Re: [Madwifi-users] Making an Access Point (Encryption Problem)
From: MaTz! <ma...@gm...> - 2005-12-27 15:14:50
>
> > > Anyone can help me?
>
> Yes, you could help yourself. You did a great start with a very detailed
> report about the AP setup, but failed to continue this level of
> verbosity when it comes to the interesting part. Means: please let us
> know what steps you took in order to make the client connect to the
> AP, and what error messages you saw (if any). In addition, a detailed
> description of the client configuration could be helpful.
>
> Bye, Mike

Ok, I tried to connect with a notebook (OS: Windows XP SP2). When I connect,
Windows asks me for the password; I type it and connect, but when I try to
ping a host (also the AP) it doesn't work.

I have also tried this configuration:

####################################

I have an Atheros card:

Code:
0000:00:13.0 Ethernet controller: Atheros Communications, Inc. AR5212 802.11abg NIC (rev 01)

First, to test it, I configured my AP with NO ENCRYPTION and it works fine.

Code:
iwconfig ath0 mode master
iwconfig ath0 essid EpiaLinux
iwpriv ath0 mode 0
brctl addbr br0
brctl addif br0 ath0
brctl addif br0 eth1
ifconfig ath0 0.0.0.0
ifconfig eth1 0.0.0.0
ifconfig br0 192.168.1.130

When I try to connect to it from a Linux or Windows client I don't have any
problem, it works!!!

Now I want to make my AP more secure (WPA encryption), so I have built
hostapd with this .config:

Code:
# Driver interface for Host AP driver
CONFIG_DRIVER_HOSTAP=y

# Driver interface for wired authenticator
#CONFIG_DRIVER_WIRED=y

# Driver interface for madwifi driver
CONFIG_DRIVER_MADWIFI=y
CFLAGS += -I /home/madwifi-ng # change to reflect local setup; directory for madwifi src

# Driver interface for Prism54 driver
#CONFIG_DRIVER_PRISM54=y

# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
#CONFIG_DRIVER_BSD=y
#CFLAGS += -I/usr/local/include
#LIBS += -L/usr/local/lib

# IEEE 802.11F/IAPP
CONFIG_IAPP=y

# WPA2/IEEE 802.11i RSN pre-authentication
CONFIG_RSN_PREAUTH=y

# Integrated EAP server
CONFIG_EAP=y

# EAP-MD5 for the integrated EAP server
CONFIG_EAP_MD5=y

# EAP-TLS for the integrated EAP server
CONFIG_EAP_TLS=y

# EAP-MSCHAPv2 for the integrated EAP server
CONFIG_EAP_MSCHAPV2=y

# EAP-PEAP for the integrated EAP server
CONFIG_EAP_PEAP=y

# EAP-GTC for the integrated EAP server
CONFIG_EAP_GTC=y

# EAP-TTLS for the integrated EAP server
CONFIG_EAP_TTLS=y

# EAP-SIM for the integrated EAP server
#CONFIG_EAP_SIM=y

# EAP-PAX for the integrated EAP server
#CONFIG_EAP_PAX=y

# EAP-PSK for the integrated EAP server
#CONFIG_EAP_PSK=y

# PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y

# RADIUS authentication server. This provides access to the integrated EAP
# server from external hosts using RADIUS.
#CONFIG_RADIUS_SERVER=y

# Build IPv6 support for RADIUS operations
CONFIG_IPV6=y

I built it, then I configured it: hostap.conf

Code:
##### hostapd configuration file ##############################################
# Empty lines and lines starting with # are ignored

# AP netdevice name (without 'ap' prefix, i.e., wlan0 uses wlan0ap for
# management frames)
interface=ath0

# Driver interface type (hostap/wired/madwifi/prism54; default: hostap)
driver=madwifi

# hostapd event logger configuration
#
# Two output method: syslog and stdout (only usable if not forking to
# background).
#
# Module bitfield (ORed bitfield of modules that will be logged; -1 = all
# modules):
# bit 0 (1) = IEEE 802.11
# bit 1 (2) = IEEE 802.1X
# bit 2 (4) = RADIUS
# bit 3 (8) = WPA
# bit 4 (16) = driver interface
# bit 5 (32) = IAPP
#
# Levels (minimum value for logged events):
#  0 = verbose debugging
#  1 = debugging
#  2 = informational messages
#  3 = notification
#  4 = warning
#
logger_syslog=8
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2

# Debugging: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 = excessive
debug=0

# Dump file for state information (on SIGUSR1)
dump_file=/tmp/hostapd.dump

# Interface for separate control program. If this is specified, wpa_supplicant
# will create this directory and a UNIX domain socket for listening to requests
# from external programs (CLI/GUI, etc.) for status information and
# configuration. The socket file will be named based on the interface name, so
# multiple hostapd processes/interfaces can be run at the same time if more
# than one interface is used.
# /var/run/hostapd is the recommended directory for sockets and by default,
# hostapd_cli will use it when trying to connect with hostapd.
ctrl_interface=/var/run/hostapd

# Access control for the control interface can be configured by setting the
# directory to allow only members of a group to use sockets. This way, it is
# possible to run wpa_supplicant as root (since it needs to change network
# configuration and open raw sockets) and still allow GUI/CLI components to be
# run as non-root users. However, since the control interface can be used to
# change the network configuration, this access needs to be protected in many
# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
# want to allow non-root users to use the control interface, add a new group
# and change this value to match with that group. Add users that should have
# control interface access to this group.
#
# This variable can be a group name or gid.
ctrl_interface_group=wheel
#ctrl_interface_group=0

##### IEEE 802.11 related configuration #######################################

# SSID to be used in IEEE 802.11 management frames
ssid=gunhead

# Station MAC address -based authentication
# 0 = accept unless in deny list
# 1 = deny unless in accept list
# 2 = use external RADIUS server (accept/deny lists are searched first)
macaddr_acl=0
# Accept/deny lists are read from separate files (containing list of
# MAC addresses, one per line). Use absolute path name to make sure that the
# files can be read on SIGHUP configuration reloads.
#accept_mac_file=/etc/hostapd/hostapd.accept
deny_mac_file=/etc/hostapd/hostapd.deny

# IEEE 802.11 specifies two authentication algorithms. hostapd can be
# configured to allow both of these or only one. Open system authentication
# should be used with IEEE 802.1X.
# Bit fields of allowed authentication algorithms:
# bit 0 = Open System Authentication
# bit 1 = Shared Key Authentication (requires WEP)
auth_algs=1

# Associate as a station to another AP while still acting as an AP on the same
# channel.
#assoc_ap_addr=00:12:34:56:78:9a

##### IEEE 802.1X (and IEEE 802.1aa/D4) related configuration #################

# Require IEEE 802.1X authorization
ieee8021x=0

# Use integrated EAP authenticator instead of external RADIUS authentication
# server
eap_authenticator=0

# Path for EAP authenticator user database
#eap_user_file=/etc/hostapd.eap_user

# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
#ca_cert=/etc/hostapd.ca.pem

# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
#server_cert=/etc/hostapd.server.pem

# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS
# This may point to the same file as server_cert if both certificate and key
# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be
# used by commenting out server_cert and specifying the PFX file as the
# private_key.
#private_key=/etc/hostapd.server.prv

# Passphrase for private key
#private_key_passwd=secret passphrase

# Configuration data for EAP-SIM database/authentication gateway interface.
# This is a text string in implementation specific format. The example
# implementation in eap_sim_db.c uses this as the file name for the GSM
# authentication triplets.
#eap_sim_db=/etc/hostapd.sim_db

# Optional displayable message sent with EAP Request-Identity
#eap_message=hello

# WEP rekeying (disabled if key lengths are not set or are set to 0)
# Key lengths for default/broadcast and individual/unicast keys:
# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
#wep_key_len_broadcast=5
#wep_key_len_unicast=5
# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)
#wep_rekey_period=300

# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
# only broadcast keys are used)
eapol_key_index_workaround=128

# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable
# reauthentication).
#eap_reauth_period=3600

##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################

# Interface to be used for IAPP broadcast packets
#iapp_interface=eth0

##### RADIUS configuration ####################################################
# for IEEE 802.1X with external Authentication Server, IEEE 802.11
# authentication with external ACL for MAC addresses, and accounting

# The own IP address of the access point (used as NAS-IP-Address)
#own_ip_addr=127.0.0.1

# Optional NAS-Identifier string for RADIUS messages. When used, this should be
# a unique to the NAS within the scope of the RADIUS server. For example, a
# fully qualified domain name can be used here.
#nas_identifier=ap.example.com

# RADIUS authentication server
#auth_server_addr=127.0.0.1
#auth_server_port=1812
#auth_server_shared_secret=secret

# RADIUS accounting server
#acct_server_addr=127.0.0.1
#acct_server_port=1813
#acct_server_shared_secret=secret

# Secondary RADIUS servers; to be used if primary one does not reply to
# RADIUS packets. These are optional and there can be more than one secondary
# server listed.
#auth_server_addr=127.0.0.2
#auth_server_port=1812
#auth_server_shared_secret=secret2
#
#acct_server_addr=127.0.0.2
#acct_server_port=1813
#acct_server_shared_secret=secret2

# Retry interval for trying to return to the primary RADIUS server (in
# seconds). RADIUS client code will automatically try to use the next server
# when the current server is not replying to requests. If this interval is set,
# primary server will be retried after configured amount of time even if the
# currently used secondary server is still working.
#radius_retry_primary_interval=600

# Interim accounting update interval
# If this is set (larger than 0) and acct_server is configured, hostapd will
# send interim accounting updates every N seconds. Note: if set, this overrides
# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this
# value should not be configured in hostapd.conf, if RADIUS server is used to
# control the interim interval.
# This value should not be less 600 (10 minutes) and must not be less than
# 60 (1 minute).
#radius_acct_interim_interval=600

# hostapd can be used as a RADIUS authentication server for other hosts. This
# requires that the integrated EAP authenticator is also enabled and both
# authentication services are sharing the same configuration.

# File name of the RADIUS clients configuration for the RADIUS server. If this
# commented out, RADIUS server is disabled.
#radius_server_clients=/etc/hostapd.radius_clients

# The UDP port number for the RADIUS authentication server
#radius_server_auth_port=1812

##### WPA/IEEE 802.11i configuration ##########################################

# Enable WPA. Setting this variable configures the AP to require WPA (either
# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
# RADIUS authentication server must be configured, and WPA-EAP must be included
# in wpa_key_mgmt.
# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
# and/or WPA2 (full IEEE 802.11i/RSN):
# bit0 = WPA
# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
wpa=1

# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
# (8..63 characters) that will be converted to PSK. This conversion uses SSID
# so the PSK changes when ASCII passphrase is used and the SSID is changed.
# wpa_psk (dot11RSNAConfigPSKValue)
# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
#wpa_psk=
wpa_passphrase=secret_passphrase

# Optionally, WPA PSKs can be read from a separate text file (containing list
# of (PSK,MAC address) pairs. This allows more than one PSK to be configured.
# Use absolute path name to make sure that the files can be read on SIGHUP
# configuration reloads.
#wpa_psk_file=/etc/hostapd.wpa_psk

# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
# entries are separated with a space.
# (dot11RSNAConfigAuthenticationSuitesTable)
wpa_key_mgmt=WPA-PSK

# Set of accepted cipher suites (encryption algorithms) for pairwise keys
# (unicast packets). This is a space separated list of algorithms:
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# Group cipher suite (encryption algorithm for broadcast and multicast frames)
# is automatically selected based on this configuration. If only CCMP is
# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
# TKIP will be used as the group cipher.
# (dot11RSNAConfigPairwiseCiphersTable)
wpa_pairwise=TKIP

# Time interval for rekeying GTK (broadcast/multicast encryption keys) in
# seconds. (dot11RSNAConfigGroupRekeyTime)
wpa_group_rekey=180

# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
# (dot11RSNAConfigGroupRekeyStrict)
wpa_strict_rekey=0

# Time interval for rekeying GMK (master key used internally to generate GTKs
# (in seconds).
wpa_gmk_rekey=1800

# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
# authentication and key handshake before actually associating with a new AP.
# (dot11RSNAPreauthenticationEnabled)
#rsn_preauth=1
#
# Space separated list of interfaces from which pre-authentication frames are
# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all
# interface that are used for connections to other APs. This could include
# wired interfaces and WDS links. The normal wireless data interface towards
# associated stations (e.g., wlan0) should not be added, since
# pre-authentication is only used with APs other than the currently associated
# one.
#rsn_preauth_interfaces=eth0

Then I started it:

Code:
./hostapd -B /root/hostup
Configuration file: /root/hostup
Using interface ath0 with hwaddr 00:90:96:9b:e8:e6 and ssid 'gunhead'
Flushing old station entries
Deauthenticate all stations

Next I tried to connect from a Windows client: Windows asks for the password,
I entered it and it replied "Connected", but when I try to ping 192.168.1.130
(the AP's IP) it doesn't ping. Next I tried to enter a fake (wrong) password
and the notebook connects, but I have the same problem (no ping).

Thanks
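The WPA section of the hostapd.conf quoted in this message says that `wpa_passphrase` is converted to a 256-bit PSK using the SSID as input, so the key changes whenever `ssid=` changes. The following Python script is an added example, not code from the post, from hostapd or from madwifi: it performs that conversion (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes, as specified in IEEE 802.11i Annex H, checked against the published "password"/"IEEE" test vector), reads a hostapd-style key=value file, and reports whether the `wpa`, `wpa_key_mgmt`, `wpa_psk`/`wpa_passphrase` and `wpa_pairwise` settings form a usable WPA-PSK configuration. The `SAMPLE_CONF` text is constructed here from the values shown in the post (`secret_passphrase` is the placeholder the post itself uses); the function names and the finding messages are this example's own.

```python
"""WPA-PSK derivation plus a consistency check of a hostapd.conf WPA section.

Added example (not hostapd's own code). Key names follow hostapd.conf as quoted
in the post; the finding texts and function names are this script's own.
"""
import hashlib

PBKDF2_ITERATIONS = 4096   # IEEE 802.11i Annex H: PBKDF2-HMAC-SHA1, 4096 rounds
PSK_LEN = 32               # 256-bit PSK, printed as 64 hex digits (wpa_psk=)

# Constructed excerpt mirroring the post's hostapd.conf (not the full file).
SAMPLE_CONF = """
interface=ath0
driver=madwifi
ssid=gunhead
wpa=1
#wpa_psk=
wpa_passphrase=secret_passphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
"""


def derive_psk(passphrase: str, ssid: str) -> str:
    """Return the 64-hex-digit PSK that hostapd derives from an ASCII passphrase.

    The SSID is the PBKDF2 salt, which is why the config comment says the PSK
    changes when the SSID changes even though wpa_passphrase stays the same.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("wpa_passphrase must be 8..63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("ssid must be 1..32 bytes")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes,
                              PBKDF2_ITERATIONS, PSK_LEN)
    return psk.hex()


def parse_hostapd_conf(text: str) -> dict:
    """Minimal reader for hostapd.conf: blank lines and '#' comments are
    skipped, each remaining line is key=value, a repeated key keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def effective_psk(conf: dict):
    """Return the PSK the AP will use: wpa_psk wins over wpa_passphrase; None if neither is set."""
    if conf.get("wpa_psk"):
        return conf["wpa_psk"].lower()
    if conf.get("wpa_passphrase") and conf.get("ssid"):
        return derive_psk(conf["wpa_passphrase"], conf["ssid"])
    return None


def check_wpa_psk(conf: dict) -> list:
    """Return human-readable findings about the WPA-PSK settings (empty list = nothing to report)."""
    findings = []
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        findings.append("wpa=0: WPA is disabled, the AP runs without encryption")
        return findings
    if not wpa & 2:
        findings.append("wpa bit1 (WPA2/RSN) not set: only the original WPA profile is offered")
    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    if "WPA-PSK" not in key_mgmt:
        findings.append("wpa_key_mgmt does not include WPA-PSK, so a passphrase will not be used")
    psk, passphrase = conf.get("wpa_psk"), conf.get("wpa_passphrase")
    if psk:
        if len(psk) != 64 or any(c not in "0123456789abcdefABCDEF" for c in psk):
            findings.append("wpa_psk must be exactly 64 hex digits")
    elif passphrase:
        if not 8 <= len(passphrase) <= 63:
            findings.append("wpa_passphrase length must be 8..63 characters")
    else:
        findings.append("neither wpa_psk nor wpa_passphrase is set")
    if "TKIP" in conf.get("wpa_pairwise", "").split():
        findings.append("wpa_pairwise allows TKIP (RC4-based, deprecated); CCMP is the current choice")
    return findings


if __name__ == "__main__":
    conf = parse_hostapd_conf(SAMPLE_CONF)
    print("effective wpa_psk for ssid", conf["ssid"], "=", effective_psk(conf))
    for finding in check_wpa_psk(conf):
        print("-", finding)
```

Run it as a script to see the PSK that `wpa_passphrase=secret_passphrase` yields for SSID `gunhead`; pasting that hex into `wpa_psk=` in place of the passphrase is equivalent, which is a convenient way to confirm that the AP and a client agree on the key material.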