How to control a wpa_supplicant client request can only send to a hostapd NAS?
How to control a wpa_supplicant client request can only send to a hostapd NAS? My network struct was following: RADIUS(freeradius) | | SWITCH(cisco) | | ------------------------------------------------ | | NAS1(hostapd) NAS2(hostapd) | | CLIENT1(wpa_supplicant) CLIENT2(wpa_supplicant) If the network only has the NAS1 device, the CLIENT1 can pass the authentication. When the network have two NAS device, which one is NAS1 and the other is NAS2, the CLIENT1 request can send to NAS1 and NAS2, then NAS1 and NAS2 all send the request to radius. I don't know whether CLIENT1 under NAS1 or NAS2 in radius. How to control a wpa_supplicant client request can only send to a hostapd NAS? Thank you very much! The CLIENT1 MAC: 00:0F:1E:34:28:B4 The NAS1 MAC: 00:0F:1E:34:26:50 The NAS2 MAC: 00:0f:1e:00:00:83 The CLIENT1 log -------------------------- EAPOL: txSuppRsp TX EAPOL - hexdump(len=26): 01 00 00 16 02 00 00 16 01 30 30 3a 30 46 3a 31 45 3a 33 34 3a 32 38 3a 42 34 EAPOL: SUPP_BE entering state RECEIVE RX EAPOL from *---00:0f:1e:34:26:50---* RX EAPOL - hexdump(len=14): 02 00 00 0a 01 00 00 0a 01 68 65 6c 6c 6f EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request method=1 id=0 EAP: EAP entering state RETRANSMIT EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp TX EAPOL - hexdump(len=26): 01 00 00 16 02 00 00 16 01 30 30 3a 30 46 3a 31 45 3a 33 34 3a 32 38 3a 42 34 EAPOL: SUPP_BE entering state RECEIVE RX EAPOL from *---**00:0f:1e:00:00:83**---* RX EAPOL - hexdump(len=46): 02 00 00 16 01 01 00 16 04 10 e3 1f ff 34 85 47 cd 3c d7 14 60 22 fc 2a 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request method=4 id=1 EAP: EAP entering state GET_METHOD EAP: initialize selected EAP method (4, MD5) CTRL-EVENT-EAP-METHOD EAP method 4 (MD5) selected EAP: EAP entering state METHOD EAP-MD5: Challenge - hexdump(len=16): e3 1f ff 34 85 47 cd 3c d7 14 60 22 fc 2a 24 fb EAP-MD5: generating Challenge Response EAP-MD5: Response - hexdump(len=16): 7d 5e a6 ea 11 c7 d9 ad ed 44 a4 b9 61 b5 ab 41 EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp TX EAPOL - hexdump(len=26): 01 00 00 16 02 01 00 16 04 10 7d 5e a6 ea 11 c7 d9 ad ed 44 a4 b9 61 b5 ab 41 EAPOL: SUPP_BE entering state RECEIVE RX EAPOL from 00:0f:1e:34:26:50 RX EAPOL - hexdump(len=26): 02 00 00 16 01 01 00 16 04 10 02 c8 6c 9b 31 7d 34 bc 09 6a 0f f2 c3 a8 01 54 EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request method=4 id=1 EAP: AS used the same Id again, but EAP packets were not identical EAP: workaround - assume this is not a duplicate packet EAP: EAP entering state DISCARD EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RECEIVE RX EAPOL from 00:0f:1e:34:26:50 RX EAPOL - hexdump(len=8): 02 00 00 04 04 01 00 04 EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Failure EAP: EAP entering state DISCARD EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RECEIVE RX EAPOL from 00:0f:1e:00:00:83 RX EAPOL - hexdump(len=46): 02 00 00 04 03 01 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Success EAP: EAP entering state SUCCESS The NAS1 log -------------------------- Deauthenticate all stations br0: STA *00:0f:1e:34:28:b4* IEEE 802.1X: start authentication br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAPOL-Start from STA br0: STA 00:0f:1e:34:28:b4 WPA: event 5 notification br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: unauthorizing port br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAP packet (code=2 id=0 len=22) from STA: EAP Response-Identity (1) br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: STA identity '00:0F:1E:34:28:B4' br0: RADIUS Sending RADIUS message to authentication server br0: RADIUS Next RADIUS client retransmit in 3 seconds br0: RADIUS Received 80 bytes from RADIUS server br0: RADIUS Received RADIUS message br0: STA 00:0f:1e:34:28:b4 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.03 sec br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: using EAP timeout of 30 seconds br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server: EAP-Request-MD5-Challenge (4) br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: EAP Identifier of the Response-Identity does not match (was 0, expected 1) - ignored br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAP packet (code=2 id=1 len=22) from STA: EAP Response-MD5-Challenge (4) br0: RADIUS Sending RADIUS message to authentication server br0: RADIUS Next RADIUS client retransmit in 3 seconds br0: RADIUS Received 44 bytes from RADIUS server br0: RADIUS Received RADIUS message br0: STA 00:0f:1e:34:28:b4 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: decapsulated EAP packet (code=4 id=1 len=4) from RADIUS server: EAP Failure br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: unauthorizing port br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: authentication failed The NAS2 log -------------------------- Deauthenticate all stations br0: STA *---**00:0f:1e:34:28:b4**---* IEEE 802.1X: start authentication br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAPOL-Start from STA br0: STA 00:0f:1e:34:28:b4 WPA: event 5 notification br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: unauthorizing port br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAP packet (code=2 id=0 len=22) from STA: EAP Response-Identity (1) br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: STA identity '00:0F:1E:34:28:B4' br0: RADIUS Sending RADIUS message to authentication server br0: RADIUS Next RADIUS client retransmit in 3 seconds br0: RADIUS Received 80 bytes from RADIUS server br0: RADIUS Received RADIUS message br0: STA 00:0f:1e:34:28:b4 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.02 sec br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: using EAP timeout of 30 seconds br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server: EAP-Request-MD5-Challenge (4) br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: EAP Identifier of the Response-Identity does not match (was 0, expected 1) - ignored br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAP packet (code=2 id=1 len=22) from STA: EAP Response-MD5-Challenge (4) br0: RADIUS Sending RADIUS message to authentication server br0: RADIUS Next RADIUS client retransmit in 3 seconds br0: RADIUS Received 63 bytes from RADIUS server br0: RADIUS Received RADIUS message br0: STA 00:0f:1e:34:28:b4 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.01 sec br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: old identity '00:0F:1E:34:28:B4' updated with User-Name from Access-Accept '00:0F:1E:34:28:B4' br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: decapsulated EAP packet (code=3 id=1 len=4) from RADIUS server: EAP Success The RADIUS log -------------------------- rad_recv: Access-Request packet from host 192.168.1.45 port 1024, id=0, length=168 User-Name = "00:0F:1E:34:28:B4" NAS-IP-Address = 192.168.1.45 NAS-Port = 0 Called-Station-Id = "*---**00-0F-1E-34-26-50:**---*" Calling-Station-Id = "*---**00-0F-1E-34-28-B4**---*" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020000160130303a30463a31453a33343a32383a4234 Message-Authenticator = 0xdfe32c5308f652199fc3f87459b2f8b8 +- entering group authorize {...} rad_recv: Access-Request packet from host 192.168.1.44 port 1024, id=1, length=186 User-Name = "00:0F:1E:34:28:B4" NAS-IP-Address = 192.168.1.44 NAS-Port = 0 Called-Station-Id = "*---**00-0F-1E-00-00-83:**---*" Calling-Station-Id = "*---**00-0F-1E-34-28-B4**---**"* Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201001604107d5ea6ea11c7d9aded44a4b961b5ab41 State = 0x532668a453276c3283f462034e3542a3 Message-Authenticator = 0x98ac376bdacceb01003f6f6bb9604f9c +- entering group authorize {...} Sending Access-Accept of id 1 to 192.168.1.44 port 1024 EAP-Message = 0x03010004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "00:0F:1E:34:28:B4"
If the network only has the NAS1 device, the CLIENT1 can pass the authentication. When the network have two NAS device, which one is NAS1 and the other is NAS2, the CLIENT1 request can send to NAS1 and NAS2, then NAS1 and NAS2 all send the request to radius. I don't know whether CLIENT1 under NAS1 or NAS2 in radius. How to control a wpa_supplicant client request can only send to a hostapd NAS? The CLIENT1 MAC: 00:0F:1E:34:28:B4 The NAS1 MAC: 00:0F:1E:34:26:50 The NAS2 MAC: 00:0f:1e:00:00:83
That's one way - NAS mac address will be in Called-Station-Id. Or use NAS-IP-Address.
The RADIUS log -------------------------- rad_recv: Access-Request packet from host 192.168.1.45 port 1024, id=0, length=168 User-Name = "00:0F:1E:34:28:B4" NAS-IP-Address = 192.168.1.45 Called-Station-Id = "*---**00-0F-1E-34-26-50:**---*"
rad_recv: Access-Request packet from host 192.168.1.44 port 1024, id=1, length=186 User-Name = "00:0F:1E:34:28:B4" NAS-IP-Address = 192.168.1.44 Called-Station-Id = "*---**00-0F-1E-00-00-83:**---*"
Ivan Kalik Kalik Informatika ISP
2009/7/9 Ivan Kalik <tnt@kalik.net>
If the network only has the NAS1 device, the CLIENT1 can pass the authentication. When the network have two NAS device, which one is NAS1 and the other is NAS2, the CLIENT1 request can send to NAS1 and NAS2, then NAS1 and NAS2 all send the request to radius. I don't know whether CLIENT1 under NAS1 or NAS2 in radius. How to control a wpa_supplicant client request can only send to a hostapd NAS? The CLIENT1 MAC: 00:0F:1E:34:28:B4 The NAS1 MAC: 00:0F:1E:34:26:50 The NAS2 MAC: 00:0f:1e:00:00:83
That's one way - NAS mac address will be in Called-Station-Id. Or use NAS-IP-Address.
The RADIUS log -------------------------- rad_recv: Access-Request packet from host 192.168.1.45 port 1024, id=0, length=168 User-Name = "00:0F:1E:34:28:B4" NAS-IP-Address = 192.168.1.45 Called-Station-Id = "00-0F-1E-34-26-50:"
rad_recv: Access-Request packet from host 192.168.1.44 port 1024, id=1, length=186 User-Name = "00:0F:1E:34:28:B4" NAS-IP-Address = 192.168.1.44 Called-Station-Id = "00-0F-1E-00-00-83:"
Ivan Kalik Kalik Informatika ISP <http://www.freeradius.org/list/users.html>
Hi: Ivan Kalik Thank your suggestion! In that, The NAS1 MAC is 00:0F:1E:34:26:50, The NAS2 MAC is 00:0f:1e:00:00:83. The problem was that they all could received the request of The CLIENT1, so I couldn't known whether CLIENT1 under NAS1 or NAS2 in radius.
participants (2)
-
DJ HENRY -
Ivan Kalik