Jouni Malinen | 6 Feb 20:44 2016

Re: WAPI Support in wpa_supplicant

On Fri, Feb 05, 2016 at 01:05:29PM +0000, Shanbhag, Sandeep wrote:
> I read the very old mailing lists (2009) about lack of WAPI support in wpa_supplicant.
> I would like to know if there has been any change since then and what is the official status of WAPI support in wpa_supplicant.

Not much has changed in this area.

> Basically I would like to know if the latest version of wpa_supplicant supports WAPI Supplicant and WAPI Authenticator functionalities?

There is no such functionality in the current open source project.

> I could see only a few WAPI related macros in wpa_supplicant and some very minimal logic using these macros.
> What is the purpose of this?

There are a number of proprietary WAPI implementations based on the open
source wpa_supplicant. These macros make it easier to integrate such
off-tree implementations on top of different wpa_supplicant versions.

> What I understood after some digging up is that if the chip supports SMS4 encryption engine and the driver supports WAPI changes then wpa_supplicant can be used to carry out the security handshake and derive encryption keys.
> Can somebody on the list who has tried this point to any documentation explaining how nl80211, cfg80211, driver and wpa_supplicant together be configured to support WAPI Supplicant and Authenticator functionalities?

Such functionality seems to be available only in proprietary
implementations from various Wi-Fi vendors. So far, I have not seen much
interest in someone contributing such an implementation into the open
source project.

As far as nl80211/cfg80211 is concerned, there is sufficient interface

Nick Lowe | 6 Feb 12:54 2016

[PATCH] Define the NAS-Port-Id RADIUS attribute.

There is then a need to, subsequently, add code to actually send this
attribute in Access-Request and Accounting-Request packets, populated
with the ifname.

Related...

Correction is also needed for the NAS-Port attribute as this is
presently included with a value of 0 where the association id is not
available. Either the attribute should not be present when that occurs
(which is most of the time), or it should contain the ifindex (better)
for the virtual interface. The current implementation does not comply
with RFC 3580 by sending 0.

We need to continue to ensure and be careful that the NAS-Port value
is consistent in Access-Request and subsequent Accounting-Request
packets.

---

Define the NAS-Port-Id RADIUS attribute.

Signed-off-by: Nick Lowe <nick.lowe <at> lugatech.com>
---
 src/radius/radius.c | 1 +
 src/radius/radius.h | 1 +
 2 files changed, 2 insertions(+)

diff --git a/src/radius/radius.c b/src/radius/radius.c
index 266b29f..440f958 100644
--- a/src/radius/radius.c

Badrish Adiga H R | 5 Feb 17:53 2016

MAC Secured WPA supplicant creates new MKA participant for every re-authentication and does not delete the old MKA participant.

Hi all,

I was testing MACSec on a wired WPA Supplicant and found that for
every re-authentication, API ieee802_1x_kay_create_mka gets called and
a new MKA participant gets created. If re-auth time is 300 seconds, over
a period of an hour there would be 12 MKA participants created.
But as per 802.1x standard, shouldn't we delete old MKA participant
upon successful re-authentication? Keeping old MKA instances can lead
to potential memory-leak as well.

Thanks and regards,
Badrish

Padmanabha, Seshadri K. | 4 Feb 21:41 2016

Locating Group Client From Group Owner

Hello all,

I have an Autonomous GO running on a device with display and IO options. My group clients have displays
without IO capability.
I wish to locate GC from GO by sending a message (triggering an audible/visual action). This trigger should
not initiate any sort of connection handshake.

Based on state machine (https://w1.fi/wpa_supplicant/devel/p2p.html), I've tried to restrict myself
to discovery state messages.
Option 1 -
run p2p_find on both sides and fire out p2p_sd_request during this interval and wait for response. GC can
use this as dummy trigger. This does not work consistently all the time. Is there a cleaner option or ways to
improve reliability for stated option?

Thanks,
Sesh

Matthew Keeler | 4 Feb 13:26 2016

Failed to set channel for kernel driver

 
I have been trying a few different things to get hostapd working with my wireless card. With ieee80211d/h
off ACS attempts to use channel 149 (80 MHz wide) and prints out a message of "Could not set channel for
kernel driver". When I turn ieee80211d/h on the message I get is "Can't set freq params" and "DFS
start_dfs_cac() failed, -1". The DFS stuff seems to want to use channel 52. According to iw list both 52
and 149 are supported channels by my hardware.

I am using the ath10k driver with an Airetos AEX-QCA9880-NX wireless card. The full testing configuration I
am attempting to use is below. Is there anything I am completely wrong on or could there be
driver/firmware/hardware issues?

interface=lan-wireless  
driver=nl80211
ssid=test
hw_mode=a
channel=0
ieee80211n=1
ieee80211ac=1
ieee80211d=0
ieee80211h=0
country_code=US
vht_oper_chwidth=1
vht_oper_centr_freq_seg0_idx=42
vht_oper_centr_freq_seg1_idx=159

--  
Matt Keeler  


Naveen Singh | 3 Feb 21:33 2016

Re: Fast connect after losing Link

On Wed, Feb 3, 2016 at 8:56 AM, Naveen Singh <naveen <at> nestlabs.com> wrote:
>
>
> On Wed, Feb 3, 2016 at 4:16 AM, Jouni Malinen <j <at> w1.fi> wrote:
>>
>> On Tue, Feb 02, 2016 at 11:56:09PM -0800, Naveen Singh wrote:
>> > Just after losing wifi link because of an incoming deauth with reason
>> > code 6 or 7, wpa_supplicant sets the fast_reconnect and
>> > fast_reconnect_ssid to current bss and current ssid.
>> >
>> > Later on if fast_reconnect is not NULL it tries to connect to same
>> > SSID. This makes sense for some devices which do not use connman.
>> > Devices using wpa_supplicant with connman this connect is not useful
>> > at all as connman when it gets notified of this disconnect would
>> > disable the network that would end up causing a locally generated
>> > deauth and would nullify this connection attempt.
>>
>> Why would connman do something like that? Large number of enterprise APs
>> use Deauthentication frames to force load balancing and/or band
>> steering. Disabling the network profile immediately on a disconnection
>> event sounds like something that would result in pretty bad user
>> experience in such networks.
>
> Agreed. And we are seeing this.
>>
>>
>> > Instead of having this feature turned on all the time, it would be
>> > good to have a configuration from connman. Initialized value of this
>> > configuration would be turned on meaning fast connect is enabled and
>> > devices using connman along with wpa_supplicant would disable this

Ed W | 3 Feb 13:56 2016

Hostapd exits when requesting HT on non HT card?

Hi, this is a rephrase of a previous question

Is it normal/expected that hostapd will exit with an error if I have a 
config file requesting 802.11n, when the card in question is known not 
to support "n"?  Is there not an argument that hostapd should ignore and 
prefer to continue rather than exit?

For a generic solution it looks like I need to parse details of the card 
in-use and rewrite the conf file appropriately?

Can someone please confirm if this is intended behaviour?

Thanks

Ed W

Naveen Singh | 3 Feb 08:56 2016

Fast connect after losing Link

Hi All
Just after losing wifi link because of an incoming deauth with reason
code 6 or 7, wpa_supplicant sets the fast_reconnect and
fast_reconnect_ssid to current bss and current ssid.

Later on if fast_reconnect is not NULL it tries to connect to same
SSID. This makes sense for some devices which do not use connman.
Devices using wpa_supplicant with connman this connect is not useful
at all as connman when it gets notified of this disconnect would
disable the network that would end up causing a locally generated
deauth and would nullify this connection attempt.

Instead of having this feature turned on all the time, it would be
good to have a configuration from connman. Initialized value of this
configuration would be turned on meaning fast connect is enabled and
devices using connman along with wpa_supplicant would disable this
feature.

Does this make sense?

Regards
Naveen

Gareth McCaughan | 2 Feb 17:25 2016

wpa_supplicant over-eagerly blacklisting AP sending PREV_AUTH_NOT_VALID?

[I originally posted this to the linux-wireless mailing list,
but it was pointed out to me that it should have gone here.
My apologies to anyone who's on both lists and therefore sees
it twice.]

I have some reason to believe the following:

   * Some Cisco wireless APs will regularly try to force clients
     to reauthenticate by sending deauthorization frames
     with reason code 2 (PREV_AUTH_NOT_VALID).

   * When one of these arrives, wpa_supplicant will respond by
     putting the AP on a blacklist and roaming to another AP
     rather than by immediately trying to reauthenticate with
     the same AP.

This is a Bad Thing (isn't it?) because e.g. if you have two of
these APs within range but one provides a much better signal
than the other, you'll alternate between them rather than
sticking with the good one. It seems like it might be better
for wpa_supplicant to try the original AP again immediately.

(The problem that actually sent me looking at this stuff is
more severe and involves machines completely falling off
the network after several of these transitions, but I think
that's a separate issue that I don't understand yet.)

Some details follow.

                                *

Janusz Dziedzic | 2 Feb 12:16 2016

wpa_cli sometimes "hang" and don't display events

Hello,

Latest wpa_supplicant.
I am testing ath9k/ath10k/hwsim with wpa_supplicant + wpa_cli
(standard config from tests/hwsim, unix sockets).
After running wpa_cli I just type:
p2p_group_add

or p2p_group_add / p2p_group_remove / p2p_group_add ...

After that I just see hang - like in attachment - no event seen.
After I hit <enter> once again I get event with P2P-GROUP-STARTED.

Seems like some monitor eloop issue?

BR
Janusz
_______________________________________________
Hostap mailing list
Hostap <at> lists.infradead.org
http://lists.infradead.org/mailman/listinfo/hostap

Nagaraj Nayak | 2 Feb 07:34 2016

changing the channel without bringing down hostapd .

Hi
I have been testing with hostapd2.4 and hostapd2.5.
In both versions, when I give the SIGHUP command, only the ssid and password
changes take effect,
but the channel configured doesn't seem to change.
Is there any method by which the channel can be changed without bringing
down hostapd?

Regards
Nagaraj
