
Hostapd + Radius + PEAP


Paulo Fragoso

Jun 1, 2010, 1:23:19 PM
Hi,

We are trying to set up an AP using FreeBSD 8.0 with authentication via PEAP and RADIUS:

hostapd.conf:

interface=wlan0
debug=4
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=freebsdap
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
# Radius:
own_ip_addr=X.Y.Z.AP
nas_identifier=freebsdnas
auth_server_addr=A.B.C.D
auth_server_port=1812
auth_server_shared_secret=teste123
acct_server_addr=A.B.C.D
acct_server_port=1813
acct_server_shared_secret=teste123
# Logs:
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0

When starting this server (X.Y.Z.AP) we see initial traffic between
hostapd and the RADIUS server, but there is no PEAP traffic when a
station tries to connect.

This same station connects using WPA+PEAP to another AP that does AAA on
the same RADIUS server (A.B.C.D).

Looking at the sources we have noticed hostapd is compiled without
-DEAP_PEAP -DEAP_MSCHAPv2. How can we solve this?

Thanks,
Paulo Fragoso.

_______________________________________________
freeb...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp...@freebsd.org"

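The configuration posted above is a complete hostapd.conf for an 802.1X/EAP access point, so it is worth checking for the settings that decide how strong the deployment actually is, independently of the PEAP build question. The following linter is an added example (not hostapd's own code and not from the list): it parses hostapd's key=value format and reports WPA1-only mode, a missing WPA-EAP key-management entry, TKIP, short or missing RADIUS shared secrets (RFC 2865 recommends at least 16 octets), and debug-level logger settings. The sample inputs are constructed: POSTED_CONF reproduces the posted file with its placeholder addresses, and HARDENED_CONF is a hypothetical corrected version with obviously fake secrets.

```python
"""Added example: lint a hostapd.conf for settings that matter in a WPA-Enterprise
(802.1X/EAP with RADIUS) deployment. Not hostapd's own code."""

# Constructed sample: the configuration posted in this thread (placeholder addresses kept).
POSTED_CONF = """\
interface=wlan0
debug=4
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=freebsdap
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
# Radius:
own_ip_addr=X.Y.Z.AP
nas_identifier=freebsdnas
auth_server_addr=A.B.C.D
auth_server_port=1812
auth_server_shared_secret=teste123
acct_server_addr=A.B.C.D
acct_server_port=1813
acct_server_shared_secret=teste123
# Logs:
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
"""

# Constructed, hypothetical corrected version of the same file (secrets are obvious placeholders).
HARDENED_CONF = """\
interface=wlan0
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=freebsdap
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
own_ip_addr=X.Y.Z.AP
nas_identifier=freebsdnas
auth_server_addr=A.B.C.D
auth_server_port=1812
auth_server_shared_secret=EXAMPLE-auth-secret-replace-me-0123456789
acct_server_addr=A.B.C.D
acct_server_port=1813
acct_server_shared_secret=EXAMPLE-acct-secret-replace-me-9876543210
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
"""


def parse_hostapd_conf(text):
    """Parse hostapd's key=value format. '#' lines are comments; a later key overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # hostapd itself rejects such a line; the linter just skips it
        conf[key.strip()] = value.strip()
    return conf


def lint_hostapd_conf(conf, min_secret_len=16):
    """Return a list of (key, message) findings. min_secret_len follows RFC 2865's
    recommendation of at least 16 octets for a RADIUS shared secret."""
    findings = []

    # wpa is a bitfield: bit 1 = WPA (TKIP era), bit 2 = WPA2/RSN.
    wpa = int(conf.get("wpa", "0"))
    if not wpa & 2:
        findings.append(("wpa", "wpa=%d enables WPA1 only; set wpa=2 for WPA2/RSN" % wpa))

    # Without WPA-EAP in the key management list the RADIUS settings are never used for EAP.
    if "WPA-EAP" not in conf.get("wpa_key_mgmt", "").split():
        findings.append(("wpa_key_mgmt", "does not include WPA-EAP; 802.1X/EAP will not be used"))

    if "TKIP" in conf.get("wpa_pairwise", "").split():
        findings.append(("wpa_pairwise", "permits TKIP; restrict to CCMP"))

    # Every RADIUS server entry needs a shared secret; short secrets are weak against
    # offline guessing from captured RADIUS traffic.
    for role in ("auth", "acct"):
        addr_key, secret_key = role + "_server_addr", role + "_server_shared_secret"
        if addr_key not in conf:
            continue
        secret = conf.get(secret_key)
        if secret is None:
            findings.append((secret_key, "missing although %s is set" % addr_key))
        elif len(secret) < min_secret_len:
            findings.append((secret_key, "only %d characters; use at least %d random ones"
                             % (len(secret), min_secret_len)))

    # logger_*_level: 0 = verbose debugging, 1 = debugging, 2 = informational, 3 = notification,
    # 4 = warning. Debug verbosity in production fills syslog with per-frame EAP detail.
    for key in ("logger_syslog_level", "logger_stdout_level"):
        if key in conf and int(conf[key]) < 2:
            findings.append((key, "%s is debug verbosity; use 2 (informational) or higher in production"
                             % conf[key]))

    return findings


if __name__ == "__main__":
    for key, msg in lint_hostapd_conf(parse_hostapd_conf(POSTED_CONF)):
        print("%s: %s" % (key, msg))
```

Run against the posted file it reports five findings (WPA1-only, both short secrets, both debug-level loggers); run against the hardened variant it reports none. Point it at a real file with lint_hostapd_conf(parse_hostapd_conf(open(path).read())).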

Dewayne Geraghty

Jun 1, 2010, 5:07:23 PM
You may need to modify /usr/src/contrib/wpa/hostapd/defconfig
to change the build settings. On 8.1 PRERELEASE EAP_PEAP is
included in the build configuration file (see below):

# grep -v ^\# /usr/src/contrib/wpa/hostapd/defconfig|grep EAP
CONFIG_EAP=y
CONFIG_EAP_MD5=y
CONFIG_EAP_TLS=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_GTC=y
CONFIG_EAP_TTLS=y

Which I've crudely verified with
# strings /usr/sbin/hostapd | grep EAP|grep PEAP
PEAP

Regards, Phil.

Paulo Fragoso

Sep 7, 2010, 10:05:51 AM
To solve this I've created a src.conf file:

$ cat /etc/src.conf
HOSTAPD_CFLAGS+=-DEAP_SERVER -DEAP_GTC -DEAP_AKA -DEAP_SIM -DEAP_GPSK
HOSTAPD_CFLAGS+=-DEAP_PAX -DEAP_SAKE
WITH_OPENSSL=YES

and

cd /usr/src/usr.sbin/wpa
make clean all
make install

Now there are many PEAP strings in hostapd:

$ strings /usr/sbin/hostapd | grep EAP|grep PEAP
PEAP
EAP-PEAP: %s -> %s
EAP-PEAP: CSK
EAP-PEAP: Derived key
EAP-PEAP: Invalid frame
EAP-PEAP: Received TLVs
EAP-PEAP: Cryptobinding TLV
EAP-PEAP: CMK
EAP-PEAP: Result TLV
EAP-PEAP: try EAP type %d
EAP-PEAP: forcing version %d
EAP-PEAPv2: Identity Request
EAP-PEAPv2: Not an EAP TLV
EAP-PEAP: Phase 2 Success
EAP-PEAP: Phase 2 Failure
EAP-PEAP: TK
EAP-PEAP: ISK
EAP-PEAP: TempKey
EAP-PEAP: IMCK (IPMKj)
EAP-PEAP: IPMK (S-IPMKj)
EAP-PEAP: CMK (CMKj)
EAP-PEAP: Compound_MAC CMK
EAP-PEAP: Compound_MAC data 1
EAP-PEAP: Compound_MAC data 2
EAP-PEAP: Compound_MAC
EAP-PEAP: peer did not select the forced version (forced=%d peer=%d) - reject
EAP-PEAP: peer ver=%d, own ver=%d; use version %d
EAP-PEAP: Failed to derive key
EAP-PEAP: Invalid EAP-TLV header
EAP-PEAP: TLV underrun (tlv_len=%d left=%lu)
EAP-PEAP: Unsupported TLV Type %d%s
EAP-PEAP: Last TLV too short in Request (left=%lu)
EAP-PEAP: Invalid cryptobinding TLV length %d
EAP-PEAP: Cryptobinding TLV Version mismatch (was %d; expected %d)
EAP-PEAP: Unexpected Cryptobinding TLV SubType %d
EAP-PEAP: Invalid Compound_MAC in cryptobinding TLV
EAP-PEAP: Cryptobinding seed data
EAP-PEAP: Valid cryptobinding TLV received
EAP-PEAP: No cryptobinding TLV
EAP-PEAP: Too short Result TLV (len=%lu)
EAP-PEAP: TLV Result - Success - requested %s
EAP-PEAP: TLV Result - Failure - requested %s
EAP-PEAP: Unknown TLV Result Status %d
EAP-PEAP: %s - Phase2 not initialized?!
EAP-PEAP: Phase2 type Nak'ed; allowed types
EAP-PEAP: Phase2 check() asked to ignore the packet
EAP-PEAP: Phase2 method is in pending wait state - save decrypted response
EAP-PEAP: Phase2 method failed
EAP-PEAP: Phase2 getKey failed
EAP_PEAP: Phase2 Identity not found in the user database
EAP-PEAP: %s - unexpected state %d
EAP-PEAP: Encrypting Phase 2 data
EAP-PEAP: Failed to initialize SSL.
EAP-PEAPv2: Add EAP-Payload TLV
EAP-PEAPv2: Failed to allocate memory for TLV encapsulation
EAP-PEAPv2: Phase1 done, include first Phase2 payload in the same message
EAP-PEAPv2: Failed to encrypt Phase 2 data
EAP-PEAPv2: Encrypted Identity Request
EAP-PEAP: received %lu bytes encrypted data for Phase 2
EAP-PEAP: Pending Phase 2 response - skip decryption and use old data
EAP-PEAP: failed to allocate memory for decryption
EAP-PEAP: Failed to decrypt Phase 2 data
EAP-PEAP: Decrypted Phase 2 EAP
EAP-PEAPv2: Too short Phase 2 EAP TLV
EAP-PEAPv2: Invalid EAP TLV length
EAP-PEAPv2: No room for full EAP packet in EAP TLV
EAP-PEAP: Too short Phase 2 EAP frame (len=%lu)
EAP-PEAP: Length mismatch in Phase 2 EAP frame (len=%lu hdr->length=%lu)
EAP-PEAP: received Phase 2: code=%d identifier=%d length=%lu
EAP-PEAP: Unexpected code=%d in Phase 2 EAP header
EAP-PEAP: Unexpected state %d in %s
EAP-PEAP: Failed to allocate memory for request
EAP-PEAP: Phase1 done, starting Phase2
EAP-PEAP: Phase 2 method not ready
EAP-PEAP: Encrypting Phase 2 TLV data

If WPA2 Enterprise is the top of wireless security, PEAP should be compiled
in by default for hostapd.

Paulo.

Ref:
http://www.pubbs.net/200911/freebsd/13308-problems-moving-hostapd-ap-config-from-64-to-80rc2.html
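Both Dewayne's reply and Paulo's follow-up verify the rebuilt binary with strings | grep PEAP. The script below is an added example (not hostapd's or FreeBSD's own code) that turns that crude check into a reproducible one: a minimal strings(1) equivalent pulls printable runs out of the binary, and the EAP method names are taken from the 'EAP-<METHOD>:' debug-message prefixes, assuming the other EAP server modules log with the same prefix form the posted 'EAP-PEAP:' lines show. The two byte strings are constructed stand-ins for a binary, not real hostapd output.

```python
"""Added example: report which EAP methods a hostapd binary appears to have compiled in,
by scanning it for 'EAP-<METHOD>' debug-message prefixes. Not hostapd's own code."""
import re

# Method names assumed to appear as 'EAP-<NAME>:' debug prefixes in hostapd's EAP server
# modules (the thread shows this for PEAP; the others are assumed analogous).
EAP_METHODS = ("MD5", "TLS", "MSCHAPV2", "PEAP", "GTC", "TTLS")


def extract_strings(data, min_len=4):
    """Minimal strings(1): runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def eap_methods_present(data):
    """Set of known EAP method names whose 'EAP-<NAME>' prefix occurs in the binary."""
    found = set()
    for s in extract_strings(data):
        for m in re.finditer(r"EAP-([A-Z0-9]+)", s):
            if m.group(1) in EAP_METHODS:  # skips non-method prefixes such as 'EAP-TLV'
                found.add(m.group(1))
    return found


def missing_eap_methods(data, required=("PEAP", "MSCHAPV2")):
    """Required methods (PEAP with MSCHAPv2 inner auth, as in the thread) not found in data."""
    present = eap_methods_present(data)
    return sorted(m for m in required if m not in present)


def check_binary(path, required=("PEAP", "MSCHAPV2")):
    """Read a hostapd binary from disk and return the required methods it lacks."""
    with open(path, "rb") as f:
        return missing_eap_methods(f.read(), required)


# Constructed stand-ins for a binary: non-printable bytes around a few debug strings.
SAMPLE_WITH_PEAP = (b"\x7fELF\x02\x01\x01\x00\x00\x00"
                    b"EAP-PEAP: Phase 2 Success\x00\x01\x02"
                    b"EAP-PEAPv2: Identity Request\x00"
                    b"EAP-TLV: not a method\x00"
                    b"EAP-MSCHAPV2: Success\x00\xff\xfe"
                    b"EAP-TLS: Done\x00")
SAMPLE_WITHOUT_PEAP = b"\x7fELF\x00\x00EAP-MD5: Challenge\x00EAP-TLS: Done\x00\x00"


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/sbin/hostapd"
    missing = check_binary(path)
    print("%s: missing %s" % (path, ", ".join(missing) if missing else "nothing"))
```

Running it as python check_eap.py /usr/sbin/hostapd before the rebuild in the thread would report PEAP and MSCHAPV2 missing; afterwards it reports nothing missing. The presence of a debug string only shows the module was linked in, so treat it as the same quick sanity check the thread uses, not as proof the method is enabled in the RADIUS server's configuration.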
