Hi,
I am using hostapd as an 802.1X authenticator and am trying to get the
username of authenticated clients using the hostapd ctrl interface, both
with hostapd_cli and directly with the ctrl socket, so they can be
processed by an external application.
Using hostapd_cli 'sta <mac-addr>' there is a line:
"dot1xAuthSessionUserName=(null)"
which seems to always be '(null)' and not an actual username when
hostapd is using the integrated EAP server.
However if I don't use the eap_server and use an external (freeradius),
'sta <mac-addr>' does return the username.
Is there something (compile/config option/etc.) that I'm missing? Or is
it a bug/intended behavior?
Ubuntu 16.04
hostapd 2.6
.config:
"# Driver interface for wired authenticator
CONFIG_DRIVER_WIRED=y
# WPA2/IEEE 802.11i RSN pre-authentication
CONFIG_RSN_PREAUTH=y
# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
CONFIG_PEERKEY=y
# IEEE 802.11w (management frame protection)
CONFIG_IEEE80211W=y
# Integrated EAP server
CONFIG_EAP=y
# EAP Re-authentication Protocol (ERP) in integrated EAP server
CONFIG_ERP=y
# EAP-MD5 for the integrated EAP server
CONFIG_EAP_MD5=y
# EAP-TLS for the integrated EAP server
CONFIG_EAP_TLS=y
# EAP-MSCHAPv2 for the integrated EAP server
CONFIG_EAP_MSCHAPV2=y
# EAP-PEAP for the integrated EAP server
CONFIG_EAP_PEAP=y
# EAP-GTC for the integrated EAP server
CONFIG_EAP_GTC=y
# EAP-TTLS for the integrated EAP server
CONFIG_EAP_TTLS=y
# PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y
# Build IPv6 support for RADIUS operations
CONFIG_IPV6=y
"
wired.conf:
"
ctrl_interface=/var/run/hostapd
interface=eth0
driver=wired
logger_stdout=-1
logger_stdout_level=0
#debug=2
#dump_file=/tmp/hostapd.dump
ieee8021x=1
eap_reauth_period=3600
use_pae_group_addr=0
eap_server=1
eap_user_file=/etc/hostapd/hostapd.eap_user
"
Attached are the stdout & stderr from 'hostapd -dd
/etc/hostapd/wired.conf > sta-hostapd.log 2>&1 &'
and the object returned from the command 'sta 00:00:00:11:11:00'.
The authenticating client is user: hostuser0, mac 00:00:00:11:11:00
Thanks,
Michael
random: Trying to read entropy from /dev/random
Configuration file: /etc/hostapd/wired.conf
Opening raw packet socket for ifindex 1966
BSS count 1, BSSID mask 00:00:00:00:00:00 (0 bits)
Completing interface initialization
hostapd_setup_bss(hapd=0x1abd7f0 (eth0), first=1)
eth0: Flushing old station entries
eth0: Deauthenticate all stations
Using interface eth0 with hwaddr 02:42:ac:11:00:02 and ssid ""
eth0: interface state UNINITIALIZED->ENABLED
eth0: AP-ENABLED
eth0: Setup of interface done.
ctrl_iface not configured!
random: Got 20/20 bytes from /dev/random
RX ctrl_iface - hexdump_ascii(len=6):
41 54 54 41 43 48 ATTACH
CTRL_IFACE monitor attached /tmp/92\x00
Received EAPOL packet
eth0: Event NEW_STA (23) received
Data frame from unknown STA 00:00:00:11:11:00 - adding a new STA
New STA
ap_sta_add: register ap_handle_timer timeout for 00:00:00:11:11:00 (300 seconds - ap_max_inactivity)
eth0: STA 00:00:00:11:11:00 IEEE 802.1X: start authentication
EAP: Server state machine created
IEEE 802.1X: 00:00:00:11:11:00 BE_AUTH entering state IDLE
IEEE 802.1X: 00:00:00:11:11:00 CTRL_DIR entering state FORCE_BOTH
eth0: hostapd_new_assoc_sta: reschedule ap_handle_timer timeout for 00:00:00:11:11:00 (300 seconds - ap_max_inactivity)
eth0: Event EAPOL_RX (24) received
IEEE 802.1X: 4 bytes from 00:00:00:11:11:00
IEEE 802.1X: version=2 type=1 length=0
eth0: STA 00:00:00:11:11:00 IEEE 802.1X: received EAPOL-Start from STA
IEEE 802.1X: 00:00:00:11:11:00 AUTH_PAE entering state DISCONNECTED
eth0: STA 00:00:00:11:11:00 IEEE 802.1X: unauthorizing port
IEEE 802.1X: 00:00:00:11:11:00 AUTH_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
eth0: CTRL-EVENT-EAP-STARTED 00:00:00:11:11:00
CTRL_IFACE monitor send /tmp/92\x00
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: no identity known yet -> CONTINUE
EAP: EAP entering state PROPOSE_METHOD
EAP: getNextMethod: vendor 0 type 1
eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
CTRL_IFACE monitor send /tmp/92\x00
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 103
EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
IEEE 802.1X: 00:00:00:11:11:00 AUTH_PAE entering state CONNECTING
IEEE 802.1X: 00:00:00:11:11:00 AUTH_PAE entering state AUTHENTICATING
IEEE 802.1X: 00:00:00:11:11:00 BE_AUTH entering state REQUEST
eth0: STA 00:00:00:11:11:00 IEEE 802.1X: Sending EAP Packet (identifier 103)
Received EAPOL packet
eth0: Event NEW_STA (23) received
eth0: Event EAPOL_RX (24) received
IEEE 802.1X: 18 bytes from 00:00:00:11:11:00
IEEE 802.1X: version=2 type=0 length=14
EAP: code=2 identifier=103 length=14
(response)
eth0: STA 00:00:00:11:11:00 IEEE 802.1X: received EAP packet (code=2 id=103 len=14) from STA: EAP Response-Identity (1)
IEEE 802.1X: 00:00:00:11:11:00 BE_AUTH entering state RESPONSE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 rxInitiate=0 respId=103 respMethod=1 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
EAP-Identity: Peer identity - hexdump_ascii(len=9):
68 6f 73 74 30 75 73 65 72 host0user
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: another method available -> CONTINUE
EAP: EAP entering state PROPOSE_METHOD
EAP: getNextMethod: vendor 0 type 4
eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4
CTRL_IFACE monitor send /tmp/92\x00
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 104
Get randomness: len=16 entropy=0
EAP-MD5: Challenge - hexdump(len=16): b9 24 1e 6a f2 32 ab ce 31 50 13 f8 01 08 67 05
EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
IEEE 802.1X: 00:00:00:11:11:00 BE_AUTH entering state REQUEST
eth0: STA 00:00:00:11:11:00 IEEE 802.1X: Sending EAP Packet (identifier 104)
Received EAPOL packet
eth0: Event NEW_STA (23) received
eth0: Event EAPOL_RX (24) received
IEEE 802.1X: 26 bytes from 00:00:00:11:11:00
IEEE 802.1X: version=2 type=0 length=22
EAP: code=2 identifier=104 length=22
(response)
eth0: STA 00:00:00:11:11:00 IEEE 802.1X: received EAP packet (code=2 id=104 len=22) from STA: EAP Response-MD5 (4)
IEEE 802.1X: 00:00:00:11:11:00 BE_AUTH entering state RESPONSE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 rxInitiate=0 respId=104 respMethod=4 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
EAP-MD5: Response - hexdump(len=16): a6 4e 8e dc e3 0e 05 ff d5 45 29 f7 f2 a9 7e fe
EAP-MD5: Done - Success
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: method succeeded -> SUCCESS
EAP: EAP entering state SUCCESS
EAP: Building EAP-Success (id=104)
eth0: CTRL-EVENT-EAP-SUCCESS 00:00:00:11:11:00
CTRL_IFACE monitor send /tmp/92\x00
IEEE 802.1X: 00:00:00:11:11:00 BE_AUTH entering state SUCCESS
eth0: STA 00:00:00:11:11:00 IEEE 802.1X: Sending EAP Packet (identifier 104)
IEEE 802.1X: 00:00:00:11:11:00 AUTH_PAE entering state AUTHENTICATED
eth0: AP-STA-CONNECTED 00:00:00:11:11:00
CTRL_IFACE monitor send /tmp/92\x00
eth0: STA 00:00:00:11:11:00 IEEE 802.1X: authorizing port
eth0: STA 00:00:00:11:11:00 RADIUS: starting accounting session F13FB9FA24E41CF2
eth0: STA 00:00:00:11:11:00 IEEE 802.1X: authenticated - EAP type: 0 (unknown)
IEEE 802.1X: 00:00:00:11:11:00 BE_AUTH entering state IDLE
RX ctrl_iface - hexdump_ascii(len=21):
53 54 41 20 30 30 3a 30 30 3a 30 30 3a 31 31 3a STA 00:00:00:11:
31 31 3a 30 30 11:00
IEEE 802.1X: 00:00:00:11:11:00 - (EAP) retransWhile --> 0
IEEE 802.1X: 00:00:00:11:11:00 - aWhile --> 0
00:00:00:11:11:00
flags=[AUTHORIZED]
aid=0
capability=0x0
listen_interval=0
supported_rates=
timeout_next=NULLFUNC POLL
dot1xPaePortNumber=0
dot1xPaePortProtocolVersion=2
dot1xPaePortCapabilities=1
dot1xPaePortInitialize=0
dot1xPaePortReauthenticate=FALSE
dot1xAuthPaeState=5
dot1xAuthBackendAuthState=6
dot1xAuthAdminControlledDirections=0
dot1xAuthOperControlledDirections=0
dot1xAuthAuthControlledPortStatus=1
dot1xAuthAuthControlledPortControl=2
dot1xAuthQuietPeriod=60
dot1xAuthServerTimeout=30
dot1xAuthReAuthPeriod=3600
dot1xAuthReAuthEnabled=TRUE
dot1xAuthKeyTxEnabled=FALSE
dot1xAuthEapolFramesRx=3
dot1xAuthEapolFramesTx=3
dot1xAuthEapolStartFramesRx=1
dot1xAuthEapolLogoffFramesRx=0
dot1xAuthEapolRespIdFramesRx=0
dot1xAuthEapolRespFramesRx=2
dot1xAuthEapolReqIdFramesTx=1
dot1xAuthEapolReqFramesTx=2
dot1xAuthInvalidEapolFramesRx=0
dot1xAuthEapLengthErrorFramesRx=0
dot1xAuthLastEapolFrameVersion=2
dot1xAuthLastEapolFrameSource=00:00:00:11:11:00
dot1xAuthEntersConnecting=1
dot1xAuthEapLogoffsWhileConnecting=0
dot1xAuthEntersAuthenticating=0
dot1xAuthAuthSuccessesWhileAuthenticating=1
dot1xAuthAuthTimeoutsWhileAuthenticating=0
dot1xAuthAuthFailWhileAuthenticating=0
dot1xAuthAuthEapStartsWhileAuthenticating=0
dot1xAuthAuthEapLogoffWhileAuthenticating=0
dot1xAuthAuthReauthsWhileAuthenticated=0
dot1xAuthAuthEapStartsWhileAuthenticated=0
dot1xAuthAuthEapLogoffWhileAuthenticated=0
dot1xAuthBackendResponses=2
dot1xAuthBackendAccessChallenges=1
dot1xAuthBackendOtherRequestsToSupplicant=2
dot1xAuthBackendAuthSuccesses=1
dot1xAuthBackendAuthFails=0
dot1xAuthSessionId=F13FB9FA24E41CF2
dot1xAuthSessionAuthenticMethod=1
dot1xAuthSessionTime=0
dot1xAuthSessionTerminateCause=999
dot1xAuthSessionUserName=(null)
authMultiSessionId=77994CF543EAAC8A
last_eap_type_as=0 (unknown)
last_eap_type_sta=4 (MD5)
connected_time=0
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
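
Added example (not part of the original post and not hostapd project code): one way an external application could send the 'STA <mac-addr>' command over the control socket and read dot1xAuthSessionUserName, treating the literal '(null)' from the post as "no identity reported". The socket path /var/run/hostapd/eth0 is assumed from the ctrl_interface and interface lines in wired.conf; the local endpoint name and the function names are hypothetical.

```python
import os
import re
import socket

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

# Constructed sample reply, shortened from the 'sta' output format shown in the post.
SAMPLE_REPLY = (
    "00:00:00:11:11:00\n"
    "flags=[AUTHORIZED]\n"
    "dot1xAuthSessionId=F13FB9FA24E41CF2\n"
    "dot1xAuthSessionUserName=(null)\n"
    "last_eap_type_sta=4 (MD5)\n"
)

def parse_sta_reply(reply):
    """Parse a 'STA <addr>' reply: first line is the MAC, the rest are key=value."""
    lines = reply.strip().splitlines()
    if not lines or not MAC_RE.match(lines[0].strip()):
        raise ValueError("not a station entry: %r" % reply[:40])
    info = {"addr": lines[0].strip().lower()}
    for line in lines[1:]:
        key, sep, value = line.partition("=")
        if sep:  # skip anything that is not key=value
            info[key.strip()] = value.strip()
    return info

def session_username(info):
    """Return the 802.1X identity, or None when no usable value was reported."""
    name = info.get("dot1xAuthSessionUserName")
    return None if name in (None, "", "(null)") else name

def query_sta(mac, ctrl_path="/var/run/hostapd/eth0", timeout=2.0):
    """Send 'STA <mac>' over the UNIX datagram control socket and parse the reply."""
    if not MAC_RE.match(mac):
        raise ValueError("bad MAC address: %r" % mac)
    local = "/tmp/sta_query_%d" % os.getpid()  # hypothetical local endpoint
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sock.bind(local)  # the daemon replies to this bound address
        sock.settimeout(timeout)
        sock.connect(ctrl_path)
        sock.send(("STA " + mac).encode())
        return parse_sta_reply(sock.recv(8192).decode(errors="replace"))
    finally:
        sock.close()
        if os.path.exists(local):
            os.unlink(local)
```

Returning None instead of the string '(null)' keeps a consuming application from recording '(null)' as if it were an account name.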