MAC-based authentication with hostapd on FreeBSD

Настройка сетевых служб, маршрутизации, фаерволлов. Проблемы с сетевым оборудованием.
Правила форума
Убедительная просьба юзать теги [code] при оформлении листингов.
Сообщения не оформленные должным образом имеют все шансы быть незамеченными.
hzres
рядовой
Сообщения: 12
Зарегистрирован: 2008-04-19 17:14:26

MAC-based authentication with hostapd on FreeBSD

Непрочитанное сообщение hzres » 2008-04-19 19:36:29

Актуальность такой защиты невысока, поскольку MAC-адрес можно изменить, но все-таки это лишний барьер на пути соседей по дому к подключению к вашей беспроводной сети.
Есть подключенный к LAN комп с фрей и WiFi картой, поддерживающей hostap (ASUS WL-107G). Комп служит маршрутизатором между сетями LAN и WLAN. Настроил точку доступа с шифрованием WPA2-PSK, все работает. Пользовался материалами из
/usr/share/doc/handbook/book.txt
/usr/share/examples/hostapd/
hostapd(8)
hostapd.conf(5)
Проблема в том, что независимо от содержимого /etc/hostapd.accept и /etc/hostapd.deny все, кто знает пароль могут подключиться. Вот мои настройки

Код: Выделить всё

scerzh# uname -a
FreeBSD scerzh 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sat Apr  5 00:01:34 MSD 2008     root@scerzh:/usr/obj/usr/src/sys/SCERZH  i386
scerzh# dmesg | grep ral0
ral0: <Ralink Technology RT2560> mem 0xe8204000-0xe8205fff irq 9 at device 0.0 on cardbus1
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525
ral0: Ethernet address: 00:1b:fc:bf:f0:28
ral0: [ITHREAD]
scerzh# ifconfig ral0 list caps
ral0=2181e500<IBSS,HOSTAP,TXPMGT,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,BGSCAN>
scerzh# ifconfig ral0
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
        ether 00:1b:fc:bf:f0:28
        inet 172.16.0.17 netmask 0xfffffff0 broadcast 172.16.0.31
        media: IEEE 802.11 Wireless Ethernet autoselect (autoselect <hostap>)
        status: associated
        ssid scerzhnet channel 1 (2412 Mhz 11g) bssid 00:1b:fc:bf:f0:28
        authmode WPA2/802.11i privacy MIXED deftxkey 3 AES-CCM 2:128-bit
        AES-CCM 3:128-bit txpower 50 bmiss 7 scanvalid 60 bgscan
        bgscanintvl 300 bgscanidle 250 roam:rssi11g 7 roam:rate11g 5
        protmode CTS
scerzh# cat /etc/hostapd.conf
interface=ral0
driver=bsd
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=1
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=scerzhnet
max_num_sta=13
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
ap_max_inactivity=300
wpa=2
wpa_passphrase=qwertyui
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_group_rekey=600
wpa_strict_rekey=1
wpa_gmk_rekey=86400
в файле /etc/hostapd.conf пробовал менять строки

Код: Выделить всё

macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
на

Код: Выделить всё

macaddr_acl=0
deny_mac_file=/etc/hostapd.deny
на

Код: Выделить всё

macaddr_acl=0
accept_mac_file=/etc/hostapd.accept
deny_mac_file=/etc/hostapd.deny
и на

Код: Выделить всё

macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
deny_mac_file=/etc/hostapd.deny
пробовал также это

Код: Выделить всё

scerzh# ifconfig ral0 mac:add 00:14:d1:46:14:5e
scerzh# ifconfig ral0 mac:deny

Хостинговая компания Host-Food.ru
Хостинг HostFood.ru
 

Услуги хостинговой компании Host-Food.ru

Хостинг HostFood.ru

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2460 рублей (8 CPU, 8Gb RAM, 2x500Gb HDD, RAID 3ware 9750):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

hzres
рядовой
Сообщения: 12
Зарегистрирован: 2008-04-19 17:14:26

Re: MAC-based authentication with hostapd on FreeBSD

Непрочитанное сообщение hzres » 2008-04-19 22:40:55

В общем ограничения по MAC-адресам я сделал. У меня получилось 2 способа
1. использовать ipfw, или какой-нибудь другой файрвол, но это не сабж.
2. использовать hostapd. В hostapd.conf нужно заменить

Код: Выделить всё

wpa_passphrase=qwertyui
на

Код: Выделить всё

wpa_psk_file=/etc/hostapd.wpa_psk
Формат файла hostapd.wpa_psk следующий

Код: Выделить всё

scerzh# cat /etc/hostapd.wpa_psk
00:1e:8c:99:1d:f8 qwertyui
00:14:d1:46:14:5e asdfghjk
в каждой строке мак и через пробел пароль или psk. Мак 00:00:00:00:00:00 обозначает произвольный мак. Если в какой-либо строке забыть написать пароль, то hostapd не запускается.
Теперь подсоединиться к сети можно зная и мак и пароль. Это то, чего я и хотел, но все-равно не ясно, почему не работают настройки с /etc/hostad.deny и /etc/hostapd.accept и команды

Код: Выделить всё

scerzh# ifconfig ral0 mac:add 00:14:d1:46:14:5e
scerzh# ifconfig ral0 mac:deny
может у кого есть работающая конфигурация с /etc/hostad.deny и /etc/hostapd.accept? Или может дело в железе?

Аватара пользователя
Alex Keda
стреляли...
Сообщения: 35035
Зарегистрирован: 2004-10-18 14:25:19
Откуда: Made in USSR
Контактная информация:

Re: MAC-based authentication with hostapd on FreeBSD

Непрочитанное сообщение Alex Keda » 2008-04-22 0:03:56

даже не заморачивался както..
=======
может не стоит раздавать пассфразу кому не попадя?
Убей их всех! Бог потом рассортирует...

Аватара пользователя
mr_A3ap41k
рядовой
Сообщения: 25
Зарегистрирован: 2008-03-05 14:03:40

Re: MAC-based authentication with hostapd on FreeBSD

Непрочитанное сообщение mr_A3ap41k » 2008-04-22 13:10:10

А у меня чет так и не получилось шифрование настроить.

hzres
рядовой
Сообщения: 12
Зарегистрирован: 2008-04-19 17:14:26

Re: MAC-based authentication with hostapd on FreeBSD

Непрочитанное сообщение hzres » 2008-04-22 23:25:04

А ты опиши, че делал. В каком режиме работало сетевое устройство (infrastructure, adhoc, hostap). Какое шифрование пытался использовать?

pimlab
прапорщик
Сообщения: 475
Зарегистрирован: 2007-10-09 11:31:03

Re: MAC-based authentication with hostapd on FreeBSD

Непрочитанное сообщение pimlab » 2008-10-05 19:05:16

Как в hostapd прописать чтоб скрыть сеть?

snorlov
подполковник
Сообщения: 3616
Зарегистрирован: 2008-09-04 11:51:25
Откуда: Санкт-Петербург

Re: MAC-based authentication with hostapd on FreeBSD

Непрочитанное сообщение snorlov » 2008-10-07 13:28:05

Все это конечно хорошо, но лучше поставить openssl, freeradius и заставить работать по сетртификатам...

pimlab
прапорщик
Сообщения: 475
Зарегистрирован: 2007-10-09 11:31:03

Re: MAC-based authentication with hostapd on FreeBSD

Непрочитанное сообщение pimlab » 2008-12-20 21:19:21

Есть домашний сервер на Freebsd 7.0 , который раздаёт wifi и всё бы хорошо ,но при большой нагрузке на процесоре и wifi сети hostapd начинает работать не адекватно т.е. не принимает пароль от клиента.
помогает тока перезагрузка hostapd демона.
monitord не помогает так как процесс не падает.
Помогите придумать/реолизовать ,как автоматически при этом его перезапускать.

Код: Выделить всё

##### hostapd configuration file ##############################################
# Empty lines and lines starting with # are ignored

# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for
# management frames); ath0 for madwifi
interface=ral0

# In case of madwifi driver, an additional configuration parameter, bridge,
# must be used to notify hostapd if the interface is included in a bridge. This
# parameter is not used with Host AP driver.
#bridge=br0

# Driver interface type (hostap/wired/madwifi/prism54; default: hostap)
# driver=hostap

# hostapd event logger configuration
#
# Two output method: syslog and stdout (only usable if not forking to
# background).
#
# Module bitfield (ORed bitfield of modules that will be logged; -1 = all
# modules):
# bit 0 (1) = IEEE 802.11
# bit 1 (2) = IEEE 802.1X
# bit 2 (4) = RADIUS
# bit 3 (8) = WPA
# bit 4 (16) = driver interface
# bit 5 (32) = IAPP
# bit 6 (64) = MLME
#
# Levels (minimum value for logged events):
#  0 = verbose debugging
#  1 = debugging
#  2 = informational messages
#  3 = notification
#  4 = warning
#
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2

# Debugging: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 = excessive
debug=0

# Dump file for state information (on SIGUSR1)
dump_file=/tmp/hostapd.dump

# Interface for separate control program. If this is specified, hostapd
# will create this directory and a UNIX domain socket for listening to requests
# from external programs (CLI/GUI, etc.) for status information and
# configuration. The socket file will be named based on the interface name, so
# multiple hostapd processes/interfaces can be run at the same time if more
# than one interface is used.
# /var/run/hostapd is the recommended directory for sockets and by default,
# hostapd_cli will use it when trying to connect with hostapd.
ctrl_interface=/var/run/hostapd

# Access control for the control interface can be configured by setting the
# directory to allow only members of a group to use sockets. This way, it is
# possible to run hostapd as root (since it needs to change network
# configuration and open raw sockets) and still allow GUI/CLI components to be
# run as non-root users. However, since the control interface can be used to
# change the network configuration, this access needs to be protected in many
# cases. By default, hostapd is configured to use gid 0 (root). If you
# want to allow non-root users to use the contron interface, add a new group
# and change this value to match with that group. Add users that should have
# control interface access to this group.
#
# This variable can be a group name or gid.
#ctrl_interface_group=wheel
ctrl_interface_group=0


##### IEEE 802.11 related configuration #######################################

# SSID to be used in IEEE 802.11 management frames
ssid=barton

# Country code (ISO/IEC 3166-1).  Used to set regulatory domain.
# Modify as needed to indicate country in which device is operating.
# This can limit available channels and transmit power.
# (default: US)
#country_code=US

# Enable IEEE 802.11d. This advertises the country_code and the set of allowed
# channels and transmit power levels based on the regulatory limits. The
# country_code setting must be configured with the correct country for
# IEEE 802.11d functions.
# (default: 0 = disabled)
#ieee80211d=1

# Enable IEEE 802.11h. This enables the TPC and DFS services when operating
# in a regulatory domain which requires them.  Once enabled it will be 
# operational only when working in hw_mode a and in countries where it is
# required. The end user should not be allowed to disable this.
# The country_code setting must be configured with the correct country for
# IEEE 802.11h to function. 
# When IEEE 802.11h is operational, the channel_policy and configured channel 
# settings will be ignored but will behave as though the channel_policy is
# set to "3" (automatic channel selection). When IEEE 802.11h is enabled but
# not operational (for example, if the radio mode is changed from "a" to "b")
# the channel_policy and channel settings take effect again. 
# (default: 1 = enabled)
#ieee80211h=1

# Operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g,
# Default: IEEE 802.11b
hw_mode=g

# Channel number (IEEE 802.11)
# (default: 0, i.e., not set, used with channel_policy=2)
channel=60

# Beacon interval in kus (1.024 ms) (default: 100; range 15..65535)
beacon_int=100

# DTIM (delivery trafic information message) period (range 1..255):
# number of beacons between DTIMs (1 = every beacon includes DTIM element)
# (default: 2)
dtim_period=2

# Maximum number of stations allowed in station table. New stations will be
# rejected after the station table is full. IEEE 802.11 has a limit of 2007
# different association IDs, so this number should not be larger than that.
# (default: 2007)
max_num_sta=255

# RTS/CTS threshold; 2347 = disabled (default); range 0..2347
# If this field is not included in hostapd.conf, hostapd will not control
# RTS threshold and 'iwconfig wlan# rts <val>' can be used to set it.
rts_threshold=2347

# Fragmentation threshold; 2346 = disabled (default); range 256..2346
# If this field is not included in hostapd.conf, hostapd will not control
# fragmentation threshold and 'iwconfig wlan# frag <val>' can be used to set
# it.
fragm_threshold=2346

# Rate configuration
# Default is to enable all rates supported by the hardware. This configuration
# item allows this list be filtered so that only the listed rates will be left
# in the list. If the list is empty, all rates are used. This list can have
# entries that are not in the list of rates the hardware supports (such entries
# are ignored). The entries in this list are in 100 kbps, i.e., 11 Mbps = 110.
# If this item is present, at least one rate have to be matching with the rates
# hardware supports.
# default: use the most common supported rate setting for the selected
# hw_mode (i.e., this line can be removed from configuration file in most
# cases)
#supported_rates=10 20 55 110 60 90 120 180 240 360 480 540

# Basic rate set configuration
# List of rates (in 100 kbps) that are included in the basic rate set.
# If this item is not included, usually reasonable default set is used.
#basic_rates=10 20
#basic_rates=10 20 55 110
#basic_rates=60 120 240

# Station MAC address -based authentication
# Please note that this kind of access control requires a driver that uses
# hostapd to take care of management frame processing and as such, this can be
# used with driver=hostap or driver=devicescape, but not with driver=madwifi.
# 0 = accept unless in deny list
# 1 = deny unless in accept list
# 2 = use external RADIUS server (accept/deny lists are searched first)
macaddr_acl=0

# Accept/deny lists are read from separate files (containing list of
# MAC addresses, one per line). Use absolute path name to make sure that the
# files can be read on SIGHUP configuration reloads.
#accept_mac_file=/etc/hostapd.accept
#deny_mac_file=/etc/hostapd.deny

# IEEE 802.11 specifies two authentication algorithms. hostapd can be
# configured to allow both of these or only one. Open system authentication
# should be used with IEEE 802.1X.
# Bit fields of allowed authentication algorithms:
# bit 0 = Open System Authentication
# bit 1 = Shared Key Authentication (requires WEP)
auth_algs=3

# Send empty SSID in beacons and ignore probe request frames that do not
# specify full SSID, i.e., require stations to know SSID.
# default: disabled (0)
# 1 = send empty (length=0) SSID in beacon and ignore probe request for
#     broadcast SSID
# 2 = clear SSID (ASCII 0), but keep the original length (this may be required
#     with some clients that do not support empty SSID) and ignore probe
#     requests for broadcast SSID
#ignore_broadcast_ssid=2

# TX queue parameters (EDCF / bursting)
# default for all these fields: not set, use hardware defaults
# tx_queue_<queue name>_<param>
# queues: data0, data1, data2, data3, after_beacon, beacon
#		(data0 is the highest priority queue)
# parameters:
#   aifs: AIFS (default 2)
#   cwmin: cwMin (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023)
#   cwmax: cwMax (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023); cwMax >= cwMin
#   burst: maximum length (in milliseconds with precision of up to 0.1 ms) for
#          bursting
#
# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e):
# These parameters are used by the access point when transmitting frames
# to the clients.
#
# Low priority / AC_BK = background
#tx_queue_data3_aifs=7
#tx_queue_data3_cwmin=15
#tx_queue_data3_cwmax=1023
#tx_queue_data3_burst=0
# Note: for IEEE 802.11b mode: cWmin=31 cWmax=1023 burst=0
#
# Normal priority / AC_BE = best effort
#tx_queue_data2_aifs=3
#tx_queue_data2_cwmin=15
#tx_queue_data2_cwmax=63
#tx_queue_data2_burst=0
# Note: for IEEE 802.11b mode: cWmin=31 cWmax=127 burst=0
#
# High priority / AC_VI = video
#tx_queue_data1_aifs=1
#tx_queue_data1_cwmin=7
#tx_queue_data1_cwmax=15
#tx_queue_data1_burst=3.0
# Note: for IEEE 802.11b mode: cWmin=15 cWmax=31 burst=6.0
#
# Highest priority / AC_VO = voice
#tx_queue_data0_aifs=1
#tx_queue_data0_cwmin=3
#tx_queue_data0_cwmax=7
#tx_queue_data0_burst=1.5
# Note: for IEEE 802.11b mode: cWmin=7 cWmax=15 burst=3.3
#
# Special queues; normally not user configurable
#
#tx_queue_after_beacon_aifs=2
#tx_queue_after_beacon_cwmin=15
#tx_queue_after_beacon_cwmax=1023
#tx_queue_after_beacon_burst=0
#
#tx_queue_beacon_aifs=2
#tx_queue_beacon_cwmin=3
#tx_queue_beacon_cwmax=7
#tx_queue_beacon_burst=1.5

# 802.1D Tag to AC mappings
# WMM specifies following mapping of data frames to different ACs. This mapping
# can be configured using Linux QoS/tc and sch_pktpri.o module.
# 802.1D Tag	802.1D Designation	Access Category	WMM Designation
# 1		BK			AC_BK		Background
# 2		-			AC_BK		Background
# 0		BE			AC_BE		Best Effort
# 3		EE			AC_VI		Video
# 4		CL			AC_VI		Video
# 5		VI			AC_VI		Video
# 6		VO			AC_VO		Voice
# 7		NC			AC_VO		Voice
# Data frames with no priority information: AC_BE
# Management frames: AC_VO
# PS-Poll frames: AC_BE

# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e):
# for 802.11a or 802.11g networks
# These parameters are sent to WMM clients when they associate.
# The parameters will be used by WMM clients for frames transmitted to the
# access point.
#
# note - txop_limit is in units of 32microseconds
# note - acm is admission control mandatory flag. 0 = admission control not
# required, 1 = mandatory
# note - here cwMin and cmMax are in exponent form. the actual cw value used
# will be (2^n)-1 where n is the value given here
#
wme_enabled=1
#
# Low priority / AC_BK = background
wme_ac_bk_cwmin=4
wme_ac_bk_cwmax=10
wme_ac_bk_aifs=7
wme_ac_bk_txop_limit=0
wme_ac_bk_acm=0
# Note: for IEEE 802.11b mode: cWmin=5 cWmax=10
#
# Normal priority / AC_BE = best effort
wme_ac_be_aifs=3
wme_ac_be_cwmin=4
wme_ac_be_cwmax=10
wme_ac_be_txop_limit=0
wme_ac_be_acm=0
# Note: for IEEE 802.11b mode: cWmin=5 cWmax=7
#
# High priority / AC_VI = video
wme_ac_vi_aifs=2
wme_ac_vi_cwmin=3
wme_ac_vi_cwmax=4
wme_ac_vi_txop_limit=94
wme_ac_vi_acm=0
# Note: for IEEE 802.11b mode: cWmin=4 cWmax=5 txop_limit=188
#
# Highest priority / AC_VO = voice
wme_ac_vo_aifs=2
wme_ac_vo_cwmin=2
wme_ac_vo_cwmax=3
wme_ac_vo_txop_limit=47
wme_ac_vo_acm=0
# Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102

# Associate as a station to another AP while still acting as an AP on the same
# channel.
#assoc_ap_addr=00:12:34:56:78:9a

# Static WEP key configuration
#
# The key number to use when transmitting.
# It must be between 0 and 3, and the corresponding key must be set.
# default: not set
#wep_default_key=0
# The WEP keys to use.
# A key may be a quoted string or unquoted hexadecimal digits.
# The key length should be 5, 13, or 16 characters, or 10, 26, or 32
# digits, depending on whether 40-bit (64-bit), 104-bit (128-bit), or
# 128-bit (152-bit) WEP is used.
# Only the default key must be supplied; the others are optional.
# default: not set
#wep_key0=123456789a
#wep_key1="vwxyz"
#wep_key2=0102030405060708090a0b0c0d
#wep_key3=".2.4.6.8.0.23"

# Station inactivity limit
#
# If a station does not send anything in ap_max_inactivity seconds, an
# empty data frame is sent to it in order to verify whether it is
# still in range. If this frame is not ACKed, the station will be
# disassociated and then deauthenticated. This feature is used to
# clear station table of old entries when the STAs move out of the
# range.
#
# The station can associate again with the AP if it is still in range;
# this inactivity poll is just used as a nicer way of verifying
# inactivity; i.e., client will not report broken connection because
# disassociation frame is not sent immediately without first polling
# the STA with a data frame.
# default: 300 (i.e., 5 minutes)
#ap_max_inactivity=300

# Enable/disable internal bridge for packets between associated stations.
#
# When IEEE 802.11 is used in managed mode, packets are usually send through
# the AP even if they are from a wireless station to another wireless station.
# This functionality requires that the AP has a bridge functionality that sends
# frames back to the same interface if their destination is another associated
# station. In addition, broadcast/multicast frames from wireless stations will
# be sent both to the host system net stack (e.g., to eventually wired network)
# and back to the wireless interface.
#
# The internal bridge is implemented within the wireless kernel module and it
# bypasses kernel filtering (netfilter/iptables/ebtables). If direct
# communication between the stations needs to be prevented, the internal
# bridge can be disabled by setting bridge_packets=0.
#
# Note: If this variable is not included in hostapd.conf, hostapd does not
# change the configuration and iwpriv can be used to set the value with
# 'iwpriv wlan# param 10 0' command. If the variable is in hostapd.conf,
# hostapd will override possible iwpriv configuration whenever configuration
# file is reloaded.
#
# default: do not control from hostapd (80211.o defaults to 1=enabled)
#bridge_packets=1


##### IEEE 802.1X-2004 related configuration ##################################

# Require IEEE 802.1X authorization
#ieee8021x=1

# IEEE 802.1X/EAPOL version
# hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL
# version 2. However, there are many client implementations that do not handle
# the new version number correctly (they seem to drop the frames completely).
# In order to make hostapd interoperate with these clients, the version number
# can be set to the older version (1) with this configuration value.
#eapol_version=2

# Optional displayable message sent with EAP Request-Identity. The first \0
# in this string will be converted to ASCII-0 (nul). This can be used to
# separate network info (comma separated list of attribute=value pairs); see,
# e.g., draft-adrangi-eap-network-discovery-07.txt.
#eap_message=hello
#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com

# WEP rekeying (disabled if key lengths are not set or are set to 0)
# Key lengths for default/broadcast and individual/unicast keys:
# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
#wep_key_len_broadcast=5
#wep_key_len_unicast=5
# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)
#wep_rekey_period=300

# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
# only broadcast keys are used)
eapol_key_index_workaround=0

# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable
# reauthentication).
#eap_reauth_period=3600

# Use PAE group address (01:80:c2:00:00:03) instead of individual target
# address when sending EAPOL frames with driver=wired. This is the most common
# mechanism used in wired authentication, but it also requires that the port
# is only used by one station.
#use_pae_group_addr=1

##### Integrated EAP server ###################################################

# Optionally, hostapd can be configured to use an integrated EAP server
# to process EAP authentication locally without need for an external RADIUS
# server. This functionality can be used both as a local authentication server
# for IEEE 802.1X/EAPOL and as a RADIUS server for other devices.

# Use integrated EAP server instead of external RADIUS authentication
# server. This is also needed if hostapd is configured to act as a RADIUS
# authentication server.

###eap_server=0

# Path for EAP server user database
#eap_user_file=/etc/hostapd.eap_user

# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
#ca_cert=/etc/hostapd.ca.pem

# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
#server_cert=/etc/hostapd.server.pem

# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS
# This may point to the same file as server_cert if both certificate and key
# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be
# used by commenting out server_cert and specifying the PFX file as the
# private_key.
#private_key=/etc/hostapd.server.prv

# Passphrase for private key
#private_key_passwd=secret passphrase

# Enable CRL verification.
# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a
# valid CRL signed by the CA is required to be included in the ca_cert file.
# This can be done by using PEM format for CA certificate and CRL and
# concatenating these into one file. Whenever CRL changes, hostapd needs to be
# restarted to take the new CRL into use.
# 0 = do not verify CRLs (default)
# 1 = check the CRL of the user certificate
# 2 = check all CRLs in the certificate path
#check_crl=1

# Configuration data for EAP-SIM database/authentication gateway interface.
# This is a text string in implementation specific format. The example
# implementation in eap_sim_db.c uses this as the UNIX domain socket name for
# the HLR/AuC gateway (e.g., hlr_auc_gw). In this case, the path uses "unix:"
# prefix.
#eap_sim_db=unix:/tmp/hlr_auc_gw.sock


##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################

# Interface to be used for IAPP broadcast packets
#iapp_interface=eth0


##### RADIUS client configuration #############################################
# for IEEE 802.1X with external Authentication Server, IEEE 802.11
# authentication with external ACL for MAC addresses, and accounting

# The own IP address of the access point (used as NAS-IP-Address)
own_ip_addr=127.0.0.1

# Optional NAS-Identifier string for RADIUS messages. When used, this should be
# a unique to the NAS within the scope of the RADIUS server. For example, a
# fully qualified domain name can be used here.
#nas_identifier=ap.example.com

# RADIUS authentication server
#auth_server_addr=127.0.0.1
#auth_server_port=1812
#auth_server_shared_secret=secret

# RADIUS accounting server
#acct_server_addr=127.0.0.1
#acct_server_port=1813
#acct_server_shared_secret=secret

# Secondary RADIUS servers; to be used if primary one does not reply to
# RADIUS packets. These are optional and there can be more than one secondary
# server listed.
#auth_server_addr=127.0.0.2
#auth_server_port=1812
#auth_server_shared_secret=secret2
#
#acct_server_addr=127.0.0.2
#acct_server_port=1813
#acct_server_shared_secret=secret2

# Retry interval for trying to return to the primary RADIUS server (in
# seconds). RADIUS client code will automatically try to use the next server
# when the current server is not replying to requests. If this interval is set,
# primary server will be retried after configured amount of time even if the
# currently used secondary server is still working.
#radius_retry_primary_interval=600


# Interim accounting update interval
# If this is set (larger than 0) and acct_server is configured, hostapd will
# send interim accounting updates every N seconds. Note: if set, this overrides
# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this
# value should not be configured in hostapd.conf, if RADIUS server is used to
# control the interim interval.
# This value should not be less 600 (10 minutes) and must not be less than
# 60 (1 minute).
#radius_acct_interim_interval=600

# Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN
# is used for the stations. This information is parsed from following RADIUS
# attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN),
# Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value
# VLANID as a string). vlan_file option below must be configured if dynamic
# VLANs are used.
# 0 = disabled (default)
# 1 = option; use default interface if RADIUS server does not include VLAN ID
# 2 = required; reject authentication if RADIUS server does not include VLAN ID
#dynamic_vlan=0

# VLAN interface list for dynamic VLAN mode is read from a separate text file.
# This list is used to map VLAN ID from the RADIUS server to a network
# interface. Each station is bound to one interface in the same way as with
# multiple BSSIDs or SSIDs. Each line in this text file is defining a new
# interface and the line must include VLAN ID and interface name separated by
# white space (space or tab).
#vlan_file=/etc/hostapd.vlan

# Interface where 802.1q tagged packets should appear when a RADIUS server is
# used to determine which VLAN a station is on.  hostapd creates a bridge for
# each VLAN.  Then hostapd adds a VLAN interface (associated with the interface
# indicated by 'vlan_tagged_interface') and the appropriate wireless interface
# to the bridge.
#vlan_tagged_interface=eth0


##### RADIUS authentication server configuration ##############################

# hostapd can be used as a RADIUS authentication server for other hosts. This
# requires that the integrated EAP authenticator is also enabled and both
# authentication services are sharing the same configuration.

# File name of the RADIUS clients configuration for the RADIUS server. If this
# commented out, RADIUS server is disabled.
#radius_server_clients=/etc/hostapd.radius_clients

# The UDP port number for the RADIUS authentication server
#radius_server_auth_port=1812

# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API)
#radius_server_ipv6=1


##### WPA/IEEE 802.11i configuration ##########################################

# Enable WPA. Setting this variable configures the AP to require WPA (either
# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
# RADIUS authentication server must be configured, and WPA-EAP must be included
# in wpa_key_mgmt.
# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
# and/or WPA2 (full IEEE 802.11i/RSN):
# bit0 = WPA
# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
#wpa=2
wpa=3

# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
# (8..63 characters) that will be converted to PSK. This conversion uses SSID
# so the PSK changes when ASCII passphrase is used and the SSID is changed.
# wpa_psk (dot11RSNAConfigPSKValue)
# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

#wpa_passphrase=abrakadabra

# Optionally, WPA PSKs can be read from a separate text file (containing list
# of (PSK,MAC address) pairs. This allows more than one PSK to be configured.
# Use absolute path name to make sure that the files can be read on SIGHUP
# configuration reloads.
#wpa_psk_file=/etc/hostapd.wpa_psk
wpa_psk_file=/etc/hostapd.accept

# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
# entries are separated with a space.
# (dot11RSNAConfigAuthenticationSuitesTable)
#wpa_key_mgmt=WPA-PSK WPA-EAP
wpa_key_mgmt=WPA-PSK 

# Set of accepted cipher suites (encryption algorithms) for pairwise keys
# (unicast packets). This is a space separated list of algorithms:
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# Group cipher suite (encryption algorithm for broadcast and multicast frames)
# is automatically selected based on this configuration. If only CCMP is
# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
# TKIP will be used as the group cipher.
# (dot11RSNAConfigPairwiseCiphersTable)
#wpa_pairwise=TKIP CCMP
wpa_pairwise=CCMP

# Time interval for rekeying GTK (broadcast/multicast encryption keys) in
# seconds. (dot11RSNAConfigGroupRekeyTime)
wpa_group_rekey=600

# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
# (dot11RSNAConfigGroupRekeyStrict)
#wpa_strict_rekey=1

# Time interval for rekeying GMK (master key used internally to generate GTKs
# (in seconds).
#wpa_gmk_rekey=86400
wpa_gmk_rekey=900

# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
# authentication and key handshake before actually associating with a new AP.
# (dot11RSNAPreauthenticationEnabled)
#rsn_preauth=1
#
# Space separated list of interfaces from which pre-authentication frames are
# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all
# interface that are used for connections to other APs. This could include
# wired interfaces and WDS links. The normal wireless data interface towards
# associated stations (e.g., wlan0) should not be added, since
# pre-authentication is only used with APs other than the currently associated
# one.
#rsn_preauth_interfaces=eth0

# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e) is
# allowed. This is only used with RSN/WPA2.
# 0 = disabled (default)
# 1 = enabled
#peerkey=1
#peerkey=1

# ieee80211w: Whether management frame protection is enabled
# 0 = disabled (default)
# 1 = optional
# 2 = required
#ieee80211w=0
#ieee80211w=1

##### Passive scanning ########################################################
# Scan different channels every N seconds. 0 = disable passive scanning.
#passive_scan_interval=60
passive_scan_interval=60

# Listen N usecs on each channel when doing passive scanning.
# This value plus the time needed for changing channels should be less than
# 32 milliseconds (i.e. 32000 usec) to avoid interruptions to normal
# operations. Time needed for channel changing varies based on the used wlan
# hardware.
# default: disabled (0)
#passive_scan_listen=10000
passive_scan_listen=10000

# Passive scanning mode:
# 0 = scan all supported modes (802.11a/b/g/Turbo) (default)
# 1 = scan only the mode that is currently used for normal operations
#passive_scan_mode=1
passive_scan_mode=1

# Maximum number of entries kept in AP table (either for passive scanning or
# for detecting Overlapping Legacy BSS Condition). The oldest entry will be
# removed when adding a new entry that would make the list grow over this
# limit. Note! Wi-Fi certification for IEEE 802.11g requires that OLBC is
# enabled, so this field should not be set to 0 when using IEEE 802.11g.
# default: 255
#ap_table_max_size=255

# Number of seconds of no frames received after which entries may be deleted
# from the AP table. Since passive scanning is not usually performed frequently
# this should not be set to very small value. In addition, there is no
# guarantee that every scan cycle will receive beacon frames from the
# neighboring APs.
# default: 60
#ap_table_expiration_time=3600

# Multiple BSSID support
#
# Above configuration is using the default interface (wlan#, or multi-SSID VLAN
# interfaces). Other BSSIDs can be added by using separator 'bss' with
# default interface name to be allocated for the data packets of the new BSS.
#
# hostapd will generate BSSID mask based on the BSSIDs that are
# configured. hostapd will verify that dev_addr & MASK == dev_addr. If this is
# not the case, the MAC address of the radio must be changed before starting
# hostapd (ifconfig wlan0 hw ether <MAC addr>).
#
# BSSIDs are assigned in order to each BSS, unless an explicit BSSID is
# specified using the 'bssid' parameter.
# If an explicit BSSID is specified, it must be chosen such that it:
# - results in a valid MASK that covers it and the dev_addr
# - is not the same as the MAC address of the radio
# - is not the same as any other explicitly specified BSSID
#
# Please note that hostapd uses some of the values configured for the first BSS
# as the defaults for the following BSSes. However, it is recommended that all
# BSSes include explicit configuration of all relevant configuration items.
#
#bss=wlan0_0
#ssid=test2
# most of the above items can be used here (apart from radio interface specific
# items, like channel)

#bss=wlan0_1
#bssid=00:13:10:95:fe:0b

Аватара пользователя
InventoR
ст. лейтенант
Сообщения: 1344
Зарегистрирован: 2006-12-10 19:43:25
Контактная информация:

Re: MAC-based authentication with hostapd on FreeBSD

Непрочитанное сообщение InventoR » 2008-12-20 21:26:58

а как добиться логирования от демона hostapd, может если его на дебаг поставить и глядеть что происходит.
ну вот и сказочке конец, кто слушал, тот молодец.

pimlab
прапорщик
Сообщения: 475
Зарегистрирован: 2007-10-09 11:31:03

Re: MAC-based authentication with hostapd on FreeBSD

Непрочитанное сообщение pimlab » 2008-12-20 21:43:17

InventoR писал(а):а как добиться логирования от демона hostapd, может если его на дебаг поставить и глядеть что происходит.
стандартно через syslogd.conf-
точно ...... попробую увеличить его подробность и посмотрю

Аватара пользователя
InventoR
ст. лейтенант
Сообщения: 1344
Зарегистрирован: 2006-12-10 19:43:25
Контактная информация:

Re: MAC-based authentication with hostapd on FreeBSD

Непрочитанное сообщение InventoR » 2008-12-20 21:57:50

странно, пробывал, но толку нету.
ладно. чуть позже колупну еще.
ну вот и сказочке конец, кто слушал, тот молодец.

pimlab
прапорщик
Сообщения: 475
Зарегистрирован: 2007-10-09 11:31:03

Re: MAC-based authentication with hostapd on FreeBSD

Непрочитанное сообщение pimlab » 2008-12-20 22:10:36

InventoR писал(а):странно, пробывал, но толку нету.
ладно. чуть позже колупну еще.

Код: Выделить всё

# $FreeBSD: src/etc/syslog.conf,v 1.28 2005/03/12 12:31:16 glebius Exp $
#
#	Spaces ARE valid field separators in this file. However,
#	other *nix-like systems still insist on using tabs as field
#	separators. If you are sharing this file between systems, you
#	may want to use only tabs as field separators here.
#	Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit		/dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages
security.*					/var/log/security
*.err;kern.warning;auth.notice;mail.crit        /var/log/info.log
auth.info;authpriv.info				/var/log/auth.log
mail.info					/var/log/maillog
lpr.info					/var/log/lpd-errs
ftp.info					/var/log/xferlog
cron.*						/var/log/cron
*.=debug					/var/log/debug.log
*.emerg						*
local2.*                                        /var/log/smartd.log
local3.debug                                    /var/log/dhcpd.log 
#local4.*                                        /var/log/access.log
daemon.info;news.*; 		    		/var/log/info.log
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info					/var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.*						/var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*						@loghost
# uncomment these if you're running inn
# news.crit					/var/log/news/news.crit
# news.err					/var/log/news/news.err
# news.notice					/var/log/news/news.notice
!startslip
*.*						/var/log/slip.log
!ppp
*.*						/var/log/ppp.log
!hostapd
*.*                                             /var/log/hostapd.log
!monitord
*.*						/var/log/monitord.log

snorlov
подполковник
Сообщения: 3616
Зарегистрирован: 2008-09-04 11:51:25
Откуда: Санкт-Петербург

Re: MAC-based authentication with hostapd on FreeBSD

Непрочитанное сообщение snorlov » 2008-12-22 10:38:43

Чтобы в лог он писал надо смотреть hostapd.conf

# 0 = verbose debugging
# 1 = debugging
# 2 = informational messages
# 3 = notification
# 4 = warning
#

logger_syslog_level=2
logger_stdout_level=2

# Debugging: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 = excessive
debug=0

только не помню куда он писал, толи в hostapd.log, то ли в debug.log

Аватара пользователя
zingel
beastie
Сообщения: 6204
Зарегистрирован: 2007-10-30 3:56:49
Откуда: Moscow
Контактная информация:

Re: MAC-based authentication with hostapd on FreeBSD

Непрочитанное сообщение zingel » 2008-12-22 10:41:50

откройте для себя mac port-binding
Z301171463546 - можно пожертвовать мне денег

Аватара пользователя
InventoR
ст. лейтенант
Сообщения: 1344
Зарегистрирован: 2006-12-10 19:43:25
Контактная информация:

Re: MAC-based authentication with hostapd on FreeBSD

Непрочитанное сообщение InventoR » 2008-12-25 11:41:10

в общем почти разобрался, все как бы нормально.
Но! есть одна проблема, задам её здесь чисто теоретически.
Все запущено, перезагружаем роутер, дальше:
стартует hostapd, все замечательно, моя 2100AP подключенна в качестве клинта к роутеру, и..
а пинга нету, если зайти в ап, перецепить её на другую точку, а потом снова вернуть подключение к роутеру, ping появляется,
где-то все равно что-то кроется, но теперь смогу дальше колупать уже только после нового года.
свалил домой.
ну вот и сказочке конец, кто слушал, тот молодец.

Аватара пользователя
hizel
дядя поня
Сообщения: 9031
Зарегистрирован: 2007-06-29 10:05:02
Откуда: Выборг

Re: MAC-based authentication with hostapd on FreeBSD

Непрочитанное сообщение hizel » 2008-12-25 11:50:32

2100AP в режиме клиента может работать с mac-адресами которые за ней по разному
смотрим параметр matstate
этот параметр по умолчанию в разных прошивках по разному выставлен
В дурацкие игры он не играет. Он просто жуткий, чу-чу, паровозик, и зовут его Блейн. Блейн --- это Боль.