
Opened 11 years ago

Last modified 4 years ago

#1687 reopened defect

802.1X authentication using wpa_supplicant not working with wired driver

Reported by: pucca Owned by: developers
Priority: high Milestone: 0.9/rc6
Component: packages Version:
Keywords: Cc:

Description

The summary pretty much says it all. Running White Russian 0.9 and wpa_supplicant 0.4.7, there's no way to use 802.1X authentication on the WAN port. Take a look at http://forum.openwrt.org/viewtopic.php?id=10366 for further information regarding the problem. (Incidentally, I also came across /ticket/84.html, but the upgrading seems to have done little to fix the problem.)

Attachments (1)

Bob Foster1.gif (1001 bytes) - added by slavon8 2 years ago.
our


Change History (16)

comment:1 Changed 11 years ago by florian

  • Resolution set to wontfix
  • Status changed from new to closed

I would recommend trying kamikaze and brcm-2.4. Try with kamikaze and re-open if needed.

comment:2 Changed 11 years ago by pucca

  • Resolution wontfix deleted
  • Status changed from closed to reopened

Tried with kamikaze and brcm-2.4, and the problem still persists. If output from wpa_supplicant etc. is needed, please let me know.

comment:3 Changed 11 years ago by anonymous

comment:4 Changed 11 years ago by anonymous

It seems kamikaze handles multicast packets incorrectly. See also other posts on this forum.

comment:5 Changed 11 years ago by masikh

It seems the robo driver doesn't handle multicast packets correctly. This can be verified. Try connecting via 802.1x to a network. (There doesn't have to be an AP active for this test!) If you monitor the outgoing traffic, you'll notice the EAPOL packet never gets transmitted.

try: tcpdump -i eth0.x ether proto 0x888e

Zero packets get dumped, thus the packet never leaves the robo driver. This implies the robo driver incorrectly handles multicast traffic (the first packets of 802.1x authentication are multicast packets), thus the authentication fails.

Ciao,

Robert.
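The tcpdump check above, as an added example that is not part of the ticket or of OpenWrt: it builds the EAPOL-Start frame a wired supplicant emits (ethertype 0x888e, sent to the reserved PAE group address 01:80:c2:00:00:03), classifies frames the way the capture filter would, and shows the caveat that matters on this setup: on the parent interface of a VLAN sub-interface the frame carries an 802.1Q tag, and `ether proto 0x888e` alone does not match it (capture on eth0.x itself, or use `vlan and ether proto 0x888e`). The source MAC and VLAN id are constructed; `send_raw` is an assumed helper that needs CAP_NET_RAW and is not run at import.

```python
import socket
import struct
from typing import Dict, Optional

ETH_P_PAE = 0x888E                                   # 802.1X / EAPOL ethertype
ETH_P_8021Q = 0x8100                                 # 802.1Q VLAN tag ethertype
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")       # reserved PAE group address
EAPOL_START = b"\x01\x01\x00\x00"                    # version 1, type Start, length 0
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

# Constructed source MAC for the example (locally administered, not a real device).
SRC_MAC = bytes.fromhex("020000000001")


def build_eapol_start(src_mac: bytes, vlan_id: Optional[int] = None) -> bytes:
    """Ethernet frame carrying an EAPOL-Start, the first frame a wired supplicant
    sends.  With vlan_id set, an 802.1Q tag is inserted: that is the form the
    frame has on the parent interface when the supplicant runs on eth0.x."""
    if vlan_id is None:
        header = PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETH_P_PAE)
    else:
        tci = vlan_id & 0x0FFF                       # PCP 0, DEI 0, 12-bit VID
        header = PAE_GROUP_ADDR + src_mac + struct.pack("!HHH", ETH_P_8021Q, tci, ETH_P_PAE)
    return header + EAPOL_START


def classify(frame: bytes) -> Optional[Dict[str, object]]:
    """Return EAPOL header fields if the frame is 802.1X, else None.
    Accepts untagged frames and frames with one 802.1Q tag."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        offset, vlan = 18, tci & 0x0FFF
    if ethertype != ETH_P_PAE or len(frame) < offset + 4:
        return None
    version, ptype, body_len = struct.unpack("!BBH", frame[offset:offset + 4])
    return {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "vlan": vlan,
        "version": version,
        "type": EAPOL_TYPES.get(ptype, "unknown(%d)" % ptype),
        "body_len": body_len,
        "to_pae_group": frame[0:6] == PAE_GROUP_ADDR,
    }


def matches_ether_proto_filter(frame: bytes) -> bool:
    """What 'tcpdump ether proto 0x888e' tests: the ethertype at offset 12 only.
    A tagged EAPOL frame seen on the parent interface has 0x8100 there and is
    missed; capture on the sub-interface (tag already stripped) or use
    'tcpdump vlan and ether proto 0x888e'."""
    return len(frame) >= 14 and frame[12:14] == struct.pack("!H", ETH_P_PAE)


def send_raw(ifname: str, frame: bytes) -> int:
    """Assumed helper: put the frame on the wire with a Linux AF_PACKET socket
    (needs CAP_NET_RAW).  Run it on the router while tcpdump listens on the same
    interface to repeat the check from the comment above.  Not called at import."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((ifname, 0))
        return s.send(frame)
```

If `send_raw("eth0.1", build_eapol_start(SRC_MAC))` returns 18 but tcpdump on the same interface stays silent, the frame was accepted by the kernel and lost below it, which is the situation the comment describes; if tcpdump on the sub-interface shows it but the far side never answers, look at the switch configuration rather than the driver.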

comment:6 Changed 11 years ago by anonymous

I think the problem is here:

/kamikaze_7.06/package/switch/src/switch-robo.c

This whole file (actually files, of course) is really weird, by the way. Half of its content is about making integers and structures, blah blah blah, that are never used! Which looks to me like a piece of source that has been taken and modified, but badly! You can check for yourself, and you should! This whole robo driver code is messy and it's a God wonder that it works at all! BUT let this not be mistaken: I am really glad you guys did it in the first place. Unfortunately it still doesn't work with wpa_supplicant. This is not the error of wpa_supplicant but merely the faulty implementation of VLANs. This piece of code (in my understanding) is responsible for the handling of layer 2 traffic (aka VLAN, 802.1x, etc...). Unfortunately this code (still in my understanding) is only capable of handling VLAN traffic. Any other traffic (like the multicast needed for EAPOL auth...) is processed faultily!

This is the function I am talking about :->

static int handle_enable_vlan_write(void *driver, char *buf, int nr) {
    int disable = ((buf[0] != '1') ? 1 : 0);

    robo_write16(ROBO_VLAN_PAGE, ROBO_VLAN_CTRL0, disable ? 0 :
        (1 << 7) /* 802.1Q VLAN */ | (3 << 5) /* mac check and hash */);
    robo_write16(ROBO_VLAN_PAGE, ROBO_VLAN_CTRL1, disable ? 0 :
        (1 << 1) | (1 << 2) | (1 << 3) /* RSV multicast */);
    robo_write16(ROBO_VLAN_PAGE, ROBO_VLAN_CTRL4, disable ? 0 :
        (1 << 6) /* drop invalid VID frames */);
    robo_write16(ROBO_VLAN_PAGE, ROBO_VLAN_CTRL5, disable ? 0 :
        (1 << 3) /* drop miss V table frames */);
    return 0;
}

Also, very important by the way, this code is the centerpiece of the whole robo switch driver. That's the thing that drives all the network ports and stuff. (Anyway, that's my opinion!)

Ciao,

Robert.

comment:7 Changed 11 years ago by nbd

  • Resolution set to wontfix
  • Status changed from reopened to closed

I think you are mistaken. switch-robo.c does not handle traffic at all. It configures the VLAN feature of the switch, but nothing else. Thus it is not responsible for doing 802.1x or anything like this.
Additionally White Russian 0.9 is no longer supported. If you want to write an enhancement, it should be written for trunk.
The wired driver of wpa_supplicant definitely does not know how to deal with the vlan switch, so don't expect those things to work together just like that.

Closing this ticket, open a new one if you have a patch for trunk.

comment:8 Changed 11 years ago by anonymous

  • Resolution wontfix deleted
  • Status changed from closed to reopened

I am sorry to say, but I have tested wpa_supplicant through a VLAN on a regular Linux box and it works. Thus it rules wpa_supplicant out as a suspect for not being able to handle VLANs. But I dare say, yes, you are right in posing the statement that robo.c is not solely responsible for all network traffic. (Gee, what a sentence.) But that's beside the point I was postulating! My point was and still is that VLAN traffic and 802.1x traffic are both layer 2. Robo.c is responsible (obviously) for layer 2 traffic. Now where do I see the handling of layer 2 traffic apart from VLANs? There is none!

Thus I hold my case and say robo.c is faulty! (Sorry, my programming skills are too minor to solve this case, although I do understand the C files of robo.c and all.)

comment:9 Changed 11 years ago by nbd

  • Resolution set to wontfix
  • Status changed from reopened to closed

switch-robo.c does not handle any traffic. at. all. Not on layer 3, not on layer 2 and certainly not on layer 1.
The hardware that is being configured by switch-robo.c handles traffic, yes. But switch-robo.c itself only tweaks a few registers. So if you have vlan trouble, it's probably the hardware switch getting in the way. Try to find some datasheets if you want to fix this.

My statement about the obsolescence of whiterussian stands. Please don't reopen this ticket. Make a new one if you have a patch that can reconfigure the switch for proper 802.1x auth in svn trunk...

comment:10 follow-up: Changed 9 years ago by ondal71@…

Hi. I have resolved this problem.

The robo switch has a special operation mode for the reserved MULTICAST ADDRESSes, for example 0180c2000000 ~ 0180c200000f, that the client uses for authentication.

If you have the et utility, try these commands:
========================================
et -a eth0 robowr 0x00 0x0b 7      (set managed mode | forward mode)
et -a eth0 robowr 0x02 0x00 0x80   (managed port is MII)
et -a eth0 msglevel 4
=========================================

You will see EAPOL packets..
...

comment:11 in reply to: ↑ 10 ; follow-up: Changed 8 years ago by mike

This still seems to be an issue with White Russian 0.9 (latest).

ondal71, can you explain more about how to resolve this problem? (E.g., what is the 'et' utility?)


comment:12 in reply to: ↑ 11 Changed 8 years ago by linchen <linchen987@…>

The et utility is the Broadcom Ethernet utility in CFE. I have the et utility in my 520GU CFE, but only these args:

OPTIONS

-i=* Specifies the interface
up Activate the specified interface
down Deactivate the specified interface
loop Sets the loopback mode (0,1)
dump Dump driver information
msglevel Sets the driver message level
promisc Sets promiscuous mode

no "-a"

comment:13 follow-up: Changed 5 years ago by hubik.tomas@…

  • Resolution wontfix deleted
  • Status changed from closed to reopened

Hello, I have read a couple of threads and bug reports regarding this bug and I am afraid I am still facing this issue. Does anyone know, how to fix it or some workaround? I have router ASUS WL-600g with Backfire 10.03.1 and wpa_supplicant v2.0-devel and connecting to the wired network secured with PEAP and MSCHAP v2. My router has 4 RJ-45 ports which I divided into 2 VLANs - eth1.0 as LAN and eth1.1 as WAN.
My wpa_supplicant.conf looks like this:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=0
fast_reauth=1

network={
        key_mgmt=IEEE8021X
        eap=PEAP
        anonymous_identity="anonymous"
        ca_cert="/etc/ssl/certs/cacert.pem"
        identity="**********"
        password="***********"
        phase2="auth=MSCHAPV2"
}

I am starting it with this command:

wpa_supplicant -ieth1.1 -c/etc/wpa_supplicant2.conf -Dwired -K -dd

And this is the result:

wpa_supplicant v2.0-devel
random: Trying to read entropy from /dev/random
Initializing interface 'eth1.1' conf '/etc/wpa_supplicant.conf' driver 'wired' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group='0'
eapol_version=1
ap_scan=0
fast_reauth=1
Line: 7 - start of a new network block
key_mgmt: 0x8
eap methods - hexdump(len=16): 00 00 00 00 00 00 00 19 00 00 00 00 00 00 00 00
anonymous_identity - hexdump_ascii(len=9):
     61 6e 6f 6e 79 6d 6f 75 73                        anonymous
ca_cert - hexdump_ascii(len=25):
     2f 65 74 63 2f 73 73 6c 2f 63 65 72 74 73 2f 63   /etc/ssl/certs/c
     61 63 65 72 74 2e 70 65 6d                        acert.pem
identity - hexdump_ascii(len=8):
     ** ** ** ** ** ** ** **                           **********
password - hexdump_ascii(len=16):
     ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **   ***************
phase2 - hexdump_ascii(len=13):
     61 75 74 68 3d 4d 53 43 48 41 50 56 32            auth=MSCHAPV2
Priority group 0
   id=0 ssid=''
wpa_driver_wired_init: Added multicast membership with packet socket
eth1.1: Own MAC address: 00:23:8b:05:2f:78
eth1.1: RSN: flushing PMKID list in the driver
eth1.1: Setting scan request: 0 sec 100000 usec
WPS: Set UUID for interface eth1.1
WPS: UUID based on MAC address - hexdump(len=16): 2a 2f 0d 29 a6 26 55 df 87 a7 8d 18 6b dc db b4
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: Supplicant port status: Unauthorized
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: Supplicant port status: Unauthorized
EAPOL: Supplicant port status: Unauthorized
ctrl_interface_group=0
eth1.1: Added interface eth1.1
random: Got 18/20 bytes from /dev/random
EAPOL: External notification - EAP success=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - EAP fail=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - portControl=Auto
EAPOL: Supplicant port status: Unauthorized
eth1.1: Already associated with a configured network - generating associated event
eth1.1: Event 0 received on interface eth1.1
eth1.1: Association info event
eth1.1: State: DISCONNECTED -> ASSOCIATED
eth1.1: Associated to a new BSS: BSSID=01:80:c2:00:00:03
Add randomness: count=1 entropy=0
eth1.1: No keys have been configured - skip key clearing
eth1.1: Select network based on association information
eth1.1: Network configuration found for the current AP
eth1.1: WPA: clearing AP WPA IE
eth1.1: WPA: clearing AP RSN IE
eth1.1: WPA: clearing own WPA/RSN IE
EAPOL: External notification - EAP success=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - EAP fail=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - portControl=Auto
EAPOL: Supplicant port status: Unauthorized
eth1.1: Associated with 01:80:c2:00:00:03
eth1.1: WPA: Association event - clear replay counter
eth1.1: WPA: Clear old PTK
EAPOL: External notification - portEnabled=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - portValid=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
eth1.1: Cancelling scan request
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 01 01 00 00

Everything stops on the TX EAPOL and I do not receive any RX EAPOL.

Can anyone help? I am sorry if this is not related to this bug, but only some error in my config files.
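A triage pass over a wpa_supplicant -dd log like the one above, as an added example that is not part of the ticket or of wpa_supplicant: it pairs TX/RX EAPOL lines with their hexdumps, decodes the 4-byte EAPOL header (version, type, body length), and reports "tx-without-rx" for exactly the symptom described here (an EAPOL-Start sent to 01:80:c2:00:00:03 and nothing ever received), which is the point at which the tcpdump check from comment:5 decides whether the frame left the wire at all. STALLED_LOG is copied from the log above; HEALTHY_LOG is constructed (an EAP Request/Identity reply) and the shape of its "RX EAPOL from" line is assumed from wpa_supplicant's debug output, which this ticket does not show.

```python
import re
from typing import Dict, List

# Line shapes: the TX lines appear in the log above; the RX line shape is assumed.
TX_RE = re.compile(r"\bTX EAPOL: dst=([0-9a-f:]{17})", re.I)
RX_RE = re.compile(r"\bRX EAPOL from ([0-9a-f:]{17})", re.I)
HEX_RE = re.compile(r"\b(TX|RX) EAPOL - hexdump\(len=(\d+)\): ((?:[0-9a-f]{2}\s?)+)", re.I)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
PAE_GROUP_ADDR = "01:80:c2:00:00:03"  # reserved PAE group address the supplicant targets

# Copied from the -dd output above: the exchange stops after the EAPOL-Start.
STALLED_LOG = """\
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 01 01 00 00
"""

# Constructed: the same start followed by an EAP Request/Identity from the authenticator.
HEALTHY_LOG = """\
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 01 01 00 00
eth1.1: RX EAPOL from 00:11:22:33:44:55
RX EAPOL - hexdump(len=9): 01 00 00 05 01 01 00 05 01
"""


def decode_eapol_header(hexbytes: str) -> Dict[str, object]:
    """Decode the 4-byte EAPOL header from a hexdump string such as '01 01 00 00'."""
    data = bytes.fromhex(hexbytes.replace(" ", ""))
    if len(data) < 4:
        raise ValueError("EAPOL header is 4 bytes")
    return {
        "version": data[0],
        "type": EAPOL_TYPES.get(data[1], "unknown(%d)" % data[1]),
        "body_len": int.from_bytes(data[2:4], "big"),
    }


def parse_events(log: str) -> List[Dict[str, object]]:
    """Collect TX/RX EAPOL events in order, attaching the hexdump that follows each."""
    events: List[Dict[str, object]] = []
    for line in log.splitlines():
        m = TX_RE.search(line)
        if m:
            events.append({"dir": "TX", "peer": m.group(1).lower()})
            continue
        m = RX_RE.search(line)
        if m:
            events.append({"dir": "RX", "peer": m.group(1).lower()})
            continue
        m = HEX_RE.search(line)
        if m and events and events[-1]["dir"] == m.group(1).upper() and "hdr" not in events[-1]:
            events[-1]["hdr"] = decode_eapol_header(m.group(3))
    return events


def triage(log: str) -> Dict[str, object]:
    """Summarise the exchange: no-tx, tx-without-rx (this ticket's symptom), or exchange."""
    events = parse_events(log)
    tx = [e for e in events if e["dir"] == "TX"]
    rx = [e for e in events if e["dir"] == "RX"]
    if not tx:
        verdict = "no-tx"            # supplicant never reached txStart: config/driver init problem
    elif not rx:
        verdict = "tx-without-rx"    # frame handed to the driver, nothing came back: check the wire
    else:
        verdict = "exchange"
    starts = sum(1 for e in tx if e.get("hdr", {}).get("type") == "EAPOL-Start")
    wrong_dst = [e["peer"] for e in tx if e["peer"] != PAE_GROUP_ADDR]
    return {"verdict": verdict, "tx": len(tx), "rx": len(rx),
            "eapol_starts": starts, "wrong_dst": wrong_dst, "events": events}
```

A "tx-without-rx" verdict says nothing about whether the frame reached the cable; it only shows wpa_supplicant handed it to the driver. The next step is the capture from comment:5 on the same interface: a frame visible there but unanswered points at the authenticator or the switch path, a frame absent there points at the driver or switch configuration.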

comment:14 in reply to: ↑ 13 Changed 4 years ago by anonymous

Did this work at all? I'm having similar trouble with bcm47xx build. There seems to be some problem with sending the EAPOL packets over the wire.


comment:15 Changed 4 years ago by anonymous

try -Droboswitch

Changed 2 years ago by slavon8
