en:users:documentation:hostapd

Differences

This shows you the differences between two versions of the page.

en:users:documentation:hostapd [2016/09/04 14:50]
Jan Verhaeghe Typo fix
en:users:documentation:hostapd [2017/07/22 20:45] (current)
Todd Andrews Fix spelling, grammar, capitalization
Line 8: Line 8:
 Homepage: [[http://​w1.fi/​hostapd/​|http://​w1.fi/​hostapd/​]] ​ Homepage: [[http://​w1.fi/​hostapd/​|http://​w1.fi/​hostapd/​]] ​
  
-hostapd is an //IEEE 802.11 AP and IEEE 802.1X/​WPA/​WPA2/​EAP/​RADIUS Authenticator//​. ​ This page is dedicated to the Linux documentation of it'​s ​implementation and use. Please refer to the hostapd home page for information for other Operating Systems. ​+hostapd is an //IEEE 802.11 AP and IEEE 802.1X/​WPA/​WPA2/​EAP/​RADIUS Authenticator//​. ​ This page is dedicated to the Linux documentation of its implementation and use. Please refer to the hostapd home page for information for other Operating Systems. ​
  
-To communicate with a kernel driver hostapd has to use some interface. All **new** cfg80211 (and mac80211) based drivers that implement AP functionality are supported using **[[en/​developers/​Documentation/​nl80211|nl80211]]** interface. ​+To communicate with a kernel driverhostapd has to use some interface. All **new** cfg80211 (and mac80211) based drivers that implement AP functionality are supported using the **[[en/​developers/​Documentation/​nl80211|nl80211]]** interface. ​
  
-For **old** kernel drivers hostapd contains ​separated ​drivers. As far Linux is concerned, there are 3 other drivers you can use: +For **old** kernel drivershostapd contains ​separate ​drivers. As far as Linux is concerned, there are 3 other drivers you can use: 
   * [[en/​users/​Drivers/​hostap|HostAP]] ​   * [[en/​users/​Drivers/​hostap|HostAP]] ​
   * [[en/​users/​Drivers/​madwifi|madwifi]] ​   * [[en/​users/​Drivers/​madwifi|madwifi]] ​
   * [[en/​users/​Drivers/​prism54|prism54]] ​   * [[en/​users/​Drivers/​prism54|prism54]] ​
  
-The mac80211 subsystem moves all aspects of master mode into user space. It depends on hostapd to handle authenticating clients, setting encryption keys, establishing key rotation policy, and other aspects of the wireless infrastructure. Due to this, the old method of issuing '​iwconfig <​wireless interface>​ mode master'​ no longer works. It also means that userspace ​programs like hostapd need a way to management frames. ​+The mac80211 subsystem moves all aspects of master mode into user space. It depends on hostapd to handle authenticating clients, setting encryption keys, establishing key rotation policy, and other aspects of the wireless infrastructure. Due to this, the old method of issuing '​iwconfig <​wireless interface>​ mode master'​ no longer works. It also means that user space programs like hostapd need a way to send/​receive ​management frames. ​
  
  
 ==== Details of nl80211 ==== ==== Details of nl80211 ====
  
-In old days receiving and sending management frames required monitor mode interface. You needed one interface running in master mode for **standard** traffic and another one for authentication,​ keys management, etc. The second one didn't require any specific APIit was accessed using a standard Linux socket. This method is still supported by nl80211 driver as a fallback. ​+In the old daysreceiving and sending management frames required ​monitor mode interface. You needed one interface running in master mode for **standard** traffic and another one for authentication,​ keys management, etc. The second one didn't require any specific APIit was accessed using a standard Linux socket. This method is still supported by nl80211 driver as a fallback. ​
  
-Later nl80211 implemented special commands for sending management frames (NL80211_CMD_FRAME) and subscribing to them (NL80211_CMD_REGISTER_FRAME). This allowed user space to handle wireless infrastructure using a single interface only. This is currently preferred method that can be used with all mac80211 drivers implementing AP mode. +Laternl80211 implemented special commands for sending management frames (NL80211_CMD_FRAME) and subscribing to them (NL80211_CMD_REGISTER_FRAME). This allowed user space to handle wireless infrastructure using a single interface only. This is currently ​the preferred method that can be used with all mac80211 drivers implementing AP mode. 
  
  
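Review bot: in the "Details of nl80211" paragraph, "This method is still supported by nl80211 driver as a fallback" still lacks an article in both revisions; "by the nl80211 driver" would match "the nl80211 interface" that this hunk introduces a few lines earlier. "keys management" in the same paragraph should be "key management".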
Line 30: Line 30:
  
  
-==== Using your distributions ​hostapd ====+==== Using Your Distribution'​s ​hostapd ====
  
-It is advisable to try your distributions ​version of hostapd before taking the time to compile and install your own copy.  This will make future maintenance easier as you'll be able to use the init scripts shipped by the distro and hostapd will be updated by it as well.  If your distribution ships 0.6.8 or later, you can test with this bare minimum config by creating the file hostapd-minimal.conf: ​+It is advisable to try your distribution'​s ​version of hostapd before taking the time to compile and install your own copy.  This will make future maintenance easier as you'll be able to use the init scripts shipped by the distro and hostapd will be updated by it as well.  If your distribution ships 0.6.8 or later, you can test with this bare minimum config by creating the file hostapd-minimal.conf: ​
  
  
Line 47: Line 47:
 Line 2: invalid/​unknown driver '​nl80211'​ Line 2: invalid/​unknown driver '​nl80211'​
 1 errors found in configuration file '​./​hostapd-minimal.conf'</​code>​ 1 errors found in configuration file '​./​hostapd-minimal.conf'</​code>​
-that means that your distro is not shipping hostapd with nl80211 driver support and you'll need to follow the building ​instructions that follow. ​ If it works, you can skip down to the configuring hostapd section. ​ If not, continue on. +it means that your distro is not shipping hostapd with nl80211 driver support and you'll need to follow the build instructions that follow. ​ If it works, you can skip down to the configuring hostapd section. ​ If not, continue on. 
  
  
-==== Download and compile ​hostapd ====+==== Download and Compile ​hostapd ====
  
-//Using hostapd with nl80211 requires you to have at least libnl-1.0 pre8 as this release introduced genl, Generic Netlink, which nl80211 relies on. Most distributions are shipping this or a later release by now. // To compile on fedora ​or other distibutions ​that separate out the headers from the binaries, you need the libnl-devel package. ​+//Using hostapd with nl80211 requires you to have at least libnl-1.0 pre8 as this release introduced genl, Generic Netlink, which nl80211 relies on. Most distributions are shipping this or a later release by now. // To compile on Fedora ​or other distributions ​that separate out the headers from the binaries, you need the libnl-devel package. ​
  
 Throughout this section, versions will be referred to by: x.y.z  Throughout this section, versions will be referred to by: x.y.z 
Line 63: Line 63:
 <​code>​git clone git://​w1.fi/​srv/​git/​hostap.git <​code>​git clone git://​w1.fi/​srv/​git/​hostap.git
 cd hostap/​hostapd</​code>​ cd hostap/​hostapd</​code>​
-Or you can get a stable release (0.6.8 or later reccomended) by downloading the tarball from [[http://​w1.fi/​hostapd/​|http://​w1.fi/​hostapd/​]]+Or you can get a stable release (0.6.8 or later recommended) by downloading the tarball from [[http://​w1.fi/​hostapd/​|http://​w1.fi/​hostapd/​]] ​as follows: ​
  
  
Line 78: Line 78:
  
 <​code>#​CONFIG_DRIVER_NL80211=y</​code>​ <​code>#​CONFIG_DRIVER_NL80211=y</​code>​
-and uncomment it by removing the '#'​ sign.  Repeat for other settings that you may be interested in.  The basic configuration,​ with only this line uncommented is enough to get hostapd up and running with WPA/WPA2 authentication and encryption. ​+and uncomment it by removing the '#'​ sign.  Repeat for other settings that you may be interested in.  The basic configuration,​ with only this line uncommentedis enough to get hostapd up and running with WPA/WPA2 authentication and encryption. ​
  
 Next, compile hostapd: ​ Next, compile hostapd: ​
Line 84: Line 84:
  
 <​code>​make</​code>​ <​code>​make</​code>​
-if this fails with errors like: +If this fails with errors like: 
  
  
Line 92: Line 92:
 driver_nl80211.c:​24:​25:​ warning: netlink/​msg.h:​ No such file or directory driver_nl80211.c:​24:​25:​ warning: netlink/​msg.h:​ No such file or directory
 driver_nl80211.c:​25:​26:​ warning: netlink/​attr.h:​ No such file or directory</​code>​ driver_nl80211.c:​25:​26:​ warning: netlink/​attr.h:​ No such file or directory</​code>​
-you need to install/​update libnl-1.0pre8 (or later). ​ If all goes well and the compilation finishes, try the minimal hostapd again, see the section Using your distributions ​hostapd above for that. +you need to install/​update libnl-1.0pre8 (or later). ​ If all goes well and the compilation finishes, try the minimal hostapd again, see the section ​**Using Your Distribution'​s ​hostapd** above for that. 
  
  
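Review bot: the version is spelled "libnl-1.0pre8" here but "libnl-1.0 pre8" in the Download and Compile paragraph above; pick one form. "try the minimal hostapd again, see the section ..." is a comma splice; "again; see the section" or "again (see the section ...)" reads cleanly.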
Line 98: Line 98:
 Configuration file: ./​hostapd-minimal.conf Configuration file: ./​hostapd-minimal.conf
 Using interface wlan1 with hwaddr 00:​0d:​0b:​cf:​04:​40 and ssid '​test'</​code>​ Using interface wlan1 with hwaddr 00:​0d:​0b:​cf:​04:​40 and ssid '​test'</​code>​
-If that starts as the example here shows, you can move on to configuring hostapd. ​ If it fails to start with errors about the driver not being found, review the steps listed above for compiling hostapd again. ​ If it gets the error messages:  ​+If that starts as the example here shows, you can move on to configuring hostapd. ​ If it fails to start and gives errors about the driver not being found, review the steps listed above for compiling hostapd again. ​ If it gets the error messages:  ​
  
  
Line 121: Line 121:
 <​code>​Encryption:​ wpa-psk + tkip <​code>​Encryption:​ wpa-psk + tkip
 Wireless Mode: g Wireless Mode: g
-Normal for an environment that has to support semi legacy devices, that don't support ​ccmp or wpa2</​code>​+Normal for an environment that has to support semi-legacy devices, that don't support ​CCMP or WPA2</​code>​
 <​code>​Encryption:​ wpa2-psk + ccmp <​code>​Encryption:​ wpa2-psk + ccmp
 Wireless Mode: g+n Wireless Mode: g+n
-Normal for an environment that has only up to date hardware and software</​code>​+Normal for an environment that has only up-to-date hardware and software</​code>​
 <​code>​Encryption:​ wep <​code>​Encryption:​ wep
 Wireless Mode: b Wireless Mode: b
-This is the worst-case scenario, as wep is broken and can be trivially cracked. ​ Don't consider this as anything more than keeping casual ​free loaders ​out.</​code>​+This is the worst-case scenario, as WEP is broken and can be trivially cracked. ​ Don't consider this as anything more than keeping casual ​freeloaders ​out.</​code>​
 Once you've found your baseline, it's time to edit hostapd.conf. ​ The configuration options will be broken into 3 sections: ​ Once you've found your baseline, it's time to edit hostapd.conf. ​ The configuration options will be broken into 3 sections: ​
  
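Review bot: the first code block still labels "wpa-psk + tkip" as "Normal" while the Authentication and Encryption section below states there are known attacks on WPA and recommends WPA2; since this revision already edits the text of these blocks, labelling the TKIP case "legacy" rather than "Normal" would keep the two sections consistent. Also "semi-legacy devices, that don't support CCMP or WPA2" takes no comma before the restrictive "that".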
Line 144: Line 144:
 ==== Wireless Interface ==== ==== Wireless Interface ====
  
-Setting ​Summary:  +Settings ​Summary:  
-    * interface: Tells hostapd what wireless interface to use  +    * interface: Tells hostapd what wireless interface to use 
-    * bridge: Set to a bridge if the wireless interface in use is part of a network bridge interface  +    * bridge: Set to a bridge if the wireless interface in use is part of a network bridge interface 
-    * driver: For our purposes, always nl80211 If you only have 1 wireless interface, and it's going to be bridged with a wired interface, a good example setup would be: +    * driver: For our purposes, always nl80211If you only have 1 wireless interface, and it's going to be bridged with a wired interface, a good example setup would be: 
  
  
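Review bot: the "driver:" bullet still runs straight into the paragraph "If you only have 1 wireless interface..."; the blank line and separate paragraph this revision adds for "On ap136:" further down is the right fix, and the same applies to the channel, ht_capab and rsn_pairwise bullets in the later hunks.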
Line 156: Line 156:
 ==== Wireless Environment ==== ==== Wireless Environment ====
  
-Setting ​Summary:  +Settings ​Summary:  
-      * ssid: Sets the name (SSID = service set identifier) of the networkwireless extensions/​iwconfig incorrectly calls this "//​essid//"​.  +      * ssid: Sets the name (SSID = service set identifier) of the network. Note that wireless extensions/​iwconfig incorrectly calls this "//​essid//"​.  
-      * hw_mode: Sets the operating mode of the interfaceand the allowed channels. ​ Valid values depend on hardware, but are always a subset of a, b, g  +      * hw_mode: Sets the operating mode of the interface and the allowed channels. ​ Valid values depend on the hardware, but are always a subset of a, b, g. 
-      * channel: Sets the channel for hostapd to operate on.  Must be a channel supported by the mode set in hw_mode, as well as allowed by your countries ​Wireless Regulatory rules. The ssid is just for ease of configuration. ​ It is what shows up in scan results, and can help in configuring your clients. ​ Check the scan results for your area and choose a name. +      * channel: Sets the channel for hostapd to operate on.  Must be a channel supported by the mode set in hw_mode, as well as allowed by your country'​s ​Wireless Regulatory rules. The SSID is just for ease of configuration. ​ It is what shows up in scan results, and can help in configuring your clients. ​ Check the scan results for your area and choose a name. 
  
 hw_mode needs to be something that all of your hardware supports. ​ Setting this to '​g'​ is probably the most common setup, and also enables backwards compatability with 802.11b devices. ​ Note, this is not where you enable 802.11n support, as 802.11n operates on top of 802.11a or 802.11g'​s functionality. ​ hw_mode needs to be something that all of your hardware supports. ​ Setting this to '​g'​ is probably the most common setup, and also enables backwards compatability with 802.11b devices. ​ Note, this is not where you enable 802.11n support, as 802.11n operates on top of 802.11a or 802.11g'​s functionality. ​
  
-channel should be chosen so that it has the minimum overlap with other APs or other networks in your area.  802.11 channels are 20mhz (4  channels) wide in total, or 10mhz (2 channels) wide on each side.  This means that an access point on channel 3 will interfere with an acces point on channel 1 or channel 5.  Use this to pick a channel. ​ Most consumer APs default to channel 6, so you can use channel 1 or channel 11 in most cases for the best results. ​ Also note that the channels available to you depends ​heavily ​entirerly on the local regulatory rules. ​+channel should be chosen so that it has the minimum overlap with other APs or other networks in your area.  802.11 channels are 20mhz (4  channels) wide in total, or 10mhz (2 channels) wide on each side.  This means that an access point on channel 3 will interfere with an acces point on channel 1 or channel 5.  Use this to pick a channel. ​ Most consumer APs default to channel 6, so you can use channel 1 or channel 11 in most cases for the best results. ​ Also note that the channels available to you depends entirerly on the local regulatory rules. ​
  
 An example of a good normal setup is:  An example of a good normal setup is: 
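Review bot: the channel paragraph drops the stray "heavily" but leaves "acces", "entirerly", "the channels available to you depends" (should be "depend") and the unit written as "mhz" (MHz) as they were; the unchanged hw_mode paragraph above it also still reads "compatability". For a revision titled "Fix spelling, grammar, capitalization" these belong in it too.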
Line 171: Line 171:
 hw_mode=g hw_mode=g
 channel=1</​code>​ channel=1</​code>​
-802.11n ​Setting ​Summary ​+802.11n ​Settings ​Summary ​
  
 802.11n builds on the settings above, and adds additional functionality. ​ If your hardware doesn'​t support 802.11n, or you don't plan on using it, you can ignore these. ​ 802.11n builds on the settings above, and adds additional functionality. ​ If your hardware doesn'​t support 802.11n, or you don't plan on using it, you can ignore these. ​
-        * ieee80211n: Set to 1 to enable 802.11n support, 0 to disable it  +        * ieee80211n: Set to 1 to enable 802.11n support, 0 to disable it 
-        * ht_capab: A list of the 802.11n features supported by your device The explanation of these settings in the sample config file are quite helpful, so I'll suggest reading those. ​ You can use the command 'iw list' to find a short list of the capabilities of your device. ​+        * ht_capab: A list of the 802.11n features supported by your deviceThe explanation of these settings in the sample config file are quite helpful, so I'll suggest reading those. ​ You can use the command 'iw list' to find a short list of the capabilities of your device. ​
  
 Example settings: ​ Example settings: ​
Line 188: Line 188:
 ==== Authentication and Encryption ==== ==== Authentication and Encryption ====
  
-There is a lot to the authentication and encryption options in hostapd. ​ This section will cover the basics as far as wep/wpa/wpa2 goes, as well as some of the other commonly used options. ​+There is a lot to the authentication and encryption options in hostapd. ​ This section will cover the basics as far as WEP/WPA/WPA2 goes, as well as some of the other commonly used options. ​
  
 Settings Summary: ​ Settings Summary: ​
-          * macaddr_acl:​ This controls ​mac address filtering.  ​Mac addresses are easily spoofed, so only consider the use of this to be augmenting other security measures you have in place.  +          * macaddr_acl:​ This controls ​MAC address filtering.  ​MAC addresses are easily spoofed, so only consider the use of this to be augmenting other security measures you have in place.  
-          * auth_algs: This is a bit field where the first bit (1) is for open auth, the second bit (2) is for Shared key auth (wep) and both (3) is both.  +          * auth_algs: This is a bit field where the first bit (1) is for open auth, the second bit (2) is for Shared key auth (WEP) and both (3) is both.  
-          * ignore_broadcast_ssid:​ This enables/​disables broadcasting the ssid.  +          * ignore_broadcast_ssid:​ This enables/​disables broadcasting the SSID.  
-          * wpa: This is a bitfield ​like auth_algs. ​ The first bit enables ​wpa1 (1), the second bit enables ​wpa2 (2), and bothe enables both (3)  +          * wpa: This is a bit field like auth_algs. ​ The first bit enables ​WPA1 (1), the second bit enables ​WPA2 (2), and both enables both (3)  
-          * wpa_psk/​wpa_passphrase:​ These establish what the pre-shared key will be for wpa authentication. ​+          * wpa_psk/​wpa_passphrase:​ These establish what the pre-shared key will be for WPA authentication. ​
           * wpa_key_mgmt:​ This controls what key management algorithms a client can authenticate with.            * wpa_key_mgmt:​ This controls what key management algorithms a client can authenticate with. 
-          * wpa_pairwise:​ This controls ​wpa's data encryption  +          * wpa_pairwise:​ This controls ​WPA's data encryption 
-          * rsn_pairwise:​ This controls ​wpa2's data encryption First, scratch macaddr_acl and ignore_broadcast_ssid from your priorities as they only enhance security (and even then, only slightly). ​ Also, WEP has been effectively broken now, so unless you HAVE to support ​wep, scratch that from your list.  This just leaves ​wpa/wpa2.  Per the draft standard, ​wpa2 is required for 802.11n, and as there are known attacks on wpa now, wpa2 is the recommended authentication and encryption suite to use.  Fortunately,​ you can have both enabled at once.  If Windows clients are going to be connecting, you should leave ccmp encryption out of the wpa_pairwise option, as some windows drivers have problems with systems that enable it. +          * rsn_pairwise:​ This controls ​WPA2's data encryptionFirst, scratch macaddr_acl and ignore_broadcast_ssid from your priorities as they only enhance security (and even then, only slightly). ​ Also, WEP has been effectively broken now, so unless you HAVE to support ​WEP, scratch that from your list.  This just leaves ​WPA/WPA2.  Per the draft standard, ​WPA2 is required for 802.11n, and as there are known attacks on WPA now, WPA2 is the recommended authentication and encryption suite to use.  Fortunately,​ you can have both enabled at once.  If Windows clients are going to be connecting, you should leave CCMP encryption out of the wpa_pairwise option, as some windows drivers have problems with systems that enable it. 
  
-A good starting point for a wpa & wpa2 enabled access point is: +A good starting point for a WPA and WPA2 enabled access point is: 
  
  
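Review bot: in the rsn_pairwise line, "some windows drivers" stays lower-case while "Windows clients" in the same sentence is capitalised. "they only enhance security (and even then, only slightly)" is awkward; "they only slightly enhance security" says the same thing. The auth_algs and wpa bullets' "both (3) is both" and "both enables both (3)" would read better as "and 3 enables both".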
Line 211: Line 211:
 wpa_pairwise=TKIP wpa_pairwise=TKIP
 rsn_pairwise=CCMP</​code>​ rsn_pairwise=CCMP</​code>​
-If, alternately, you just want to support ​wpa2, you could use something like: +If, alternatively, you just want to support ​WPA2, you could use something like: 
  
  
Line 222: Line 222:
 wpa_pairwise=TKIP wpa_pairwise=TKIP
 rsn_pairwise=CCMP</​code>​ rsn_pairwise=CCMP</​code>​
-That should be all of the settings that you'll need to change for a basic, secureaccess point using hostapd with an AP enabled mac80211 driver. ​+That should be all of the settings that you'll need to change for a basic, secure access point using hostapd with an AP enabled mac80211 driver. ​
  
  
-==== Dynamic VLAN tagging ​====+==== Dynamic VLAN Tagging ​====
  
 hostapd can be configured to move STAs into separate VLANs based on RADIUS tunnel attributes (as specified in RFC3580, [[http://​tools.ietf.org/​html/​rfc3580#​section-3.31|http://​tools.ietf.org/​html/​rfc3580#​section-3.31]]): ​ hostapd can be configured to move STAs into separate VLANs based on RADIUS tunnel attributes (as specified in RFC3580, [[http://​tools.ietf.org/​html/​rfc3580#​section-3.31|http://​tools.ietf.org/​html/​rfc3580#​section-3.31]]): ​
Line 233: Line 233:
 Tunnel-Medium-Type=802 Tunnel-Medium-Type=802
 Tunnel-Private-Group-ID=VLANID</​code>​ Tunnel-Private-Group-ID=VLANID</​code>​
-To enable dynamic VLAN tagging the following options in hostapd.conf need to be set: +To enable dynamic VLAN taggingthe following options in hostapd.conf need to be set: 
 <​code>​dynamic_vlan=1 <​code>​dynamic_vlan=1
 vlan_file=/​etc/​hostapd.vlan</​code>​ vlan_file=/​etc/​hostapd.vlan</​code>​
 A value of 0 disables dynamic VLAN tagging, a value of 1 allows dynamic VLAN tagging and a value of 2 will reject the authentication if the RADIUS server does not provide the appropriate tunnel attributes. ​ A value of 0 disables dynamic VLAN tagging, a value of 1 allows dynamic VLAN tagging and a value of 2 will reject the authentication if the RADIUS server does not provide the appropriate tunnel attributes. ​
  
-Furthermore,​ hostapd needs to know how the VLAN interfaces should be named, this is done through an additional config file as specified in vlan_file. ​+Furthermore,​ hostapd needs to know how the VLAN interfaces should be named. This is done through an additional config file as specified in vlan_file. ​
  
 Example /​etc/​hostapd.vlan: ​ Example /​etc/​hostapd.vlan: ​
 <​code>​1 ​      ​wlan0.1 <​code>​1 ​      ​wlan0.1
 *       ​wlan0.#</​code>​ *       ​wlan0.#</​code>​
-This will create a wlan0.1 interface on top of wlan0 and move all STAs with the RADIUS supplied vlantag 1 to that interface. The second entry is used to dynamically create VLAN interfaces on top of wlan0hostapd will create an interface wlan0.vlantag for each different vlantag as supplied by the RADIUS server. For example, if a STA associates and the RADIUS server attributes contain the vlantag 100 hostapd will create a wlan0.100 interface and map the STA to this new interface. ​+This will create a wlan0.1 interface on top of wlan0 and move all STAs with the RADIUS supplied vlantag 1 to that interface. The second entry is used to dynamically create VLAN interfaces on top of wlan0hostapd will create an interface wlan0.vlantag for each different vlantag as supplied by the RADIUS server. For example, if a STA (station, a.k.a. device) ​associatesand the RADIUS server attributes containthe vlantag 100 then hostapd will create a wlan0.100 interface and map the STA to this new interface. ​
  
  
-==== IEEE 802.11i/​RSN/​WPA2 ​pre-authentication ====+==== IEEE 802.11i/​RSN/​WPA2 ​Pre-authentication ====
  
-IEEE 802.11 roaming experience can be enhanced by pre-authenticating the IEEE 802.1X/EAP part of the full RSN authentication and key handshake before actually associating with a new AP. To enable RSN pre-authentication you will need hostapd enabled RSN pre-authentication and a STA supplicant that also supports and enables RSN pre-authentication. In this section we'll provide a brief on how to enable rsn_preauthentication,​ what this does, and also provide references on how to [[http://​wiki.openwrt.org/​doc/​recipes/​rsn_preauthentication|enable RSN preauthentication on OpenWrt]] and [[en/​users/​Documentation/​wpa_supplicant|enabling RSN preauthentication on wpa_supplicant]] in order to test it. +IEEE 802.11 roaming experience can be enhanced by pre-authenticating the IEEE 802.1X/EAP part of the full RSN authentication and key handshake before actually associating with a new AP. To enable RSN pre-authentication you will need hostapd enabled RSN pre-authentication and a STA supplicant that also supports and enables RSN pre-authentication. In this section we'll provide a brief description ​on how to enable rsn_preauthentication,​ what this does, and also provide references on how to [[http://​wiki.openwrt.org/​doc/​recipes/​rsn_preauthentication|enable RSN preauthentication on OpenWrt]] and [[en/​users/​Documentation/​wpa_supplicant|enabling RSN preauthentication on wpa_supplicant]] in order to test it. 
  
 First and foremost you need to ensure all your APs will be using the same SSID.  First and foremost you need to ensure all your APs will be using the same SSID. 
  
-In order to ensure your APs and RADIUS are on the same network / switch and can talk to each other you can ping each other and review the **arp -a** output, you should see the MAC address of each other'​s AP's bridge interface on the **HW address** column, as well as the RADIUS server'​s MAC address. ​+In order to ensure your APs and RADIUS are on the same network/​switch and can talk to each other you can ping each other and review the **arp -a** output, you should see the MAC address of each other'​s AP's bridge interface on the **HW address** column, as well as the RADIUS server'​s MAC address. ​
  
 For example, say we have two APs and one RADIUS server: ​ For example, say we have two APs and one RADIUS server: ​
             * ap136: 192.168.4.120 ​             * ap136: 192.168.4.120 ​
             * db120: 192.168.4.139 ​             * db120: 192.168.4.139 ​
-            * Radius server: 192.168.4.149 On ap136: ​+            * Radius server: 192.168.4.149 ​ 
 + 
 +On ap136: ​
  
  
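Review bot: "you will need hostapd enabled RSN pre-authentication and a STA supplicant that also supports..." (unchanged in the pre-authentication paragraph) is still ungrammatical; "hostapd with RSN pre-authentication enabled" would parallel the second half of the sentence. The "In order to ensure your APs and RADIUS are on the same network/switch..." sentence is a run-on; end it after "talk to each other" and start a new sentence with "You can ping each other...".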
Line 275: Line 277:
 192.168.4.1 ​     0x1         ​0x2 ​        ​68:​7f:​74:​3b:​b1:​0d ​    ​* ​       br-lan 192.168.4.1 ​     0x1         ​0x2 ​        ​68:​7f:​74:​3b:​b1:​0d ​    ​* ​       br-lan
 192.168.4.120 ​   0x1         ​0x2 ​        ​a2:​69:​db:​89:​44:​88 ​    ​* ​       br-lan</​code>​ 192.168.4.120 ​   0x1         ​0x2 ​        ​a2:​69:​db:​89:​44:​88 ​    ​* ​       br-lan</​code>​
-Assuming in this example the RADIUS server is on 192.168.4.149 ​on hostapd.conf you'll need to enable: ​+Assuming in this example ​that the RADIUS server is on 192.168.4.149, in hostapd.conf you'll need to enable: ​
  
  
Line 303: Line 305:
 Note: the same **SSID** must be used for RSN pre-authentication. ​ Note: the same **SSID** must be used for RSN pre-authentication. ​
  
-If using [[OpenWrt|OpenWrt]],​ simply enabling rsn_preauth is sufficient, ​openwrt ​will automatically add the rsn_preauth_interfaces for you, this is typically your bridge interface. You'll need two instances of hostapd running on two separate devices on the same network / switch. You'll also need a Radius server ​installed on a server on the same network / switch. FreeRADIUS is an example RADIUS solution to install, go [[http://​www.openlogic.com/​wazi/​bid/​188089/​Authenticating-Wi-Fi-Users-with-FreeRADIUS%20with%20EAP-TTLS|read how to install and configure FreeRADIUS for authenticating 802.11 users]]. ​+If using [[OpenWrt|OpenWrt]],​ simply enabling rsn_preauth is sufficient, ​OpenWrt ​will automatically add the rsn_preauth_interfaces for you. This is typically your bridge interface. You'll need two instances of hostapd running on two separate devices on the same network/​switch. You'll also need RADIUS ​installed on a server on the same network/​switch. FreeRADIUS is an example RADIUS solution to install, go to [[http://​www.openlogic.com/​wazi/​bid/​188089/​Authenticating-Wi-Fi-Users-with-FreeRADIUS%20with%20EAP-TTLS|read how to install and configure FreeRADIUS for authenticating 802.11 users]]. ​
  
-Be sure to test the Radius ​server, you can do this by using the eapol_test program, part of hostapd code. +Be sure to test the RADIUS ​server. You can do this by using the eapol_test program, part of hostapd code. 
  
  
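Review bot: "simply enabling rsn_preauth is sufficient, OpenWrt will automatically add..." is still a comma splice after this edit; a semicolon or "sufficient: OpenWrt will" fixes it. "go to [[...|read how to install...]]" reads as "go to read how"; "see [[...|how to install ...]]" is simpler.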
Line 327: Line 329:
  
 <​code>​./​eapol_test -c eapol-config -a 192.168.x.x -p 1812 -s testing123 -r1</​code>​ <​code>​./​eapol_test -c eapol-config -a 192.168.x.x -p 1812 -s testing123 -r1</​code>​
-Provided you have two APs properly configured ​as describe ​with rsn_preauth as described above and on the same network you should now be able to configure a client for RSN pre-authentication. Details on this are available ​on the [[en/​users/​Documentation/​wpa_supplicant|wpa_supplicant RSN preauthentication documentation section]]. ​+Provided you have two APs properly configured with rsn_preauth as described above and on the same networkyou should now be able to configure a client for RSN pre-authentication. Details on this are available ​at the [[en/​users/​Documentation/​wpa_supplicant|wpa_supplicant RSN preauthentication documentation section]]. ​
  
-On the RADIUS server you want to see something like this, the second authentication from the STA to the second AP would go through the already established network on the first AP, after it associated with it. To be precise when a STA decides to try to preauthenticate against another AP is left up to each implementation to decide. This depends on the driver behavior and how it reports scan results or PMKSA candidates. Today wpa_supplicant does this after association and after a first scan completion. ​+On the RADIUS server you want to see something like this: The second authentication from the STA to the second AP would go through the already established network on the first AP, after it associated with it. To be precisewhen a STA decides to try to preauthenticate against another AP, it is left up to each implementation to decide. This depends on the driver behavior and how it reports scan results or PMKSA candidates. Todaywpa_supplicant does this after association and after a first scan completion. ​
  
  
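Review bot: the inserted "it" in "To be precise, when a STA decides to try to preauthenticate against another AP, it is left up to each implementation to decide" makes the sentence read as though the STA is the thing left to decide; in the old text the clause "when a STA decides to try to preauthenticate" was the subject. "Precisely when a STA decides to preauthenticate against another AP is left up to each implementation" keeps the original meaning. Also "something like this: The second authentication..." should not capitalise after the colon, since the colon points at the log excerpt that follows the paragraph.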
Line 357: Line 359:
 Access-Request Id 5     ​192.168.4.139:​35038 -> 192.168.4.149:​1812 ​      ​+2.225 Access-Request Id 5     ​192.168.4.139:​35038 -> 192.168.4.149:​1812 ​      ​+2.225
 Access-Accept Id 5      192.168.4.149:​1812 -> 192.168.4.139:​35038 ​      ​+2.225</​code>​ Access-Accept Id 5      192.168.4.149:​1812 -> 192.168.4.139:​35038 ​      ​+2.225</​code>​
-These logs reveal the STA choose ​to authenticate ​first with ap136 and then db120 once connected on the network with ap136. ​+These logs reveal the STA chose to authenticate with ap136 first and then db120 second, ​once connected on the network with ap136. ​
  
 Assuming you can log in to the STA you should be able to see **two** PMKSA entries: ​ Assuming you can log in to the STA you should be able to see **two** PMKSA entries: ​
Line 366: Line 368:
 1 00:​03:​7f:​47:​20:​a5 eb25d3d579742c0384230fa66748f857 43042 0 1 00:​03:​7f:​47:​20:​a5 eb25d3d579742c0384230fa66748f857 43042 0
 2 00:​03:​7f:​42:​10:​09 a99081d41e18f4632994b59b50bb2447 43044 0</​code>​ 2 00:​03:​7f:​42:​10:​09 a99081d41e18f4632994b59b50bb2447 43044 0</​code>​
-The first one should correspond to the BSSID / MAC address of the wlan interface of ap136, so for example for ap136 this would be the MAC address of wlan1. The second one corresponds to the BSSID / MAC address of the wlan interface of db120, in this case wlan0. To test PMKSA caching you can roam from the STA from one AP to another and verify that upon //​reassociation//​ to the first AP the STA still has present the same PMKID (third field above, or sniff it from the network). ​+The first one should correspond to the BSSID / MAC address of the WLAN interface of ap136, so for example for ap136 this would be the MAC address of wlan1. The second one corresponds to the BSSID / MAC address of the WLAN interface of db120, in this case wlan0. To test PMKSA caching you can roam from the STA of one AP to another and verify that upon //​reassociation//​ to the first AP that the STA still has present the same PMKID (third field above, or sniff it from the network). ​
  
 For testing purposes of RSN preauthentication you want to disable Opportunistic Key Caching as otherwise the PMKSA that the AP derived may have come from Opportunistic Key Caching instead of RSN preauthentication. Opportunistic Key Caching enables the PMKSA entries to be shared between configured interfaces and BSSes (i.e., all configurations within a single hostapd process). ​ For testing purposes of RSN preauthentication you want to disable Opportunistic Key Caching as otherwise the PMKSA that the AP derived may have come from Opportunistic Key Caching instead of RSN preauthentication. Opportunistic Key Caching enables the PMKSA entries to be shared between configured interfaces and BSSes (i.e., all configurations within a single hostapd process). ​
  
  
-==== Admission Control Mandatory ​settings ​====+==== Admission Control Mandatory ​Settings ​====
  
-Admission Control Mandatory (ACM) can be used to limit access to higher priority ACs for traffic control **if** admission control were implemented but it is not implemented in hostapd today. ACM can be enabled for the 4 ACs but should be disabled by default in hostapd.conf ​+Admission Control Mandatory (ACM) can be used to limit access to higher priority ACs for traffic control **if** admission control were implemented but it is not implemented in hostapd today. ACM can be enabled for the 4 ACs but should be disabled by default in hostapd.conf
  
  
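Review bot: the change from "roam from the STA from one AP to another" to "roam from the STA of one AP to another" changes the meaning; what is meant is roaming the STA from one AP to the other, so "roam the STA from one AP to another" is the fix. The same sentence now has a doubled "that" ("verify that upon reassociation to the first AP that the STA still has present"); drop the second one.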
Line 380: Line 382:
 wmm_ac_vi_acm=0 wmm_ac_vi_acm=0
 wmm_ac_vo_acm=0</​code>​ wmm_ac_vo_acm=0</​code>​
-ACM should be disabled by default. ​ In mac80211 we have a work around ​to deal with **strange** access points that have been configured all ACs to require admission control to transmit frames using AC_BK. Setting all ACs to require admission control would be very strange configuration and that should never be used. +ACM should be disabled by default. ​ In mac80211 we have a workaround ​to deal with **strange** access points that have configured all ACs to require admission control to transmit frames using AC_BK. Setting all ACs to require admission control would be very strange configuration and that should never be used. 
  
-There is no point in setting wmm_ac_[option]_acm=1 with any mac80211-based driver since they do not support admission control anyway. The only use for this with a driver that does not support admission control is for testing purposes. ​+There is no point in setting wmm_ac_[option]_acm=1 with any mac80211-based driver since they do not support admission control anyway. The only use for thiswith a driver that does not support admission controlis for testing purposes. ​
  
  
-==== Automatic ​channel selection ​====+==== Automatic ​Channel Selection ​====
  
 This is a work in progress. The patches are yet to be included in mainline hostapd. ​ This is a work in progress. The patches are yet to be included in mainline hostapd. ​
en/users/documentation/hostapd.txt · Last modified: 2017/07/22 20:45 by Todd Andrews