I submitted the patches and my wireless config looks like :
/etc/config/wireless
config 'wifi-device' 'radio0'
option 'type' 'mac80211'
option 'channel' '11'
option 'macaddr' 'f4:ec:38:fc:11:c8'
option 'hwmode' '11ng'
option 'htmode' 'HT20'
list 'ht_capab' 'SHORT-GI-40'
list 'ht_capab' 'DSSS_CCK-40'
option 'txpower' '23'
option 'country' 'US'
config 'wifi-iface'
option 'device' 'radio0'
option 'network' 'lan'
option 'mode' 'ap'
option 'ssid' 'OpenWrt'
option 'auth_server' '192.168.1.104'
option 'auth_secret' 'testing123'
option 'encryption' 'wpa2+ccmp'
option 'vlan_enable' '2'
I understood that making vlan enable 2 forces hostapd to reject
connection if vlan assignment doesn't come from radius .
my radius sends access-accept but hostapd drops the connection and also no
br-vlan appears on ifconfig .
how can I work this out ?
openwrt r28943 with hostapd-20111103
System Log :
> Sep 9 06:07:29 OpenWrt daemon.info hostapd: wlan0: STA 78:e4:00:6c:2f:eb
> IEEE 802.1X: authentication server did not include required VLAN ID in
> Access-Accept
> Sep 9 06:07:29 OpenWrt daemon.warne hostapd: wlan0: STA 78:e4:00:6c:2f:eb
> IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
freeradius -X output:
>
> [peap] Got tunneled reply RADIUS code 2
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 := "10"
> MS-MPPE-Encryption-Policy = 0x00000001
> MS-MPPE-Encryption-Types = 0x00000006
> MS-MPPE-Send-Key = 0xfa4b6928402162dc75ca3c5d3633a544
> MS-MPPE-Recv-Key = 0xdbaf38647954a65f8ff3bd457640aa33
> EAP-Message = 0x03450004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "ashkan"
> [peap] Tunneled authentication was successful.
> [peap] SUCCESS
> ++[eap] returns handled
> Sending Access-Challenge of id 12 to 192.168.1.1 port 56950
> EAP-Message =
> 0x0146002b1900170301002005105d3df33ceaaa611dee9999d6ef7ebea0a52aa5a306448fc819ac6b864fb3
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x84bc4e3b83fa57e7caa19a8619269cb1
> Finished request 268.
> Going to the next request
> Waking up in 0.5 seconds.
> rad_recv: Access-Request packet from host 192.168.1.1 port 56950, id=13,
> length=199
> User-Name = "ashkan"
> NAS-Port = 1
> Called-Station-Id = "F4-EC-38-FC-11-C8:OpenWrt"
> Calling-Station-Id = "78-E4-00-6C-2F-EB"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 54Mbps 802.11g"
> EAP-Message =
> 0x0246002b190017030100204569670443a923b680717450c026917c7fe46b678375ddf9bb4ee0fc34a5a81b
> State = 0x84bc4e3b83fa57e7caa19a8619269cb1
> Message-Authenticator = 0x24ef8ecd74b9236f51ff3dd17e4dc93c
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "ashkan", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 70 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Peap state send tlv success
> [peap] Received EAP-TLV response.
> [peap] Success
> [eap] Freeing handler
> ++[eap] returns ok
> # Executing section post-auth from file
> /etc/freeradius/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 13 to 192.168.1.1 port 56950
> MS-MPPE-Recv-Key =
> 0x6398fd9d9561ea47fa64bf536de9c865b49d11ae9e40ad97653424747c433085
> MS-MPPE-Send-Key =
> 0x1e5eefc46a70bb8704f9b8bf92eab52609af6e5c695a1e24fcedbe91f7ed2ec3
> EAP-Message = 0x03460004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "ashkan"
> Finished request 269.
.
On Mon, Jul 25, 2011 at 5:21 PM, Matthew Bowman <mgbow...@gmx.com> wrote:
> Sorry about the incorrect patches. This is a combined patch of the
> "supporting" files.
>
> --- a/package/hostapd/files/hostapd.sh 2011-07-25 14:05:21.000000000 +0300
> +++ b/package/hostapd/files/hostapd.sh 2011-07-25 16:44:00.000000000 +0300
> @@ -2,6 +2,7 @@
> local var="$1"
> local vif="$2"
> local enc wpa_group_rekey wps_possible
> + local vlan_enable vlan_file vlan_interface
>
> config_get enc "$vif" encryption
> config_get wpa_group_rekey "$vif" wpa_group_rekey
> @@ -93,6 +94,16 @@
> append "$var" "wpa_key_mgmt=WPA-EAP" "$N"
> append "$var" "wpa_group_rekey=300" "$N"
> append "$var" "wpa_gmk_rekey=640" "$N"
> + config_get vlan_enable "$vif" vlan_enable 0
> + case "$vlan_enable" in
> + 1|2)
> + append "$var"
> "dynamic_vlan=$vlan_enable" "$N"
> + config_get vlan_file "$vif"
> vlan_file /etc/hostapd.vlan
> + append "$var"
> "vlan_file=$vlan_file" "$N"
> + config_get vlan_interface "$vif"
> vlan_interface eth0
> + append "$var"
> "vlan_tagged_interface=$vlan_interface" "$N"
> + ;;
> + esac
> ;;
> *wep*)
> config_get key "$vif" key
>
> --- a/package/hostapd/files/hostapd.vlan 1970-01-01
> 02:00:00.000000000 +0200
> +++ b/package/hostapd/files/hostapd.vlan 2011-07-25
> 16:41:36.000000000 +0300
> @@ -0,0 +1,4 @@
> +# Wildcard entry matching all VLAN IDs. The first # in the interface
> +# name will be replaced with the VLAN ID. The network interfaces are
> +# created (and removed) dynamically based on the use.
> +* wlan0.#
>
> --- a/package/hostapd/Makefile 2011-07-25 15:43:33.000000000 +0300
> +++ b/package/hostapd/Makefile 2011-07-25 15:58:49.000000000 +0300
> @@ -281,6 +281,8 @@
> define Install/hostapd
> $(INSTALL_DIR) $(1)/lib/wifi
> $(INSTALL_DATA) ./files/hostapd.sh $(1)/lib/wifi/hostapd.sh
> + $(INSTALL_DIR) $(1)/etc
> + $(INSTALL_DATA) ./files/hostapd.vlan $(1)/etc/hostapd.vlan
> $(INSTALL_DIR) $(1)/usr/sbin
> endef
>
> On Jul 25, 2011, at 4:35 PM, Matthew Bowman wrote:
>
> > Per a discussion with jow, here's a default hostapd.vlan file and a
> patched Makefile to install the file to /etc
> >
> > Signed-off-by: Matthew Bowman <mgbowman at gmx punct com>
> >
> > package/hostapd/files/hostapd.vlan
> >
> > # Wildcard entry matching all VLAN IDs. The first # in the interface
> > # name will be replaced with the VLAN ID. The network interfaces are
> > # created (and removed) dynamically based on the use.
> > * wlan0.#
> >
> > --- a/Makefile 2011-07-25 15:43:33.000000000 +0300
> > +++ b/Makefile 2011-07-25 15:58:49.000000000 +0300
> > @@ -281,6 +281,8 @@
> > define Install/hostapd
> > $(INSTALL_DIR) $(1)/lib/wifi
> > $(INSTALL_DATA) ./files/hostapd.sh $(1)/lib/wifi/hostapd.sh
> > + $(INSTALL_DIR) $(1)/etc
> > + $(INSTALL_DATA) ./files/hostapd.vlan $(1)/etc/hostapd.vlan
> > $(INSTALL_DIR) $(1)/usr/sbin
> > endef
> >
> > _______________________________________________
> > openwrt-devel mailing list
> > openwrt-devel@lists.openwrt.org
> > https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
