg=none key_idx=3 set_tx=0 seq_len=0 key_len=0<br>wpa_driver_hostap_set_countermeasures: enabled=0<br>wpa_driver_hostap_set_drop_unencrypted: enabled=1<br>Setting scan request: 0 sec 100000 usec
<br>Added interface wlan0<br>Wireless event: cmd=0x8b06 len=8<br>RTM_NEWLINK, IFLA_IFNAME: Interface 'wifi0' added<br>RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added<br>RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
<br>
Wireless event: cmd=0x8b06 len=8<br>Wireless event: cmd=0x8b2a len=8<br>Wireless event: cmd=0x8b1a len=12<br>Wireless event: cmd=0x8b15 len=20<br>Wireless event: new AP: 00:0d:3a:23:dc:a4<br>State: DISCONNECTED -> ASSOCIATED
<br>Associated to a new BSS: BSSID=00:0d:3a:23:dc:a4<br>No keys have been configured - skip key clearing<br>Network configuration found for the current AP<br>WPA: clearing AP WPA IE<br>WPA: clearing AP RSN IE<br>WPA: clearing own WPA/RSN IE
<br>EAPOL: External notification - portControl=Auto<br>Associated with 00:0d:3a:23:dc:a4<br>WPA: Association event - clear replay counter<br>EAPOL: External notification - portEnabled=0<br>EAPOL: External notification - portValid=0
<br>EAPOL: External notification - portEnabled=1<br>EAPOL: SUPP_PAE entering state CONNECTING<br>EAPOL: SUPP_BE entering state IDLE<br>EAP: EAP entering state INITIALIZE<br>EAP: EAP entering state IDLE<br>Setting authentication timeout: 10 sec 0 usec
<br>RTM_NEWLINK, IFLA_IFNAME: Interface 'wifi0' added<br>RX EAPOL from 00:0d:3a:23:dc:a4<br>Setting authentication timeout: 70 sec 0 usec<br>EAPOL: Received EAP-Packet frame<br>EAPOL: SUPP_PAE entering state RESTART<br>EAP: EAP entering state INITIALIZE
<br>EAP: EAP entering state IDLE<br>EAPOL: SUPP_PAE entering state AUTHENTICATING<br>EAPOL: SUPP_BE entering state REQUEST<br>EAPOL: getSuppRsp<br>EAP: EAP entering state RECEIVED<br>EAP: Received EAP-Request method=1 id=103
<br>EAP: EAP entering state IDENTITY<br>CTRL-EVENT-EAP-STARTED EAP authentication started<br>EAP: EAP-Request Identity data - hexdump_ascii(len=0):<br>EAP: using real identity - hexdump_ascii(len=6):<br> 31 78 74 65 73 74 1xtest
<br>EAP: EAP entering state SEND_RESPONSE<br>EAP: EAP entering state IDLE<br>EAPOL: SUPP_BE entering state RESPONSE<br>EAPOL: txSuppRsp<br>EAPOL: SUPP_BE entering state RECEIVE<br>RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
<br>EAPOL: startWhen --> 0<br>EAPOL: authWhile --> 0<br>EAPOL: SUPP_BE entering state TIMEOUT<br>EAPOL: SUPP_PAE entering state CONNECTING<br>EAPOL: SUPP_BE entering state IDLE<br>EAPOL: startWhen --> 0<br>EAPOL: SUPP_PAE entering state CONNECTING
<br>EAPOL: txStart<br>Authentication with 00:0d:3a:23:dc:a4 timed out.<br><br><br><br>It looked like the STA tried to send back identity ("1xtest"), but the server did not respond.<br>On the server side, I notice that after timeout, it received a deauthentication message from the STA, but
<br>the bssid is wrong (set to c8:7b:ab:6b:24:a0, which is an invalid MAC). Maybe something fishy is going on.<br><br>Can someone help me with this? Thanks<br><br><br>Denis.<br>
</div>