Paresh Sawant | 3 Sep 22:59 2015

Two Factor Authentication using EAP-TTLS

Hi,

Does the hostap configuration support two-factor authentication of the
client? I'm looking for a hostap configuration (as a RADIUS server)
that'll allow the client to be authenticated using a certificate in the outer
phase and some other method, e.g. EAP-MSCHAPV2, in the inner phase.

Thanks,
Paresh
Robert Senger | 3 Sep 00:23 2015

Forcing clients into 2.4 or 5 GHz band

Hi all,

I am running hostapd on a machine with two interfaces in dual band mode.
Both interfaces provide a number of SSIDs with different configurations
(Staff/Guest, PSK/EAP, ipv4/ipv6 etc.). For each configuration, the 2.4
GHz and 5 GHz SSID should be identical, so that users only choose SSID
and let the device choose whether it connects to 2.4 or 5 GHz wifi (if
it's dual band at all). 

This works nicely for almost all devices (Linux, Windows, OSX, iOS) but...
Android.

Dual band Android devices seem to have trouble when switching between
2.4 and 5 GHz too fast; as far as I can see this is related to IPv6
address configuration.

Instead of requiring the users to set their device to 2.4 or 5 GHz only,
I would like to force the clients into the 5 GHz network server-side.

The only way I've found to do this is to put the mac address of the
Android clients into a deny_mac_file and add this option to the 2.4 GHz
configuration file (to force them to use 5 GHz).

This is not very elegant, so I would like to ask if there is a better
way to do this.

Cheers,

Robert


Yury Shvedov | 1 Sep 15:22 2015

802.11r and FT-EAP

Hi,

I'm working with 802.11r and trying to test my scheme using
mac80211_hwsim. I configured hostapd and wpa_supplicant to use FT-PSK
first. It works fine. But when I try to use RADIUS with FT (FT-EAP), the
4-way handshake failed. Surfing the code and debug logs I found out that
the reason is in the xxkey field of wpa_state_machine (it is empty and FT
can't derive the PTK). The xxkey is set by wpa_auth when eapKeyData is 64
bytes long (2 * PMK_LEN). But eapKeyData is filled only by the RADIUS
MS-MPPE-Send-Key and MS-MPPE-Recv-Key, both 16 bytes long.

The most interesting log of hostapd is:

WPA: 02:00:00:00:02:00 WPA_PTK entering state PTKSTART
wlan3: STA 02:00:00:00:02:00 WPA: sending 1/4 msg of 4-Way Handshake
WPA: Send EAPOL(version=3 secure=0 mic=0 ack=1 install=0 pairwise=1 
kde_len=22 keyidx=0 encr=0)
WPA: Replay Counter - hexdump(len=8): 00 00 00 00 00 00 00 02
WPA: Use EAPOL-Key timeout of 1000 ms (retry counter 2)
wlan3: Event EAPOL_TX_STATUS (38) received
IEEE 802.1X: 02:00:00:00:02:00 TX status - version=2 type=3 length=117 - 
ack=1
WPA: EAPOL-Key TX status for STA 02:00:00:00:02:00 ack=1
wlan3: Event EAPOL_RX (24) received
IEEE 802.1X: 252 bytes from 02:00:00:00:02:00
    IEEE 802.1X: version=1 type=3 length=248
WPA: Received EAPOL-Key from 02:00:00:00:02:00 key_info=0x10b type=2 
key_data_length=153
WPA: Received Key Nonce - hexdump(len=32): 9f 9b 4a 15 31 ab 3e 91 be 1d 
cd 81 10 7b 5e b0 09 8b bb f1 77 6e 03 17 30 7c ff 73 fc 1f 46 6c
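The length dependency in Yury's description, as an added example (not hostapd code and not part of the post): the MSK is assembled the way hostapd's RADIUS client does it, MS-MPPE-Recv-Key || MS-MPPE-Send-Key, XXKey is taken as the second PMK_LEN bytes only when at least 2 * PMK_LEN bytes are present, and the 802.11r PMK-R0/PMK-R1 hierarchy is run from it with the KDF of IEEE 802.11-2012 11.6.1.7. The SSID, MDID, R0KH-ID, BSSID and the sample MPPE keys are constructed; the STA address is the one from the log above; all function names are this example's own.

```python
"""802.11r (FT) key hierarchy driven from RADIUS MS-MPPE keys.

Added example, not hostapd code.  Reproduces the length dependency described
in the post: the RADIUS client assembles eapKeyData as
MS-MPPE-Recv-Key || MS-MPPE-Send-Key and XXKey (the second 256 bits of the
MSK) is only available when that buffer holds at least 2 * PMK_LEN = 64 bytes.
KDF and context layout follow IEEE 802.11-2012 11.6.1.7; names and sample
inputs below are this example's own.
"""
import hashlib
import hmac
import struct

PMK_LEN = 32  # bytes; same constant name as hostapd uses


def kdf_sha256(key: bytes, label: bytes, context: bytes, out_bits: int) -> bytes:
    """IEEE 802.11 KDF-Length: concatenate HMAC-SHA-256(key, i || label || context || Length)
    for i = 1, 2, ... with i and Length encoded as 16-bit little-endian integers."""
    out = b""
    i = 1
    while len(out) * 8 < out_bits:
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", out_bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
        i += 1
    return out[: out_bits // 8]


def msk_from_mppe(recv_key: bytes, send_key: bytes) -> bytes:
    """eapKeyData as the RADIUS client assembles it: Recv-Key || Send-Key."""
    return recv_key + send_key


def xxkey_from_msk(msk: bytes):
    """XXKey = MSK[PMK_LEN:2*PMK_LEN]; None when the MSK is shorter than 2*PMK_LEN,
    which is the empty xxkey that makes the FT PTK derivation fail."""
    if len(msk) < 2 * PMK_LEN:
        return None
    return msk[PMK_LEN:2 * PMK_LEN]


def derive_pmk_r0(xxkey, ssid, mdid, r0kh_id, s0kh_id):
    """R0-Key-Data = KDF-384(XXKey, "FT-R0", SSIDlength || SSID || MDID || R0KHlength || R0KH-ID || S0KH-ID)
    PMK-R0 = first 256 bits; PMKR0Name = Truncate-128(SHA-256("FT-R0N" || next 128 bits))."""
    context = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + s0kh_id
    r0_key_data = kdf_sha256(xxkey, b"FT-R0", context, 384)
    pmk_r0, salt = r0_key_data[:32], r0_key_data[32:48]
    pmk_r0_name = hashlib.sha256(b"FT-R0N" + salt).digest()[:16]
    return pmk_r0, pmk_r0_name


def derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh_id, s1kh_id):
    """PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID)
    PMKR1Name = Truncate-128(SHA-256("FT-R1N" || PMKR0Name || R1KH-ID || S1KH-ID))."""
    pmk_r1 = kdf_sha256(pmk_r0, b"FT-R1", r1kh_id + s1kh_id, 256)
    pmk_r1_name = hashlib.sha256(b"FT-R1N" + pmk_r0_name + r1kh_id + s1kh_id).digest()[:16]
    return pmk_r1, pmk_r1_name


def ft_keys_from_radius(recv_key, send_key, ssid, mdid, r0kh_id, bssid, sta_addr):
    """Full path from the two RADIUS attributes to PMK-R1.  Returns None where the
    authenticator would be left with an empty xxkey (MSK shorter than 64 bytes)."""
    msk = msk_from_mppe(recv_key, send_key)
    xxkey = xxkey_from_msk(msk)
    if xxkey is None:
        return None
    pmk_r0, pmk_r0_name = derive_pmk_r0(xxkey, ssid, mdid, r0kh_id, sta_addr)
    pmk_r1, pmk_r1_name = derive_pmk_r1(pmk_r0, pmk_r0_name, bssid, sta_addr)
    return {"msk": msk, "xxkey": xxkey, "pmk_r0": pmk_r0, "pmk_r0_name": pmk_r0_name,
            "pmk_r1": pmk_r1, "pmk_r1_name": pmk_r1_name}


# Constructed inputs (not from any real capture).
SSID = b"ft-test"
MDID = b"\xa1\xb2"
R0KH_ID = b"ap1.example"              # NAS-Identifier style R0KH-ID
BSSID = bytes.fromhex("020000000000")
STA = bytes.fromhex("020000000200")   # the STA address from the log in the post

if __name__ == "__main__":
    # Case 1: a server returning 16-byte MPPE keys -> 32-byte MSK, no XXKey.
    short = ft_keys_from_radius(b"\x11" * 16, b"\x22" * 16, SSID, MDID, R0KH_ID, BSSID, STA)
    print("16-byte MPPE keys ->", "no XXKey, FT PTK derivation fails" if short is None else "ok")
    # Case 2: a TLS-based EAP method exports a 64-byte MSK -> 32 bytes per attribute, XXKey present.
    full = ft_keys_from_radius(b"\x11" * 32, b"\x22" * 32, SSID, MDID, R0KH_ID, BSSID, STA)
    print("32-byte MPPE keys -> PMK-R1 =", full["pmk_r1"].hex())
```

With 16-byte MPPE keys, as an MSCHAPv2-only server produces (RFC 3079), the MSK is 32 bytes and the function returns None, which is the empty xxkey in the post; a TLS-based EAP method (EAP-TLS, EAP-TTLS, PEAP) exports a 64-byte MSK, so each attribute carries 32 bytes and XXKey is exactly the MS-MPPE-Send-Key half.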

Stefano Cappa | 31 Aug 01:40 2015

Execute wpa_supplicant on Android 5.1 or higher

Hi,
I've a problem.

I started wpa_supplicant manually on a Nexus 5 in this way:
- I modified the wpa_supplicant.conf with this line: ctrl_interface=/data/misc/wifi/sockets
- And finally I started wpa_supplicant specifying the network interface and the config file.
- Everything was ok, on Android 5.0.2.

But now, on Android 5.1.1 (Nexus 5), I can't do that, because in "/data/misc/wifi/sockets" there
aren't sockets (like wlan0, p2p0).
How can I start wpa_supplicant on 5.1?


PS: with a Nexus 9, this happens also with Android 5.0, only on a Nexus5 this problem appears with 5.1

Thank you,
Stefano
_______________________________________________
HostAP mailing list
HostAP <at> lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/hostap
Atul Joshi | 30 Aug 15:18 2015

wpa_supplicant and provision discovery (PD)

Hi,

According to the wpa_supplicant 2.4 code:

1. If the local device has only one config method supported
2. If the peer sends a Provision Discovery Request with some other valid but not supported config method
3. The local device still sends a Response with the config method from the provision discovery request

From the supplicant code I can see that, in function p2p_process_prov_disc_req,
we check the config methods in the PD request against all valid config methods
rather than just the supported ones:

if (!(msg.wps_config_methods &
      (WPS_CONFIG_DISPLAY | WPS_CONFIG_KEYPAD |
       WPS_CONFIG_PUSHBUTTON | WPS_CONFIG_P2PS))) {
	p2p_dbg(p2p, "Unsupported Config Methods in Provision Discovery Request");
	goto out;
}

This is against the P2P spec.

Do we need to patch the supplicant or am I missing something?

Thanks

atul

Paresh Sawant | 30 Aug 02:43 2015

Two Factor Authentication using EAP-TTLS

Hi,

Does the hostap configuration support two-factor authentication of the
client? I'm looking for a hostap configuration (as a RADIUS server)
that'll allow the client to be authenticated using a certificate in the outer
phase and some other method, e.g. EAP-MSCHAPV2, in the inner phase.

Thanks,
Paresh
Ramprasad Vempati | 29 Aug 21:35 2015

Absolute Timestamp in Debug logs instead of epoch time!

Hi,

 I would like to have an absolute timestamp in the debug logs of
wpa_supplicant/hostapd, instead of epoch time, as it's really hard when
you analyse multiple log files like the kernel log along with the supplicant
log. Is there a way to do this?

I understand an epoch timestamp in the debug logs will be included when you
use the -t option.

-ram
Lubomir Rintel | 29 Aug 14:30 2015

[PATCH v3] wpa_supplicant: Deinitialize the driver if the last user went away

It might be that the underlying infrastructure went away and the state is no
longer valid. We ought to reinitialize it once a device appears again.

This is the case when the nl80211 devices disappear and cfg80211 is removed
afterwards. The netlink handle is no longer valid (returns ENOENT) and a new
one needs to be opened if it's loaded back.

Signed-off-by: Lubomir Rintel <lkundrak <at> v3.sk>
---
This was just updated to address the crashes during test suite run;
moved the interface removal from the list just above the driver
cleanup attempt.

 wpa_supplicant/wpa_supplicant.c | 48 ++++++++++++++++++++++++++++++-----------
 1 file changed, 36 insertions(+), 12 deletions(-)

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 493b3a8..8bc9a48 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
 <at>  <at>  -4468,6 +4468,28  <at>  <at>  static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
 	return 0;
 }

+/* Deinitialize the driver if we're the last user. */
+static void wpa_drv_cleanup(struct wpa_supplicant *wpa_s)
+{
+	struct wpa_global *global = wpa_s->global;
+	struct wpa_supplicant *iface;
+	int i;
+
+	if (!wpa_s->driver)
+		return;
+
+	for (iface = global->ifaces; iface; iface = iface->next)
+		if (iface->driver == wpa_s->driver)
+			return;
+
+	for (i = 0; wpa_drivers[i]; i++)
+		if (global->drv_priv[i] == wpa_s->global_drv_priv)
+			global->drv_priv[i] = NULL;
+
+	if (wpa_s->driver->global_deinit)
+		wpa_s->driver->global_deinit (wpa_s->global_drv_priv);
+	wpa_s->global_drv_priv = NULL;
+}

 static void wpa_supplicant_deinit_iface(struct wpa_supplicant *wpa_s,
 					int notify, int terminate)
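Review bot: the last-user test `if (iface->driver == wpa_s->driver) return;` in wpa_drv_cleanup() is only correct if wpa_s has already been unlinked from global->ifaces; while it is still on the list the loop finds wpa_s itself and returns without deinitializing anything. That precondition is established only by the caller, so document it in the comment above the function ("must be called after wpa_s is removed from global->ifaces"). Separately, when wpa_s->global_drv_priv is NULL (a driver without global_init), the slot loop `if (global->drv_priv[i] == wpa_s->global_drv_priv)` matches every empty slot and global_deinit() would be handed a NULL pointer; an early `if (!wpa_s->global_drv_priv) return;` next to the existing `if (!wpa_s->driver)` check covers both. Minor style: `global_deinit (wpa_s->global_drv_priv)` has a space before the parenthesis that the surrounding calls do not.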
 <at>  <at>  -4656,18 +4678,6  <at>  <at>  int wpa_supplicant_remove_iface(struct wpa_global *global,
 	char *ifname = NULL;
 #endif /* CONFIG_MESH */

-	/* Remove interface from the global list of interfaces */
-	prev = global->ifaces;
-	if (prev == wpa_s) {
-		global->ifaces = wpa_s->next;
-	} else {
-		while (prev && prev->next != wpa_s)
-			prev = prev->next;
-		if (prev == NULL)
-			return -1;
-		prev->next = wpa_s->next;
-	}
-
 	wpa_dbg(wpa_s, MSG_DEBUG, "Removing interface %s", wpa_s->ifname);

 #ifdef CONFIG_MESH
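Review bot: removing the unlink from this position changes the failure path: a wpa_s that is not on global->ifaces used to hit `return -1` immediately, and now reaches the `wpa_dbg(wpa_s, MSG_DEBUG, "Removing interface %s", ...)` message and the CONFIG_MESH handling that follows before the lookup fails later in the function. If that reordering is deliberate (the cover note says it was done to avoid crashes during the test suite run), the commit message should say why the unlink must come after those steps.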
 <at>  <at>  -4694,6 +4704,20  <at>  <at>  int wpa_supplicant_remove_iface(struct wpa_global *global,
 	}
 #endif /* CONFIG_MESH */

+	/* Remove interface from the global list of interfaces */
+	prev = global->ifaces;
+	if (prev == wpa_s) {
+		global->ifaces = wpa_s->next;
+	} else {
+		while (prev && prev->next != wpa_s)
+			prev = prev->next;
+		if (prev == NULL)
+			return -1;
+		prev->next = wpa_s->next;
+	}
+
+	wpa_drv_cleanup(wpa_s);
+
 	return 0;
 }

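Review bot: `wpa_drv_cleanup(wpa_s)` reads wpa_s->driver, wpa_s->global and wpa_s->global_drv_priv at the very end of the function, after whatever the code between this hunk and the previous one does to the interface; nothing in the visible lines shows that wpa_s and its driver binding are still valid at that point, and the cover note says the placement was moved to address crashes in the test suite. Add a comment stating the lifetime assumption (or move the cleanup to sit directly after the step that tears down the interface's driver) so the next reordering does not reintroduce the crash. Also, the `return -1` in the re-added unlink loop exits before wpa_drv_cleanup() is reached; if that is intended, a short comment would help.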
-- 
2.4.3
Paresh Sawant | 28 Aug 18:39 2015

Two Factor Authentication using EAP-TTLS

Hi,

Does the hostap configuration support two-factor authentication of the
client? I'm looking for a hostap configuration (as a RADIUS server)
that'll allow the client to be authenticated using a certificate in the outer
phase and some other method, e.g. EAP-MSCHAPV2, in the inner phase.

Thanks,
Paresh
Jānis Čoders | 28 Aug 16:07 2015

wpa-supplicant EAP-TLS Key derivation TLS 1.2

Hi, I am developing an 802.1X client/authenticator and a RADIUS server with
EAP method support and got confused about key derivation.

In rfc5216#section-2.3 (EAP-TLS) it is stated that key derivation is
done using the TLS pseudo-random function:
"
TLS-PRF-X =     TLS pseudo-random function defined in [RFC4346],
                   computed to X octets.
"
and it links to the RFC with TLS version 1.1.

*) So the question is - does that mean that EAP-TLS must
derive keys using the TLS 1.1 version, OR must it derive the key according to
whichever TLS version was used to make the tunnel?

1) IF the key must be derived in all cases as in TLS 1.1, then we can't
use the openssl library's function SSL_export_keying_material(), because it
seems to derive according to the TLS version used.

2) IF the key must be derived according to the TLS version used, then using
SSL_export_keying_material() is fine, but that function is available only from
a newer version (tls_openssl.c):

#if OPENSSL_VERSION_NUMBER >= 0x10001000L

and if this fails then wpa_supplicant falls back to using
internal/custom functions, which derive keys according to TLS 1.1. So it would
fail in case there is openssl on the other side, which uses
SSL_export_keying_material().

Also I think the same applies to EAP-TTLS (maybe even PEAP/FAST/LEAP)

-- 
Ar cieņu,
Jānis Čoders
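The two PRFs Jānis is asking about, as an added example (not code from wpa_supplicant, hostapd or OpenSSL, and not part of the post): the EAP-TLS key derivation of RFC 5216 section 2.3 evaluated once with the TLS 1.0/1.1 PRF of RFC 4346 (P_MD5 XOR P_SHA1 over the two halves of the secret) and once with the TLS 1.2 PRF of RFC 5246 (P_SHA256, as used by the SHA-256 based cipher suites). The master secret and randoms are constructed; the function names are this example's own.

```python
"""EAP-TLS key material (RFC 5216 section 2.3) with the TLS 1.1 PRF and the TLS 1.2 PRF.

Added example, not wpa_supplicant, hostapd or OpenSSL code.  RFC 5216 writes
the derivation as TLS-PRF-128(master_secret, "client EAP encryption",
client.random || server.random); the post asks which PRF that means.  Both
PRFs are implemented here from RFC 4346 section 5 and RFC 5246 section 5 so
the two results can be compared on the same inputs.  Sample secret and
randoms are constructed, not taken from a real handshake.
"""
import hmac

EAP_TLS_LABEL = b"client EAP encryption"


def p_hash(digest: str, secret: bytes, seed: bytes, out_len: int) -> bytes:
    """P_hash: HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)), truncated to out_len."""
    out = b""
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:out_len]


def prf_tls11(secret: bytes, label: bytes, seed: bytes, out_len: int) -> bytes:
    """TLS 1.0/1.1 PRF: P_MD5(S1, label || seed) XOR P_SHA1(S2, label || seed),
    S1/S2 the two halves of the secret (the middle byte goes into both when odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, out_len)
    sha1_part = p_hash("sha1", s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def prf_tls12(secret: bytes, label: bytes, seed: bytes, out_len: int) -> bytes:
    """TLS 1.2 PRF for the SHA-256 based cipher suites: P_SHA256(secret, label || seed)."""
    return p_hash("sha256", secret, label + seed, out_len)


def eap_tls_msk(master_secret, client_random, server_random, prf):
    """Key_Material = TLS-PRF-128(master_secret, label, client.random || server.random);
    MSK = Key_Material[0:64], EMSK = Key_Material[64:128]."""
    key_material = prf(master_secret, EAP_TLS_LABEL, client_random + server_random, 128)
    return key_material[:64], key_material[64:128]


def compare_prfs(master_secret, client_random, server_random):
    """MSK under both PRF definitions; 'same' is False when the peers would disagree."""
    msk11, _ = eap_tls_msk(master_secret, client_random, server_random, prf_tls11)
    msk12, _ = eap_tls_msk(master_secret, client_random, server_random, prf_tls12)
    return {"tls11_msk": msk11, "tls12_msk": msk12, "same": msk11 == msk12}


# Constructed values: a 48-byte master secret and two 32-byte randoms.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    r = compare_prfs(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    print("TLS 1.1 PRF MSK:", r["tls11_msk"].hex())
    print("TLS 1.2 PRF MSK:", r["tls12_msk"].hex())
    print("identical:", r["same"])
```

The RFC 5705 exporter without a context, which is what SSL_export_keying_material() computes when no context is supplied, is exactly PRF(master_secret, label, client_random || server_random) using the PRF of the negotiated protocol version, so on a TLS 1.2 connection OpenSSL yields the prf_tls12 result above while a fixed TLS 1.1 derivation yields a different MSK. The two peers then hold different PMKs, and the mismatch shows up at the EAPOL 4-way handshake rather than as an EAP failure.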
Atul Joshi | 28 Aug 12:06 2015

wpa_supplicant and WPS config methods vs P2P config methods

Hello,

wpa_supplicant has a CLI command SET config_methods to set WPS config methods, but the config methods within the P2P device info attribute are taken from p2p_supplicant.conf; this can lead to a discrepancy in config method advertisement.

Is there a CLI command to set the config method in the P2P device info attribute?

Any help would be appreciated

 

Thanks

Atul  
