Integrated Cognitive Management System - Hostapd
2014 YU-ANTL Seminar
Hyun dong Hwang
Advanced Networking Technology Lab. (YU-ANTL)
Dept. of Information & Comm. Eng., Graduate School, Yeungnam University, KOREA
(Tel: +82-53-810-3940; Fax: +82-53-810-4742; http://antl.yu.ac.kr/; E-mail: [email protected])
Advanced Networking Tech. Lab., Yeungnam University (YU-ANTL)
YU-ANTL Lab Seminar, Hyun dong Hwang
Outline
- Integrated Cognitive Management System
- Hostapd & Wpa_Supplicant
- 802.11r Fast Transition
- Current procedure
- Hostapd configuration
- Reference
Integrated Cognitive Management System
Integrated Cognitive Management System Topology
Hostapd & Wpa_Supplicant: Hostapd
hostapd is a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management,
IEEE 802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and RADIUS authentication server.
The current version supports Linux (Host AP, madwifi, mac80211-based drivers) and FreeBSD (net80211).
hostapd is designed to be a "daemon" program that runs in the background and acts as the backend component controlling authentication.
hostapd supports separate frontend programs, and an example text-based frontend, hostapd_cli, is included with hostapd.
Hostapd & Wpa_Supplicant: Hostapd features
- WPA-PSK (Wi-Fi Protected Access)
- WPA with EAP (with integrated EAP server or an external RADIUS backend authentication server) ("WPA-Enterprise")
- key management for CCMP, TKIP, WEP104, WEP40
- WPA and full IEEE 802.11i/RSN/WPA2
- RSN: PMKSA caching, pre-authentication
- IEEE 802.11r
- IEEE 802.11w
- RADIUS accounting
- RADIUS authentication server with EAP
- Wi-Fi Protected Setup (WPS)
Hostapd & Wpa_Supplicant: Wpa_supplicant
wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN).
The Supplicant is the IEEE 802.1X/WPA component that is used in the client stations.
It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver.
wpa_supplicant is designed to be a "daemon" program that runs in the background and acts as the backend component controlling the wireless connection.
wpa_supplicant supports separate frontend programs, and a text-based frontend (wpa_cli) and a GUI (wpa_gui) are included with wpa_supplicant.
Hostapd & Wpa_Supplicant: Wpa_supplicant features
- WPA-PSK ("WPA-Personal")
- WPA with EAP (e.g., with RADIUS authentication server) ("WPA-Enterprise")
- key management for CCMP, TKIP, WEP104, WEP40
- WPA and full IEEE 802.11i/RSN/WPA2
- RSN: PMKSA caching, pre-authentication
- IEEE 802.11r
- IEEE 802.11w
- Wi-Fi Protected Setup (WPS)
Current procedure: Current Problem
Without a bridge port, the wpa_cli command ft_ds (which runs an over-the-DS Fast BSS Transition) is not transported to the target AP.
With a bridge port, the network's DNS server does not work.
802.11r Fast Transition: 802.11 Key Hierarchy
802.11r Fast Transition: 802.11r Action Frame
802.11r Fast Transition: 802.11r FT Request Frame
802.11r Fast Transition: 802.11r FT Response Frame
802.11r Fast Transition: FT Confirm Frame
802.11r Fast Transition: FT ACK Frame
Over-the-DS FT Protocol authentication in an RSN
Current procedure: Test Topology
STA1: wpa_supplicant, STA2: wpa_supplicant
AP1: hostapd, AP2: hostapd
Links between the APs: bridge port, Ethernet
STA side: wpa_supplicant, controlled through wpa_cli
AP side: hostapd, controlled through hostapd_cli
Current topology (network driver: ath9k, nl80211)
AP1: Ubuntu 12.04 LTS, kernel 2.6.38-8-generic, hostapd 2.0, LAN card TP-LINK TL-WDN4800, connected by Ethernet to the bridge
AP2: Ubuntu 12.04 LTS, kernel 2.6.38-8-generic, hostapd 2.0, LAN card TP-LINK TL-WDN4800, connected by Ethernet to the bridge
STA: Ubuntu 12.04 LTS, kernel 2.6.38-8-generic, wpa_supplicant 2.0, LAN card TP-LINK TL-WDN4800
Libraries required for hostapd 2.0 on Ubuntu 12.04
libnl-1, libnl-2, libnl-1-dev, libnl-2-dev, bridge-utils, iw, openssl (libssl-dev)
The compat-wireless module (for the ath9k driver) is no longer supported.
On Ubuntu 11.04, ath9k had to be installed through the compat-wireless module, but that does not support the OpenSSL 1.0.1f used by hostapd 2.0, so certificates cannot be installed for the driver.
hostapd 2.0 and later require OpenSSL 1.0.1f or later.
Port forwarding through iptables
Install dhcp3-server to assign dynamic IP addresses, then configure the RSN
Hostapd configuration: /etc/network/interfaces

No bridge:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
    address 165.229.185.233
    netmask 255.255.255.0
    gateway 165.229.185.1
auto wlan0
iface wlan0 inet static
    address 10.10.0.1
    netmask 255.255.255.0

Using bridge:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
auto br0
iface br0 inet static
    address 165.229.185.233
    netmask 255.255.255.0
    gateway 165.229.185.1
    bridge_ports eth0
    bridge_fd 9
    bridge_hello 2
    bridge_maxage 12
    bridge_stp off
auto wlan0
iface wlan0 inet static
    address 10.10.0.1
    netmask 255.255.255.0
Hostapd configuration: /etc/dhcp/dhcpd.conf (DHCP server configuration)
ddns-update-style none;
ignore client-updates;
authoritative;
option local-wpad code 252 = text;
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.2 10.0.0.16;
    option domain-name-servers 8.8.4.4, 208.67.222.222;
    option routers 10.0.0.1;
}
Hostapd configuration: /etc/default/isc-dhcp-server (DHCP server init script)
# Defaults for dhcp initscript
# sourced by /etc/init.d/dhcp
# installed at /etc/default/isc-dhcp-server by the maintainer scripts
#
# This is a POSIX shell fragment
#
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACES="wlan0"
Hostapd configuration: startup script file
#!/bin/bash
# Bring up the AP interface as 10.0.0.1, the router address handed out by dhcpd.conf
# (this overrides the 10.10.0.1 configured for wlan0 in /etc/network/interfaces)
ifconfig wlan0 up 10.0.0.1 netmask 255.255.255.0
sleep 2
# Start the DHCP server on wlan0 unless one is already running
if [ "$(ps -e | grep dhcpd)" = "" ]; then
    dhcpd wlan0 &
fi
########## Enable NAT: masquerade wlan0 clients behind eth0
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface wlan0 -j ACCEPT
sysctl -w net.ipv4.ip_forward=1
# Run hostapd in the foreground with verbose debugging; stop dhcpd when it exits
./hostapd -dd ./hostapd.conf
killall dhcpd
Hostapd configuration: hostapd.conf
# Interface and driver
interface=wlan0
driver=nl80211
#bridge=br0
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
# Radio settings
hw_mode=g
channel=5
auth_algs=1
ieee80211n=1
ssid=yuantl
# WPA2 with Fast BSS Transition (PSK); the passphrase shown is the slide's test value
wpa=2
wpa_key_mgmt=FT-PSK
wpa_pairwise=CCMP TKIP
rsn_pairwise=CCMP TKIP
wpa_passphrase=12345678
wpa_group_rekey=3600
#iapp_interface=eth0
own_ip_addr=165.229.185.233
# RSN pre-authentication over the wired side and opportunistic key caching
rsn_preauth=1
rsn_preauth_interfaces=eth0
okc=1
nas_identifier=nas2.kir.nu
# IEEE 802.11r: mobility domain, key holders and the R0KH/R1KH key list
mobility_domain=a1b2
r0_key_lifetime=10000
r1_key_holder=000102030406
reassociation_deadline=1000
pmk_r1_push=1
r0kh=64:66:b3:0b:c0:94 nas.kir.nu 000102030405060708090a0b0c0d0e0f
r0kh=64:70:02:07:ad:c4 nas2.kir.nu 0f0e0d0c0b0a09080706050403020100
r1kh=64:66:b3:0b:c0:94 00:01:02:03:04:05 0f0e0d0c0b0a09080706050403020100
r1kh=64:70:02:07:ad:c4 00:01:02:03:04:06 000102030405060708090a0b0c0d0e0f
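A failed ft_ds transition is often a key-list mismatch rather than a transport problem: the key an AP uses to pull PMK-R1 from another AP's R0KH (its r0kh line for that AP) must equal the key the other AP holds in its r1kh line for the puller. The checker below, an added example and not part of the seminar or of hostapd, parses the FT lines of the slide's hostapd.conf (embedded as a constructed sample) and verifies both each AP's own settings and the cross-AP key agreement.

```python
import re

# Constructed sample: the FT-related lines of the slide's hostapd.conf, which the
# deck uses unchanged on both APs (MACs and keys are hostapd's example values).
FT_CONF = """
wpa_key_mgmt=FT-PSK
mobility_domain=a1b2
nas_identifier=nas2.kir.nu
r0kh=64:66:b3:0b:c0:94 nas.kir.nu 000102030405060708090a0b0c0d0e0f
r0kh=64:70:02:07:ad:c4 nas2.kir.nu 0f0e0d0c0b0a09080706050403020100
r1kh=64:66:b3:0b:c0:94 00:01:02:03:04:05 0f0e0d0c0b0a09080706050403020100
r1kh=64:70:02:07:ad:c4 00:01:02:03:04:06 000102030405060708090a0b0c0d0e0f
"""

def parse_conf(text):
    """Split a hostapd.conf fragment into scalar keys plus r0kh/r1kh tables keyed by MAC."""
    conf = {"r0kh": {}, "r1kh": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key in ("r0kh", "r1kh"):
            mac, ident, hexkey = value.split()
            conf[key][mac.lower()] = (ident, hexkey.lower())
        else:
            conf[key] = value  # a repeated key overrides the earlier one, as in hostapd
    return conf

def check_ft(conf):
    """Return the problems found in one AP's own FT settings (empty list if sound)."""
    problems = []
    if "FT-" in conf.get("wpa_key_mgmt", "") and not re.fullmatch(r"[0-9a-f]{4}", conf.get("mobility_domain", "")):
        problems.append("FT key management needs a 4-hex-digit mobility_domain")
    for table in ("r0kh", "r1kh"):
        for mac, (_, hexkey) in conf[table].items():
            if not re.fullmatch(r"[0-9a-f]{32}", hexkey):
                problems.append(f"{table} {mac}: key must be 128-bit hex")
    if conf.get("nas_identifier") not in {ident for ident, _ in conf["r0kh"].values()}:
        problems.append("nas_identifier does not appear as an r0kh NAS-Identifier")
    return problems

def check_pair(conf_a, mac_a, conf_b, mac_b):
    """A's r0kh key for B (used to pull PMK-R1 from B) must equal B's r1kh key for A, and vice versa."""
    problems = []
    for me, my_mac, peer, peer_mac in ((conf_a, mac_a, conf_b, mac_b), (conf_b, mac_b, conf_a, mac_a)):
        r0 = me["r0kh"].get(peer_mac)
        r1 = peer["r1kh"].get(my_mac)
        if r0 is None or r1 is None:
            problems.append(f"{my_mac} <-> {peer_mac}: missing r0kh or r1kh entry")
        elif r0[1] != r1[1]:
            problems.append(f"{my_mac} -> {peer_mac}: r0kh key differs from the peer's r1kh key")
    return problems
```

Run check_pair with each AP's real configuration file and BSSID; an empty result means the PMK-R1 pull/push keys agree in both directions.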