Message-ID: <CAEFUPH2HVZDxLmhqfmiGnFt15KnhpWwRVswMzmTDxY7-zBub2Q@mail.gmail.com>
Date: Wed, 16 Apr 2025 22:42:21 -0700
From: SIMON BABY <simonkbaby@...il.com>
To: netdev@...r.kernel.org
Subject: query on hostapd

Hello team,

I have an issue with hostapd on a bridge VLAN interface (with Marvell DSA ports).

I have a Linux bridge interface br0.50 (created using bridge VLAN
filtering with br0 as the master bridge) with ports lan1, lan2 and lan5
(DSA-enumerated ports).

br0.50 has the IP address 192.168.50.2/24. The DHCP range for the
clients is 192.168.50.1 to 192.168.50.100.

The RADIUS server is running on IP 10.20.0.1/24 and lan4 is connected to
the RADIUS server. lan4 is a member of br0.40 with IP address
10.20.0.2/24.

A laptop with client certs is connected to lan3.
                                                        lan4
radius server-----------------------------br0.40-----hostapd----lan5----------------------------------------client
10.20.0.1                                         10.20.0.2
      br0.50  192.168.50.2

My hostapd configuration is below:

oot@...a7g5ek-tdy-sd:~# cat /etc/hostapd.conf
##### hostapd configuration file ##############################################
# Empty lines and lines starting with # are ignored

# Example configuration file for wired authenticator. See hostapd.conf for
# more details.

interface=br0.50
driver=wired
logger_stdout=-1
logger_stdout_level=0
logger_syslog=-1
logger_syslog_level=2

ieee8021x=1
eap_reauth_period=3600
ap_max_inactivity=86400

#use_pae_group_addr=1

##### RADIUS configuration ####################################################
# for IEEE 802.1X with external Authentication Server, IEEE 802.11
# authentication with external ACL for MAC addresses, and accounting

# The own IP address of the access point (used as NAS-IP-Address)
#own_ip_addr=127.0.0.1

# Optional NAS-Identifier string for RADIUS messages. When used, this should be
# a unique to the NAS within the scope of the RADIUS server. For example, a
# fully qualified domain name can be used here.
#nas_identifier=hostapd.teledyne.com

# RADIUS authentication server
auth_server_addr=10.20.0.1
auth_server_port=1812
auth_server_shared_secret=test123

# Enable CRL verification.
# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a
# valid CRL signed by the CA is required to be included in the ca_cert file.
# This can be done by using PEM format for CA certificate and CRL and
# concatenating these into one file. Whenever CRL changes, hostapd needs to be
# restarted to take the new CRL into use.
# 0 = do not verify CRLs (default)
# 1 = check the CRL of the user certificate
# 2 = check all CRLs in the certificate path
check_crl=1

I observed that with the above configuration, the RADIUS server is not
receiving any packets (interface=br0.50).
If I change to interface=lan5 in the hostapd.conf file, I can see that the
RADIUS server is receiving packets from hostapd.
Do you know anything I need to change to make hostapd work with the bridge
VLAN interface? My design is to have hostapd listen on multiple LAN
interfaces.
How do we make sure that before the 802.1X authentication is completed,
DHCP packets are not going through? Is this handled by hostapd, or do we
need to change the port status manually or use iptables?

Looking forward to your help.


Regards
Simon
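
Two things a reader debugging a setup like this would want to check, as an added example that is not part of Simon's mail nor code from hostapd: what an EAPOL frame looks like on the wire (ethertype 0x888E, sent by the supplicant to the PAE group address 01:80:c2:00:00:03), and how a Linux bridge treats that address. bridge(8) documents group_fwd_mask as a bitmask over the link-local addresses 01:80:c2:00:00:0X that defaults to 0, meaning the bridge does not forward link-local frames; a frame that the bridge does not forward stays on the ingress member port, which is consistent with (though not proof of) EAPOL being visible on lan5 but not on br0.50. The block computes the bit to look for in /sys/class/net/<bridge>/bridge/group_fwd_mask (a kernel sysfs path, not something from the page) and flags the bits the kernel refuses to set. It also encodes the 802.1X port model's pre-authentication policy: only EAPOL may pass until the supplicant is authorized, so DHCP must be dropped by whatever enforces the port state. The client MAC and both frames are constructed samples.

```python
"""Inspect 802.1X (EAPOL) frames and the Linux bridge link-local forwarding mask.

Added example, not part of the original mail. The frames and MAC addresses
below are constructed by hand; nothing is read from a live interface.
"""
import struct

ETH_P_PAE = 0x888E                               # EAPOL ethertype
ETH_P_IP = 0x0800
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
LINK_LOCAL_PREFIX = bytes.fromhex("0180c20000")  # 01:80:c2:00:00:0X
# The kernel never forwards these link-local bits, whatever group_fwd_mask says:
# bit 0 = STP, bit 1 = 802.3x pause, bit 2 = slow protocols (LACP).
BR_GROUPFWD_RESTRICTED = 0x0007
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def parse_eapol(frame: bytes) -> dict:
    """Decode the Ethernet and EAPOL headers of a frame captured on a port."""
    if len(frame) < 18:
        raise ValueError("frame too short for an EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_PAE:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "version": version,
        "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
        "body_len": body_len,
    }


def group_fwd_bit(link_local_mac: bytes) -> int:
    """Bit in /sys/class/net/<bridge>/bridge/group_fwd_mask for this address."""
    if link_local_mac[:5] != LINK_LOCAL_PREFIX or link_local_mac[5] > 0x0F:
        raise ValueError("not a 01:80:c2:00:00:0X link-local group address")
    return 1 << link_local_mac[5]


def bridge_forwards(group_fwd_mask: int, link_local_mac: bytes) -> bool:
    """True if a bridge with this group_fwd_mask forwards frames to the address.

    With the default mask of 0 the bridge leaves link-local frames on the
    ingress port, so a PAE group frame can be seen by a packet socket on a
    member port while the bridge device and its VLAN sub-interfaces see nothing.
    """
    bit = group_fwd_bit(link_local_mac)
    if bit & BR_GROUPFWD_RESTRICTED:
        return False
    return bool(group_fwd_mask & bit)


def is_dhcp(frame: bytes) -> bool:
    """IPv4/UDP to or from the BOOTP/DHCP ports (67, 68)."""
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:                      # IPv4 protocol field: UDP
        return False
    udp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    return bool({sport, dport} & {67, 68})


def preauth_verdict(frame: bytes) -> str:
    """Policy the 802.1X controlled/uncontrolled port model demands before a
    supplicant is authorized: only EAPOL passes, everything else is dropped.
    Whatever enforces it (bridge, packet filter or switch ASIC), DHCP must not leak."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_P_PAE:
        return "allow"
    if ethertype == ETH_P_IP and is_dhcp(frame):
        return "drop:dhcp"
    return "drop"


# Constructed sample traffic from a hypothetical supplicant.
CLIENT_MAC = bytes.fromhex("02000000aa01")       # locally administered, made up
EAPOL_START = PAE_GROUP_ADDR + CLIENT_MAC + struct.pack("!HBBH", ETH_P_PAE, 1, 1, 0)
_ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
_udp = struct.pack("!HHHH", 68, 67, 8, 0)        # client port 68 -> server port 67
DHCP_DISCOVER = b"\xff" * 6 + CLIENT_MAC + struct.pack("!H", ETH_P_IP) + _ipv4 + _udp

if __name__ == "__main__":
    print(parse_eapol(EAPOL_START))
    for mask in (0x0, 0x8):
        print(f"group_fwd_mask=0x{mask:x} forwards PAE:", bridge_forwards(mask, PAE_GROUP_ADDR))
    for name, f in (("EAPOL-Start", EAPOL_START), ("DHCP Discover", DHCP_DISCOVER)):
        print(f"{name}: {preauth_verdict(f)}")
```

Whether a bridge should forward PAE frames at all is a separate design question (forwarding them floods link-local authentication traffic to every other port); the mask check only tells you where the frames end up, which is the first thing to establish when hostapd bound to a bridge interface sees no supplicants.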
