Upon further investigation/tracing, it appears that after association and EAPOL authentication the supplicant isn't receiving a WPA_4WAY_HANDSHAKE state transition. At startup I have

wpan0: State: DISCONNECTED -> ASSOCIATED

but no equivalent ASSOCIATED -> 4WAY_HANDSHAKE later. The transition should be triggered by the Authenticator sending Message 1 of 4 and the Supplicant receiving it.

After the IEEE 802.1X Authenticator sends the SUCCESS packet I see it transition to IDLE:

IEEE 802.1X: xx:xx:... BE_AUTH entering state SUCCESS
IEEE 802.1X: xx:xx:... BE_AUTH entering state IDLE

Where is the trigger for eapol to send the success to the hostapd to start the 4-way handshake? Who is responsible for calling the trigger? driver? eapol?

Jim

From: Hostap <hostap-bounces@xxxxxxxxxxxxxxxxxxx> on behalf of James Ko <jim.list@xxxxxxxxxxx>
Sent: Tuesday, August 13, 2019 22:51
To: hostap@xxxxxxxxxxxxxxxxxxx <hostap@xxxxxxxxxxxxxxxxxxx>
Subject: Q? Configuration for EAP-TLS Auth + 4-Way Handshake

Hi,

I'm porting the hostapd/wpa_supplicant to a new embedded platform in which the network discovery/selection is done externally and prior to starting the supplicant. The supplicant needs to do EAPOL Authentication using EAP-TLS and perform the 4-Way Handshake to install the PTK, GTK and do GTK updates.

I have drivers, l2, config, os, etc. all ported over. The driver is for an IEEE 802.15.4 MAC which I've configured with the WIRED flag since all the AP functions/beacons/ssid selection is done outside of the supplicant/hostapd.

The EAP-TLS Authentication finished with PMK install according to the logs...

supplicant:
EAP-TLS: Derived key - hexdump(len=64): [REMOVED]
EAP-TLS: Derived EMSK - hexdump(len=64): [REMOVED]
EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC eapRespData=0x200340c0
EAP: Session-Id - hexdump(len=65): 0d 00 00 00 24 e5 2d 80 19 0b 05 14 65 c6 3f 77 2d 91 43 9d 76 59 41 47 04 f2 4d 74 e0 4e 32 2e 5e 44 c5 9b dc 32 0f 85 1a
wpan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully

authenticator:
MS-MPPE-Send-Key - hexdump(len=32): [REMOVED]
MS-MPPE-Recv-Key - hexdump(len=32): [REMOVED]
IEEE 802.1X: ac:de:48:00:b8:85:95:80 BE_AUTH entering state SUCCESS

but the state machines do not seem to proceed to 4-way handshake after that.

====== wpa_supplicant.conf ======
eapol_version=2
ap_scan=0
passive_scan=1
fast_reauth=1

cred={
    eap=TLS
    username="info@xxxxxxxxxxx"
    ca_cert="blob://ca_chain"
    client_cert="blob://client_cert"
    private_key="blob://client_key"
    domain=" abc.com"
}

network={
    ssid="foo"
    proto=RSN
    pairwise=CCMP
    group=CCMP
    key_mgmt=IEEE8021X WPA-EAP
    eap=TLS
    identity="xxx@xxxxxxx"
    ca_cert="blob://ca_chain"
    client_cert="blob://client_cert"
    private_key="blob://client_key"
    phase1="tls_disable_tlsv1_0=1,tls_disable_tlsv1_1=1,tls_disable_time_checks=1"
    eapol_flags=3
    eap_workaround=0
    wps_disabled=1
}

<<<< blobs deleted >>>>

===== hostapd.conf =====
interface=lpw0
driver=wpan
use_driver_iface_addr=1
auth_algs=1
start_disabled=1
ieee8021x=1
eapol_version=2
eapol_key_index_workaround=0
eap_reauth_period=3600
own_ip_addr=fd03::###
auth_server_addr=fd03::####
auth_server_port=1812
auth_server_shared_secret=password
# external RADIUS server
acct_server_addr=fd03::###
acct_server_port=1813
acct_server_shared_secret=password
wpa=2
wpa_key_mgmt=IEEE8021X WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
group_cipher=CCMP

Am I still missing something in the config to trigger the 4-way handshake? Is there a particular function in the driver which needs to be implemented?

The device doesn't have 4-way handshake offload so I need the supplicant/hostapd to do it.

Any guidance is appreciated.

Thanks,
Jim

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
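The thread's open question is whether the authenticator ever puts EAPOL-Key message 1 of 4 on the wire after the EAP Success, or whether the stall is inside the state machines. The following is an added diagnostic, not code from the thread or from hostapd: it decodes raw EAPOL frames as captured from the L2 interface (Ethernet framing, ethertype 0x888E, as the wired driver path uses) and labels them by the Key Information bits of the IEEE 802.11 RSN key descriptor, so a capture can be checked for a message 1 following the Success. The frames in the block are constructed samples with placeholder MAC addresses.

```python
import struct

ETH_P_PAE = 0x888E                     # EAPOL ethertype
EAPOL_EAP_PACKET, EAPOL_KEY = 0, 3     # EAPOL packet types
EAP_SUCCESS = 3                        # EAP code
# Key Information bits (IEEE 802.11 EAPOL-Key frame): bits 0-2 carry the descriptor version
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 1 << 3, 1 << 6, 1 << 7, 1 << 8, 1 << 9


def classify_eapol(frame: bytes) -> str:
    """Label one Ethernet frame: EAP_SUCCESS, 4WAY_MSG1..4, GROUP_KEY_MSG, OTHER_EAPOL or NOT_EAPOL."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_P_PAE:
        return "NOT_EAPOL"
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if ptype == EAPOL_EAP_PACKET and len(body) >= 4:
        return "EAP_SUCCESS" if body[0] == EAP_SUCCESS else "EAP_PACKET"
    if ptype == EAPOL_KEY and len(body) >= 3:
        ki = struct.unpack("!H", body[1:3])[0]       # byte 0 is the descriptor type
        if not ki & KI_PAIRWISE:
            return "GROUP_KEY_MSG"
        if ki & KI_ACK and not ki & KI_MIC:
            return "4WAY_MSG1"                       # nonce only, no MIC yet
        if ki & KI_ACK and ki & KI_MIC and ki & KI_INSTALL:
            return "4WAY_MSG3"
        if ki & KI_MIC and not ki & KI_ACK:
            return "4WAY_MSG4" if ki & KI_SECURE else "4WAY_MSG2"
    return "OTHER_EAPOL"


def handshake_started(frames) -> bool:
    """True if an EAPOL-Key message 1/4 follows the EAP Success, i.e. the
    authenticator actually kicked off the 4-way handshake after 802.1X."""
    labels = [classify_eapol(f) for f in frames]
    if "EAP_SUCCESS" not in labels:
        return False
    return "4WAY_MSG1" in labels[labels.index("EAP_SUCCESS"):]


def _eapol(ptype: int, body: bytes) -> bytes:
    # Constructed frame: placeholder MACs, EAPOL protocol version 2 as in the configs above
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!HBBH", ETH_P_PAE, 2, ptype, len(body)) + body


def _key_body(key_info: int, nonce: bytes = b"\x00" * 32) -> bytes:
    # RSN key descriptor (type 2): key info, key length, replay counter, nonce, IV, RSC, reserved,
    # MIC, key data length (zero key data; the MIC is left blank since only the bits are inspected)
    return struct.pack("!BHHQ", 2, key_info, 16, 1) + nonce + b"\x00" * (16 + 8 + 8 + 16) + b"\x00\x00"


# Constructed capture: EAP Success from the authenticator, then message 1 of 4 (descriptor version 2)
SAMPLE_OK = [_eapol(EAPOL_EAP_PACKET, bytes([EAP_SUCCESS, 1, 0, 4])),
             _eapol(EAPOL_KEY, _key_body(KI_PAIRWISE | KI_ACK | 2))]
SAMPLE_STALLED = SAMPLE_OK[:1]   # the pattern the logs in the thread suggest: Success, then nothing
```

Feeding real frames from a raw socket or pcap on the interface into handshake_started() separates "hostapd never sent message 1" from "the supplicant received it but did not act on it".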