Jouni Malinen | 1 May 16:57 2010

Re: wpa_supplicant disconnects and fails to reconnect (wpa-enterprise)

On Wed, Apr 21, 2010 at 02:42:23PM +0200, Georges Toth wrote:

> So when I lose the connection that is actually the time when the AP requests 
> a re-authentication (AFAICT) and wpa_supplicant fails to do this "correctly".

> I collected some debug output today (using -dd) which contains logs from when 
> I first connected to this network, after losing the connection the first time 
> and several re-connection attempts thereafter.
> I can send them on demand if this could be useful for locating the problem 
> (~1MB).

Is this referring to the same log that is attached to a debug bug at the
following address?

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=wpa_supplicant_debug.bz2;att=1;bug=579297

If not, could you please send me the logs? It could also be useful to
get a debug log with timestamps included (add -t on the command line). It
is somewhat unclear what the timing is, but it looks like the
authentication server does not like PEAP session resumption attempts and
then starts behaving incorrectly after this. Do you happen to know which
authentication server is used in this network?

Every now and then, authentication seems to actually succeed even with
PEAP session resumption, but the AP disconnects the client shortly after
the successfully completed authentication for some reason.

If you want to run a test without session resumption, you can disable
this by adding fast_reauth=0 to wpa_supplicant configuration file. I
would expect this to avoid some of the problems shown in the log, but it

Georges Toth | 1 May 19:57 2010

Re: wpa_supplicant disconnects and fails to reconnect (wpa-enterprise)

On Saturday 01 May 2010 16:57:36 Jouni Malinen wrote:
> On Wed, Apr 21, 2010 at 02:42:23PM +0200, Georges Toth wrote:
> > So when I lose the connection that is actually the time when the AP
> > requests a re-authentication (AFAICT) and wpa_supplicant fails to do
> > this "correctly".
> > 
> > I collected some debug output today (using -dd) which contains logs from
> > when I first connected to this network, after losing the connection the
> > first time and several re-connection attempts thereafter.
> > I can send them on demand if this could be useful for locating the
> > problem (~1MB).
> 
> Is this referring to the same log that is attached to a debug bug at the
> following address?
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=wpa_supplicant_debug.bz2;att=1;bug=579297

That's exactly the file I was talking about.

 
> If not, could you please send me the logs? It could also be useful to
> get a debug log with timestamps included (add -t on the command line). It
> is somewhat unclear what the timing is,

I'll try to create another log with timestamps

> but it looks like the
> authentication server does not like PEAP session resumption attempts and
> then starts behaving incorrectly after this. Do you happen to know which

Christ Schlacta | 1 May 21:16 2010

WPA enterprise certificates without user passwords

I want to configure my network so that anyone with a (non-revoked, 
non-expired) certificate can connect without a username or password.  Is 
that possible?  Is it possible to issue username/password as a fallback 
for short-term clients?

Jouni Malinen | 1 May 21:39 2010

Re: internal RADIUS server

On Wed, Apr 28, 2010 at 03:34:19PM +0100, Panagiotis Georgopoulos wrote:
>                 I have a simple question regarding the internal RADIUS
> server of hostapd. What functionalities does it include? What is it capable
> of and how can I interact with it?

It includes RADIUS authentication support with a number of EAP methods,
but pretty much no other RADIUS functionality.

> ath1: STA 00:1b:2f:2c:ad:d9 RADIUS: starting accounting session
> 4BD8402B-00000001

> The above implies that there is accounting information being stored for
> that specific client, how can I query the daemon for this and what other
> functionalities does the internal RADIUS server of hostapd have? Are these
> being described somewhere?

This is from the NAS side and the internal RADIUS server does not
support accounting.

-- 
Jouni Malinen                                            PGP id EFC895FA

Jouni Malinen | 1 May 21:51 2010

Re: After connecting with wpa_supplicant, dhcp is not working

On Thu, Apr 22, 2010 at 11:54:26AM -0400, Aaron Small wrote:
> Has anyone experienced something like this, or have an idea how to
> diagnose it? I have wpa_supplicant logs collected with -dd if these
> would be of any help.

Both the DHCP and IP connectivity (likely ARP failing) sound like
problems with broadcast frames. The 24-48 hour window when things work
could be the time it takes for the AP to change its broadcast frame
encryption key (GTK). My initial guess would be on the AP having some
problems unless you can clearly show that you have a client that works
now while another client does not.

The part to look at in the logs would be the group key configuration
(GTK), including the key index. If you can easily generate debug logs
from wpa_supplicant when the connection works and when it fails, that
could provide some more information to confirm that this is indeed
likely related to GTK rekeying. An additional step would be to use a
wireless sniffer to check which key index the broadcast data frames are
using and whether it matches with the key that was configured on the
client (mainly, that the key index is the same).

-- 
Jouni Malinen                                            PGP id EFC895FA
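
The check described in the message above, as an added example that is not part of the original message or of wpa_supplicant: it extracts GTK installs and key indexes from a timestamped debug log and flags sniffed broadcast frames whose key ID differs from the index the client held at that time. The log line format, the function names and all sample data are assumptions constructed for illustration.

```python
import re
from bisect import bisect_right

# Assumed line format (wpa_supplicant -dd -t): "<sec>.<usec>: WPA: Installing GTK
# to the driver (keyidx=N tx=N len=N)."
GTK_RE = re.compile(
    r"^(?P<ts>\d+\.\d+): .*Installing GTK to the driver "
    r"\(keyidx=(?P<idx>\d+) tx=\d+ len=(?P<len>\d+)\)"
)

# Constructed sample log: initial GTK, then a rekey about 24 hours later.
SAMPLE_LOG = """\
1272700000.100000: WPA: RX message 3 of 4-Way Handshake from 02:00:00:00:00:01 (ver=2)
1272700000.120000: WPA: Installing GTK to the driver (keyidx=1 tx=0 len=16).
1272786400.500000: WPA: RX message 1 of Group Key Handshake from 02:00:00:00:00:01 (ver=2)
1272786400.510000: WPA: Installing GTK to the driver (keyidx=2 tx=0 len=16).
""".splitlines()

# Constructed sniffer observations: (capture time, key ID of a broadcast data frame).
SAMPLE_FRAMES = [(1272700100.0, 1), (1272786500.0, 2), (1272872900.0, 1)]

def gtk_installs(lines):
    """Return [(timestamp, keyidx, keylen)] for every GTK install in the log."""
    found = []
    for line in lines:
        m = GTK_RE.match(line)
        if m:
            found.append((float(m["ts"]), int(m["idx"]), int(m["len"])))
    return found

def rekey_intervals(installs):
    """Seconds between consecutive GTK installs, to compare with the failure window."""
    return [round(b[0] - a[0], 3) for a, b in zip(installs, installs[1:])]

def keyidx_mismatches(installs, frames):
    """Broadcast frames whose key ID differs from the GTK index the client held
    at that time. Returns [(frame_time, frame_keyid, client_keyidx_or_None)]."""
    times = [t for t, _, _ in installs]
    bad = []
    for ts, keyid in frames:
        i = bisect_right(times, ts) - 1
        held = installs[i][1] if i >= 0 else None
        if held != keyid:
            bad.append((ts, keyid, held))
    return bad

if __name__ == "__main__":
    inst = gtk_installs(SAMPLE_LOG)
    print(inst, rekey_intervals(inst), keyidx_mismatches(inst, SAMPLE_FRAMES))
```
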
Jouni Malinen | 1 May 22:07 2010

Re: wpa_supplicant disconnects and fails to reconnect (wpa-enterprise)

On Sat, May 01, 2010 at 07:57:40PM +0200, Georges Toth wrote:
> On the other hand I have setup a similar network using EAP-TTLS and 
> freeradius, also have session resumption disabled and strangely have exactly 
> the same problems there.

This sounds like an easier testing environment. Could you please send me
debug logs from this, both from wpa_supplicant and from FreeRADIUS, for
the same authentication + reconnection cases? I did not see problems
with session resumption in my tests with FreeRADIUS with current
wpa_supplicant code built with OpenSSL.

-- 
Jouni Malinen                                            PGP id EFC895FA

Kel Modderman | 2 May 03:02 2010

enable_network command fubar'd?

Hi Jouni,

I've been looking at new bugs in wpa_gui (0.7.2) and found that I am unable to
enable newly created networks. I thought it was a problem with the gui but
could reproduce with wpa_cli:

> list_networks
network id / ssid / bssid / flags
0       configap        any     [CURRENT]
> add_network
1
> set_network 1 ssid "foo"
OK
> enable_network 1
OK
> list_networks
network id / ssid / bssid / flags
0       configap        any     [CURRENT]
1       foo     any     [DISABLED]

Can you reproduce this?

Thanks, Kel.

Kel Modderman | 2 May 03:05 2010

[PATCH] wpa_gui-qt4: use regexps in disable, enable, select, edit network functions

Use regular expression matches to see if input is not the (now translated?)
string "Select any network" and is a "<network id>: <ssid>" string or the
"all" keyword where that is applicable.

Signed-off-by: Kel Modderman <kel <at> otaku42.de>
---
--- a/wpa_supplicant/wpa_gui-qt4/wpagui.cpp
+++ b/wpa_supplicant/wpa_gui-qt4/wpagui.cpp
 <at>  <at>  -971,17 +971,10  <at>  <at>  void WpaGui::selectNetwork( const QStrin
 	char reply[10];
 	size_t reply_len = sizeof(reply);

-	if (cmd.compare(tr("Select any network"))) {
+	if (cmd.contains(QRegExp("^\\d+:")))
+		cmd.truncate(cmd.indexOf(':'));
+	else
 		cmd = "any";
-	} else {
-		int pos = cmd.indexOf(':');
-		if (pos < 0) {
-			printf("Invalid selectNetwork '%s'\n",
-			       cmd.toAscii().constData());
-			return;
-		}
-		cmd.truncate(pos);
-	}
 	cmd.prepend("SELECT_NETWORK ");
 	ctrlRequest(cmd.toAscii().constData(), reply, &reply_len);
 	triggerUpdate();
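Review bot: In selectNetwork(), the new else branch turns every string that does not match ^\d+: into "any", so the removed "Invalid selectNetwork" error path is gone and unexpected input (an empty string, a malformed entry) now silently issues SELECT_NETWORK any instead of returning. Consider keeping an explicit match for the "Select any network" entry and logging and returning for anything else, so only the intended selection reaches the control interface. The reply from ctrlRequest() is also not inspected in these lines, so a failed command would go unnoticed before triggerUpdate().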
 <at>  <at>  -995,14 +988,12  <at>  <at>  void WpaGui::enableNetwork(const QString

Kel Modderman | 2 May 03:21 2010

Re: enable_network command fubar'd?

On Sunday 02 May 2010 11:02:26 Kel Modderman wrote:
> Hi Jouni,
> 
> I've been looking at new bugs in wpa_gui (0.7.2) and found that I am unable to
> enable newly created networks. I thought it was a problem with the gui but
> could reproduce with wpa_cli:
> 
> > list_networks
> network id / ssid / bssid / flags
> 0       configap        any     [CURRENT]
> > add_network
> 1
> > set_network 1 ssid "foo"
> OK
> > enable_network 1
> OK
> > list_networks
> network id / ssid / bssid / flags
> 0       configap        any     [CURRENT]
> 1       foo     any     [DISABLED]
> 
> Can you reproduce this?

Enable a network block, even if there is a current configuration, if it was
disabled.

Signed-off-by: Kel Modderman <kel <at> otaku42.de>
---
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c

Jouni Malinen | 2 May 09:25 2010

Re: The Wireless LAN Controller implementation

On Mon, Apr 19, 2010 at 02:31:49PM +0900, Masashi Honma wrote:

> I'm planning to implement Wireless LAN Controller (WLC). The WLC is
> Cisco hardware which exists between AP and RADIUS server. The figure
> is "STA --- AP --- WLC --- RADIUS server". The WLC receives EAPOL
> frame from AP and processes it as authenticator. The AP is just like
> an antenna. So previous figure will be drawn as
> "supplicant --- antenna --- authenticator --- authentication server".
> The AP and WLC communicate with UDP.

Is this only EAPOL or are some IEEE 802.11 management frames handled at
the WLC, too?

> I will implement WLC as some patches to hostapd/wpa_supplicant. As
> first step, I will separate authenticator as another process and
> communicate with UNIX domain socket. What do you think?

Depending on the exact functionality split, the easiest place to
separate things could be at the driver wrapper interface. Though, if the
driver uses hostapd for processing management frames, you would need to
build another component with just that code in and then connect to
the other part over the driver wrapper interface.

-- 
Jouni Malinen                                            PGP id EFC895FA
