Message-ID: <CAEFUPH2DxA6c9By1V4_YqRof7n2-SR74zBVEzTx1AWBxqZim=A@mail.gmail.com>
Date: Mon, 21 Apr 2025 22:19:10 -0700
From: SIMON BABY <simonkbaby@...il.com>
To: netdev@...r.kernel.org
Subject: Re: query on hostapd

Hello everyone,

Do we have to enable anything in the bridge interface in Linux for
processing EAPOL packets? Currently the bridge in my setup cannot
detect EAPOL packets. However, the DSA lan ports are able to detect them.
The bridge interface contains the lan port.

Regards
Simon

On Wed, Apr 16, 2025 at 10:42 PM SIMON BABY <simonkbaby@...il.com> wrote:
>
> Hello team,
>
> I have an issue with hostapd on a bridge VLAN interface (with Marvell DSA ports).
>
> I have a Linux bridge interface br0.50 (created using bridge VLAN
> filtering with br0 as the master bridge) with ports lan1, lan2 and lan5
> (DSA enumerated ports).
>
> br0.50 has an IP address 192.168.50.2/24. The DHCP range for the
> clients is 192.168.50.1 to 192.168.50.100.
>
> The RADIUS server is running on IP 10.20.0.1/24 and lan4 is connected to
> the RADIUS server. lan4 is a member of br0.40 with IP address
> 10.20.0.2/24.
>
> A laptop with client certs is connected to lan3.
>                                                         lan4
> radius server-----------------------------br0.40-----hostapd----lan5----------------------------------------client
> 10.20.0.1                                         10.20.0.2
>       br0.50  192.168.50.2
>
>
> My hostapd configuration is below:
>
> oot@...a7g5ek-tdy-sd:~# cat /etc/hostapd.conf
>
> ##### hostapd configuration file ##############################################
> # Empty lines and lines starting with # are ignored
>
> # Example configuration file for wired authenticator. See hostapd.conf for
> # more details.
>
> interface=br0.50
> driver=wired
> logger_stdout=-1
> logger_stdout_level=0
> logger_syslog=-1
> logger_syslog_level=2
>
> ieee8021x=1
> eap_reauth_period=3600
> ap_max_inactivity=86400
>
> #use_pae_group_addr=1
>
>
> ##### RADIUS configuration ####################################################
> # for IEEE 802.1X with external Authentication Server, IEEE 802.11
> # authentication with external ACL for MAC addresses, and accounting
>
> # The own IP address of the access point (used as NAS-IP-Address)
> #own_ip_addr=127.0.0.1
>
> # Optional NAS-Identifier string for RADIUS messages. When used, this should be
> # a unique to the NAS within the scope of the RADIUS server. For example, a
> # fully qualified domain name can be used here.
> #nas_identifier=hostapd.teledyne.com
>
> # RADIUS authentication server
> auth_server_addr=10.20.0.1
> auth_server_port=1812
> auth_server_shared_secret=test123
>
>
> # Enable CRL verification.
> # Note: hostapd does not yet support CRL downloading based on CDP. Thus, a
> # valid CRL signed by the CA is required to be included in the ca_cert file.
> # This can be done by using PEM format for CA certificate and CRL and
> # concatenating these into one file. Whenever CRL changes, hostapd needs to be
> # restarted to take the new CRL into use.
> # 0 = do not verify CRLs (default)
> # 1 = check the CRL of the user certificate
> # 2 = check all CRLs in the certificate path
> check_crl=1
>
>
> I observed that with the above configuration, the RADIUS server is not
> receiving any packets (interface=br0.50).
> If I change to interface=lan5 in the hostapd.conf file, I can see the RADIUS
> server is receiving packets from hostapd.
> Do you know anything I need to change to work with the bridge VLAN
> interface for hostapd? My design is to have hostapd listen on
> multiple lan interfaces.
> How do we make sure that before the 802.1X authentication is completed
> DHCP packets are not going through? Is this handled by hostapd, or do
> we need to manually change the port status or use iptables manually?
>
> Looking forward to your help.
>
>
> Regards
> Simon
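An added example, not part of this thread: a POSIX sh helper that checks the bridge-side setting most relevant to the EAPOL question above. A Linux bridge forwards link-local frames 01:80:C2:00:00:0X only when bit X of its group_fwd_mask is set, and EAPOL uses X=3 (01:80:C2:00:00:03); the script reads that mask from sysfs and computes the corrected value. The bridge name (br0, the master of br0.50) in the usage is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. A Linux bridge treats 01:80:C2:00:00:0X
# frames as link-local and, unless bit X of its group_fwd_mask is set, hands
# them only to the receiving port's own stack: hostapd bound to lan5 sees EAPOL
# (X=3, dst 01:80:C2:00:00:03), hostapd bound to the bridge device does not.
EAPOL_BIT=8      # bit 3 of group_fwd_mask
RESTRICTED=7     # bits 0-2 (STP, pause, LACP): the kernel refuses to set them

# eapol_bit_set MASK -> prints yes/no. MASK may be hex (0x8) or decimal.
eapol_bit_set() {
    if [ $(( $1 & EAPOL_BIT )) -ne 0 ]; then echo yes; else echo no; fi
}

# mask_with_eapol MASK -> prints MASK with the EAPOL bit added, keeping any
# other permitted bits; fails if MASK touches the restricted bits.
mask_with_eapol() {
    if [ $(( $1 & RESTRICTED )) -ne 0 ]; then
        echo "mask $1 sets restricted bits 0-2; the kernel rejects it" >&2
        return 1
    fi
    printf '0x%x\n' $(( $1 | EAPOL_BIT ))
}

# check_bridge BRIDGE -> reads the live mask from sysfs and reports.
# Returns 0 if EAPOL is forwarded, 1 if not, 2 if BRIDGE is not a bridge.
check_bridge() {
    f=/sys/class/net/$1/bridge/group_fwd_mask
    [ -r "$f" ] || { echo "$1: no $f (not a bridge?)" >&2; return 2; }
    cur=$(cat "$f")
    if [ "$(eapol_bit_set "$cur")" = yes ]; then
        echo "$1: group_fwd_mask=$cur, EAPOL frames reach the bridge device"
        return 0
    fi
    echo "$1: group_fwd_mask=$cur, EAPOL frames stay on the member port"
    echo "    fix: ip link set dev $1 type bridge group_fwd_mask $(mask_with_eapol "$cur")"
    return 1
}

# Usage (bridge name assumed): br0.50 in the thread is a VLAN interface on
# top of br0, and the mask lives on the bridge itself, so check br0.
if [ "$#" -gt 0 ]; then check_bridge "$1"; fi
```

Run it as `sh check_eapol.sh br0`; a non-zero exit means EAPOL frames arriving on lan5 are not handed to br0 and therefore never reach a listener on br0.50.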
