Date:      Wed, 9 Apr 2008 21:58:31 +0200
From:      Guido van Rooij <guido@gvr.org>
To:        Sam Leffler <sam@freebsd.org>
Cc:        freebsd-net@freebsd.org, Brooks Davis <brooks@freebsd.org>
Subject:   Re: 802.1x for wired networks
Message-ID:  <20080409195831.GA79835@gvr.gvr.org>
In-Reply-To: <47FCEA99.4050000@freebsd.org>
References:  <20080409130531.GA73375@gvr.gvr.org> <20080409141324.GA43689@lor.one-eyed-alien.net> <47FCEA99.4050000@freebsd.org>

On Wed, Apr 09, 2008 at 09:11:05AM -0700, Sam Leffler wrote:
> Brooks Davis wrote:
>> On Wed, Apr 09, 2008 at 03:05:31PM +0200, Guido van Rooij wrote:
>>> What is the best way to be able to have a FreeBSD system connect
>>> via 802.1x to a wired network?  wpa_supplicant seems to insist on
>>> calling 80211 ioctl's and thus fails.
>>> 
>>> I found the open1x project, but did not find it in the ports tree.
>>> This suggests that perhaps there is a native solution after all, yet
>>> I can't seem to find it.
>>> 
>>> Any suggestions?
>> Sam just committed support to /etc/rc.d/wpa_supplicant in head to set the
>> driver to bsd or wired based on the device media type.
>> -- Brooks
> 
> Right; you need to specify -Dwired to get the "wired driver".  Note I have 
> no way of testing wired supplicant operation so if it works I'd like to 
> hear about it.

I backported the latest wpa_supplicant to FreeBSD 6 but with no luck on a
HP procurve 2610. What I see is that there seems to be some
kind of protocol mismatch. I have no clue if this is due to wpa_supplicant or
the procurve being non-compliant.
Here's what happens, packet-wise:

wpa_supplicant sends an EAPOL start (version 1, type start)
procurve sends EAP failure (version 1, type: eap packet (code failure, id: 2))
procurve sends EAP request identify (version 1, type: eap packet (code: request,
type: identify))

And that's it. wpa_supplicant does not respond. After a timeout, the
start eapol packet is sent again.

Here's wpa_supplicant output with -dd:
beck# obj/wpa_supplicant -D wired -dd -c /etc/wpa_supplicant.conf -i bge0
Initializing interface 'bge0' conf '/etc/wpa_supplicant.conf' driver 'wired' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group='wheel' (DEPRECATED)
ap_scan=0
eapol_version=1
fast_reauth=1
Line: 14 - start of a new network block
key_mgmt: 0x1
identity - hexdump_ascii(len=4):
     6f 70 65 72                                       oper            
password - hexdump_ascii(len=6): [REMOVED]
eapol_flags=0 (0x0)
Priority group 0
   id=0 ssid=''
Initializing interface (2) 'bge0'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
wpa_driver_wired_init: Added multicast membership with SIOCADDMULTI
Own MAC address: 00:19:b9:58:51:22
Setting scan request: 0 sec 100000 usec
ctrl_interface_group=0 (from group name 'wheel')
Added interface bge0
EAPOL: External notification - portControl=Auto
Already associated with a configured network - generating associated event
Association info event
State: DISCONNECTED -> ASSOCIATED
Associated to a new BSS: BSSID=01:80:c2:00:00:03
No keys have been configured - skip key clearing
Network configuration found for the current AP
WPA: No WPA/RSN IE available from association info
WPA: Set cipher suites based on configuration
WPA: Selected cipher suites: group 30 pairwise 24 key_mgmt 1 proto 2
WPA: clearing AP WPA IE
WPA: clearing AP RSN IE
WPA: using GTK CCMP
WPA: using PTK CCMP
WPA: using KEY_MGMT 802.1X
WPA: Set own WPA IE default - hexdump(len=22): 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 01 00 00
EAPOL: External notification - portControl=Auto
Associated with 01:80:c2:00:00:03
WPA: Association event - clear replay counter
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Cancelling scan request
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL - hexdump(len=4): 01 01 00 00
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL - hexdump(len=4): 01 01 00 00
etc.

wpa_supplicant.conf:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
eapol_version=1
fast_reauth=1
network={
        #key_mgmt=IEEE8021X
        key_mgmt=WPA-EAP
        identity="oper"
        password="xxx"
        eapol_flags=0
}

Note that the key_mgmt value seems of no importance to the observed
behaviour.

It seems to me like the procurve is somehow not reacting to the EAPOL start
request but immediately enters the EAP phase. I am not sure how to
make wpa_supplicant do the same (if at all possible).

-Guido
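
A decoder for the three frames in the exchange described in the message above, plus the EAP-Response/Identity a supplicant would normally send back. This is an added example, not part of the original post and not wpa_supplicant code. The function names are hypothetical, the two switch frames are constructed from the description, and the Request's id of 3 is an assumption; only the Start frame bytes and the identity "oper" come from the log.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "Start", 2: "Logoff", 3: "Key", 4: "ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}

def decode_eapol(frame: bytes) -> dict:
    """Decode an EAPOL PDU (the bytes following EtherType 0x888e)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]          # bytes past `length` are Ethernet padding
    if len(body) < length:
        raise ValueError("EAPOL body shorter than its length field")
    out = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype != 0:                      # Start/Logoff carry no EAP packet
        return out
    if length < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > length:
        raise ValueError("EAP length inconsistent with EAPOL length")
    out.update(code=EAP_CODES.get(code, f"unknown({code})"), id=ident)
    if code in (1, 2):                  # only Request/Response have a type octet
        if eap_len < 5:
            raise ValueError("Request/Response without a type octet")
        out["eap_type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
        out["data"] = body[5:eap_len]
    return out

def identity_response(request: dict, identity: bytes, version: int = 1) -> bytes:
    """Build the EAP-Response/Identity that answers a decoded Request/Identity."""
    if request.get("code") != "Request" or request.get("eap_type") != "Identity":
        raise ValueError("not an EAP-Request/Identity")
    eap = struct.pack("!BBHB", 2, request["id"], 5 + len(identity), 1) + identity
    return struct.pack("!BBH", version, 0, len(eap)) + eap

# START is the TX hexdump from the log; the two switch frames are constructed
# from the description (the Request's id 3 is an assumption).
START = bytes.fromhex("01010000")
FAILURE = bytes.fromhex("0100000404020004") + bytes(38)   # padded to frame minimum
REQ_ID = bytes.fromhex("010000050103000501")

if __name__ == "__main__":
    for f in (START, FAILURE, REQ_ID):
        print(decode_eapol(f))
    print(identity_response(decode_eapol(REQ_ID), b"oper").hex())
```

Comparing a capture against this decoding shows whether the switch's Request/Identity is well-formed and whether a response with the matching id ever leaves the host.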


