0

I am trying to set up an AP with an external RADIUS server using two Linux hosts for each service, hostapd and freeradius, correspondingly. These hosts and the Wi-Fi client host are Raspberry Pi 4 units running Ubuntu 22.04.4 LTS (jammy).

All hosts have an Ethernet connection to the common LAN (10.1.0.0/24):

  • hostA - Wi-Fi AP (10.1.0.22 Ethernet, 192.168.220.1 Wi-Fi)
  • hostB - RADIUS server (10.1.0.12 Ethernet)
  • hostC - Wi-Fi client (10.1.0.50 Ethernet, 192.168.220.101 Wi-Fi)

I have configured the freeradius server on the hostB and able to test it from the Wi-Fi client over the Ethernet LAN:

hostC:~$ radtest -x testUser1 testPassword1 10.1.0.12 0 testSecret1
Sent Access-Request Id 155 from 0.0.0.0:35529 to 10.1.0.12:1812 length 79
    User-Name = "testUser1"
    User-Password = "testPassword1"
    NAS-IP-Address = 10.1.0.50
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "testPassword1"
Received Access-Accept Id 155 from 10.1.0.12:1812 to 10.1.0.50:35529 length 20

Then I bring up the Wi-Fi AP (hostA) configured with the following hostapd.conf content:

    logger_syslog=-1
    logger_syslog_level=0
    ctrl_interface=/var/run/hostapd/
    interface=wlp1s0
    driver=nl80211
    country_code=CA
    ieee80211n=1
    hw_mode=g
    channel=6
    beacon_int=100
    dtim_period=2
    disassoc_low_ack=0
    ssid=testAP
    ieee80211w=0
    auth_algs=1
    wpa=0
    ignore_broadcast_ssid=0
    
    eap_server=0
    
    own_ip_addr=10.1.0.22
    auth_server_addr=10.1.0.12 #hostB
    auth_server_port=1812
    auth_server_shared_secret=testSecret1

The hostapd service is built from the latest code available in the main branch with the only modification below from the defconfig file to disable the integrated RADIUS server:

# Integrated EAP server
CONFIG_EAP=n

I can see that the hostapd service starting properly with RADIUS server configuration reported accordingly:

hostA:/usr/src/hostap/hostapd$ sudo ./hostapd /etc/hostapd/hostapd.conf -i wlp1s0
wlp1s0: interface state UNINITIALIZED->COUNTRY_UPDATE
wlp1s0: RADIUS Authentication server 10.1.0.12:1812
wlp1s0: interface state COUNTRY_UPDATE->ENABLED
wlp1s0: AP-ENABLED

I can successfully connect the Wi-Fi client (hostC) to the Wi-Fi AP (hostA). However, when I try to do the RADIUS test now over a Wi-Fi network (192.168.220.0/24) targeting Wi-Fi AP to process RADIUS requests, I get the failure:

hostC:~$ radtest -x testUser1 testPassword1 10.1.0.22 0 testSecret1
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
    User-Name = "testUser1"
    User-Password = "testPassword1"
    NAS-IP-Address = 10.1.0.50
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "testPassword1"
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
    User-Name = "testUser1"
    User-Password = "testPassword1"
    NAS-IP-Address = 10.1.0.50
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "testPassword1"
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
    User-Name = "testUser1"
    User-Password = "testPassword1"
    NAS-IP-Address = 10.1.0.50
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "testPassword1"
(0) No reply from server for ID 235 socket 3

I captured the traffic on the Wi-Fi interface of the hostA and see that it responds with the ICMP packet saying that Destination unreachable (Port unreachable):

Frame 2: 155 bytes on wire (1240 bits), 155 bytes captured (1240 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr  2, 2024 18:18:11.473305000 PDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1712107091.473305000 seconds
    [Time delta from previous captured frame: 0.000101000 seconds]
    [Time delta from previous displayed frame: 0.000101000 seconds]
    [Time since reference or first frame: 0.000101000 seconds]
    Frame Number: 2
    Frame Length: 155 bytes (1240 bits)
    Capture Length: 155 bytes (1240 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:icmp:ip:udp:radius]
    [Coloring Rule Name: ICMP errors]
    [Coloring Rule String: icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4]
Ethernet II, Src: IntelCor_05:02:62 (80:45:dd:05:02:62), Dst: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
    Destination: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
        Address: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_05:02:62 (80:45:dd:05:02:62)
        Address: IntelCor_05:02:62 (80:45:dd:05:02:62)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.220.1, Dst: 192.168.220.101
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
        1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 141
    Identification: 0xa48f (42127)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: ICMP (1)
    Header Checksum: 0x9b68 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.220.1
    Destination Address: 192.168.220.101
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 3 (Port unreachable)
    Checksum: 0x3724 [correct]
    [Checksum Status: Good]
    Unused: 00000000
    Internet Protocol Version 4, Src: 192.168.220.101, Dst: 192.168.220.1
        0100 .... = Version: 4
        .... 0101 = Header Length: 20 bytes (5)
        Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
            0000 00.. = Differentiated Services Codepoint: Default (0)
            .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
        Total Length: 113
        Identification: 0xc1e8 (49640)
        Flags: 0x00
            0... .... = Reserved bit: Not set
            .0.. .... = Don't fragment: Not set
            ..0. .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment Offset: 0
        Time to Live: 64
        Protocol: UDP (17)
        Header Checksum: 0x7edb [validation disabled]
        [Header checksum status: Unverified]
        Source Address: 192.168.220.101
        Destination Address: 192.168.220.1
    User Datagram Protocol, Src Port: 40929, Dst Port: 1812
        Source Port: 40929
        Destination Port: 1812
        Length: 93
        Checksum: 0xbfa6 [unverified]
        [Checksum Status: Unverified]
        [Stream index: 0]
        UDP payload (85 bytes)
RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x95 (149)
    Length: 85
    Authenticator: 2cc8f534dfcac17c947a03ced3daf62f
    Attribute Value Pairs
        AVP: t=User-Name(1) l=11 val=testUser1
            Type: 1
            Length: 11
            User-Name: testUser1
        AVP: t=User-Password(2) l=18 val=Encrypted
            Type: 2
            Length: 18
            User-Password (encrypted): 986ed23c9a832e3a98a328697e8fab38
        AVP: t=NAS-IP-Address(4) l=6 val=192.168.220.101
            Type: 4
            Length: 6
            NAS-IP-Address: 192.168.220.101
        AVP: t=NAS-Port(5) l=6 val=0
            Type: 5
            Length: 6
            NAS-Port: 0
        AVP: t=Message-Authenticator(80) l=18 val=b4669b2314a4738a956f683b59b645c4
            Type: 80
            Length: 18
            Message-Authenticator: b4669b2314a4738a956f683b59b645c4
        AVP: t=Framed-Protocol(7) l=6 val=PPP(1)
            Type: 7
            Length: 6
            Framed-Protocol: PPP (1)

What do I miss here?

Improve this question
4
  • Why 10.1.0.22 and not 10.1.0.12 anymore for the 2nd query? Commented Apr 3, 2024 at 4:08
  • @A.B because .22 is an AP and .12 is a RADIUS server. In this case, I aim to test that the AP is forwarding RADIUS requests from the Wi-Fi client to the RADIUS server. At least, this is how I understand it. Otherwise, how should the Wi-Fi client know about the RADIUS server IP address? Commented Apr 3, 2024 at 13:52
  • it should forward by routing? Commented Apr 3, 2024 at 14:13
  • I don't know. I expect that the hostapd service handles it. If I have to configure routing, that would not be different from the system without Wi-Fi or hostapd service. Commented Apr 4, 2024 at 15:24

1 Answer 1

Reset to default
0

Okay, I figured it out. RADIUS infrastructure should be used with WPA2-Enterprise mode. Hence, the working hostapd.conf:

logger_syslog=-1
logger_syslog_level=0
ctrl_interface=/var/run/hostapd/
interface=wlp1s0
driver=nl80211
country_code=CA
ieee80211n=1
hw_mode=g
channel=6
beacon_int=100
dtim_period=2
disassoc_low_ack=0
ssid=testAP
ieee80211w=0
auth_algs=1
wpa=2
wpa_passphrase=testPassword
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP

macaddr_acl=0
ignore_broadcast_ssid=0

ieee8021x=1

eap_server=0

own_ip_addr=10.1.0.22
auth_server_addr=10.1.0.12
auth_server_port=1812
auth_server_shared_secret=testSecret1

radius_retry_primary_interval=120

wmm_enabled=1

wpa_group_rekey=300
wpa_gmk_rekey=86400
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.