802.1x for wired networks
Netherlands | 2008-04-09 08:05:31
What is the best way to be able to have a FreeBSD system connect via 802.1x to a wired network? wpa_supplicant seems to insist on calling 802.11 ioctls and thus fails.

I found the open1x project, but did not find it in the ports tree. This suggests that perhaps there is a native solution after all, yet I can't seem to find it.

Any suggestions?

-Guido
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

Re: 802.1x for wired networks
United States | 2008-04-09 09:13:24
On Wed, Apr 09, 2008 at 03:05:31PM +0200, Guido van Rooij wrote:
> What is the best way to be able to have a FreeBSD system connect
> via 802.1x to a wired network? wpa_supplicant seems to insist on
> calling 802.11 ioctls and thus fails.
> 
> I found the open1x project, but did not find it in the ports tree.
> This suggests that perhaps there is a native solution after all, yet
> I can't seem to find it.
> 
> Any suggestions?

Sam just committed support to /etc/rc.d/wpa_supplicant in head to set the driver to bsd or wired based on the device media type.

-- Brooks
Re: 802.1x for wired networks
United States | 2008-04-09 11:11:05
Brooks Davis wrote:
> On Wed, Apr 09, 2008 at 03:05:31PM +0200, Guido van Rooij wrote:
>> What is the best way to be able to have a FreeBSD system connect
>> via 802.1x to a wired network? wpa_supplicant seems to insist on
>> calling 802.11 ioctls and thus fails.
>>
>> I found the open1x project, but did not find it in the ports tree.
>> This suggests that perhaps there is a native solution after all, yet
>> I can't seem to find it.
>>
>> Any suggestions?
> 
> Sam just committed support to /etc/rc.d/wpa_supplicant in head to set the
> driver to bsd or wired based on the device media type.
> 
> -- Brooks

Right; you need to specify -Dwired to get the "wired driver". Note I have no way of testing wired supplicant operation, so if it works I'd like to hear about it.

	Sam


Re: 802.1x for wired networks
Netherlands | 2008-04-09 14:58:31
On Wed, Apr 09, 2008 at 09:11:05AM -0700, Sam Leffler wrote:
> Brooks Davis wrote:
>> On Wed, Apr 09, 2008 at 03:05:31PM +0200, Guido van Rooij wrote:
>>> What is the best way to be able to have a FreeBSD system connect
>>> via 802.1x to a wired network? wpa_supplicant seems to insist on
>>> calling 802.11 ioctls and thus fails.
>>> 
>>> I found the open1x project, but did not find it in the ports tree.
>>> This suggests that perhaps there is a native solution after all, yet
>>> I can't seem to find it.
>>> 
>>> Any suggestions?
>> Sam just committed support to /etc/rc.d/wpa_supplicant in head to set the
>> driver to bsd or wired based on the device media type.
>> -- Brooks
> 
> Right; you need to specify -Dwired to get the "wired driver". Note I have
> no way of testing wired supplicant operation so if it works I'd like to
> hear about it.

I backported the latest wpa_supplicant to FreeBSD 6, but with no luck on an HP procurve 2610. What I see is that there seems to be some kind of protocol mismatch. I have no clue if this is due to wpa_supplicant or the procurve being non-compliant.
Here's what happens, packet-wise:

wpa_supplicant sends an EAPOL Start (version 1, type: start)
procurve sends EAP Failure (version 1, type: EAP packet (code: failure, id: 2))
procurve sends EAP Request Identity (version 1, type: EAP packet (code: request, type: identity))

And that's it. wpa_supplicant does not respond. After a timeout, the EAPOL Start packet is sent again.

Here's wpa_supplicant output with -dd:
beck# obj/wpa_supplicant -D wired -dd -c /etc/wpa_supplicant.conf -i bge0
Initializing interface 'bge0' conf '/etc/wpa_supplicant.conf' driver 'wired' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group='wheel' (DEPRECATED)
ap_scan=0
eapol_version=1
fast_reauth=1
Line: 14 - start of a new network block
key_mgmt: 0x1
identity - hexdump_ascii(len=4):
     6f 70 65 72                                       oper
password - hexdump_ascii(len=6): [REMOVED]
eapol_flags=0 (0x0)
Priority group 0
   id=0 ssid=''
Initializing interface (2) 'bge0'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
wpa_driver_wired_init: Added multicast membership with SIOCADDMULTI
Own MAC address: 00:19:b9:58:51:22
Setting scan request: 0 sec 100000 usec
ctrl_interface_group=0 (from group name 'wheel')
Added interface bge0
EAPOL: External notification - portControl=Auto
Already associated with a configured network - generating associated event
Association info event
State: DISCONNECTED -> ASSOCIATED
Associated to a new BSS: BSSID=01:80:c2:00:00:03
No keys have been configured - skip key clearing
Network configuration found for the current AP
WPA: No WPA/RSN IE available from association info
WPA: Set cipher suites based on configuration
WPA: Selected cipher suites: group 30 pairwise 24 key_mgmt 1 proto 2
WPA: clearing AP WPA IE
WPA: clearing AP RSN IE
WPA: using GTK CCMP
WPA: using PTK CCMP
WPA: using KEY_MGMT 802.1X
WPA: Set own WPA IE default - hexdump(len=22): 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 01 00 00
EAPOL: External notification - portControl=Auto
Associated with 01:80:c2:00:00:03
WPA: Association event - clear replay counter
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Cancelling scan request
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL - hexdump(len=4): 01 01 00 00
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL - hexdump(len=4): 01 01 00 00
etc.

wpa_supplicant.conf:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
eapol_version=1
fast_reauth=1
network={
        #key_mgmt=IEEE8021X
        key_mgmt=WPA-EAP
        identity="oper"
        password="xxx"
        eapol_flags=0
}

Note that the key_mgmt value seems to be of no importance to the observed behaviour.

It seems to me that the procurve is somehow not reacting to the EAPOL Start request but immediately enters the EAP phase. I am not sure how to make wpa_supplicant do the same (if at all possible).

-Guido
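As an added example (not from the thread, and not wpa_supplicant's own code), here is a small Python model of the exchange Guido captured: the EAPOL-Start that the -dd log shows as 01 01 00 00, the switch's EAP-Failure and EAP-Request/Identity, and the EAP-Response/Identity carrying the configured identity "oper" that a working supplicant should answer with. The frame bytes are constructed to match the thread's description; the Request's EAP identifier is an assumption, since the thread does not give it.

```python
import struct

EAPOL_EAP_PACKET, EAPOL_START = 0, 1                               # EAPOL packet types (802.1X)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # EAP codes (RFC 3748)
EAP_TYPE_IDENTITY = 1                                              # EAP method type

def build_eapol(ptype, body=b"", version=1):
    # EAPOL header: version, packet type, big-endian body length.
    return struct.pack("!BBH", version, ptype, len(body)) + body

def build_eap(code, eap_id, eap_type=None, data=b""):
    # EAP header: code, identifier, total length; Request/Response add a type byte.
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, eap_id, 4 + len(payload)) + payload

def parse_eapol(frame):
    # Split header from body; reject frames shorter than the length field claims.
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + length:
        raise ValueError("truncated EAPOL body")
    return {"version": version, "type": ptype, "body": frame[4:4 + length]}

def parse_eap(body):
    # Success/Failure carry only the 4-byte header; Request/Response add type+data.
    code, eap_id, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length")
    eap = {"code": code, "id": eap_id, "eap_type": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE) and length > 4:
        eap["eap_type"], eap["data"] = body[4], body[5:length]
    return eap

def supplicant_reply(frame, identity):
    # What the supplicant should transmit for one received EAPOL frame, or None:
    # Request/Identity gets a Response/Identity with the same id; Failure gets nothing.
    pkt = parse_eapol(frame)
    if pkt["type"] != EAPOL_EAP_PACKET:
        return None
    eap = parse_eap(pkt["body"])
    if eap["code"] == EAP_REQUEST and eap["eap_type"] == EAP_TYPE_IDENTITY:
        resp = build_eap(EAP_RESPONSE, eap["id"], EAP_TYPE_IDENTITY, identity.encode())
        return build_eapol(EAPOL_EAP_PACKET, resp)
    return None

# Constructed frames mirroring the thread: EAP-Failure with id 2, then a
# Request/Identity (its identifier is not given in the thread; 3 is assumed).
SWITCH_FRAMES = [
    build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_FAILURE, 2)),
    build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, 3, EAP_TYPE_IDENTITY)),
]
```

Decoding a captured EAPOL frame with parse_eapol and parse_eap is the quick way to confirm which of the switch's frames a silent supplicant is failing to answer.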

Re: 802.1x for wired networks
Netherlands | 2008-04-09 15:38:40
On Wed, Apr 09, 2008 at 09:58:31PM +0200, Guido van Rooij wrote:
> 
> wpa_supplicant sends an EAPOL Start (version 1, type: start)
> procurve sends EAP Failure (version 1, type: EAP packet (code: failure, id: 2))
> procurve sends EAP Request Identity (version 1, type: EAP packet (code: request, type: identity))
> 
> And that's it. wpa_supplicant does not respond. After a timeout, the
> EAPOL Start packet is sent again.

After some research, it seems that wpa_supplicant is indeed supposed to react to the Request Identity with a Response Identity. It does not, however. I verified that the multicast address used by the switch is the correct one. On the other hand, it seems that the Request Identity is not received.
I tried debugging and it seems that indeed nothing is received (I assume that reception of packets is handled in eloop.c:eloop_run(), and I see no calling of eloop_sock_table_dispatch() there).

Right now, I can't find the place where a socket is created from which to read the multicast frames.

-Guido

Re: 802.1x for wired networks
Netherlands | 2008-04-10 05:03:14
On Wed, Apr 09, 2008 at 01:43:07PM -0700, Sam Leffler wrote:
> 
> I believe it's done w/ bpf and the important change for wired support was
> to accept mcast frames from the PAE mcast address. Like I said to you
> privately; you might try this on releng7 where it was tested by someone.

I debugged further and it turns out that my backporting did not include the updated l2_packet.c in the usr.sbin/wpa directory. After updating that file, everything works as expected.

-Guido
