1 (edited by yamahabob 2015-09-05 21:51:59)

Topic: WPA2 (EAPOL handshake) connectivity with Open vSwitch-hostapd [SOLVED]

I'm running a TL-WR1043ND with Chaos Calmer and Open vSwitch 2.3.0 and using OpenFlow. For some reason when I have WPA2 enabled on the wireless interface (wlan0), I cannot finish an EAPOL handshake. If I disable wireless protection, I can connect and everything goes properly through the controller.

As another interesting feature, if I remove wlan0 from OVS, perform a connection using WPA2 and then add wlan0 to OVS, I can continue using the wireless connection for some amount of time, maybe a max of 5-8 minutes. After that time, a EAPOL key/Group message goes out, it fails (even though I'm responding properly) and then it goes into trying to complete the 4 packet handshake again, which fails and I lose connection.

I'm using hostapd v2.4-devel and I also have tried using wpad to call hostapd directly. I don't know if this is a lower-level network configuration issue where perhaps a handshake packet isn't getting to the hostapt process. It could be that my VLAN/OVS/interface configuration (which is very odd) could be throwing things off but the fact that no authentication works well gives me hope.

Any help is appreciated.

Here's the config that fails:

driver=nl80211
logger_syslog=127
logger_syslog_level=0
logger_stdout=127
logger_stdout_level=0
country_code=US
ieee80211d=1
hw_mode=g
channel=6

ieee80211n=1
ht_capab=[LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]

interface=wlan0
ctrl_interface=/var/run/hostapd
disassoc_low_ack=1
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
wpa_passphrase=my_password
auth_algs=1
wpa=2
wpa_pairwise=CCMP
ssid=homewireless
bridge=br-lan
okc=0
disable_pmksa_caching=1
bssid=00:11:22:33:44:55

And the one that works with no authentication all the time:

driver=nl80211
logger_syslog=127
logger_syslog_level=0
logger_stdout=127
logger_stdout_level=0
country_code=US
ieee80211d=1
hw_mode=g
channel=6

ieee80211n=1
ht_capab=[LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]

interface=wlan0
ctrl_interface=/var/run/hostapd
disassoc_low_ack=1
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
auth_algs=1
wpa=0
ssid=homewireless
bridge=br-lan
bssid=00:11:22:33:44:55

Re: WPA2 (EAPOL handshake) connectivity with Open vSwitch-hostapd [SOLVED]

After more research into the problem, I think I've uncovered a little more.

With Open vSwitch, you need to remove wlan0 from br-lan and add it to OVS's bridge, but hostapd expects wlan0 to be on br-lan (it checks /sys/class/net/wlan0/brport/bridge to make sure the directory exists (it doesn't if you move it to OVS). Therefore, I must start hostapd *before* moving wlan0 to OVS. While this is a hacky way of doing things, it works with authentication is not involved.

When authentication is enabled, the STA sees the nonce broadcasted (EAPOL 1/4) and responds but the router does not see the response. I might think that my hack of moving wlan0 to OVS might have broken a UNIX socket or something but the hostapd process sees the association request, which is why it works without authentication as mentioned in the first post, but it is apparently not getting the EAPOL message.

I have the hostapd source code and will delve through that if necessary. Could it be a difference in hostapd seeing 802.11 protocol packets versus EAPOL packets?

wlan0: AP-ENABLED
wlan0: STA CLIENT_MAC IEEE 802.11: authentication OK (open system)
wlan0: STA CLIENT_MAC MLME: MLME-AUTHENTICATE.indication(CLIENT_MAC, OPEN_SYSTEM)
wlan0: STA CLIENT_MAC MLME: MLME-DELETEKEYS.request(CLIENT_MAC)
wlan0: STA CLIENT_MAC IEEE 802.11: authenticated
wlan0: STA CLIENT_MAC IEEE 802.11: association OK (aid 1)
wlan0: STA CLIENT_MAC IEEE 802.11: associated (aid 1)
wlan0: STA CLIENT_MAC MLME: MLME-ASSOCIATE.indication(CLIENT_MAC)
wlan0: STA CLIENT_MAC MLME: MLME-DELETEKEYS.request(CLIENT_MAC)
wlan0: STA CLIENT_MAC WPA: event 1 notification
wlan0: STA CLIENT_MAC WPA: start authentication
wlan0: STA CLIENT_MAC IEEE 802.1X: unauthorizing port
wlan0: STA CLIENT_MAC WPA: sending 1/4 msg of 4-Way Handshake
wlan0: STA CLIENT_MAC WPA: EAPOL-Key timeout
wlan0: STA CLIENT_MAC WPA: sending 1/4 msg of 4-Way Handshake
wlan0: STA CLIENT_MAC WPA: EAPOL-Key timeout
wlan0: STA CLIENT_MAC WPA: sending 1/4 msg of 4-Way Handshake
wlan0: STA CLIENT_MAC WPA: EAPOL-Key timeout
wlan0: STA CLIENT_MAC WPA: sending 1/4 msg of 4-Way Handshake
wlan0: STA CLIENT_MAC WPA: EAPOL-Key timeout
wlan0: STA CLIENT_MAC WPA: PTKSTART: Retry limit 4 reached
wlan0: STA CLIENT_MAC WPA: event 3 notification
WPA: wpa_sm_step() called recursively
...

Re: WPA2 (EAPOL handshake) connectivity with Open vSwitch-hostapd [SOLVED]

For anyone else encountering this issue, the solution is a patch to hostapd. The problem stems from hostapd expecting to only have wireless interfaces on the internal linux bridge. By moving the bridge to an OVS bridge, hostapd fails to see authentication packets. The patch causes hostapd to check/add interfaces to OVS before starting and removes them when it goes down.

https://github.com/hschaa/hostapd/commi … 3fddf8R153

Re: WPA2 (EAPOL handshake) connectivity with Open vSwitch-hostapd [SOLVED]

Hi yamahbob,

currently, I am concoutering the following issue.

I have added "wlan0" to OVS bridge (i.e. "br0" ) of my OpenWrt.
When WPA2 is not enabled, the "wlan0" shows up in "ovs-ofctl show br0", everyhting looks fine.
However, when I enable WPA2 for "wlan0", I get authentication error. To fix this problem, I have gone to Luci interface to detach "wlan0" from "br0" network and attach it to "lan" network ==> SAVE&APPLY.  Then, I need to detach "wlan0" from "lan" network and attach "wlan0" to "br0" network ==> SAVE&APPLY. Thus, authentication problem is fixed. But, another problem rises: now, I can not see "wlan0" in "ovs-ofctl show br0".

How can I have both features at the same time (having wlan0 attached to OVS bridge of br0 and having WPA2 enabled)?

Frankly, I didn't understand your discussion above on "hostapd" and the usage of patch you referred to?

I'd really appreciate if you could help.

Re: WPA2 (EAPOL handshake) connectivity with Open vSwitch-hostapd [SOLVED]

hhgh wrote:

Hi yamahbob,

currently, I am concoutering the following issue.

I have added "wlan0" to OVS bridge (i.e. "br0" ) of my OpenWrt.
When WPA2 is not enabled, the "wlan0" shows up in "ovs-ofctl show br0", everyhting looks fine.
However, when I enable WPA2 for "wlan0", I get authentication error. To fix this problem, I have gone to Luci interface to detach "wlan0" from "br0" network and attach it to "lan" network ==> SAVE&APPLY.  Then, I need to detach "wlan0" from "lan" network and attach "wlan0" to "br0" network ==> SAVE&APPLY. Thus, authentication problem is fixed. But, another problem rises: now, I can not see "wlan0" in "ovs-ofctl show br0".

How can I have both features at the same time (having wlan0 attached to OVS bridge of br0 and having WPA2 enabled)?

Frankly, I didn't understand your discussion above on "hostapd" and the usage of patch you referred to?

I'd really appreciate if you could help.

There is a patch to the hostapd source code listed above. I compiled my firmware from source and applied the patch (linked above) to the hostapd source file src/drivers/linux_ioctl.c. Once you do this, adding wireless interfaces to the OVS bridge will allow WPA2 authentication to work. AFAIK, if you are not doing things from source, it's going to be a little difficult.

Re: WPA2 (EAPOL handshake) connectivity with Open vSwitch-hostapd [SOLVED]

Many thanks yamahbob.

Let me see if I can compile the firmaware from source and your patch above.
Hope there wouldn't be any tricks involved in the process of compilation wink

Re: WPA2 (EAPOL handshake) connectivity with Open vSwitch-hostapd [SOLVED]

Hi,

  I am using TPLink Archer C7 V2, with image https://downloads.openwrt.org/chaos_cal … actory.bin . Stuck with wifi encryption issue. Applied hostpad patch and copied only wpad to /usr/sbin/ and rebooted the router. I'm Still facing the encryption issue.

  Procedure followed is
1. opkg update
2. opkg install ip-full
3. opkg install openvswitch
4. Remove wifi-interfaces from default linux bridge using br-ctl commands
5. brctl delif br0 wlan0
6. brctl delif br0 wlan1
7. brctl delif br0 eth1
8. ifconfig br0 down
9. brctl delbr br0
10. ovs-vsctl add-br ovs-br
11. ovs-vsctl add-port ovs-br eth1
12. ovs-vsctl add-port ovs-br wlan0
13. ovs-vsctl add-port ovs-br wlan1
14. ovs-vsctl set-controller ovs-br tcp:X.X.X.X:6633
15. ovs-vsctl set bridge ovs-br protocols=openflow13

  EAPOL handshake is failing at message 2 out of 4 stage.

  My Configuration change in /etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fb77:dfb3:98ac::/48'

config interface 'lan'
    option ifname 'ovs-br'
    option force_link '1'
#    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
#    option ip6assign '60'
    option ipaddr '192.168.111.1'

config interface 'wan'
    option ifname 'eth0'
    option proto 'dhcp'

config interface 'wan6'
    option ifname 'eth0'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 2 3 4 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '1 6'


cat /etc/config/wireless

config wifi-device 'radio0'
    option type 'mac80211'
    option channel '36'
    option hwmode '11a'
    option path 'pci0000:01/0000:01:00.0'
    option htmode 'VHT80'

config wifi-iface
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid '2OpenWrt1'
    option encryption 'none'
    option disabled '1'

config wifi-device 'radio1'
    option type 'mac80211'
    option channel '11'
    option hwmode '11g'
    option path 'platform/qca955x_wmac'
    option htmode 'HT20'
    option txpower '24'
    option country 'US'

config wifi-iface
    option device 'radio1'
    option network 'lan'
    option mode 'ap'
    option ssid '2OpenWrt2'
    option encryption 'psk2'
    option key '12345678'

Later removed wlan0 from ovs-br

root@OpenWrt:~# ovs-vsctl show
9347cc2d-cdb5-440d-aa0e-c4c8dfa616ac
    Bridge ovs-br
        Controller "tcp:x.x.x.x:6633"
            is_connected: true
        Port ovs-br
            Interface ovs-br
                type: internal
        Port "wlan1"
            Interface "wlan1"
        Port "eth1"
            Interface "eth1"

root@OpenWrt:~# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 60:e3:17:56:5e:6f brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master ovs-system state UP mode DEFAULT group default qlen 1000
    link/ether 60:e2:37:58:5e:6e brd ff:ff:ff:ff:ff:ff
4: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN mode DEFAULT group default
    link/gre 0.0.0.0 brd 0.0.0.0
5: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
8: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default
    link/ether 46:a7:07:ba:1e:38 brd ff:ff:ff:ff:ff:ff
9: ovs-br: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/ether 60:e3:27:55:5d:6d brd ff:ff:ff:ff:ff:ff
10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovs-system state UP mode DEFAULT group default qlen 1000
    link/ether 65:e3:27:55:5d:6d brd ff:ff:ff:ff:ff:ff


root@OpenWrt:~# ovs-ofctl show ovs-br -O OpenFlow13
OFPT_FEATURES_REPLY (OF1.3) (xid=0x2): dpid:000060e327585e6d
n_tables:254, n_buffers:256
capabilities: FLOW_STATS TABLE_STATS PORT_STATS GROUP_STATS QUEUE_STATS
OFPST_PORT_DESC reply (OF1.3) (xid=0x3):
1(wlan1): addr:65:e3:27:55:5d:6d
     config:     0
     state:      0
     speed: 0 Mbps now, 0 Mbps max
2(eth1): addr:60:e2:37:58:5e:6e
     config:     0
     state:      0
     speed: 0 Mbps now, 0 Mbps max
LOCAL(ovs-br): addr:60:e3:27:55:5d:6d
     config:     0
     state:      0
     speed: 0 Mbps now, 0 Mbps max
OFPT_GET_CONFIG_REPLY (OF1.3) (xid=0x5): frags=normal miss_send_len=0


Any help is highly regarded.

Re: WPA2 (EAPOL handshake) connectivity with Open vSwitch-hostapd [SOLVED]

Note about the hostapd patch. In order to patch to work you need to add "bridge=br0" parameter to the hostapd configuration file.

9

Re: WPA2 (EAPOL handshake) connectivity with Open vSwitch-hostapd [SOLVED]

Instead adding "bridge=br0" parameter to the hostapd configuration file, adding

option bridge 'br0'

under wifi-iface section in /etc/config/wireless allows multiple bridge interfaces used by multiple WiFi interface.

10 (edited by challenger 2017-12-12 04:31:24)

Re: WPA2 (EAPOL handshake) connectivity with Open vSwitch-hostapd [SOLVED]

Hi yamahabob,

There is a patch to the hostapd source code listed above. I compiled my firmware from source and applied the patch (linked above) to the hostapd source file src/drivers/linux_ioctl.c. Once you do this, adding wireless interfaces to the OVS bridge will allow WPA2 authentication to work. AFAIK, if you are not doing things from source, it's going to be a little difficult

I am very excited to find your solution to this problem. But as a freshman to OpenWrt, I don't know how to use the patch (linux_ioctl.c) linked above with the OpenWrt source.Fortunately, I can compile OpenWrt, just don't know how to use this patch. Can you give me some specific procedure?

Any help is appreciated !