Re: [Madwifi-users] Making an Access Point (Encription Problem)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

>
>
> > Anyone can help me?
>
> Yes, you could help yourself. You did a great start with a very detailed
> report about the AP setup, but failed to continue this level of
> verbosity when it comes to the interesting part. Means: please let us
> know what steps you took in order to make the client connecting to the
> AP, and what error messages you saw (if any). In addition, a detailed
> description of the client configuration could be helpful.
>
> Bye, Mike

Ok,
I tried to connect with a notebook (S.O. Windows Xp Sp2).
When i connect windows ask me the Password i write it and connect, but
when i try to ping an host (also the AP) doesn't work.

I have tried also this configuration ::

####################################
 i have an Atheros Card

         Codice:

 0000:00:13.0 Ethernet controller: Atheros Communications, Inc. AR5212
802.11abg NIC (rev 01)

 First To test it, i have configured my AP with NO ENCRYPTION and it
works fine.

         Codice:

 iwconfig ath0 mode master
 iwconfig ath0 essid EpiaLinux
 iwpriv ath0 mode 0
 brctl addbr br0
 brctl addif br0 ath0
 brctl addif br0 eth1
 ifconfig ath0 0.0.0.0
 ifconfig eth1 0.0.0.0
 ifconfig br0 192.168.1.130

 When i try to connect it from linux or windows (client) i haven't any
problem it works!!!
 Now i want to make my AP more secure (WPA Enc), so i have build
hostapd with this .config

         Codice:

 # Driver interface for Host AP driver
 CONFIG_DRIVER_HOSTAP=3Dy

 # Driver interface for wired authenticator
 #CONFIG_DRIVER_WIRED=3Dy

 # Driver interface for madwifi driver
 CONFIG_DRIVER_MADWIFI=3Dy
 CFLAGS +=3D -I /home/madwifi-ng
 # change to reflect local setup; directory for madwifi src

 # Driver interface for Prism54 driver
 #CONFIG_DRIVER_PRISM54=3Dy

 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
 #CONFIG_DRIVER_BSD=3Dy
 #CFLAGS +=3D -I/usr/local/include
 #LIBS +=3D -L/usr/local/lib

 # IEEE 802.11F/IAPP
 CONFIG_IAPP=3Dy

 # WPA2/IEEE 802.11i RSN pre-authentication
 CONFIG_RSN_PREAUTH=3Dy

 # Integrated EAP server
 CONFIG_EAP=3Dy

 # EAP-MD5 for the integrated EAP server
 CONFIG_EAP_MD5=3Dy

 # EAP-TLS for the integrated EAP server
 CONFIG_EAP_TLS=3Dy

 # EAP-MSCHAPv2 for the integrated EAP server
 CONFIG_EAP_MSCHAPV2=3Dy

 # EAP-PEAP for the integrated EAP server
 CONFIG_EAP_PEAP=3Dy

 # EAP-GTC for the integrated EAP server
 CONFIG_EAP_GTC=3Dy

 # EAP-TTLS for the integrated EAP server
 CONFIG_EAP_TTLS=3Dy

 # EAP-SIM for the integrated EAP server
 #CONFIG_EAP_SIM=3Dy

 # EAP-PAX for the integrated EAP server
 #CONFIG_EAP_PAX=3Dy

 # EAP-PSK for the integrated EAP server
 #CONFIG_EAP_PSK=3Dy

 # PKCS#12 (PFX) support (used to read private key and certificate file fro=
m
 # a file that usually has extension .p12 or .pfx)
 CONFIG_PKCS12=3Dy

 # RADIUS authentication server. This provides access to the integrated EAP
 # server from external hosts using RADIUS.
 #CONFIG_RADIUS_SERVER=3Dy

 # Build IPv6 support for RADIUS operations
 CONFIG_IPV6=3Dy

 i have build it, next i configured it: hostap.conf

         Codice:

 ##### hostapd configuration file
##############################################
 # Empty lines and lines starting with # are ignored

 # AP netdevice name (without 'ap' prefix, i.e., wlan0 uses wlan0ap for
 # management frames)
 interface=3Dath0

 # Driver interface type (hostap/wired/madwifi/prism54; default: hostap)
 driver=3Dmadwifi

 # hostapd event logger configuration
 #
 # Two output method: syslog and stdout (only usable if not forking to
 # background).
 #
 # Module bitfield (ORed bitfield of modules that will be logged; -1 =3D al=
l
 # modules):
 # bit 0 (1) =3D IEEE 802.11
 # bit 1 (2) =3D IEEE 802.1X
 # bit 2 (4) =3D RADIUS
 # bit 3 (8) =3D WPA
 # bit 4 (16) =3D driver interface
 # bit 5 (32) =3D IAPP
 #
 # Levels (minimum value for logged events):
 #  0 =3D verbose debugging
 #  1 =3D debugging
 #  2 =3D informational messages
 #  3 =3D notification
 #  4 =3D warning
 #
 logger_syslog=3D8
 logger_syslog_level=3D2
 logger_stdout=3D-1
 logger_stdout_level=3D2

 # Debugging: 0 =3D no, 1 =3D minimal, 2 =3D verbose, 3 =3D msg dumps, 4 =
=3D excessive
 debug=3D0

 # Dump file for state information (on SIGUSR1)
 dump_file=3D/tmp/hostapd.dump

 # Interface for separate control program. If this is specified, wpa_suppli=
cant
 # will create this directory and a UNIX domain socket for listening
to requests
 # from external programs (CLI/GUI, etc.) for status information and
 # configuration. The socket file will be named based on the interface name=
, so
 # multiple hostapd processes/interfaces can be run at the same time if mor=
e
 # than one interface is used.
 # /var/run/hostapd is the recommended directory for sockets and by default=
,
 # hostapd_cli will use it when trying to connect with hostapd.
 ctrl_interface=3D/var/run/hostapd

 # Access control for the control interface can be configured by setting th=
e
 # directory to allow only members of a group to use sockets. This way, it =
is
 # possible to run wpa_supplicant as root (since it needs to change network
 # configuration and open raw sockets) and still allow GUI/CLI components t=
o be
 # run as non-root users. However, since the control interface can be used =
to
 # change the network configuration, this access needs to be protected in m=
any
 # cases. By default, wpa_supplicant is configured to use gid 0 (root). If =
you
 # want to allow non-root users to use the contron interface, add a new gro=
up
 # and change this value to match with that group. Add users that should ha=
ve
 # control interface access to this group.
 #
 # This variable can be a group name or gid.
 ctrl_interface_group=3Dwheel
 #ctrl_interface_group=3D0

 ##### IEEE 802.11 related configuration
#######################################

 # SSID to be used in IEEE 802.11 management frames
 ssid=3Dgunhead

 # Station MAC address -based authentication
 # 0 =3D accept unless in deny list
 # 1 =3D deny unless in accept list
 # 2 =3D use external RADIUS server (accept/deny lists are searched first)
 macaddr_acl=3D0

 # Accept/deny lists are read from separate files (containing list of
 # MAC addresses, one per line). Use absolute path name to make sure that t=
he
 # files can be read on SIGHUP configuration reloads.
 #accept_mac_file=3D/etc/hostapd/hostapd.accept
 deny_mac_file=3D/etc/hostapd/hostapd.deny

 # IEEE 802.11 specifies two authentication algorithms. hostapd can be
 # configured to allow both of these or only one. Open system authenticatio=
n
 # should be used with IEEE 802.1X.
 # Bit fields of allowed authentication algorithms:
 # bit 0 =3D Open System Authentication
 # bit 1 =3D Shared Key Authentication (requires WEP)
 auth_algs=3D1

 # Associate as a station to another AP while still acting as an AP on the =
same
 # channel.
 #assoc_ap_addr=3D00:12:34:56:78:9a

 ##### IEEE 802.1X (and IEEE 802.1aa/D4) related configuration
#################

 # Require IEEE 802.1X authorization
 ieee8021x=3D0

 # Use integrated EAP authenticator instead of external RADIUS authenticati=
on
 # server
 eap_authenticator=3D0

 # Path for EAP authenticator user database
 #eap_user_file=3D/etc/hostapd.eap_user

 # CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
 #ca_cert=3D/etc/hostapd.ca.pem

 # Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
 #server_cert=3D/etc/hostapd.server.pem

 # Private key matching with the server certificate for EAP-TLS/PEAP/TTLS
 # This may point to the same file as server_cert if both certificate and k=
ey
 # are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also b=
e
 # used by commenting out server_cert and specifying the PFX file as the
 # private_key.
 #private_key=3D/etc/hostapd.server.prv

 # Passphrase for private key
 #private_key_passwd=3Dsecret passphrase

 # Configuration data for EAP-SIM database/authentication gateway interface=
.
 # This is a text string in implementation specific format. The example
 # implementation in eap_sim_db.c uses this as the file name for the GSM
 # authentication triplets.
 #eap_sim_db=3D/etc/hostapd.sim_db

 # Optional displayable message sent with EAP Request-Identity
 #eap_message=3Dhello

 # WEP rekeying (disabled if key lengths are not set or are set to 0)
 # Key lengths for default/broadcast and individual/unicast keys:
 # 5 =3D 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
 # 13 =3D 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
 #wep_key_len_broadcast=3D5
 #wep_key_len_unicast=3D5
 # Rekeying period in seconds. 0 =3D do not rekey (i.e., set keys only once=
)
 #wep_rekey_period=3D300

 # EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only =
if
 # only broadcast keys are used)
 eapol_key_index_workaround=3D128

 # EAP reauthentication period in seconds (default: 3600 seconds; 0 =3D dis=
able
 # reauthentication).
 #eap_reauth_period=3D3600

 ##### IEEE 802.11f - Inter-Access Point Protocol (IAPP)
#######################

 # Interface to be used for IAPP broadcast packets
 #iapp_interface=3Deth0

 ##### RADIUS configuration
####################################################
 # for IEEE 802.1X with external Authentication Server, IEEE 802.11
 # authentication with external ACL for MAC addresses, and accounting

 # The own IP address of the access point (used as NAS-IP-Address)
 #own_ip_addr=3D127.0.0.1

 # Optional NAS-Identifier string for RADIUS messages. When used, this
should be
 # a unique to the NAS within the scope of the RADIUS server. For example, =
a
 # fully qualified domain name can be used here.
 #nas_identifier=3Dap.example.com

 # RADIUS authentication server
 #auth_server_addr=3D127.0.0.1
 #auth_server_port=3D1812
 #auth_server_shared_secret=3Dsecret

 # RADIUS accounting server
 #acct_server_addr=3D127.0.0.1
 #acct_server_port=3D1813
 #acct_server_shared_secret=3Dsecret

 # Secondary RADIUS servers; to be used if primary one does not reply to
 # RADIUS packets. These are optional and there can be more than one second=
ary
 # server listed.
 #auth_server_addr=3D127.0.0.2
 #auth_server_port=3D1812
 #auth_server_shared_secret=3Dsecret2
 #
 #acct_server_addr=3D127.0.0.2
 #acct_server_port=3D1813
 #acct_server_shared_secret=3Dsecret2

 # Retry interval for trying to return to the primary RADIUS server (in
 # seconds). RADIUS client code will automatically try to use the next serv=
er
 # when the current server is not replying to requests. If this
interval is set,
 # primary server will be retried after configured amount of time even if t=
he
 # currently used secondary server is still working.
 #radius_retry_primary_interval=3D600

 # Interim accounting update interval
 # If this is set (larger than 0) and acct_server is configured, hostapd wi=
ll
 # send interim accounting updates every N seconds. Note: if set, this
overrides
 # possible Acct-Interim-Interval attribute in Access-Accept message.
Thus, this
 # value should not be configured in hostapd.conf, if RADIUS server is used=
 to
 # control the interim interval.
 # This value should not be less 600 (10 minutes) and must not be less than
 # 60 (1 minute).
 #radius_acct_interim_interval=3D600

 # hostapd can be used as a RADIUS authentication server for other hosts. T=
his
 # requires that the integrated EAP authenticator is also enabled and both
 # authentication services are sharing the same configuration.

 # File name of the RADIUS clients configuration for the RADIUS server. If =
this
 # commented out, RADIUS server is disabled.
 #radius_server_clients=3D/etc/hostapd.radius_clients

 # The UDP port number for the RADIUS authentication server
 #radius_server_auth_port=3D1812

 ##### WPA/IEEE 802.11i configuration
##########################################

 # Enable WPA. Setting this variable configures the AP to require WPA (eith=
er
 # WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, ei=
ther
 # wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-=
PSK.
 # For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys)=
,
 # RADIUS authentication server must be configured, and WPA-EAP must
be included
 # in wpa_key_mgmt.
 # This field is a bit field that can be used to enable WPA (IEEE 802.11i/D=
3.0)
 # and/or WPA2 (full IEEE 802.11i/RSN):
 # bit0 =3D WPA
 # bit1 =3D IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
 wpa=3D1

 # WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
 # secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
 # (8..63 characters) that will be converted to PSK. This conversion uses S=
SID
 # so the PSK changes when ASCII passphrase is used and the SSID is changed=
.
 # wpa_psk (dot11RSNAConfigPSKValue)
 # wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
 #wpa_psk=3D
 wpa_passphrase=3Dsecret_passphrase

 # Optionally, WPA PSKs can be read from a separate text file (containing l=
ist
 # of (PSK,MAC address) pairs. This allows more than one PSK to be configur=
ed.
 # Use absolute path name to make sure that the files can be read on SIGHUP
 # configuration reloads.
 #wpa_psk_file=3D/etc/hostapd.wpa_psk

 # Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). T=
he
 # entries are separated with a space.
 # (dot11RSNAConfigAuthenticationSuitesTable)
 wpa_key_mgmt=3DWPA-PSK

 # Set of accepted cipher suites (encryption algorithms) for pairwise keys
 # (unicast packets). This is a space separated list of algorithms:
 # CCMP =3D AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
 # TKIP =3D Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
 # Group cipher suite (encryption algorithm for broadcast and multicast fra=
mes)
 # is automatically selected based on this configuration. If only CCMP is
 # allowed as the pairwise cipher, group cipher will also be CCMP. Otherwis=
e,
 # TKIP will be used as the group cipher.
 # (dot11RSNAConfigPairwiseCiphersTable)
 wpa_pairwise=3DTKIP

 # Time interval for rekeying GTK (broadcast/multicast encryption keys) in
 # seconds. (dot11RSNAConfigGroupRekeyTime)
 wpa_group_rekey=3D180

 # Rekey GTK when any STA that possesses the current GTK is leaving the BSS=
.
 # (dot11RSNAConfigGroupRekeyStrict)
 wpa_strict_rekey=3D0

 # Time interval for rekeying GMK (master key used internally to generate G=
TKs
 # (in seconds).
 wpa_gmk_rekey=3D1800

 # Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed u=
p
 # roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
 # authentication and key handshake before actually associating with a new =
AP.
 # (dot11RSNAPreauthenticationEnabled)
 #rsn_preauth=3D1
 #
 # Space separated list of interfaces from which pre-authentication frames =
are
 # accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all
 # interface that are used for connections to other APs. This could include
 # wired interfaces and WDS links. The normal wireless data interface towar=
ds
 # associated stations (e.g., wlan0) should not be added, since
 # pre-authentication is only used with APs other than the currently associ=
ated
 # one.
 #rsn_preauth_interfaces=3Deth0

 then i started it:

         Codice:

 ./hostapd -B /root/hostup
 Configuration file: /root/hostup
 Using interface ath0 with hwaddr 00:90:96:9b:e8:e6 and ssid 'gunhead'
 Flushing old station entries
 Deauthenticate all stations

next i tried from a windows client to connect, windows ask the
password i inserted it and it reply "Connected" but when i try to ping
192.168.1.130 (AP ip)and it doesn't ping.
next i tried to insert a Fake (wrong) password and the notebook
connect but i have the same problem (no ping).

Thanks