How can I control a wpa_supplicant client so that its request is sent to only one hostapd NAS?

My network structure is as follows:

                    RADIUS(freeradius)
                            |
                            |
                      SWITCH(cisco)
                            |
                            |
    ------------------------------------------------
    |                                              |
    NAS1(hostapd)                                  NAS2(hostapd)
    |                                              |
    CLIENT1(wpa_supplicant)                        CLIENT2(wpa_supplicant)

If the network has only the NAS1 device, CLIENT1 can pass authentication. When the network has two NAS devices, one being NAS1 and the other NAS2, the CLIENT1 request can be sent to both NAS1 and NAS2, and then NAS1 and NAS2 both send the request to RADIUS. In RADIUS, I don't know whether CLIENT1 is under NAS1 or NAS2. How can I control a wpa_supplicant client so that its request is sent to only one hostapd NAS? Thank you very much!

The CLIENT1 MAC: 00:0F:1E:34:28:B4
The NAS1 MAC: 00:0F:1E:34:26:50
The NAS2 MAC: 00:0f:1e:00:00:83

The CLIENT1 log
--------------------------
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=26): 01 00 00 16 02 00 00 16 01 30 30 3a 30 46 3a 31 45 3a 33 34 3a 32 38 3a 42 34
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:0f:1e:34:26:50
RX EAPOL - hexdump(len=14): 02 00 00 0a 01 00 00 0a 01 68 65 6c 6c 6f
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=1 id=0
EAP: EAP entering state RETRANSMIT
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=26): 01 00 00 16 02 00 00 16 01 30 30 3a 30 46 3a 31 45 3a 33 34 3a 32 38 3a 42 34
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:0f:1e:00:00:83
RX EAPOL - hexdump(len=46): 02 00 00 16 01 01 00 16 04 10 e3 1f ff 34 85 47 cd 3c d7 14 60 22 fc 2a 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=4 id=1
EAP: EAP entering state GET_METHOD
EAP: initialize selected EAP method (4, MD5)
CTRL-EVENT-EAP-METHOD EAP method 4 (MD5) selected
EAP: EAP entering state METHOD
EAP-MD5: Challenge - hexdump(len=16): e3 1f ff 34 85 47 cd 3c d7 14 60 22 fc 2a 24 fb
EAP-MD5: generating Challenge Response
EAP-MD5: Response - hexdump(len=16): 7d 5e a6 ea 11 c7 d9 ad ed 44 a4 b9 61 b5 ab 41
EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=26): 01 00 00 16 02 01 00 16 04 10 7d 5e a6 ea 11 c7 d9 ad ed 44 a4 b9 61 b5 ab 41
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:0f:1e:34:26:50
RX EAPOL - hexdump(len=26): 02 00 00 16 01 01 00 16 04 10 02 c8 6c 9b 31 7d 34 bc 09 6a 0f f2 c3 a8 01 54
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=4 id=1
EAP: AS used the same Id again, but EAP packets were not identical
EAP: workaround - assume this is not a duplicate packet
EAP: EAP entering state DISCARD
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:0f:1e:34:26:50
RX EAPOL - hexdump(len=8): 02 00 00 04 04 01 00 04
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state DISCARD
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:0f:1e:00:00:83
RX EAPOL - hexdump(len=46): 02 00 00 04 03 01 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS

The NAS1 log
--------------------------
Deauthenticate all stations
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: start authentication
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAPOL-Start from STA
br0: STA 00:0f:1e:34:28:b4 WPA: event 5 notification
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: unauthorizing port
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAP packet (code=2 id=0 len=22) from STA: EAP Response-Identity (1)
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: STA identity '00:0F:1E:34:28:B4'
br0: RADIUS Sending RADIUS message to authentication server
br0: RADIUS Next RADIUS client retransmit in 3 seconds

br0: RADIUS Received 80 bytes from RADIUS server
br0: RADIUS Received RADIUS message
br0: STA 00:0f:1e:34:28:b4 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.03 sec
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: using EAP timeout of 30 seconds
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server: EAP-Request-MD5-Challenge (4)
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: EAP Identifier of the Response-Identity does not match (was 0, expected 1) - ignored
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAP packet (code=2 id=1 len=22) from STA: EAP Response-MD5-Challenge (4)
br0: RADIUS Sending RADIUS message to authentication server
br0: RADIUS Next RADIUS client retransmit in 3 seconds

br0: RADIUS Received 44 bytes from RADIUS server
br0: RADIUS Received RADIUS message
br0: STA 00:0f:1e:34:28:b4 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: decapsulated EAP packet (code=4 id=1 len=4) from RADIUS server: EAP Failure
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: unauthorizing port
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: authentication failed


The NAS2 log
--------------------------
Deauthenticate all stations
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: start authentication
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAPOL-Start from STA
br0: STA 00:0f:1e:34:28:b4 WPA: event 5 notification
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: unauthorizing port
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAP packet (code=2 id=0 len=22) from STA: EAP Response-Identity (1)
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: STA identity '00:0F:1E:34:28:B4'
br0: RADIUS Sending RADIUS message to authentication server
br0: RADIUS Next RADIUS client retransmit in 3 seconds

br0: RADIUS Received 80 bytes from RADIUS server
br0: RADIUS Received RADIUS message
br0: STA 00:0f:1e:34:28:b4 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.02 sec
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: using EAP timeout of 30 seconds
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server: EAP-Request-MD5-Challenge (4)
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: EAP Identifier of the Response-Identity does not match (was 0, expected 1) - ignored
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAP packet (code=2 id=1 len=22) from STA: EAP Response-MD5-Challenge (4)
br0: RADIUS Sending RADIUS message to authentication server
br0: RADIUS Next RADIUS client retransmit in 3 seconds

br0: RADIUS Received 63 bytes from RADIUS server
br0: RADIUS Received RADIUS message
br0: STA 00:0f:1e:34:28:b4 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.01 sec
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: old identity '00:0F:1E:34:28:B4' updated with User-Name from Access-Accept '00:0F:1E:34:28:B4'
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: decapsulated EAP packet (code=3 id=1 len=4) from RADIUS server: EAP Success

The RADIUS log
--------------------------
rad_recv: Access-Request packet from host 192.168.1.45 port 1024, id=0, length=168
    User-Name = "00:0F:1E:34:28:B4"
    NAS-IP-Address = 192.168.1.45
    NAS-Port = 0
    Called-Station-Id = "00-0F-1E-34-26-50:"
    Calling-Station-Id = "00-0F-1E-34-28-B4"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x020000160130303a30463a31453a33343a32383a4234
    Message-Authenticator = 0xdfe32c5308f652199fc3f87459b2f8b8
+- entering group authorize {...}

rad_recv: Access-Request packet from host 192.168.1.44 port 1024, id=1, length=186
    User-Name = "00:0F:1E:34:28:B4"
    NAS-IP-Address = 192.168.1.44
    NAS-Port = 0
    Called-Station-Id = "00-0F-1E-00-00-83:"
    Calling-Station-Id = "00-0F-1E-34-28-B4"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x0201001604107d5ea6ea11c7d9aded44a4b961b5ab41
    State = 0x532668a453276c3283f462034e3542a3
    Message-Authenticator = 0x98ac376bdacceb01003f6f6bb9604f9c
+- entering group authorize {...}

Sending Access-Accept of id 1 to 192.168.1.44 port 1024
    EAP-Message = 0x03010004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "00:0F:1E:34:28:B4"
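
A log-decoding sketch for the CLIENT1 output above, added here as an example and not part of the original post: it pairs each `RX EAPOL from` line with its hexdump, decodes the EAP header, and shows that one supplicant session received EAP packets from both NAS MACs with opposite results. The names `parse_rx` and `split_session` are made up for this example; the sample lines are copied from the post with trailing zero padding trimmed.

```python
import re

# RX lines copied from the CLIENT1 log in the post (zero padding trimmed).
CLIENT1_LOG = """\
RX EAPOL from 00:0f:1e:34:26:50
RX EAPOL - hexdump(len=14): 02 00 00 0a 01 00 00 0a 01 68 65 6c 6c 6f
RX EAPOL from 00:0f:1e:00:00:83
RX EAPOL - hexdump(len=46): 02 00 00 16 01 01 00 16 04 10 e3 1f ff 34 85 47 cd 3c d7 14 60 22 fc 2a 24 fb
RX EAPOL from 00:0f:1e:34:26:50
RX EAPOL - hexdump(len=26): 02 00 00 16 01 01 00 16 04 10 02 c8 6c 9b 31 7d 34 bc 09 6a 0f f2 c3 a8 01 54
RX EAPOL from 00:0f:1e:34:26:50
RX EAPOL - hexdump(len=8): 02 00 00 04 04 01 00 04
RX EAPOL from 00:0f:1e:00:00:83
RX EAPOL - hexdump(len=46): 02 00 00 04 03 01 00 04
"""
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}

def parse_rx(log):
    """Return one dict per received EAPOL frame that carries an EAP packet."""
    frames, src = [], None
    for line in log.splitlines():
        m = re.match(r"RX EAPOL from ([0-9a-fA-F:]{17})", line)
        if m:
            src = m.group(1).lower()
            continue
        m = re.match(r"RX EAPOL - hexdump\(len=\d+\): ([0-9a-f ]+)", line)
        if not (m and src):
            continue
        b = bytes.fromhex(m.group(1))
        # EAPOL header: version, packet type (0 = EAP-Packet), 2-byte length
        if len(b) < 8 or b[1] != 0:
            continue
        code, ident, eap_len = b[4], b[5], int.from_bytes(b[6:8], "big")
        # Only Request/Response carry a type byte; Success/Failure do not
        etype = b[8] if code in (1, 2) and eap_len > 4 and len(b) > 8 else None
        frames.append({"src": src, "code": EAP_CODES.get(code, code),
                       "id": ident, "type": EAP_TYPES.get(etype, etype)})
    return frames

def split_session(frames):
    """Summarise which authenticators answered and the result each delivered."""
    results = {f["src"]: f["code"] for f in frames
               if f["code"] in ("Success", "Failure")}
    return {"authenticators": sorted({f["src"] for f in frames}),
            "results": results,
            "conflict": len(set(results.values())) > 1}

if __name__ == "__main__":
    print(split_session(parse_rx(CLIENT1_LOG)))
```
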