AP with external RADIUS server

Everything about WLan and hostap
azzido

AP with external RADIUS server

Post by azzido » March 1st, 2010, 4:50 am

Has anyone been able to set up IPFire to use an external RADIUS server for wireless client authentication?

I have modified /etc/hostapd.conf, but when I run /etc/modprobe.d/madwifi restart, the AP does not start. I don't see any errors and there is no log file for hostapd, so I am not sure if my hostapd.conf is not correct or if there is something else that I am missing. Does anyone have any ideas how I can troubleshoot this? Thanks in advance.

Maniacikarus
Core Developer
Posts: 6210
Joined: February 24th, 2006, 10:35 am
Location: Nürnberg

Re: AP with external RADIUS server

Post by Maniacikarus » March 1st, 2010, 6:54 am

You need to do

/etc/init.d/hostapd restart

to restart the AP.

azzido

Re: AP with external RADIUS server

Post by azzido » March 1st, 2010, 12:56 pm

Yes, that's what I did: /etc/init.d/hostapd restart

Not sure why I typed /etc/modprobe.d/madwifi restart :)

azzido

Re: AP with external RADIUS server

Post by azzido » March 2nd, 2010, 6:39 am

Got it up and running. Here is my hostapd.conf. Maybe someone will find it useful.


##### hostapd configuration file ##############################################

interface=blue0

# Driver interface type (hostap/wired/madwifi/test/none/nl80211/bsd);
driver=nl80211

#  0 = verbose debugging
#  1 = debugging
#  2 = informational messages
#  3 = notification
#  4 = warning
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=4

# Dump file for state information (on SIGUSR1)
dump_file=/tmp/hostapd.dump

ctrl_interface=/var/run/hostapd
ctrl_interface_group=0

##### IEEE 802.11 related configuration #######################################

ssid=<<SPECIFY SSID>>

# Operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g)
hw_mode=g

# Channel number (IEEE 802.11)
# (default: 0, i.e., not set)
# Please note that some drivers (e.g., madwifi) do not use this value from
# hostapd and the channel will need to be configured separately with iwconfig.
channel=01

# IEEE 802.11 specifies two authentication algorithms. hostapd can be
# configured to allow both of these or only one. Open system authentication
# should be used with IEEE 802.1X.
# Bit fields of allowed authentication algorithms:
# bit 0 = Open System Authentication
# bit 1 = Shared Key Authentication (requires WEP)
auth_algs=1

# Send empty SSID in beacons and ignore probe request frames that do not
# specify full SSID, i.e., require stations to know SSID.
# default: disabled (0)
# 1 = send empty (length=0) SSID in beacon and ignore probe request for
#     broadcast SSID
# 2 = clear SSID (ASCII 0), but keep the original length (this may be required
#     with some clients that do not support empty SSID) and ignore probe
#     requests for broadcast SSID
#ignore_broadcast_ssid=0

# Station MAC address -based authentication
# Please note that this kind of access control requires a driver that uses
# hostapd to take care of management frame processing and as such, this can be
# used with driver=hostap or driver=nl80211, but not with driver=madwifi.
# 0 = accept unless in deny list
# 1 = deny unless in accept list
# 2 = use external RADIUS server (accept/deny lists are searched first)
macaddr_acl=0

# Accept/deny lists are read from separate files (containing list of
# MAC addresses, one per line). Use absolute path name to make sure that the
# files can be read on SIGHUP configuration reloads.
#accept_mac_file=/etc/hostapd.accept
#deny_mac_file=/etc/hostapd.deny

ap_max_inactivity=600

##### IEEE 802.1X-2004 related configuration ##################################

# Require IEEE 802.1X authorization
ieee8021x=1

# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
# only broadcast keys are used)
eapol_key_index_workaround=1

# Use integrated EAP server
eap_server=0

##### RADIUS client configuration #############################################

# The own IP address of the access point (used as NAS-IP-Address)
# NOTE: blue or green (where external RADIUS server is) work fine
own_ip_addr=<<SPECIFY IP>>
nas_identifier=<<SPECIFY NAS ID>>

# RADIUS authentication server
auth_server_addr=<<SPECIFY RADIUS IP>>
auth_server_port=<<SPECIFY PORT>>
auth_server_shared_secret=<<SPECIFY SHARED SECRET FROM RADIUS CONFIG>>

##### WPA/IEEE 802.11i configuration ##########################################

# Enable WPA
# bit0 = WPA
# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
wpa=2

# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be
# added to enable SHA256-based stronger algorithms.
# (dot11RSNAConfigAuthenticationSuitesTable)
wpa_key_mgmt=WPA-EAP

# Set of accepted cipher suites (encryption algorithms) for pairwise keys
# (unicast packets). This is a space separated list of algorithms:
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# Group cipher suite (encryption algorithm for broadcast and multicast frames)
# is automatically selected based on this configuration. If only CCMP is
# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
# TKIP will be used as the group cipher.
# (dot11RSNAConfigPairwiseCiphersTable)
# Pairwise cipher for WPA (v1) (default: TKIP)
wpa_pairwise=CCMP
# Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value)
rsn_pairwise=CCMP
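
Added example, not part of azzido's post or of IPFire's code: a shell lint that checks a hostapd.conf for the WPA2-Enterprise and RADIUS client settings the posted file relies on, and flags any <<SPECIFY ...>> placeholder left unfilled. The function names conf_get and lint_hostapd_eap and the sample values (192.0.2.x addresses, port 1812) are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint a hostapd.conf against the
# WPA2-Enterprise / external RADIUS settings used in the posted file.

# Print the last value assigned to key $2 in file $1; comment lines are skipped.
conf_get() {
    awk -v k="$2" '
        /^#/ || !/=/ { next }
        substr($0, 1, index($0, "=") - 1) == k { v = substr($0, index($0, "=") + 1) }
        END { print v }' "$1"
}

# Print one line per finding; return 0 when clean, 1 otherwise.
lint_hostapd_eap() {
    f=$1; rc=0
    want() {  # want KEY VALUE REASON
        got=$(conf_get "$f" "$1")
        [ "$got" = "$2" ] || { echo "$1=${got:-<unset>} (want $2): $3"; rc=1; }
    }
    want ieee8021x 1 "802.1X authorization must be required"
    want eap_server 0 "integrated EAP server stays off with external RADIUS"
    want wpa 2 "RSN/WPA2 only, no WPA v1"
    want wpa_key_mgmt WPA-EAP "EAP only, as in the posted file"
    want rsn_pairwise CCMP "CCMP only, so TKIP is never the group cipher"
    for k in own_ip_addr auth_server_addr auth_server_port auth_server_shared_secret; do
        v=$(conf_get "$f" "$k")
        case $v in
            ''|*'<<'*) echo "$k is unset or still a <<placeholder>>"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: the posted settings with one placeholder left in and
# TKIP added to rsn_pairwise. Addresses and port are made up for the example.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ieee8021x=1
eap_server=0
own_ip_addr=192.0.2.1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=<<SPECIFY SHARED SECRET FROM RADIUS CONFIG>>
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP TKIP
EOF
lint_hostapd_eap "$sample" || echo "hostapd.conf needs attention"
```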


H&M
Posts: 471
Joined: May 29th, 2014, 9:38 pm
Location: Europe

Re: AP with external RADIUS server

Post by H&M » December 6th, 2014, 8:59 pm

Hi & big thank you for showing us how to use accept/deny MAC lists for WiFi.

One problem though: how do you prevent rewriting your hostapd.conf file?

Every time I use the GUI, the CGI script erases the lines I've added:


# Station MAC address -based authentication
# Please note that this kind of access control requires a driver that uses
# hostapd to take care of management frame processing and as such, this can be
# used with driver=hostap or driver=nl80211, but not with driver=madwifi.
# 0 = accept unless in deny list
# 1 = deny unless in accept list
# 2 = use external RADIUS server (accept/deny lists are searched first)
macaddr_acl=1

# Accept/deny lists are read from separate files (containing list of
# MAC addresses, one per line). Use absolute path name to make sure that the
# files can be read on SIGHUP configuration reloads.
accept_mac_file=/etc/hostapd.accept
deny_mac_file=/etc/hostapd.deny


I need these lines in order to restrict access to my WiFi AP!

Thank you, vielen danke!
Have a nice day / Bonne journée / Haben Sie einen guten Tag
H&M
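
Added example, not part of H&M's post or of IPFire's code: a shell check that reports which locally added hostapd.conf directives are no longer present after the file has been regenerated, and which lines of a MAC list are not well-formed addresses. The function names, the "local additions" file and the sample data are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): detect hostapd.conf lines lost in a
# rewrite and vet the MAC accept list.

# Print every directive from the local-additions file $2 that is absent from $1.
missing_directives() {
    grep -v -e '^#' -e '^$' "$2" | while IFS= read -r line; do
        grep -Fxq -- "$line" "$1" || printf '%s\n' "$line"
    done
}

# Print "lineno:text" for entries in MAC list $1 that are neither comments,
# blank lines, nor a MAC address (optionally followed by further fields).
bad_mac_entries() {
    [ -r "$1" ] || { echo "cannot read $1"; return 0; }
    grep -vnE '^(#.*|[[:space:]]*|([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}([[:space:]].*)?)$' "$1" || :
}

# Constructed sample data: the three directives from the post, a config as it
# might look after being regenerated, and a list with one malformed entry.
dir=$(mktemp -d)
cat > "$dir/local" <<'EOF'
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
deny_mac_file=/etc/hostapd.deny
EOF
cat > "$dir/hostapd.conf" <<'EOF'
interface=blue0
driver=nl80211
macaddr_acl=0
EOF
cat > "$dir/accept" <<'EOF'
# constructed addresses
02:00:00:aa:bb:01
02:00:00:aa:bb
EOF
missing_directives "$dir/hostapd.conf" "$dir/local"
bad_mac_entries "$dir/accept"
```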

Bashmack
Posts: 4
Joined: December 20th, 2015, 9:36 pm

AP with external RADIUS server

Post by Bashmack » January 9th, 2016, 7:42 pm

Hi there
I have a finished API to communicate with my accounting company.
How do I best run this? As an own plugin?

I won't be taking any CC etc, just regular invoices.
Guess to change the files included in the install is not the way to go?

I need to access all the orderinfo and customerinfo.

Thanks in advance,
Johan
Sweden
