Re: WPA-EAP/802.1x AP mode without NL80211_CMD_SET_STATION driver support

On 10/9/2020 10:03 AM, Pali Rohár wrote:
On Friday 09 October 2020 09:28:59 Arend Van Spriel wrote:
On 10/7/2020 10:30 AM, Pali Rohár wrote:
Hello! I would like to remind you about this issue.

Hi Pali,

Why not follow the regular contribution process and submit a patch?

Hello Arend! Because I have sent another patch months ago which was
still not processed yet (therefore I do not know if regular contribution
process is working) and more important, I do not know how to fix this
issue, so I have nothing to send yet. If you look at the issue, you
could see it is more complicated and I just provided two changes which
allowed me to identify main problems.

Fair enough. I stopped reading after the first few paragraphs, but I looked at the driver. The NL80211_CMD_SET_STATION ends up calling the .change_station() cfg80211 driver callback. The mwifiex driver does implement it [1], but states that it only works for TDLS.

Personally, I have not played much with VLANs. For non-vlan the AP uses NL80211_CMD_SET_STATION to authorize the associated station to send regular data traffic. Bottom line is that your wifi card or at least the mwifiex driver does not seem to support both scenarios, i.e. authorize station and vlan. Also don't see anything obvious in the driver's firmware API (fw.h). At least not upstream.

Regards,
Arend

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/wireless/marvell/mwifiex/cfg80211.c#n4145

Regards,
Arend

On Tuesday 02 June 2020 10:49:17 Pali Rohár wrote:
Jouni or Johannes, when you have time, could you please look at this
issue below?

I would like to enable WPA-EAP mode on mwifiex_sdio wifi card but due to
hostapd issue described below it is not possible right now.

On Monday 11 May 2020 12:37:50 Pali Rohár wrote:
Hello Jouni!

When hostapd is compiled without CONFIG_NO_VLAN option then
WPA-EAP/802.1x AP mode is not working with wifi card which does not
support NL80211_CMD_SET_STATION command and uses nl80211 hostapd driver.

NL80211_CMD_SET_STATION command is used by nl80211 hostapd driver to
configure NL80211_ATTR_STA_VLAN, see i802_set_sta_vlan() function.

Here is hostapd log from Turris MOX router when it is configured in WPA-EAP
AP mode. It has SDIO wifi card managed by kernel driver mwifiex_sdio
which does not implement NL80211_CMD_SET_STATION command when card is in
AP mode.

May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
May 11 09:31:28 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -524 (No error information)
May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
May 11 09:31:31 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
May 11 09:31:31 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
May 11 09:31:37 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
May 11 09:31:37 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: disassociated
May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: event 2 notification

EAP authentication from radius server is successful, wpa_supplicant on
client side also sees successful authentication, but link is not
established.

That failed error code 524 is internal Linux kernel number for ENOTSUPP
(double PP), see [1]. Userspace uses ENOTSUP (single P) code 95.

Error printed in hostapd log is triggered by ap_sta_bind_vlan() call
from ieee802_1x_receive_auth() function located in src/ap/ieee802_1x.c
file.

ap_sta_bind_vlan() calls hostapd_drv_set_sta_vlan() which for
unsupported hostapd driver returns zero and for supported hostapd driver
calls appropriate kernel interface, i.e. hostapd_drv_set_sta_vlan().
Which for card with unsupported NL80211_CMD_SET_STATION command returns
error code -524.

When hostapd is compiled with CONFIG_NO_VLAN then ap_sta_bind_vlan()
always returns zero.

I applied following change to hostapd sources:

diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
index 93f1f0c20..9059162a8 100644
--- a/src/ap/sta_info.c
+++ b/src/ap/sta_info.c
@@ -1092,6 +1092,10 @@ skip_counting:
   		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
   			       HOSTAPD_LEVEL_DEBUG, "could not bind the STA "
   			       "entry to vlan_id=%d", sta->vlan_id);
+		/* Ignore error when driver does not support setting vlan
+		 * and we were not requested to set non-zero vlan id */
+		if (ret == -ENOTSUP && sta->vlan_id == 0)
+			ret = 0;
   	}
   	/* During 1x reauth, if the vlan id changes, then remove the old id. */
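
Review bot: The added "ret == -ENOTSUP && sta->vlan_id == 0" test applies to every bind to VLAN 0, including the reauth path described by the comment directly below it, where a station's VLAN id changes. If a driver ever returns -ENOTSUP for a station it earlier placed in a non-zero VLAN, resetting ret to 0 makes hostapd treat the station as moved back to the default network while the driver still has it on the old VLAN. Limit the exception to stations that were never bound to a non-zero VLAN. Also, the "could not bind the STA entry to vlan_id=%d" debug message is still emitted just before the error is discarded, so the log reports a failure that the code then treats as success; skip or reword the message in the ignored case.
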
diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
index d48f8cb76..0906508d4 100644
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -6848,6 +6848,8 @@ static int i802_set_sta_vlan(struct i802_bss *bss, const u8 *addr,
   	ret = send_and_recv_msgs(drv, msg, NULL, NULL);
   	if (ret < 0) {
+		if (ret == -524) /* 524 - Linux internal ENOTSUPP (double PP) */
+			ret = -ENOTSUP;
   		wpa_printf(MSG_ERROR, "nl80211: NL80211_ATTR_STA_VLAN (addr="
   			   MACSTR " ifname=%s vlan_id=%d) failed: %d (%s)",
   			   MAC2STR(addr), ifname, vlan_id, ret,
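
Review bot: The bare -524 in the added "if (ret == -524)" should be a named constant defined in this file, with the explanation attached to the definition, because ENOTSUPP is kernel-internal and there is no userspace header to take it from. The rewrite also happens before the wpa_printf(MSG_ERROR, ...) that follows, so the log reports the translated value instead of what the kernel returned; print the original code first and translate afterwards, or print both. Since the caller in the other hunk goes on to ignore this case for vlan_id 0, MSG_ERROR is too loud for it.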

It changes error code from ENOTSUP (single P) and ENOTSUPP (double PP)
to zero, which is propagated back to the ieee802_1x_receive_auth()
function.

And with this change WPA-EAP/802.1x AP mode started working. Here is
hostapd log:

May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
May 11 09:28:20 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -95 (Not supported)
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: old identity 'anonymous' updated with User-Name from Access-Accept 'anonymous'
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
May 11 09:28:20 turris hostapd: wlan1: CTRL-EVENT-EAP-SUCCESS2 c4:d9:87:6c:38:01
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 1/4 msg of 4-Way Handshake
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (2/4 Pairwise)
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 3/4 msg of 4-Way Handshake
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (4/4 Pairwise)
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: pairwise key handshake completed (RSN)
May 11 09:28:20 turris hostapd: wlan1: AP-STA-CONNECTED c4:d9:87:6c:38:01
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authorizing port
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: starting accounting session 0C7AC96B17442FD4
May 11 09:28:20 turris hostapd: wlan1: RADIUS Sending RADIUS message to accounting server
May 11 09:28:20 turris hostapd: wlan1: RADIUS Next RADIUS client retransmit in 3 seconds
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authenticated - EAP type: 21 (TTLS)
May 11 09:28:20 turris hostapd: wlan1: RADIUS Received 20 bytes from RADIUS server
May 11 09:28:20 turris hostapd: wlan1: RADIUS Received RADIUS message
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec

Jouni, I think this is bug in hostapd's 802.1X code. Function
ieee802_1x_receive_auth() skips whole processing of 802.1X path when
receives RADIUS_CODE_ACCESS_ACCEPT response and ap_sta_bind_vlan()
function fails.

The most suspicious part for me is why hostapd_drv_set_sta_vlan()
function returns zero when hostapd driver does not support
set_sta_vlan() function, but returns -ENOTSUP (or -ENOTSUPP) when kernel
driver does not support this functionality. And also why this code path
is ignored when hostapd is configured with CONFIG_NO_VLAN compile time
option.

Do you have any suggestions how to make AP working in WPA-EAP/802.1x
mode for cards without NL80211_CMD_SET_STATION command? I would like to
avoid having custom hostapd patch (like one above) and have ability to
use upstream unpatched hostapd daemon.

[1] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/errno.h

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
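
The failure described in this thread has a recognisable log signature: a failed NL80211_ATTR_STA_VLAN bind, EAP Success from RADIUS, no 4-way handshake, then disassociation. The script below is an added example, not code from hostapd or from anyone in the thread; it assumes the log format quoted above, and its sample log and the second station's MAC address are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: station 1 follows the failing log quoted above; station 2
# (made-up MAC) shows the patched behaviour, where the bind error is tolerated.
SAMPLE_LOG = """\
May 11 09:31:28 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -524 (No error information)
May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: disassociated
May 11 09:40:02 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=02:00:00:00:00:01 ifname=wlan1 vlan_id=0) failed: -95 (Not supported)
May 11 09:40:02 turris hostapd: wlan1: STA 02:00:00:00:00:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=5 len=4) from RADIUS server: EAP Success
May 11 09:40:02 turris hostapd: wlan1: STA 02:00:00:00:00:01 WPA: pairwise key handshake completed (RSN)
May 11 09:55:10 turris hostapd: wlan1: STA 02:00:00:00:00:01 IEEE 802.11: disassociated
"""

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
VLAN_FAIL = re.compile(r"NL80211_ATTR_STA_VLAN \(addr=" + MAC +
                       r" ifname=\S+ vlan_id=(?P<vlan>\d+)\) failed: (?P<err>-\d+)")
EAP_OK = re.compile(r"STA " + MAC + r" IEEE 802\.1X: .*EAP Success")
KEYS_OK = re.compile(r"STA " + MAC + r" WPA: pairwise key handshake completed")
DISASSOC = re.compile(r"STA " + MAC + r" IEEE 802\.11: disassociated")
ERRNO_NAMES = {524: "ENOTSUPP (kernel-internal)", 95: "ENOTSUP"}


def find_stalled_stations(log_text):
    """Return stations that got EAP Success but never completed the 4-way
    handshake, and for which a VLAN bind failure was logged."""
    state = defaultdict(dict)   # per-station flags for the current association
    stalled = []
    for line in log_text.splitlines():
        if m := VLAN_FAIL.search(line):
            state[m["mac"]].update(vlan=int(m["vlan"]), err=int(m["err"]))
        elif m := EAP_OK.search(line):
            state[m["mac"]]["eap_ok"] = True
        elif m := KEYS_OK.search(line):
            state[m["mac"]]["keys_ok"] = True
        elif m := DISASSOC.search(line):
            st = state.pop(m["mac"], {})
            if st.get("eap_ok") and not st.get("keys_ok") and "err" in st:
                stalled.append({"sta": m["mac"], "vlan_id": st["vlan"], "errno": st["err"],
                                "name": ERRNO_NAMES.get(-st["err"], "unknown")})
    return stalled


if __name__ == "__main__":
    for hit in find_stalled_stations(SAMPLE_LOG):
        print(hit)
```

Only the first station is reported: the second one logs the same bind failure, but its handshake completes, so it is not counted as stalled.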
