On Monday 11 May 2020 12:37:50 Pali Rohár wrote:
> Hello Jouni!
>
> When hostapd is compiled without CONFIG_NO_VLAN option then
> WPA-EAP/802.1x AP mode is not working with wifi card which does not
> support NL80211_CMD_SET_STATION command and uses nl80211 hostapd driver.
>
> NL80211_CMD_SET_STATION command is used by nl80211 hostapd driver to
> configure NL80211_ATTR_STA_VLAN, see i802_set_sta_vlan() function.
>
> Here is hostapd log from Turris MOX router when it is configured in
> WPA-EAP AP mode. It has SDIO wifi card managed by kernel driver
> mwifiex_sdio which does not implement NL80211_CMD_SET_STATION command
> when card is in AP mode.
>
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
> May 11 09:31:28 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -524 (No error information)
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> May 11 09:31:31 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
> May 11 09:31:31 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> May 11 09:31:37 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
> May 11 09:31:37 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: disassociated
> May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: event 2 notification
>
> EAP authentication from radius server is successful, wpa_supplicant on
> client side also sees successful authentication, but link is not
> established.
>
> That failed error code 524 is internal Linux kernel number for ENOTSUPP
> (double PP), see [1]. Userspace uses ENOTSUP (single P) code 95.
>
> Error printed in hostapd log is triggered by ap_sta_bind_vlan() call
> from ieee802_1x_receive_auth() function located in src/ap/ieee802_1x.c
> file.
>
> ap_sta_bind_vlan() calls hostapd_drv_set_sta_vlan() which for
> unsupported hostapd driver returns zero and for supported hostapd driver
> calls appropriate kernel interface, i.e. hostapd_drv_set_sta_vlan().
> Which for card with unsupported NL80211_CMD_SET_STATION command returns
> error code -524.
>
> When hostapd is compiled with CONFIG_NO_VLAN then ap_sta_bind_vlan()
> always returns zero.
>
> I applied the following change to hostapd sources:
>
> diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c > index 93f1f0c20..9059162a8 100644 > --- a/src/ap/sta_info.c > +++ b/src/ap/sta_info.c > @@ -1092,6 +1092,10 @@ skip_counting: > hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, > HOSTAPD_LEVEL_DEBUG, "could not bind the STA " > "entry to vlan_id=%d", sta->vlan_id); > + /* Ignore error when driver does not support setting vlan > + * and we were not requested to set non-zero vlan id */ > + if (ret == -ENOTSUP && sta->vlan_id == 0) > + ret = 0; > } > > /* During 1x reauth, if the vlan id changes, then remove the old id. */ > diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c > index d48f8cb76..0906508d4 100644 > --- a/src/drivers/driver_nl80211.c > +++ b/src/drivers/driver_nl80211.c
> @@ -6848,6 +6848,8 @@ static int i802_set_sta_vlan(struct i802_bss *bss, const u8 *addr, > > ret = send_and_recv_msgs(drv, msg, NULL, NULL); > if (ret < 0) { > + if (ret == -524) /* 524 - Linux internal ENOTSUPP (double PP) */ > + ret = -ENOTSUP; > wpa_printf(MSG_ERROR, "nl80211: NL80211_ATTR_STA_VLAN (addr=" > MACSTR " ifname=%s vlan_id=%d) failed: %d (%s)", > MAC2STR(addr), ifname, vlan_id, ret,
>
> It changes error code from ENOTSUP (single P) and ENOTSUPP (double PP)
> to zero, which is propagated back to the ieee802_1x_receive_auth()
> function.
>
> And with this change WPA-EAP/802.1x AP mode started working. Here is
> hostapd log:
>
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
> May 11 09:28:20 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -95 (Not supported)
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: old identity 'anonymous' updated with User-Name from Access-Accept 'anonymous'
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
> May 11 09:28:20 turris hostapd: wlan1: CTRL-EVENT-EAP-SUCCESS2 c4:d9:87:6c:38:01
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 1/4 msg of 4-Way Handshake
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (2/4 Pairwise)
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 3/4 msg of 4-Way Handshake
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (4/4 Pairwise)
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: pairwise key handshake completed (RSN)
> May 11 09:28:20 turris hostapd: wlan1: AP-STA-CONNECTED c4:d9:87:6c:38:01
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authorizing port
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: starting accounting session 0C7AC96B17442FD4
> May 11 09:28:20 turris hostapd: wlan1: RADIUS Sending RADIUS message to accounting server
> May 11 09:28:20 turris hostapd: wlan1: RADIUS Next RADIUS client retransmit in 3 seconds
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authenticated - EAP type: 21 (TTLS)
> May 11 09:28:20 turris hostapd: wlan1: RADIUS Received 20 bytes from RADIUS server
> May 11 09:28:20 turris hostapd: wlan1: RADIUS Received RADIUS message
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
>
> Jouni, I think this is a bug in hostapd's 802.1X code. Function
> ieee802_1x_receive_auth() skips whole processing of 802.1X path when
> it receives RADIUS_CODE_ACCESS_ACCEPT response and ap_sta_bind_vlan()
> function fails.
>
> The most suspicious part for me is why hostapd_drv_set_sta_vlan()
> function returns zero when hostapd driver does not support
> set_sta_vlan() function, but returns -ENOTSUP (or -ENOTSUPP) when kernel
> driver does not support this functionality. And also why this code path
> is ignored when hostapd is configured with CONFIG_NO_VLAN compile time
> option.

Also, it is not clear to me why hostapd is trying to use VLANs even when
they were not enabled in config file. Also suspicious is why hostapd is
trying to use VLANs as that kernel driver does not announce support for
AP/VLAN mode (announces only AP mode).
iw phy phy0 info says:

	valid interface combinations:
		 * #{ managed, AP, P2P-client, P2P-GO } <= 3,
		   total <= 3, #channels <= 1, STA/AP BI must match, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz }

> Do you have any suggestions how to make AP working in WPA-EAP/802.1x
> mode for cards without NL80211_CMD_SET_STATION command? I would like to
> avoid having custom hostapd patch (like one above) and have ability to
> use upstream unpatched hostapd daemon.
>
> [1] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/errno.h
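
Review bot: In the src/ap/sta_info.c hunk the new test "if (ret == -ENOTSUP && sta->vlan_id == 0)" comes after the hostapd_logger() call, so a failure that is then ignored is still logged as "could not bind the STA entry to vlan_id=0"; the second log in the message shows that line on an association that completes. Consider doing the test before logging, or logging a separate message for the ignored case, so the debug line appears only when the bind failure changes the outcome. The "sta->vlan_id == 0" condition should stay as it is: a failure to apply a non-zero VLAN must keep returning an error.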
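
Review bot: In the i802_set_sta_vlan() hunk in src/drivers/driver_nl80211.c the bare "-524" is a magic number explained only by a trailing comment; a named constant would be easier to find and to reuse. The remap also runs before wpa_printf(), so the MSG_ERROR line prints the rewritten code (-95 in the second log) rather than the value the kernel returned; logging first and translating afterwards would keep the original value for diagnosis.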
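
A log triage sketch for the symptom described in this thread, added here as an example and not code from the poster or from hostapd: it flags stations whose NL80211_ATTR_STA_VLAN bind failed and that got EAP Success from RADIUS but never reached AP-STA-CONNECTED. The function name triage, the result field names and the abridged sample logs (built from the log lines quoted above, with one shared timestamp) are assumptions.

```python
import re

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
# Patterns follow the hostapd log lines quoted in the message above.
VLAN_FAIL = re.compile(r"NL80211_ATTR_STA_VLAN \(addr=" + MAC +
                       r" ifname=\S+ vlan_id=(?P<vlan>\d+)\) failed: (?P<err>-\d+)")
EAP_OK = re.compile(r"STA " + MAC + r" IEEE 802\.1X: .*EAP Success")
CONNECTED = re.compile(r"AP-STA-CONNECTED " + MAC)
# The two error codes named in the message.
ERR_NAMES = {-524: "ENOTSUPP (kernel-internal)", -95: "ENOTSUP"}


def triage(log_text):
    """Return {mac: finding} for every station whose STA_VLAN bind failed."""
    stations = {}
    for line in log_text.splitlines():
        if m := VLAN_FAIL.search(line):
            stations[m["mac"]] = {
                "vlan_id": int(m["vlan"]),
                "error": ERR_NAMES.get(int(m["err"]), m["err"]),
                "eap_success": False, "connected": False}
        elif (m := EAP_OK.search(line)) and m["mac"] in stations:
            stations[m["mac"]]["eap_success"] = True
        elif (m := CONNECTED.search(line)) and m["mac"] in stations:
            stations[m["mac"]]["connected"] = True
    for info in stations.values():
        # RADIUS accepted the client, but the association never completed.
        info["stalled"] = info["eap_success"] and not info["connected"]
    return stations


# Constructed samples: abridged from the two logs quoted in the message.
STA = "c4:d9:87:6c:38:01"
PFX = "May 11 09:31:28 turris hostapd: "
VLAN_LINE = ("nl80211: NL80211_ATTR_STA_VLAN (addr=" + STA +
             " ifname=wlan1 vlan_id=0) failed: ")
EAP_LINE = ("wlan1: STA " + STA + " IEEE 802.1X: decapsulated EAP packet "
            "(code=3 id=27 len=4) from RADIUS server: EAP Success")
UNPATCHED_LOG = "\n".join(PFX + s for s in (
    VLAN_LINE + "-524 (No error information)", EAP_LINE,
    "wlan1: CTRL-EVENT-EAP-RETRANSMIT2 " + STA,
    "wlan1: STA " + STA + " IEEE 802.11: disassociated"))
PATCHED_LOG = "\n".join(PFX + s for s in (
    VLAN_LINE + "-95 (Not supported)", EAP_LINE,
    "wlan1: AP-STA-CONNECTED " + STA))

if __name__ == "__main__":
    for name, log in (("unpatched", UNPATCHED_LOG), ("patched", PATCHED_LOG)):
        print(name, triage(log))
```

A finding with a non-zero vlan_id deserves separate attention, since it means a VLAN that was actually requested could not be applied.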