Hostapd

From SOWNWiki
hostapd
Installed on: All Wireless Nodes
Was installed on:
Website: http://hostap.epitest.fi/hostapd/

Hostapd is a Unix authentication daemon. It supports the 802.1X protocol and is used to restrict access to WLANs.

Deployment

Hostapd runs on the Meraki nodes that are configured to support 802.1X. These currently include sown-test and the demoroom node.

Configuration

Currently Hostapd is configured to give out dynamic WEP keys.

interface=ath1
driver=madwifi
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=0
dump_file=/tmp/hostapd.dump
ssid=[SOWN]-8021x
ieee8021x=1
wep_key_len_broadcast=5
wep_key_len_unicast=5
eapol_key_index_workaround=1
eap_server=0
own_ip_addr=10.13.128.114
nas_identifier=node.sown.org.uk
auth_server_addr=10.13.0.252
auth_server_port=5080
auth_server_shared_secret=********
#acct_server_addr=10.13.0.252
#acct_server_port=5081
#acct_server_shared_secret=********


This will probably be adjusted to give out a stronger encryption mode.
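
As an added example (not part of the original wiki page or SOWN's own tooling), the following shell function audits a hostapd.conf and reports whether it still hands out dynamic WEP keys, as the configuration above does, or has been moved to WPA2-Enterprise with CCMP. The options wpa, wpa_key_mgmt and rsn_pairwise are standard hostapd settings that do not appear on this page; the function names and verdict strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the SOWN wiki): audit which link-layer protection
# a hostapd.conf will offer. Verdict strings are this example's own.

# Print the value of the last uncommented "key=value" line for key $2 in file $1.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Print one verdict line; return 0 only for WPA2-Enterprise restricted to CCMP.
audit_hostapd_conf() {
    wpa=$(conf_get "$1" wpa)
    key_mgmt=$(conf_get "$1" wpa_key_mgmt)
    pairwise=$(conf_get "$1" rsn_pairwise)
    uni=$(conf_get "$1" wep_key_len_unicast)
    bc=$(conf_get "$1" wep_key_len_broadcast)

    case "${wpa:-0}" in
    0)  # No WPA/RSN at all: 802.1X can only hand out WEP keys, or nothing.
        if [ -n "$uni" ] || [ -n "$bc" ]; then
            # Key lengths are given in bytes: 5 = 40-bit WEP, 13 = 104-bit WEP.
            echo "WEAK dynamic-wep unicast=$(( ${uni:-0} * 8 ))bit broadcast=$(( ${bc:-0} * 8 ))bit"
        else
            echo "WEAK no-encryption"
        fi
        return 1 ;;
    2)  # WPA2 only: require EAP key management and an explicit CCMP-only
        # cipher, because an unset rsn_pairwise falls back to wpa_pairwise.
        case " $key_mgmt " in
        *" WPA-EAP "*) ;;
        *) echo "REVIEW wpa2 key_mgmt=${key_mgmt:-unset}"; return 1 ;;
        esac
        if [ "$pairwise" = "CCMP" ]; then
            echo "OK wpa2-enterprise-ccmp"; return 0
        fi
        echo "WEAK wpa2-pairwise=${pairwise:-unset}"; return 1 ;;
    *)  echo "WEAK wpa1-or-mixed wpa=$wpa"; return 1 ;;
    esac
}

# Constructed sample: the dynamic-WEP settings shown on this page.
demo=$(mktemp)
printf '%s\n' 'ieee8021x=1' 'wep_key_len_broadcast=5' 'wep_key_len_unicast=5' > "$demo"
audit_hostapd_conf "$demo" || true   # WEAK dynamic-wep unicast=40bit broadcast=40bit
rm -f "$demo"
```

The function returns non-zero for anything other than WPA2-Enterprise with CCMP, so it can gate a deployment step or a periodic check on each node.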


Hostapd needs to come up on boot, which requires adding an init script. However, just bringing it up will not work gracefully, so it is necessary to do some sanity checking (it requires the VPN tunnel).

#!/bin/sh /etc/rc.common

START=94
STOP=94

# At boot: keep both radios down until the auth server answers a ping
# (it is only reachable once the VPN tunnel is up), then start hostapd.
boot() {
        /sbin/ifconfig ath1 down
        /sbin/ifconfig ath0 down
        ping -c 1 10.13.0.252 > /var/log/sown_ping.res
        FOO=`grep "1 packets received" /var/log/sown_ping.res`
        while [ "$FOO" = "" ]
        do
                ping -c 1 10.13.0.252 > /var/log/sown_ping.res
                FOO=`grep "1 packets received" /var/log/sown_ping.res`
                sleep 10
        done
        /sbin/ifconfig ath1 up
        /sbin/ifconfig ath0 up
        /usr/sbin/hostapd -B /etc/hostapd.conf
}

# Manual start: a single ping; leave ath1 down if the auth server is unreachable.
start() {
        ping -c 1 10.13.0.252 > /var/log/sown_ping.res
        FOO=`grep "1 packets received" /var/log/sown_ping.res`
        if [ "$FOO" = "" ]
        then
                /sbin/ifconfig ath1 down
                echo "No route to sown-auth"
        else
                /sbin/ifconfig ath1 up
                /usr/sbin/hostapd -B /etc/hostapd.conf
        fi
}

# Stop hostapd and take the 802.1X interface down.
stop() {
        killall hostapd
        /sbin/ifconfig ath1 down
}

A sanity check is also added to /etc/sown/server_status_check to prevent ath1 from broadcasting when no RADIUS server is accessible.

An addition of

ifconfig ath1 down

to the first if block and

ifconfig ath1 up

to the second fixes this.


IP allocation

ath1 will require a further allocation of an IPv4 /24 from the 10.13.129.0/17 range and another IPv6 /64. Furthermore, the IPv4 subnet will need adding to the DHCP leases file and the network config file.

/etc/config/wireless

...
config wifi-iface ath1
       option device   wifi0
       option network  lan
       option mode     ap
       option ssid     [SOWN]-8021X
       option encryption       none
...

/etc/config/network

...
config interface ath1
       option ifname ath1
       option proto static
       option ipaddr 10.13.*.254
       option ip6addr 2001:630:d0:f7**::1/64
       option netmask 255.255.255.0
...

/etc/dnsmasq.conf

...
dhcp-range=ath1,10.13.*.1,10.13.*.253,1h
...

Useful Links

http://hostap.epitest.fi/hostapd/
http://www.devicescape.com/docs/uwp/package_guide/pkg_hostapd.php