From: Johann Hugo
To: freebsd-wireless@freebsd.org
Date: Thu, 12 Apr 2012 16:25:09 +0200
Subject: hostapd + 802.1X with external Authentication Server
Message-Id: <201204121625.09572.jhugo@meraka.csir.co.za>

Hi all

Has anyone succeeded in configuring hostapd + 802.1X with an external Authentication Server?

I can get it to work with a PSK, but not with an external radius server. I don't see any errors when I run hostapd in the foreground, but it never forwards the authentication packets to the radius server. Hostapd also doesn't like the "eap_server" keyword in hostapd.conf.

The wpa_supplicant of the client never gets past this before it restarts:

CTRL-EVENT-DISCONNECTED bssid=00:00:00:00:00:00 reason=0

I'm not sure if I'm missing something, but I get the same results on FreeBSD 8, 9 and 10.

Here is my rc.conf, hostapd.conf and the output of running hostapd.

Thanks
Johann

Attachment: rc.conf

hostname="AP-vlan"
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap country ZA"
ifconfig_wlan0="146.64.5.5/24 mode 11g channel 6"
defaultrouter="146.64.5.1"
hostapd_enable="YES"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm sis0 addm wlan0 up"
ifconfig_sis0="up"

Attachment: hostapd.conf

interface=wlan0
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=testAP
hw_mode=g
channel=6
wpa=1
wpa_pairwise=CCMP TKIP
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
#eap_server=1
#eapol_version=1
#eapol_key_index_workaround=1
ieee8021x=1
own_ip_addr=146.64.5.5
#nas_identifier=testAP
auth_server_addr=146.64.8.25
auth_server_port=1812
auth_server_shared_secret=testing123

Attachment: hostapd.out

AP-vlan:~ # hostapd -d /etc/hostapd.conf
Configuration file: /etc/hostapd.conf
ctrl_interface_group=0 (from group name 'wheel')
BSS count 1, BSSID mask 00:00:00:00:00:00 (0 bits)
Completing interface initialization
Mode: (null) Channel: 6 Frequency: -1 MHz
Flushing old station entries
Deauthenticate all stations
bsd_set_privacy: enabled=0
bsd_set_key: alg=0 addr=0x0 key_idx=0 set_tx=1 seq_len=0 key_len=0
bsd_del_key: key_idx=0
bsd_set_key: alg=0 addr=0x0 key_idx=1 set_tx=0 seq_len=0 key_len=0
bsd_del_key: key_idx=1
bsd_set_key: alg=0 addr=0x0 key_idx=2 set_tx=0 seq_len=0 key_len=0
bsd_del_key: key_idx=2
bsd_set_key: alg=0 addr=0x0 key_idx=3 set_tx=0 seq_len=0 key_len=0
bsd_del_key: key_idx=3
Using interface wlan0 with hwaddr 00:80:48:4f:2a:ee and ssid 'testAP'
wlan0: RADIUS Authentication server 146.64.8.25:1812
RADIUS local address: 146.64.5.5:37935
bsd_set_ieee8021x: enabled=1
bsd_configure_wpa: enable WPA= 0x1
WPA: group state machine entering state GTK_INIT (VLAN-ID 0)
GMK - hexdump(len=32): [REMOVED]
GTK - hexdump(len=32): [REMOVED]
WPA: group state machine entering state SETKEYSDONE (VLAN-ID 0)
bsd_set_key: alg=2 addr=0x0 key_idx=1 set_tx=1 seq_len=0 key_len=32
bsd_set_privacy: enabled=1
bsd_set_opt_ie: set WPA+RSN ie (len 28)
wlan0: Setup of interface done.
Discard routing message to if#180 (not for us 7)
Discard routing message to if#0 (not for us 7)
wlan0: STA 00:15:af:8e:3b:aa IEEE 802.11: associated
STA included WPA IE in (Re)AssocReq
New STA
wlan0: STA 00:15:af:8e:3b:aa WPA: event 1 notification
bsd_set_key: alg=0 addr=0x2845a308 key_idx=0 set_tx=1 seq_len=0 key_len=0
bsd_del_key: addr=00:15:af:8e:3b:aa
wlan0: STA 00:15:af:8e:3b:aa IEEE 802.1X: start authentication
EAP: Server state machine created
IEEE 802.1X: 00:15:af:8e:3b:aa BE_AUTH entering state IDLE
IEEE 802.1X: 00:15:af:8e:3b:aa CTRL_DIR entering state FORCE_BOTH
wlan0: STA 00:15:af:8e:3b:aa WPA: start authentication
WPA: 00:15:af:8e:3b:aa WPA_PTK entering state INITIALIZE
bsd_set_key: alg=0 addr=0x2845a308 key_idx=0 set_tx=1 seq_len=0 key_len=0
bsd_del_key: addr=00:15:af:8e:3b:aa
WPA: 00:15:af:8e:3b:aa WPA_PTK_GROUP entering state IDLE
WPA: 00:15:af:8e:3b:aa WPA_PTK entering state AUTHENTICATION
WPA: 00:15:af:8e:3b:aa WPA_PTK entering state AUTHENTICATION2
IEEE 802.1X: 00:15:af:8e:3b:aa AUTH_PAE entering state DISCONNECTED
wlan0: STA 00:15:af:8e:3b:aa IEEE 802.1X: unauthorizing port
IEEE 802.1X: 00:15:af:8e:3b:aa AUTH_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
CTRL-EVENT-EAP-STARTED 00:15:af:8e:3b:aa
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: no identity known yet -> CONTINUE
EAP: EAP entering state PROPOSE_METHOD
EAP: getNextMethod: vendor 0 type 1
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
EAP: EAP entering state METHOD_REQUEST
EAP: method not initialized
EAP: EAP entering state SEND_REQUEST
EAP: SEND_REQUEST - no eapReqData
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
IEEE 802.1X: 00:15:af:8e:3b:aa AUTH_PAE entering state CONNECTING
IEEE 802.1X: 00:15:af:8e:3b:aa - (EAP) retransWhile --> 0
EAP: EAP entering state RETRANSMIT
EAP: EAP entering state IDLE
EAP: retransmit timeout 6 seconds (from dynamic back off; retransCount=1)
IEEE 802.1X: 4 bytes from 00:15:af:8e:3b:aa
IEEE 802.1X: version=1 type=1 length=0
wlan0: STA 00:15:af:8e:3b:aa IEEE 802.1X: received EAPOL-Start from STA
wlan0: STA 00:15:af:8e:3b:aa WPA: event 5 notification
WPA: 00:15:af:8e:3b:aa WPA_PTK entering state AUTHENTICATION2
IEEE 802.1X: 00:15:af:8e:3b:aa - (EAP) retransWhile --> 0
EAP: EAP entering state RETRANSMIT
EAP: EAP entering state IDLE
EAP: retransmit timeout 12 seconds (from dynamic back off; retransCount=2)
wlan0: STA 00:15:af:8e:3b:aa IEEE 802.11: disassociated
AP-STA-DISCONNECTED 00:15:af:8e:3b:aa
wlan0: STA 00:15:af:8e:3b:aa WPA: event 2 notification
bsd_set_key: alg=0 addr=0x2845a308 key_idx=0 set_tx=1 seq_len=0 key_len=0
bsd_del_key: addr=00:15:af:8e:3b:aa
ioctl[SIOCS80211, op=20, val=0, arg_len=7]: No such file or directory
WPA: 00:15:af:8e:3b:aa WPA_PTK entering state DISCONNECTED
WPA: 00:15:af:8e:3b:aa WPA_PTK entering state INITIALIZE
bsd_set_key: alg=0 addr=0x2845a308 key_idx=0 set_tx=1 seq_len=0 key_len=0
bsd_del_key: addr=00:15:af:8e:3b:aa
ioctl[SIOCS80211, op=20, val=0, arg_len=7]: No such file or directory
EAP: Server state machine removed
wlan0: STA 00:15:af:8e:3b:aa IEEE 802.11: associated
STA included WPA IE in (Re)AssocReq
New STA
wlan0: STA 00:15:af:8e:3b:aa WPA: event 1 notification
bsd_set_key: alg=0 addr=0x2845a308 key_idx=0 set_tx=1 seq_len=0 key_len=0
bsd_del_key: addr=00:15:af:8e:3b:aa
wlan0: STA 00:15:af:8e:3b:aa IEEE 802.1X: start authentication
EAP: Server state machine created
IEEE 802.1X: 00:15:af:8e:3b:aa BE_AUTH entering state IDLE
IEEE 802.1X: 00:15:af:8e:3b:aa CTRL_DIR entering state FORCE_BOTH
wlan0: STA 00:15:af:8e:3b:aa WPA: start authentication
WPA: 00:15:af:8e:3b:aa WPA_PTK entering state INITIALIZE
bsd_set_key: alg=0 addr=0x2845a308 key_idx=0 set_tx=1 seq_len=0 key_len=0
bsd_del_key: addr=00:15:af:8e:3b:aa
WPA: 00:15:af:8e:3b:aa WPA_PTK_GROUP entering state IDLE
WPA: 00:15:af:8e:3b:aa WPA_PTK entering state AUTHENTICATION
WPA: 00:15:af:8e:3b:aa WPA_PTK entering state AUTHENTICATION2
IEEE 802.1X: 00:15:af:8e:3b:aa AUTH_PAE entering state DISCONNECTED
wlan0: STA 00:15:af:8e:3b:aa IEEE 802.1X: unauthorizing port
IEEE 802.1X: 00:15:af:8e:3b:aa AUTH_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
CTRL-EVENT-EAP-STARTED 00:15:af:8e:3b:aa
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: no identity known yet -> CONTINUE
EAP: EAP entering state PROPOSE_METHOD
EAP: getNextMethod: vendor 0 type 1
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
EAP: EAP entering state METHOD_REQUEST
EAP: method not initialized
EAP: EAP entering state SEND_REQUEST
EAP: SEND_REQUEST - no eapReqData
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
IEEE 802.1X: 00:15:af:8e:3b:aa AUTH_PAE entering state CONNECTING
IEEE 802.1X: 4 bytes from 00:15:af:8e:3b:aa
IEEE 802.1X: version=1 type=1 length=0
wlan0: STA 00:15:af:8e:3b:aa IEEE 802.1X: received EAPOL-Start from STA
wlan0: STA 00:15:af:8e:3b:aa WPA: event 5 notification
WPA: 00:15:af:8e:3b:aa WPA_PTK entering state AUTHENTICATION2
IEEE 802.1X: 00:15:af:8e:3b:aa - (EAP) retransWhile --> 0
EAP: EAP entering state RETRANSMIT
EAP: EAP entering state IDLE
EAP: retransmit timeout 6 seconds (from dynamic back off; retransCount=1)
wlan0: STA 00:15:af:8e:3b:aa IEEE 802.11: disassociated
AP-STA-DISCONNECTED 00:15:af:8e:3b:aa
wlan0: STA 00:15:af:8e:3b:aa WPA: event 2 notification
bsd_set_key: alg=0 addr=0x2845a308 key_idx=0 set_tx=1 seq_len=0 key_len=0
bsd_del_key: addr=00:15:af:8e:3b:aa
ioctl[SIOCS80211, op=20, val=0, arg_len=7]: No such file or directory
WPA: 00:15:af:8e:3b:aa WPA_PTK entering state DISCONNECTED
WPA: 00:15:af:8e:3b:aa WPA_PTK entering state INITIALIZE
bsd_set_key: alg=0 addr=0x2845a308 key_idx=0 set_tx=1 seq_len=0 key_len=0
bsd_del_key: addr=00:15:af:8e:3b:aa
ioctl[SIOCS80211, op=20, val=0, arg_len=7]: No such file or directory
EAP: Server state machine removed

Attachment: ifconfig.wlan0

AP-vlan:~ # ifconfig wlan0
wlan0: flags=8843 metric 0 mtu 1500
	ether 00:80:48:4f:2a:ee
	inet 146.64.5.5 netmask 0xffffff00 broadcast 146.64.5.255
	inet6 fe80::280:48ff:fe4f:2aee%wlan0 prefixlen 64 scopeid 0x7
	nd6 options=29
	media: IEEE 802.11 Wireless Ethernet autoselect mode 11g
	status: running
	ssid testAP channel 6 (2437 MHz 11g) bssid 00:80:48:4f:2a:ee
	regdomain NONE country ZA ecm authmode WPA privacy MIXED deftxkey 2
	TKIP 2:128-bit txpower 30 scanvalid 60 protmode CTS wme burst
	dtimperiod 1 -dfs
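
A triage helper for `hostapd -d` output like the log in this message, added here as an example and not part of the original post or of hostapd: it counts, per station, the association, EAPOL-Start, empty EAP request and disassociation lines seen above, and reports stations that never reached the RADIUS server. The names summarize and stalled are hypothetical, and the "Sending RADIUS message" marker is an assumption about what a forwarded request would log.

```python
import re
from collections import defaultdict

STA = re.compile(r"\bSTA ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)

# Log substring -> counter. The first four occur in the hostapd output above;
# the RADIUS one is an assumption about what a forwarded request would log.
MARKERS = {
    "IEEE 802.11: associated": "associated",
    "received EAPOL-Start from STA": "eapol_start",
    "SEND_REQUEST - no eapReqData": "empty_eap_request",
    "IEEE 802.11: disassociated": "disassociated",
    "Sending RADIUS message": "radius_sent",
}

def summarize(log_text):
    """Count marker lines per station MAC in `hostapd -d` output."""
    stats = defaultdict(lambda: dict.fromkeys(MARKERS.values(), 0))
    current = None
    for line in log_text.splitlines():
        m = STA.search(line)
        if m:
            current = m.group(1).lower()
        # "EAP:" and RADIUS lines carry no MAC, so they are charged to the
        # station seen most recently.
        for needle, counter in MARKERS.items():
            if needle in line and current is not None:
                stats[current][counter] += 1
    return dict(stats)

def stalled(stats):
    """Stations that got an empty EAP request and no RADIUS traffic."""
    return sorted(mac for mac, c in stats.items()
                  if c["empty_eap_request"] and not c["radius_sent"])

# Constructed sample: lines copied from the hostapd output in the post.
SAMPLE = """\
wlan0: RADIUS Authentication server 146.64.8.25:1812
wlan0: STA 00:15:af:8e:3b:aa IEEE 802.11: associated
wlan0: STA 00:15:af:8e:3b:aa IEEE 802.1X: start authentication
EAP: EAP entering state METHOD_REQUEST
EAP: method not initialized
EAP: SEND_REQUEST - no eapReqData
wlan0: STA 00:15:af:8e:3b:aa IEEE 802.1X: received EAPOL-Start from STA
wlan0: STA 00:15:af:8e:3b:aa IEEE 802.11: disassociated
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print("stalled before RADIUS:", stalled(summarize(SAMPLE)))
```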