WPA-EAP/802.1x AP mode without NL80211_CMD_SET_STATION driver support

Message ID 20200511103750.wec4vxetnm3tjlh3@pali
State Not Applicable

Commit Message

Pali Rohár May 11, 2020, 10:37 a.m. UTC
Hello Jouni!

When hostapd is compiled without the CONFIG_NO_VLAN option,
WPA-EAP/802.1x AP mode does not work with a wifi card which does not
support the NL80211_CMD_SET_STATION command and uses the nl80211
hostapd driver.

NL80211_CMD_SET_STATION command is used by nl80211 hostapd driver to
configure NL80211_ATTR_STA_VLAN, see i802_set_sta_vlan() function.

Here is the hostapd log from a Turris MOX router when it is configured
in WPA-EAP AP mode. It has an SDIO wifi card managed by the kernel
driver mwifiex_sdio, which does not implement the
NL80211_CMD_SET_STATION command when the card is in AP mode.

May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
May 11 09:31:28 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -524 (No error information)
May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
May 11 09:31:31 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
May 11 09:31:31 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
May 11 09:31:37 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
May 11 09:31:37 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: disassociated
May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: event 2 notification

EAP authentication from the RADIUS server is successful, wpa_supplicant
on the client side also sees successful authentication, but the link is
not established.

That failed error code 524 is internal Linux kernel number for ENOTSUPP
(double PP), see [1]. Userspace uses ENOTSUP (single P) code 95.

Error printed in hostapd log is triggered by ap_sta_bind_vlan() call
from ieee802_1x_receive_auth() function located in src/ap/ieee802_1x.c
file.

ap_sta_bind_vlan() calls hostapd_drv_set_sta_vlan() which for
unsupported hostapd driver returns zero and for supported hostapd driver
calls appropriate kernel interface, i.e. hostapd_drv_set_sta_vlan().
Which for card with unsupported NL80211_CMD_SET_STATION command returns
error code -524.

When hostapd is compiled with CONFIG_NO_VLAN then ap_sta_bind_vlan()
always returns zero.

I applied the following change to hostapd sources:


It changes error code from ENOTSUP (single P) and ENOTSUPP (double PP)
to zero, which is propagated back to the ieee802_1x_receive_auth()
function.

And with this change WPA-EAP/802.1x AP mode started working. Here is
hostapd log:

May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
May 11 09:28:20 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -95 (Not supported)
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: old identity 'anonymous' updated with User-Name from Access-Accept 'anonymous'
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
May 11 09:28:20 turris hostapd: wlan1: CTRL-EVENT-EAP-SUCCESS2 c4:d9:87:6c:38:01
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 1/4 msg of 4-Way Handshake
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (2/4 Pairwise)
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 3/4 msg of 4-Way Handshake
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (4/4 Pairwise)
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: pairwise key handshake completed (RSN)
May 11 09:28:20 turris hostapd: wlan1: AP-STA-CONNECTED c4:d9:87:6c:38:01
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authorizing port
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: starting accounting session 0C7AC96B17442FD4
May 11 09:28:20 turris hostapd: wlan1: RADIUS Sending RADIUS message to accounting server
May 11 09:28:20 turris hostapd: wlan1: RADIUS Next RADIUS client retransmit in 3 seconds
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authenticated - EAP type: 21 (TTLS)
May 11 09:28:20 turris hostapd: wlan1: RADIUS Received 20 bytes from RADIUS server
May 11 09:28:20 turris hostapd: wlan1: RADIUS Received RADIUS message
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec

Jouni, I think this is a bug in hostapd's 802.1X code. Function
ieee802_1x_receive_auth() skips the whole processing of the 802.1X path
when it receives a RADIUS_CODE_ACCESS_ACCEPT response and the
ap_sta_bind_vlan() function fails.

The most suspicious part for me is why hostapd_drv_set_sta_vlan()
function returns zero when hostapd driver does not support
set_sta_vlan() function, but returns -ENOTSUP (or -ENOTSUPP) when kernel
driver does not support this functionality. And also why this code path
is ignored when hostapd is configured with CONFIG_NO_VLAN compile time
option.

Do you have any suggestions how to make the AP work in WPA-EAP/802.1x
mode for cards without the NL80211_CMD_SET_STATION command? I would
like to avoid having a custom hostapd patch (like the one above) and
have the ability to use the upstream unpatched hostapd daemon.

[1] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/errno.h
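
A log triage for the two outcomes shown in the message above, as an added example that is not part of the original message or of hostapd: it flags stations that received EAP Success but never started the 4-way handshake after a VLAN bind error and, going slightly beyond the thread, stations that connected although a non-zero VLAN could not be bound. The function names, verdict strings and the third sample log are constructed for illustration.

```python
import re

# Matches the nl80211 driver error line that appears in both logs above.
VLAN_FAIL = re.compile(
    r"NL80211_ATTR_STA_VLAN \(addr=(?P<mac>[0-9a-f:]{17}) ifname=\S+ "
    r"vlan_id=(?P<vlan>\d+)\) failed: -(?P<errno>\d+)")
# Matches per-station lines: "hostapd: wlan1: STA <mac> <message>".
STA_LINE = re.compile(r"hostapd: \S+ STA (?P<mac>[0-9a-f:]{17}) (?P<msg>.+)$")

# Excerpt of the first log in the message (unpatched hostapd).
FAILING_LOG = """\
May 11 09:31:28 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -524 (No error information)
May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
May 11 09:31:31 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: disassociated
May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: event 2 notification
"""

# Excerpt of the second log in the message (with the local change applied).
PATCHED_LOG = """\
May 11 09:28:20 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -95 (Not supported)
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 1/4 msg of 4-Way Handshake
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: pairwise key handshake completed (RSN)
"""

# Constructed sample (not from the thread): a bind error for a non-zero VLAN
# that was ignored, which is the case the vlan_id == 0 condition excludes.
CONSTRUCTED_LOG = """\
Jan 01 00:00:00 ap hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=02:00:00:00:00:01 ifname=wlan1 vlan_id=20) failed: -95 (Not supported)
Jan 01 00:00:00 ap hostapd: wlan1: STA 02:00:00:00:00:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=5 len=4) from RADIUS server: EAP Success
Jan 01 00:00:00 ap hostapd: wlan1: STA 02:00:00:00:00:01 WPA: sending 1/4 msg of 4-Way Handshake
Jan 01 00:00:00 ap hostapd: wlan1: STA 02:00:00:00:00:01 WPA: pairwise key handshake completed (RSN)
"""


def _session(sessions, mac):
    """Return the open session for a station, creating it on first use."""
    return sessions.setdefault(mac, {
        "vlan_errno": None, "vlan_id": None,
        "eap_success": False, "hs_started": False, "hs_done": False})


def _verdict(s):
    bind_failed = s["vlan_errno"] is not None
    if s["hs_done"]:
        # Admitted although the requested VLAN could not be applied.
        if bind_failed and s["vlan_id"] != 0:
            return "connected-without-requested-vlan"
        return "connected"
    # RADIUS accepted the station, but hostapd never sent message 1/4.
    if s["eap_success"] and not s["hs_started"] and bind_failed:
        return "stalled-by-vlan-bind-failure"
    return "incomplete"


def triage(log_text):
    """Return one finding per station session found in hostapd syslog text."""
    sessions, results = {}, []

    def close(mac):
        s = sessions.pop(mac)
        results.append({"mac": mac, "verdict": _verdict(s),
                        "vlan_errno": s["vlan_errno"], "vlan_id": s["vlan_id"]})

    for line in log_text.splitlines():
        m = VLAN_FAIL.search(line)
        if m:
            s = _session(sessions, m["mac"])
            s["vlan_errno"], s["vlan_id"] = int(m["errno"]), int(m["vlan"])
            continue
        m = STA_LINE.search(line)
        if not m:
            continue
        mac, msg = m["mac"], m["msg"]
        if "EAP Success" in msg:
            _session(sessions, mac)["eap_success"] = True
        elif "sending 1/4 msg of 4-Way Handshake" in msg:
            _session(sessions, mac)["hs_started"] = True
        elif "pairwise key handshake completed" in msg:
            _session(sessions, mac)["hs_done"] = True
        elif msg.endswith("disassociated") and mac in sessions:
            close(mac)  # session ended; later lines start a new one
    for mac in list(sessions):
        close(mac)      # sessions still open at end of input
    return results


if __name__ == "__main__":
    for name, log in (("unpatched", FAILING_LOG), ("patched", PATCHED_LOG),
                      ("constructed", CONSTRUCTED_LOG)):
        for finding in triage(log):
            print(name, finding)
```
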

Comments

Pali Rohár June 2, 2020, 8:49 a.m. UTC | #1
Jouni or Johannes, when you have time, could you please look at this
issue below?

I would like to enable WPA-EAP mode on mwifiex_sdio wifi card but due to
hostapd issue described below it is not possible right now.

On Monday 11 May 2020 12:37:50 Pali Rohár wrote:
> Hello Jouni!
> 
> When hostapd is compiled without CONFIG_NO_VLAN option then
> WPA-EAP/802.1x AP mode is not working with wifi card which does not
> support NL80211_CMD_SET_STATION command and uses nl80211 hostapd driver.
> 
> NL80211_CMD_SET_STATION command is used by nl80211 hostapd driver to
> configure NL80211_ATTR_STA_VLAN, see i802_set_sta_vlan() function.
> 
> Here is hostapd log from Turris MOX router when is configured in WPA-EAP
> AP mode. It has SDIO wifi card managed by kernel driver mwifiex_sdio
> which does not implement NL80211_CMD_SET_STATION command when card is in
> AP mode.
> 
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
> May 11 09:31:28 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -524 (No error information)
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> May 11 09:31:31 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
> May 11 09:31:31 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> May 11 09:31:37 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
> May 11 09:31:37 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: disassociated
> May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: event 2 notification
> 
> EAP authentication from radius server is successful, wpa_supplicant on
> client side also see successful authentication, but link is not
> established.
> 
> That failed error code 524 is internal Linux kernel number for ENOTSUPP
> (double PP), see [1]. Userspace uses ENOTSUP (single P) code 95.
> 
> Error printed in hostapd log is triggered by ap_sta_bind_vlan() call
> from ieee802_1x_receive_auth() function located in src/ap/ieee802_1x.c
> file.
> 
> ap_sta_bind_vlan() calls hostapd_drv_set_sta_vlan() which for
> unsupported hostapd driver returns zero and for supported hostapd driver
> calls appropriate kernel interface, i.e. hostapd_drv_set_sta_vlan().
> Which for card with unsupported NL80211_CMD_SET_STATION command returns
> error code -524.
> 
> When hostapd is compiled with CONFIG_NO_VLAN then ap_sta_bind_vlan()
> always returns zero.
> 
> I applied following change to hostapd sources:
> 
> diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
> index 93f1f0c20..9059162a8 100644
> --- a/src/ap/sta_info.c
> +++ b/src/ap/sta_info.c
> @@ -1092,6 +1092,10 @@ skip_counting:
>  		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
>  			       HOSTAPD_LEVEL_DEBUG, "could not bind the STA "
>  			       "entry to vlan_id=%d", sta->vlan_id);
> +		/* Ignore error when driver does not support setting vlan
> +		 * and we were not requested to set non-zero vlan id */
> +		if (ret == -ENOTSUP && sta->vlan_id == 0)
> +			ret = 0;
>  	}
>  
>  	/* During 1x reauth, if the vlan id changes, then remove the old id. */
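Review bot: the new ret == -ENOTSUP && sta->vlan_id == 0 check runs after the hostapd_logger() call above it, so "could not bind the STA entry to vlan_id=0" is still logged for a bind that is then treated as success. Test for the ignorable case before logging, or log that the error is being ignored, so the message stays meaningful for real failures. The vlan_id == 0 condition is the important part and deserves a stronger comment: for a non-zero VLAN the error has to keep propagating, otherwise a station would be admitted without the VLAN it was assigned. The check also fires only for -ENOTSUP, so it depends on the driver layer normalising its error codes; the comment should say so.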
> diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
> index d48f8cb76..0906508d4 100644
> --- a/src/drivers/driver_nl80211.c
> +++ b/src/drivers/driver_nl80211.c
> @@ -6848,6 +6848,8 @@ static int i802_set_sta_vlan(struct i802_bss *bss, const u8 *addr,
>  
>  	ret = send_and_recv_msgs(drv, msg, NULL, NULL);
>  	if (ret < 0) {
> +		if (ret == -524) /* 524 - Linux internal ENOTSUPP (double PP) */
> +			ret = -ENOTSUP;
>  		wpa_printf(MSG_ERROR, "nl80211: NL80211_ATTR_STA_VLAN (addr="
>  			   MACSTR " ifname=%s vlan_id=%d) failed: %d (%s)",
>  			   MAC2STR(addr), ifname, vlan_id, ret,
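Review bot: the literal -524 in if (ret == -524) should be a named constant defined once, since the comment identifies it as the Linux-internal ENOTSUPP, which userspace headers do not provide, rather than a magic number inside i802_set_sta_vlan(). Because ret is rewritten before the wpa_printf() that follows, the log reports the translated value and loses the code the kernel actually returned; print the value as received and translate it afterwards. The message is also still emitted at MSG_ERROR for a case the caller goes on to ignore when vlan_id is 0.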
> 
> It changes error code from ENOTSUP (single P) and ENOTSUPP (double PP)
> to zero, which is propagated back to the ieee802_1x_receive_auth()
> function.
> 
> And with this change WPA-EAP/802.1x AP mode started working. Here is
> hostapd log:
> 
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
> May 11 09:28:20 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -95 (Not supported)
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: old identity 'anonymous' updated with User-Name from Access-Accept 'anonymous'
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
> May 11 09:28:20 turris hostapd: wlan1: CTRL-EVENT-EAP-SUCCESS2 c4:d9:87:6c:38:01
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 1/4 msg of 4-Way Handshake
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (2/4 Pairwise)
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 3/4 msg of 4-Way Handshake
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (4/4 Pairwise)
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: pairwise key handshake completed (RSN)
> May 11 09:28:20 turris hostapd: wlan1: AP-STA-CONNECTED c4:d9:87:6c:38:01
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authorizing port
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: starting accounting session 0C7AC96B17442FD4
> May 11 09:28:20 turris hostapd: wlan1: RADIUS Sending RADIUS message to accounting server
> May 11 09:28:20 turris hostapd: wlan1: RADIUS Next RADIUS client retransmit in 3 seconds
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authenticated - EAP type: 21 (TTLS)
> May 11 09:28:20 turris hostapd: wlan1: RADIUS Received 20 bytes from RADIUS server
> May 11 09:28:20 turris hostapd: wlan1: RADIUS Received RADIUS message
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> 
> Jouni, I think this is bug in hostapd's 802.1X code. Function
> ieee802_1x_receive_auth() skips whole processing of 802.1X path when
> receives RADIUS_CODE_ACCESS_ACCEPT response and ap_sta_bind_vlan()
> function fails.
> 
> The most suspicious part for me is why hostapd_drv_set_sta_vlan()
> function returns zero when hostapd driver does not support
> set_sta_vlan() function, but returns -ENOTSUP (or -ENOTSUPP) when kernel
> driver does not support this functionality. And also why this code path
> is ignored when hostapd is configured with CONFIG_NO_VLAN compile time
> option.
> 
> Do you have any suggestions how to make AP working in WPA-EAP/802.1x
> mode for cards without NL80211_CMD_SET_STATION command? I would like to
> avoid having custom hostapd patch (like one above) and have ability to
> use upstream unpatched hostapd daemon.
> 
> [1] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/errno.h

Pali Rohár June 15, 2020, 10:56 a.m. UTC | #2
On Monday 11 May 2020 12:37:50 Pali Rohár wrote:
> Hello Jouni!
> 
> When hostapd is compiled without CONFIG_NO_VLAN option then
> WPA-EAP/802.1x AP mode is not working with wifi card which does not
> support NL80211_CMD_SET_STATION command and uses nl80211 hostapd driver.
> 
> NL80211_CMD_SET_STATION command is used by nl80211 hostapd driver to
> configure NL80211_ATTR_STA_VLAN, see i802_set_sta_vlan() function.
> 
> Here is hostapd log from Turris MOX router when is configured in WPA-EAP
> AP mode. It has SDIO wifi card managed by kernel driver mwifiex_sdio
> which does not implement NL80211_CMD_SET_STATION command when card is in
> AP mode.
> 
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
> May 11 09:31:28 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -524 (No error information)
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> May 11 09:31:31 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
> May 11 09:31:31 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> May 11 09:31:37 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
> May 11 09:31:37 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: disassociated
> May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: event 2 notification
> 
> EAP authentication from radius server is successful, wpa_supplicant on
> client side also see successful authentication, but link is not
> established.
> 
> That failed error code 524 is internal Linux kernel number for ENOTSUPP
> (double PP), see [1]. Userspace uses ENOTSUP (single P) code 95.
> 
> Error printed in hostapd log is triggered by ap_sta_bind_vlan() call
> from ieee802_1x_receive_auth() function located in src/ap/ieee802_1x.c
> file.
> 
> ap_sta_bind_vlan() calls hostapd_drv_set_sta_vlan() which for
> unsupported hostapd driver returns zero and for supported hostapd driver
> calls appropriate kernel interface, i.e. hostapd_drv_set_sta_vlan().
> Which for card with unsupported NL80211_CMD_SET_STATION command returns
> error code -524.
> 
> When hostapd is compiled with CONFIG_NO_VLAN then ap_sta_bind_vlan()
> always returns zero.
> 
> I applied following change to hostapd sources:
> 
> diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
> index 93f1f0c20..9059162a8 100644
> --- a/src/ap/sta_info.c
> +++ b/src/ap/sta_info.c
> @@ -1092,6 +1092,10 @@ skip_counting:
>  		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
>  			       HOSTAPD_LEVEL_DEBUG, "could not bind the STA "
>  			       "entry to vlan_id=%d", sta->vlan_id);
> +		/* Ignore error when driver does not support setting vlan
> +		 * and we were not requested to set non-zero vlan id */
> +		if (ret == -ENOTSUP && sta->vlan_id == 0)
> +			ret = 0;
>  	}
>  
>  	/* During 1x reauth, if the vlan id changes, then remove the old id. */
> diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
> index d48f8cb76..0906508d4 100644
> --- a/src/drivers/driver_nl80211.c
> +++ b/src/drivers/driver_nl80211.c
> @@ -6848,6 +6848,8 @@ static int i802_set_sta_vlan(struct i802_bss *bss, const u8 *addr,
>  
>  	ret = send_and_recv_msgs(drv, msg, NULL, NULL);
>  	if (ret < 0) {
> +		if (ret == -524) /* 524 - Linux internal ENOTSUPP (double PP) */
> +			ret = -ENOTSUP;
>  		wpa_printf(MSG_ERROR, "nl80211: NL80211_ATTR_STA_VLAN (addr="
>  			   MACSTR " ifname=%s vlan_id=%d) failed: %d (%s)",
>  			   MAC2STR(addr), ifname, vlan_id, ret,
> 
> It changes error code from ENOTSUP (single P) and ENOTSUPP (double PP)
> to zero, which is propagated back to the ieee802_1x_receive_auth()
> function.
> 
> And with this change WPA-EAP/802.1x AP mode started working. Here is
> hostapd log:
> 
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
> May 11 09:28:20 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -95 (Not supported)
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: old identity 'anonymous' updated with User-Name from Access-Accept 'anonymous'
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
> May 11 09:28:20 turris hostapd: wlan1: CTRL-EVENT-EAP-SUCCESS2 c4:d9:87:6c:38:01
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 1/4 msg of 4-Way Handshake
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (2/4 Pairwise)
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 3/4 msg of 4-Way Handshake
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (4/4 Pairwise)
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: pairwise key handshake completed (RSN)
> May 11 09:28:20 turris hostapd: wlan1: AP-STA-CONNECTED c4:d9:87:6c:38:01
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authorizing port
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: starting accounting session 0C7AC96B17442FD4
> May 11 09:28:20 turris hostapd: wlan1: RADIUS Sending RADIUS message to accounting server
> May 11 09:28:20 turris hostapd: wlan1: RADIUS Next RADIUS client retransmit in 3 seconds
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authenticated - EAP type: 21 (TTLS)
> May 11 09:28:20 turris hostapd: wlan1: RADIUS Received 20 bytes from RADIUS server
> May 11 09:28:20 turris hostapd: wlan1: RADIUS Received RADIUS message
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> 
> Jouni, I think this is bug in hostapd's 802.1X code. Function
> ieee802_1x_receive_auth() skips whole processing of 802.1X path when
> receives RADIUS_CODE_ACCESS_ACCEPT response and ap_sta_bind_vlan()
> function fails.
> 
> The most suspicious part for me is why hostapd_drv_set_sta_vlan()
> function returns zero when hostapd driver does not support
> set_sta_vlan() function, but returns -ENOTSUP (or -ENOTSUPP) when kernel
> driver does not support this functionality. And also why this code path
> is ignored when hostapd is configured with CONFIG_NO_VLAN compile time
> option.

Also, it is not clear to me why hostapd is trying to use VLANs even
when they were not enabled in the config file. Also suspicious is why
hostapd is trying to use VLANs, as that kernel driver does not announce
support for AP/VLAN mode (it announces only AP mode).

iw phy phy0 info says:

        valid interface combinations:
                 * #{ managed, AP, P2P-client, P2P-GO } <= 3,
                   total <= 3, #channels <= 1, STA/AP BI must match, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz }

> Do you have any suggestions how to make AP working in WPA-EAP/802.1x
> mode for cards without NL80211_CMD_SET_STATION command? I would like to
> avoid having custom hostapd patch (like one above) and have ability to
> use upstream unpatched hostapd daemon.
> 
> [1] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/errno.h

Pali Rohár Oct. 7, 2020, 8:30 a.m. UTC | #3
Hello! I would like to remind you of this issue.

On Tuesday 02 June 2020 10:49:17 Pali Rohár wrote:
> Jouni or Johannes, when you have time, could you please look at this
> issue below?
> 
> I would like to enable WPA-EAP mode on mwifiex_sdio wifi card but due to
> hostapd issue described below it is not possible right now.
> 
> On Monday 11 May 2020 12:37:50 Pali Rohár wrote:
> > Hello Jouni!
> > 
> > When hostapd is compiled without CONFIG_NO_VLAN option then
> > WPA-EAP/802.1x AP mode is not working with wifi card which does not
> > support NL80211_CMD_SET_STATION command and uses nl80211 hostapd driver.
> > 
> > NL80211_CMD_SET_STATION command is used by nl80211 hostapd driver to
> > configure NL80211_ATTR_STA_VLAN, see i802_set_sta_vlan() function.
> > 
> > Here is hostapd log from Turris MOX router when is configured in WPA-EAP
> > AP mode. It has SDIO wifi card managed by kernel driver mwifiex_sdio
> > which does not implement NL80211_CMD_SET_STATION command when card is in
> > AP mode.
> > 
> > May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> > May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
> > May 11 09:31:28 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -524 (No error information)
> > May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
> > May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
> > May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> > May 11 09:31:31 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
> > May 11 09:31:31 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> > May 11 09:31:37 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
> > May 11 09:31:37 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> > May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: disassociated
> > May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: event 2 notification
> > 
> > EAP authentication from radius server is successful, wpa_supplicant on
> > client side also see successful authentication, but link is not
> > established.
> > 
> > That failed error code 524 is internal Linux kernel number for ENOTSUPP
> > (double PP), see [1]. Userspace uses ENOTSUP (single P) code 95.
> > 
> > Error printed in hostapd log is triggered by ap_sta_bind_vlan() call
> > from ieee802_1x_receive_auth() function located in src/ap/ieee802_1x.c
> > file.
> > 
> > ap_sta_bind_vlan() calls hostapd_drv_set_sta_vlan() which for
> > unsupported hostapd driver returns zero and for supported hostapd driver
> > calls appropriate kernel interface, i.e. hostapd_drv_set_sta_vlan().
> > Which for card with unsupported NL80211_CMD_SET_STATION command returns
> > error code -524.
> > 
> > When hostapd is compiled with CONFIG_NO_VLAN then ap_sta_bind_vlan()
> > always returns zero.
> > 
> > I applied following change to hostapd sources:
> > 
> > diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
> > index 93f1f0c20..9059162a8 100644
> > --- a/src/ap/sta_info.c
> > +++ b/src/ap/sta_info.c
> > @@ -1092,6 +1092,10 @@ skip_counting:
> >  		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
> >  			       HOSTAPD_LEVEL_DEBUG, "could not bind the STA "
> >  			       "entry to vlan_id=%d", sta->vlan_id);
> > +		/* Ignore error when driver does not support setting vlan
> > +		 * and we were not requested to set non-zero vlan id */
> > +		if (ret == -ENOTSUP && sta->vlan_id == 0)
> > +			ret = 0;
> >  	}
> >  
> >  	/* During 1x reauth, if the vlan id changes, then remove the old id. */
> > diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
> > index d48f8cb76..0906508d4 100644
> > --- a/src/drivers/driver_nl80211.c
> > +++ b/src/drivers/driver_nl80211.c
> > @@ -6848,6 +6848,8 @@ static int i802_set_sta_vlan(struct i802_bss *bss, const u8 *addr,
> >  
> >  	ret = send_and_recv_msgs(drv, msg, NULL, NULL);
> >  	if (ret < 0) {
> > +		if (ret == -524) /* 524 - Linux internal ENOTSUPP (double PP) */
> > +			ret = -ENOTSUP;
> >  		wpa_printf(MSG_ERROR, "nl80211: NL80211_ATTR_STA_VLAN (addr="
> >  			   MACSTR " ifname=%s vlan_id=%d) failed: %d (%s)",
> >  			   MAC2STR(addr), ifname, vlan_id, ret,
> > 
> > It changes error code from ENOTSUP (single P) and ENOTSUPP (double PP)
> > to zero, which is propagated back to the ieee802_1x_receive_auth()
> > function.
> > 
> > And with this change WPA-EAP/802.1x AP mode started working. Here is
> > hostapd log:
> > 
> > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
> > May 11 09:28:20 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -95 (Not supported)
> > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
> > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: old identity 'anonymous' updated with User-Name from Access-Accept 'anonymous'
> > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
> > May 11 09:28:20 turris hostapd: wlan1: CTRL-EVENT-EAP-SUCCESS2 c4:d9:87:6c:38:01
> > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 1/4 msg of 4-Way Handshake
> > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (2/4 Pairwise)
> > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 3/4 msg of 4-Way Handshake
> > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (4/4 Pairwise)
> > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: pairwise key handshake completed (RSN)
> > May 11 09:28:20 turris hostapd: wlan1: AP-STA-CONNECTED c4:d9:87:6c:38:01
> > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authorizing port
> > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: starting accounting session 0C7AC96B17442FD4
> > May 11 09:28:20 turris hostapd: wlan1: RADIUS Sending RADIUS message to accounting server
> > May 11 09:28:20 turris hostapd: wlan1: RADIUS Next RADIUS client retransmit in 3 seconds
> > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authenticated - EAP type: 21 (TTLS)
> > May 11 09:28:20 turris hostapd: wlan1: RADIUS Received 20 bytes from RADIUS server
> > May 11 09:28:20 turris hostapd: wlan1: RADIUS Received RADIUS message
> > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> > 
> > Jouni, I think this is bug in hostapd's 802.1X code. Function
> > ieee802_1x_receive_auth() skips whole processing of 802.1X path when
> > receives RADIUS_CODE_ACCESS_ACCEPT response and ap_sta_bind_vlan()
> > function fails.
> > 
> > The most suspicious part for me is why hostapd_drv_set_sta_vlan()
> > function returns zero when hostapd driver does not support
> > set_sta_vlan() function, but returns -ENOTSUP (or -ENOTSUPP) when kernel
> > driver does not support this functionality. And also why this code path
> > is ignored when hostapd is configured with CONFIG_NO_VLAN compile time
> > option.
> > 
> > Do you have any suggestions how to make AP working in WPA-EAP/802.1x
> > mode for cards without NL80211_CMD_SET_STATION command? I would like to
> > avoid having custom hostapd patch (like one above) and have ability to
> > use upstream unpatched hostapd daemon.
> > 
> > [1] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/errno.h

Arend van Spriel Oct. 9, 2020, 7:28 a.m. UTC | #4
On 10/7/2020 10:30 AM, Pali Rohár wrote:
> Hello! I would like to remind this issue.

Hi Pali,

Why not follow the regular contribution process and submit a patch?

Regards,
Arend

> On Tuesday 02 June 2020 10:49:17 Pali Rohár wrote:
>> Jouni or Johannes, when you have a time, could you please look at this
>> issue below?
>>
>> I would like to enable WPA-EAP mode on mwifiex_sdio wifi card but due to
>> hostapd issue described below it is not possible right now.
>>
>> On Monday 11 May 2020 12:37:50 Pali Rohár wrote:
>>> Hello Jouni!
>>>
>>> When hostapd is compiled without CONFIG_NO_VLAN option then
>>> WPA-EAP/802.1x AP mode is not working with wifi card which does not
>>> support NL80211_CMD_SET_STATION command and uses nl80211 hostapd driver.
>>>
>>> NL80211_CMD_SET_STATION command is used by nl80211 hostapd driver to
>>> configure NL80211_ATTR_STA_VLAN, see i802_set_sta_vlan() function.
>>>
>>> Here is hostapd log from Turris MOX router when is configured in WPA-EAP
>>> AP mode. It has SDIO wifi card managed by kernel driver mwifiex_sdio
>>> which does not implement NL80211_CMD_SET_STATION command when card is in
>>> AP mode.
>>>
>>> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
>>> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
>>> May 11 09:31:28 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -524 (No error information)
>>> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
>>> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
>>> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
>>> May 11 09:31:31 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
>>> May 11 09:31:31 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
>>> May 11 09:31:37 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
>>> May 11 09:31:37 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
>>> May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: disassociated
>>> May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: event 2 notification
>>>
>>> EAP authentication from radius server is successful, wpa_supplicant on
>>> client side also see successful authentication, but link is not
>>> established.
>>>
>>> That failed error code 524 is internal Linux kernel number for ENOTSUPP
>>> (double PP), see [1]. Userspace uses ENOTSUP (single P) code 95.
>>>
>>> Error printed in hostapd log is triggered by ap_sta_bind_vlan() call
>>> from ieee802_1x_receive_auth() function located in src/ap/ieee802_1x.c
>>> file.
>>>
>>> ap_sta_bind_vlan() calls hostapd_drv_set_sta_vlan() which for
>>> unsupported hostapd driver returns zero and for supported hostapd driver
>>> calls appropriate kernel interface, i.e. hostapd_drv_set_sta_vlan().
>>> Which for card with unsupported NL80211_CMD_SET_STATION command returns
>>> error code -524.
>>>
>>> When hostapd is compiled with CONFIG_NO_VLAN then ap_sta_bind_vlan()
>>> always returns zero.
>>>
>>> I applied following change to hostapd sources:
>>>
>>> diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
>>> index 93f1f0c20..9059162a8 100644
>>> --- a/src/ap/sta_info.c
>>> +++ b/src/ap/sta_info.c
>>> @@ -1092,6 +1092,10 @@ skip_counting:
>>>   		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
>>>   			       HOSTAPD_LEVEL_DEBUG, "could not bind the STA "
>>>   			       "entry to vlan_id=%d", sta->vlan_id);
>>> +		/* Ignore error when driver does not support setting vlan
>>> +		 * and we were not requested to set non-zero vlan id */
>>> +		if (ret == -ENOTSUP && sta->vlan_id == 0)
>>> +			ret = 0;
>>>   	}
>>>   
>>>   	/* During 1x reauth, if the vlan id changes, then remove the old id. */
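Review bot: the added `if (ret == -ENOTSUP && sta->vlan_id == 0)` sits after the hostapd_logger() call, so a failure that is about to be ignored is still logged as "could not bind the STA entry to vlan_id=0". Consider testing for the ignorable case before logging, or logging that the error is being ignored, so the message keeps its meaning for non-zero VLAN IDs, where the error is left in place. The check also matches only -ENOTSUP, so it works only together with the -524 translation in the driver_nl80211.c hunk; the comment should say so.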
>>> diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
>>> index d48f8cb76..0906508d4 100644
>>> --- a/src/drivers/driver_nl80211.c
>>> +++ b/src/drivers/driver_nl80211.c
>>> @@ -6848,6 +6848,8 @@ static int i802_set_sta_vlan(struct i802_bss *bss, const u8 *addr,
>>>   
>>>   	ret = send_and_recv_msgs(drv, msg, NULL, NULL);
>>>   	if (ret < 0) {
>>> +		if (ret == -524) /* 524 - Linux internal ENOTSUPP (double PP) */
>>> +			ret = -ENOTSUP;
>>>   		wpa_printf(MSG_ERROR, "nl80211: NL80211_ATTR_STA_VLAN (addr="
>>>   			   MACSTR " ifname=%s vlan_id=%d) failed: %d (%s)",
>>>   			   MAC2STR(addr), ifname, vlan_id, ret,
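Review bot: the bare `-524` in `if (ret == -524)` is a magic number translated only inside i802_set_sta_vlan(), while the value comes back from send_and_recv_msgs(), which is not specific to this call. Consider a named constant for the kernel-internal ENOTSUPP value and doing the translation once where the netlink result is received, so other callers do not see the raw code. The wpa_printf() that follows still reports the failure at MSG_ERROR even when the caller goes on to ignore it for vlan_id=0; a lower level for the not-supported case would keep the error log meaningful.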
>>>
>>> It changes error code from ENOTSUP (single P) and ENOTSUPP (double PP)
>>> to zero, which is propagated back to the ieee802_1x_receive_auth()
>>> function.
>>>
>>> And with this change WPA-EAP/802.1x AP mode started working. Here is
>>> hostapd log:
>>>
>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
>>> May 11 09:28:20 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -95 (Not supported)
>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: old identity 'anonymous' updated with User-Name from Access-Accept 'anonymous'
>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
>>> May 11 09:28:20 turris hostapd: wlan1: CTRL-EVENT-EAP-SUCCESS2 c4:d9:87:6c:38:01
>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 1/4 msg of 4-Way Handshake
>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (2/4 Pairwise)
>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 3/4 msg of 4-Way Handshake
>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (4/4 Pairwise)
>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: pairwise key handshake completed (RSN)
>>> May 11 09:28:20 turris hostapd: wlan1: AP-STA-CONNECTED c4:d9:87:6c:38:01
>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authorizing port
>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: starting accounting session 0C7AC96B17442FD4
>>> May 11 09:28:20 turris hostapd: wlan1: RADIUS Sending RADIUS message to accounting server
>>> May 11 09:28:20 turris hostapd: wlan1: RADIUS Next RADIUS client retransmit in 3 seconds
>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authenticated - EAP type: 21 (TTLS)
>>> May 11 09:28:20 turris hostapd: wlan1: RADIUS Received 20 bytes from RADIUS server
>>> May 11 09:28:20 turris hostapd: wlan1: RADIUS Received RADIUS message
>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
>>>
>>> Jouni, I think this is bug in hostapd's 802.1X code. Function
>>> ieee802_1x_receive_auth() skips whole processing of 802.1X path when
>>> receives RADIUS_CODE_ACCESS_ACCEPT response and ap_sta_bind_vlan()
>>> function fails.
>>>
>>> The most suspicious part for me is why hostapd_drv_set_sta_vlan()
>>> function returns zero when hostapd driver does not support
>>> set_sta_vlan() function, but returns -ENOTSUP (or -ENOTSUPP) when kernel
>>> driver does not support this functionality. And also why this code path
>>> is ignored when hostapd is configured with CONFIG_NO_VLAN compile time
>>> option.
>>>
>>> Do you have any suggestions how to make AP working in WPA-EAP/802.1x
>>> mode for cards without NL80211_CMD_SET_STATION command? I would like to
>>> avoid having custom hostapd patch (like one above) and have ability to
>>> use upstream unpatched hostapd daemon.
>>>
>>> [1] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/errno.h
> 
> _______________________________________________
> Hostap mailing list
> Hostap@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/hostap
>
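A log-triage sketch for the symptom discussed in this thread (EAP Success, then retransmits and disassociation instead of a 4-Way Handshake, next to a failed NL80211_ATTR_STA_VLAN call). It is an added example, not code from hostapd or from anyone in the thread; the names `StaSession` and `triage` are hypothetical, and the sample input is an excerpt of the two logs quoted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Excerpts of the two hostapd logs quoted in this thread (some lines omitted).
FAILING_LOG = """\
May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
May 11 09:31:28 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -524 (No error information)
May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
May 11 09:31:31 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
May 11 09:31:37 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: disassociated
"""

WORKING_LOG = """\
May 11 09:28:20 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -95 (Not supported)
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: pairwise key handshake completed (RSN)
May 11 09:28:20 turris hostapd: wlan1: AP-STA-CONNECTED c4:d9:87:6c:38:01
"""

# include/linux/errno.h: codes from 512 (ERESTARTSYS) up are kernel-internal
# and have no userspace strerror() text; ENOTSUPP is 524.
KERNEL_INTERNAL_ERRNO_MIN = 512

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
VLAN_FAIL_RE = re.compile(
    r"nl80211: NL80211_ATTR_STA_VLAN \(addr=(" + MAC + r") ifname=\S+ "
    r"vlan_id=(\d+)\) failed: (-?\d+)", re.I)
STA_RE = re.compile(r"\b(" + MAC + r")\b", re.I)


@dataclass
class StaSession:
    """What the log says about one station's 802.1X association attempt."""
    vlan_id: Optional[int] = None
    vlan_errno: Optional[int] = None
    eap_success: bool = False
    retransmits: int = 0
    handshake_done: bool = False
    connected: bool = False
    disassociated: bool = False

    @property
    def kernel_internal_errno(self) -> bool:
        # True when the driver call failed with a code userspace cannot name.
        return (self.vlan_errno is not None
                and -self.vlan_errno >= KERNEL_INTERNAL_ERRNO_MIN)

    def verdict(self) -> str:
        if self.connected and self.handshake_done:
            return "connected"
        if self.eap_success and not self.handshake_done:
            # RADIUS accepted the client, but the AP never started the
            # 4-Way Handshake: the pattern reported in this thread.
            if self.vlan_errno is not None:
                return "stalled_after_eap_success_vlan_bind_failed"
            return "stalled_after_eap_success"
        return "incomplete"


def triage(log_text: str) -> Dict[str, StaSession]:
    """Group hostapd syslog lines by station MAC and record key events."""
    sessions: Dict[str, StaSession] = {}
    for line in log_text.splitlines():
        if "hostapd:" not in line:
            continue
        fail = VLAN_FAIL_RE.search(line)
        mac = fail or STA_RE.search(line)
        if not mac:
            continue
        sta = sessions.setdefault(mac.group(1).lower(), StaSession())
        if fail:
            sta.vlan_id, sta.vlan_errno = int(fail.group(2)), int(fail.group(3))
        elif "EAP Success" in line:
            sta.eap_success = True
        elif "CTRL-EVENT-EAP-RETRANSMIT" in line:
            sta.retransmits += 1
        elif "pairwise key handshake completed" in line:
            sta.handshake_done = True
        elif "AP-STA-CONNECTED" in line:
            sta.connected = True
        elif "IEEE 802.11: disassociated" in line:
            sta.disassociated = True
    return sessions


if __name__ == "__main__":
    for name, text in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        for mac, sta in triage(text).items():
            print(name, mac, sta.verdict(), "errno", sta.vlan_errno,
                  "kernel-internal" if sta.kernel_internal_errno else "")
```
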
Pali Rohár Oct. 9, 2020, 8:03 a.m. UTC | #5
On Friday 09 October 2020 09:28:59 Arend Van Spriel wrote:
> On 10/7/2020 10:30 AM, Pali Rohár wrote:
> > Hello! I would like to remind this issue.
> 
> Hi Pali,
> 
> Why not follow the regular contribution process and submit a patch?

Hello Arend! Because I have sent another patch months ago which was
still not processed yet (therefore I do not know if regular contribution
process is working) and more important, I do not know how to fix this
issue, so I have nothing to send yet. If you look at the issue, you
could see it is more complicated and I just provided two changes which
allowed me to identify main problems.

> Regards,
> Arend
> 
> > On Tuesday 02 June 2020 10:49:17 Pali Rohár wrote:
> > > Jouni or Johannes, when you have a time, could you please look at this
> > > issue below?
> > > 
> > > I would like to enable WPA-EAP mode on mwifiex_sdio wifi card but due to
> > > hostapd issue described below it is not possible right now.
> > > 
> > > On Monday 11 May 2020 12:37:50 Pali Rohár wrote:
> > > > Hello Jouni!
> > > > 
> > > > When hostapd is compiled without CONFIG_NO_VLAN option then
> > > > WPA-EAP/802.1x AP mode is not working with wifi card which does not
> > > > support NL80211_CMD_SET_STATION command and uses nl80211 hostapd driver.
> > > > 
> > > > NL80211_CMD_SET_STATION command is used by nl80211 hostapd driver to
> > > > configure NL80211_ATTR_STA_VLAN, see i802_set_sta_vlan() function.
> > > > 
> > > > Here is hostapd log from Turris MOX router when is configured in WPA-EAP
> > > > AP mode. It has SDIO wifi card managed by kernel driver mwifiex_sdio
> > > > which does not implement NL80211_CMD_SET_STATION command when card is in
> > > > AP mode.
> > > > 
> > > > May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> > > > May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
> > > > May 11 09:31:28 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -524 (No error information)
> > > > May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
> > > > May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
> > > > May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> > > > May 11 09:31:31 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
> > > > May 11 09:31:31 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> > > > May 11 09:31:37 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
> > > > May 11 09:31:37 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> > > > May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: disassociated
> > > > May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: event 2 notification
> > > > 
> > > > EAP authentication from radius server is successful, wpa_supplicant on
> > > > client side also see successful authentication, but link is not
> > > > established.
> > > > 
> > > > That failed error code 524 is internal Linux kernel number for ENOTSUPP
> > > > (double PP), see [1]. Userspace uses ENOTSUP (single P) code 95.
> > > > 
> > > > Error printed in hostapd log is triggered by ap_sta_bind_vlan() call
> > > > from ieee802_1x_receive_auth() function located in src/ap/ieee802_1x.c
> > > > file.
> > > > 
> > > > ap_sta_bind_vlan() calls hostapd_drv_set_sta_vlan() which for
> > > > unsupported hostapd driver returns zero and for supported hostapd driver
> > > > calls appropriate kernel interface, i.e. hostapd_drv_set_sta_vlan().
> > > > Which for card with unsupported NL80211_CMD_SET_STATION command returns
> > > > error code -524.
> > > > 
> > > > When hostapd is compiled with CONFIG_NO_VLAN then ap_sta_bind_vlan()
> > > > always returns zero.
> > > > 
> > > > I applied following change to hostapd sources:
> > > > 
> > > > diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
> > > > index 93f1f0c20..9059162a8 100644
> > > > --- a/src/ap/sta_info.c
> > > > +++ b/src/ap/sta_info.c
> > > > @@ -1092,6 +1092,10 @@ skip_counting:
> > > >   		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
> > > >   			       HOSTAPD_LEVEL_DEBUG, "could not bind the STA "
> > > >   			       "entry to vlan_id=%d", sta->vlan_id);
> > > > +		/* Ignore error when driver does not support setting vlan
> > > > +		 * and we were not requested to set non-zero vlan id */
> > > > +		if (ret == -ENOTSUP && sta->vlan_id == 0)
> > > > +			ret = 0;
> > > >   	}
> > > >   	/* During 1x reauth, if the vlan id changes, then remove the old id. */
> > > > diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
> > > > index d48f8cb76..0906508d4 100644
> > > > --- a/src/drivers/driver_nl80211.c
> > > > +++ b/src/drivers/driver_nl80211.c
> > > > @@ -6848,6 +6848,8 @@ static int i802_set_sta_vlan(struct i802_bss *bss, const u8 *addr,
> > > >   	ret = send_and_recv_msgs(drv, msg, NULL, NULL);
> > > >   	if (ret < 0) {
> > > > +		if (ret == -524) /* 524 - Linux internal ENOTSUPP (double PP) */
> > > > +			ret = -ENOTSUP;
> > > >   		wpa_printf(MSG_ERROR, "nl80211: NL80211_ATTR_STA_VLAN (addr="
> > > >   			   MACSTR " ifname=%s vlan_id=%d) failed: %d (%s)",
> > > >   			   MAC2STR(addr), ifname, vlan_id, ret,
> > > > 
> > > > It changes error code from ENOTSUP (single P) and ENOTSUPP (double PP)
> > > > to zero, which is propagated back to the ieee802_1x_receive_auth()
> > > > function.
> > > > 
> > > > And with this change WPA-EAP/802.1x AP mode started working. Here is
> > > > hostapd log:
> > > > 
> > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
> > > > May 11 09:28:20 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -95 (Not supported)
> > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
> > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: old identity 'anonymous' updated with User-Name from Access-Accept 'anonymous'
> > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
> > > > May 11 09:28:20 turris hostapd: wlan1: CTRL-EVENT-EAP-SUCCESS2 c4:d9:87:6c:38:01
> > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 1/4 msg of 4-Way Handshake
> > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (2/4 Pairwise)
> > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 3/4 msg of 4-Way Handshake
> > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (4/4 Pairwise)
> > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: pairwise key handshake completed (RSN)
> > > > May 11 09:28:20 turris hostapd: wlan1: AP-STA-CONNECTED c4:d9:87:6c:38:01
> > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authorizing port
> > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: starting accounting session 0C7AC96B17442FD4
> > > > May 11 09:28:20 turris hostapd: wlan1: RADIUS Sending RADIUS message to accounting server
> > > > May 11 09:28:20 turris hostapd: wlan1: RADIUS Next RADIUS client retransmit in 3 seconds
> > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authenticated - EAP type: 21 (TTLS)
> > > > May 11 09:28:20 turris hostapd: wlan1: RADIUS Received 20 bytes from RADIUS server
> > > > May 11 09:28:20 turris hostapd: wlan1: RADIUS Received RADIUS message
> > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> > > > 
> > > > Jouni, I think this is bug in hostapd's 802.1X code. Function
> > > > ieee802_1x_receive_auth() skips whole processing of 802.1X path when
> > > > receives RADIUS_CODE_ACCESS_ACCEPT response and ap_sta_bind_vlan()
> > > > function fails.
> > > > 
> > > > The most suspicious part for me is why hostapd_drv_set_sta_vlan()
> > > > function returns zero when hostapd driver does not support
> > > > set_sta_vlan() function, but returns -ENOTSUP (or -ENOTSUPP) when kernel
> > > > driver does not support this functionality. And also why this code path
> > > > is ignored when hostapd is configured with CONFIG_NO_VLAN compile time
> > > > option.
> > > > 
> > > > Do you have any suggestions how to make AP working in WPA-EAP/802.1x
> > > > mode for cards without NL80211_CMD_SET_STATION command? I would like to
> > > > avoid having custom hostapd patch (like one above) and have ability to
> > > > use upstream unpatched hostapd daemon.
> > > > 
> > > > [1] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/errno.h
> > 
Arend van Spriel Oct. 9, 2020, 8:53 a.m. UTC | #6
On 10/9/2020 10:03 AM, Pali Rohár wrote:
> On Friday 09 October 2020 09:28:59 Arend Van Spriel wrote:
>> On 10/7/2020 10:30 AM, Pali Rohár wrote:
>>> Hello! I would like to remind this issue.
>>
>> Hi Pali,
>>
>> Why not follow the regular contribution process and submit a patch?
> 
> Hello Arend! Because I have sent another patch months ago which was
> still not processed yet (therefore I do not know if regular contribution
> process is working) and more important, I do not know how to fix this
> issue, so I have nothing to send yet. If you look at the issue, you
> could see it is more complicated and I just provided two changes which
> allowed me to identify main problems.

Fair enough. I stopped reading after the first few paragraphs, but I 
looked at the driver. The NL80211_CMD_SET_STATION ends up calling the 
.change_station() cfg80211 driver callback. The mwifiex driver does 
implement it [1], but states that it only works for TDLS.

Personally, I have not played much with VLANs. For non-vlan the AP uses 
NL80211_CMD_SET_STATION to authorize the associated station to send 
regular data traffic. Bottom line is that your wifi card or at least the 
mwifiex driver does not seem to support both scenarios, i.e. authorize
station and vlan. Also don't see anything obvious in the driver's
firmware API (fw.h). At least not upstream.

Regards,
Arend

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/wireless/marvell/mwifiex/cfg80211.c#n4145

>> Regards,
>> Arend
>>
>>> On Tuesday 02 June 2020 10:49:17 Pali Rohár wrote:
>>>> Jouni or Johannes, when you have a time, could you please look at this
>>>> issue below?
>>>>
>>>> I would like to enable WPA-EAP mode on mwifiex_sdio wifi card but due to
>>>> hostapd issue described below it is not possible right now.
>>>>
>>>> On Monday 11 May 2020 12:37:50 Pali Rohár wrote:
>>>>> Hello Jouni!
>>>>>
>>>>> When hostapd is compiled without CONFIG_NO_VLAN option then
>>>>> WPA-EAP/802.1x AP mode is not working with wifi card which does not
>>>>> support NL80211_CMD_SET_STATION command and uses nl80211 hostapd driver.
>>>>>
>>>>> NL80211_CMD_SET_STATION command is used by nl80211 hostapd driver to
>>>>> configure NL80211_ATTR_STA_VLAN, see i802_set_sta_vlan() function.
>>>>>
>>>>> Here is hostapd log from Turris MOX router when is configured in WPA-EAP
>>>>> AP mode. It has SDIO wifi card managed by kernel driver mwifiex_sdio
>>>>> which does not implement NL80211_CMD_SET_STATION command when card is in
>>>>> AP mode.
>>>>>
>>>>> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
>>>>> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
>>>>> May 11 09:31:28 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -524 (No error information)
>>>>> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
>>>>> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
>>>>> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
>>>>> May 11 09:31:31 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
>>>>> May 11 09:31:31 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
>>>>> May 11 09:31:37 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
>>>>> May 11 09:31:37 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
>>>>> May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: disassociated
>>>>> May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: event 2 notification
>>>>>
>>>>> EAP authentication from radius server is successful, wpa_supplicant on
>>>>> client side also see successful authentication, but link is not
>>>>> established.
>>>>>
>>>>> That failed error code 524 is internal Linux kernel number for ENOTSUPP
>>>>> (double PP), see [1]. Userspace uses ENOTSUP (single P) code 95.
>>>>>
>>>>> Error printed in hostapd log is triggered by ap_sta_bind_vlan() call
>>>>> from ieee802_1x_receive_auth() function located in src/ap/ieee802_1x.c
>>>>> file.
>>>>>
>>>>> ap_sta_bind_vlan() calls hostapd_drv_set_sta_vlan() which for
>>>>> unsupported hostapd driver returns zero and for supported hostapd driver
>>>>> calls appropriate kernel interface, i.e. hostapd_drv_set_sta_vlan().
>>>>> Which for card with unsupported NL80211_CMD_SET_STATION command returns
>>>>> error code -524.
>>>>>
>>>>> When hostapd is compiled with CONFIG_NO_VLAN then ap_sta_bind_vlan()
>>>>> always returns zero.
>>>>>
>>>>> I applied following change to hostapd sources:
>>>>>
>>>>> diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
>>>>> index 93f1f0c20..9059162a8 100644
>>>>> --- a/src/ap/sta_info.c
>>>>> +++ b/src/ap/sta_info.c
>>>>> @@ -1092,6 +1092,10 @@ skip_counting:
>>>>>    		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
>>>>>    			       HOSTAPD_LEVEL_DEBUG, "could not bind the STA "
>>>>>    			       "entry to vlan_id=%d", sta->vlan_id);
>>>>> +		/* Ignore error when driver does not support setting vlan
>>>>> +		 * and we were not requested to set non-zero vlan id */
>>>>> +		if (ret == -ENOTSUP && sta->vlan_id == 0)
>>>>> +			ret = 0;
>>>>>    	}
>>>>>    	/* During 1x reauth, if the vlan id changes, then remove the old id. */
>>>>> diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
>>>>> index d48f8cb76..0906508d4 100644
>>>>> --- a/src/drivers/driver_nl80211.c
>>>>> +++ b/src/drivers/driver_nl80211.c
>>>>> @@ -6848,6 +6848,8 @@ static int i802_set_sta_vlan(struct i802_bss *bss, const u8 *addr,
>>>>>    	ret = send_and_recv_msgs(drv, msg, NULL, NULL);
>>>>>    	if (ret < 0) {
>>>>> +		if (ret == -524) /* 524 - Linux internal ENOTSUPP (double PP) */
>>>>> +			ret = -ENOTSUP;
>>>>>    		wpa_printf(MSG_ERROR, "nl80211: NL80211_ATTR_STA_VLAN (addr="
>>>>>    			   MACSTR " ifname=%s vlan_id=%d) failed: %d (%s)",
>>>>>    			   MAC2STR(addr), ifname, vlan_id, ret,
>>>>>
>>>>> It changes error code from ENOTSUP (single P) and ENOTSUPP (double PP)
>>>>> to zero, which is propagated back to the ieee802_1x_receive_auth()
>>>>> function.
>>>>>
>>>>> And with this change WPA-EAP/802.1x AP mode started working. Here is
>>>>> hostapd log:
>>>>>
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
>>>>> May 11 09:28:20 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -95 (Not supported)
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: old identity 'anonymous' updated with User-Name from Access-Accept 'anonymous'
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
>>>>> May 11 09:28:20 turris hostapd: wlan1: CTRL-EVENT-EAP-SUCCESS2 c4:d9:87:6c:38:01
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 1/4 msg of 4-Way Handshake
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (2/4 Pairwise)
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 3/4 msg of 4-Way Handshake
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (4/4 Pairwise)
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: pairwise key handshake completed (RSN)
>>>>> May 11 09:28:20 turris hostapd: wlan1: AP-STA-CONNECTED c4:d9:87:6c:38:01
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authorizing port
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: starting accounting session 0C7AC96B17442FD4
>>>>> May 11 09:28:20 turris hostapd: wlan1: RADIUS Sending RADIUS message to accounting server
>>>>> May 11 09:28:20 turris hostapd: wlan1: RADIUS Next RADIUS client retransmit in 3 seconds
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authenticated - EAP type: 21 (TTLS)
>>>>> May 11 09:28:20 turris hostapd: wlan1: RADIUS Received 20 bytes from RADIUS server
>>>>> May 11 09:28:20 turris hostapd: wlan1: RADIUS Received RADIUS message
>>>>> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
>>>>>
>>>>> Jouni, I think this is bug in hostapd's 802.1X code. Function
>>>>> ieee802_1x_receive_auth() skips whole processing of 802.1X path when
>>>>> receives RADIUS_CODE_ACCESS_ACCEPT response and ap_sta_bind_vlan()
>>>>> function fails.
>>>>>
>>>>> The most suspicious part for me is why hostapd_drv_set_sta_vlan()
>>>>> function returns zero when hostapd driver does not support
>>>>> set_sta_vlan() function, but returns -ENOTSUP (or -ENOTSUPP) when kernel
>>>>> driver does not support this functionality. And also why this code path
>>>>> is ignored when hostapd is configured with CONFIG_NO_VLAN compile time
>>>>> option.
>>>>>
>>>>> Do you have any suggestions how to make AP working in WPA-EAP/802.1x
>>>>> mode for cards without NL80211_CMD_SET_STATION command? I would like to
>>>>> avoid having custom hostapd patch (like one above) and have ability to
>>>>> use upstream unpatched hostapd daemon.
>>>>>
>>>>> [1] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/errno.h
>>>
Pali Rohár Oct. 9, 2020, 9:04 a.m. UTC | #7
On Friday 09 October 2020 10:53:21 Arend Van Spriel wrote:
> On 10/9/2020 10:03 AM, Pali Rohár wrote:
> > On Friday 09 October 2020 09:28:59 Arend Van Spriel wrote:
> > > On 10/7/2020 10:30 AM, Pali Rohár wrote:
> > > > Hello! I would like to remind this issue.
> > > 
> > > Hi Pali,
> > > 
> > > Why not follow the regular contribution process and submit a patch?
> > 
> > Hello Arend! Because I have sent another patch months ago which was
> > still not processed yet (therefore I do not know if regular contribution
> > process is working) and more important, I do not know how to fix this
> > issue, so I have nothing to send yet. If you look at the issue, you
> > could see it is more complicated and I just provided two changes which
> > allowed me to identify main problems.
> 
> Fair enough. I stopped reading after the first few paragraphs, but I looked
> at the driver. The NL80211_CMD_SET_STATION ends up calling the
> .change_station() cfg80211 driver callback. The mwifiex driver does
> implement it [1], but states that it only works for TDLS.

Exactly in AP mode, NL80211_CMD_SET_STATION is not supported by mwifiex.

> Personally, I have not played much with VLANs. For non-vlan the AP uses
> NL80211_CMD_SET_STATION to authorize the associated station to send regular
> data traffic. Bottom line is that your wifi card or at least the mwifiex
> driver does not seem to support both scenarios, i.e. authorize station and
> vlan. Also don't see anything obvious in the driver's firmware API (fw.h). At
> least not upstream.

The issue is that I have not enabled vlans in hostapd config file (as
I'm not going to use it; plus they are unsupported by mwifiex) and
hostapd is even then trying to use them and then obviously fails.
Details are below.

> Regards,
> Arend
> 
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/wireless/marvell/mwifiex/cfg80211.c#n4145
> 
> > > Regards,
> > > Arend
> > > 
> > > > On Tuesday 02 June 2020 10:49:17 Pali Rohár wrote:
> > > > > Jouni or Johannes, when you have a time, could you please look at this
> > > > > issue below?
> > > > > 
> > > > > I would like to enable WPA-EAP mode on mwifiex_sdio wifi card but due to
> > > > > hostapd issue described below it is not possible right now.
> > > > > 
> > > > > On Monday 11 May 2020 12:37:50 Pali Rohár wrote:
> > > > > > Hello Jouni!
> > > > > > 
> > > > > > When hostapd is compiled without CONFIG_NO_VLAN option then
> > > > > > WPA-EAP/802.1x AP mode is not working with wifi card which does not
> > > > > > support NL80211_CMD_SET_STATION command and uses nl80211 hostapd driver.
> > > > > > 
> > > > > > NL80211_CMD_SET_STATION command is used by nl80211 hostapd driver to
> > > > > > configure NL80211_ATTR_STA_VLAN, see i802_set_sta_vlan() function.
> > > > > > 
> > > > > > Here is hostapd log from Turris MOX router when is configured in WPA-EAP
> > > > > > AP mode. It has SDIO wifi card managed by kernel driver mwifiex_sdio
> > > > > > which does not implement NL80211_CMD_SET_STATION command when card is in
> > > > > > AP mode.
> > > > > > 
> > > > > > May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> > > > > > May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
> > > > > > May 11 09:31:28 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -524 (No error information)
> > > > > > May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
> > > > > > May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
> > > > > > May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> > > > > > May 11 09:31:31 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
> > > > > > May 11 09:31:31 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> > > > > > May 11 09:31:37 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
> > > > > > May 11 09:31:37 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> > > > > > May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: disassociated
> > > > > > May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: event 2 notification
> > > > > > 
> > > > > > EAP authentication from radius server is successful, wpa_supplicant on
> > > > > > client side also see successful authentication, but link is not
> > > > > > established.
> > > > > > 
> > > > > > That failed error code 524 is internal Linux kernel number for ENOTSUPP
> > > > > > (double PP), see [1]. Userspace uses ENOTSUP (single P) code 95.
> > > > > > 
> > > > > > Error printed in hostapd log is triggered by ap_sta_bind_vlan() call
> > > > > > from ieee802_1x_receive_auth() function located in src/ap/ieee802_1x.c
> > > > > > file.
> > > > > > 
> > > > > > ap_sta_bind_vlan() calls hostapd_drv_set_sta_vlan() which for
> > > > > > unsupported hostapd driver returns zero and for supported hostapd driver
> > > > > > calls appropriate kernel interface, i.e. hostapd_drv_set_sta_vlan().
> > > > > > Which for card with unsupported NL80211_CMD_SET_STATION command returns
> > > > > > error code -524.
> > > > > > 
> > > > > > When hostapd is compiled with CONFIG_NO_VLAN then ap_sta_bind_vlan()
> > > > > > always returns zero.
> > > > > > 
> > > > > > I applied following change to hostapd sources:
> > > > > > 
> > > > > > diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
> > > > > > index 93f1f0c20..9059162a8 100644
> > > > > > --- a/src/ap/sta_info.c
> > > > > > +++ b/src/ap/sta_info.c
> > > > > > @@ -1092,6 +1092,10 @@ skip_counting:
> > > > > >    		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
> > > > > >    			       HOSTAPD_LEVEL_DEBUG, "could not bind the STA "
> > > > > >    			       "entry to vlan_id=%d", sta->vlan_id);
> > > > > > +		/* Ignore error when driver does not support setting vlan
> > > > > > +		 * and we were not requested to set non-zero vlan id */
> > > > > > +		if (ret == -ENOTSUP && sta->vlan_id == 0)
> > > > > > +			ret = 0;
> > > > > >    	}
> > > > > >    	/* During 1x reauth, if the vlan id changes, then remove the old id. */
> > > > > > diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
> > > > > > index d48f8cb76..0906508d4 100644
> > > > > > --- a/src/drivers/driver_nl80211.c
> > > > > > +++ b/src/drivers/driver_nl80211.c
> > > > > > @@ -6848,6 +6848,8 @@ static int i802_set_sta_vlan(struct i802_bss *bss, const u8 *addr,
> > > > > >    	ret = send_and_recv_msgs(drv, msg, NULL, NULL);
> > > > > >    	if (ret < 0) {
> > > > > > +		if (ret == -524) /* 524 - Linux internal ENOTSUPP (double PP) */
> > > > > > +			ret = -ENOTSUP;
> > > > > >    		wpa_printf(MSG_ERROR, "nl80211: NL80211_ATTR_STA_VLAN (addr="
> > > > > >    			   MACSTR " ifname=%s vlan_id=%d) failed: %d (%s)",
> > > > > >    			   MAC2STR(addr), ifname, vlan_id, ret,
> > > > > > 
> > > > > > It changes error code from ENOTSUP (single P) and ENOTSUPP (double PP)
> > > > > > to zero, which is propagated back to the ieee802_1x_receive_auth()
> > > > > > function.
> > > > > > 
> > > > > > And with this change WPA-EAP/802.1x AP mode started working. Here is
> > > > > > hostapd log:
> > > > > > 
> > > > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> > > > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
> > > > > > May 11 09:28:20 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -95 (Not supported)
> > > > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
> > > > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: old identity 'anonymous' updated with User-Name from Access-Accept 'anonymous'
> > > > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
> > > > > > May 11 09:28:20 turris hostapd: wlan1: CTRL-EVENT-EAP-SUCCESS2 c4:d9:87:6c:38:01
> > > > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> > > > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 1/4 msg of 4-Way Handshake
> > > > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (2/4 Pairwise)
> > > > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 3/4 msg of 4-Way Handshake
> > > > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (4/4 Pairwise)
> > > > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: pairwise key handshake completed (RSN)
> > > > > > May 11 09:28:20 turris hostapd: wlan1: AP-STA-CONNECTED c4:d9:87:6c:38:01
> > > > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authorizing port
> > > > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: starting accounting session 0C7AC96B17442FD4
> > > > > > May 11 09:28:20 turris hostapd: wlan1: RADIUS Sending RADIUS message to accounting server
> > > > > > May 11 09:28:20 turris hostapd: wlan1: RADIUS Next RADIUS client retransmit in 3 seconds
> > > > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authenticated - EAP type: 21 (TTLS)
> > > > > > May 11 09:28:20 turris hostapd: wlan1: RADIUS Received 20 bytes from RADIUS server
> > > > > > May 11 09:28:20 turris hostapd: wlan1: RADIUS Received RADIUS message
> > > > > > May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> > > > > > 
> > > > > > Jouni, I think this is bug in hostapd's 802.1X code. Function
> > > > > > ieee802_1x_receive_auth() skips whole processing of 802.1X path when
> > > > > > receives RADIUS_CODE_ACCESS_ACCEPT response and ap_sta_bind_vlan()
> > > > > > function fails.
> > > > > > 
> > > > > > The most suspicious part for me is why hostapd_drv_set_sta_vlan()
> > > > > > function returns zero when hostapd driver does not support
> > > > > > set_sta_vlan() function, but returns -ENOTSUP (or -ENOTSUPP) when kernel
> > > > > > driver does not support this functionality. And also why this code path
> > > > > > is ignored when hostapd is configured with CONFIG_NO_VLAN compile time
> > > > > > option.
> > > > > > 
> > > > > > Do you have any suggestions how to make AP working in WPA-EAP/802.1x
> > > > > > mode for cards without NL80211_CMD_SET_STATION command? I would like to
> > > > > > avoid having custom hostapd patch (like one above) and have ability to
> > > > > > use upstream unpatched hostapd daemon.
> > > > > > 
> > > > > > [1] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/errno.h
> > > > 
> > > > _______________________________________________
> > > > Hostap mailing list
> > > > Hostap@lists.infradead.org
> > > > http://lists.infradead.org/mailman/listinfo/hostap
> > > > 
> > 
> >
Pali Rohár June 13, 2022, 12:42 p.m. UTC | #8
PING?

On Monday 11 May 2020 12:37:50 Pali Rohár wrote:
> Hello Jouni!
> 
> When hostapd is compiled without CONFIG_NO_VLAN option then
> WPA-EAP/802.1x AP mode is not working with wifi card which does not
> support NL80211_CMD_SET_STATION command and uses nl80211 hostapd driver.
> 
> NL80211_CMD_SET_STATION command is used by nl80211 hostapd driver to
> configure NL80211_ATTR_STA_VLAN, see i802_set_sta_vlan() function.
> 
> Here is hostapd log from Turris MOX router when is configured in WPA-EAP
> AP mode. It has SDIO wifi card managed by kernel driver mwifiex_sdio
> which does not implement NL80211_CMD_SET_STATION command when card is in
> AP mode.
> 
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
> May 11 09:31:28 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -524 (No error information)
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
> May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> May 11 09:31:31 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
> May 11 09:31:31 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> May 11 09:31:37 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01
> May 11 09:31:37 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: disassociated
> May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: event 2 notification
> 
> EAP authentication from radius server is successful, wpa_supplicant on
> client side also see successful authentication, but link is not
> established.
> 
> That failed error code 524 is internal Linux kernel number for ENOTSUPP
> (double PP), see [1]. Userspace uses ENOTSUP (single P) code 95.
> 
> Error printed in hostapd log is triggered by ap_sta_bind_vlan() call
> from ieee802_1x_receive_auth() function located in src/ap/ieee802_1x.c
> file.
> 
> ap_sta_bind_vlan() calls hostapd_drv_set_sta_vlan() which for
> unsupported hostapd driver returns zero and for supported hostapd driver
> calls appropriate kernel interface, i.e. hostapd_drv_set_sta_vlan().
> Which for card with unsupported NL80211_CMD_SET_STATION command returns
> error code -524.
> 
> When hostapd is compiled with CONFIG_NO_VLAN then ap_sta_bind_vlan()
> always returns zero.
> 
> I applied following change to hostapd sources:
> 
> diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
> index 93f1f0c20..9059162a8 100644
> --- a/src/ap/sta_info.c
> +++ b/src/ap/sta_info.c
> @@ -1092,6 +1092,10 @@ skip_counting:
>  		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
>  			       HOSTAPD_LEVEL_DEBUG, "could not bind the STA "
>  			       "entry to vlan_id=%d", sta->vlan_id);
> +		/* Ignore error when driver does not support setting vlan
> +		 * and we were not requested to set non-zero vlan id */
> +		if (ret == -ENOTSUP && sta->vlan_id == 0)
> +			ret = 0;
>  	}
>  
>  	/* During 1x reauth, if the vlan id changes, then remove the old id. */
> diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
> index d48f8cb76..0906508d4 100644
> --- a/src/drivers/driver_nl80211.c
> +++ b/src/drivers/driver_nl80211.c
> @@ -6848,6 +6848,8 @@ static int i802_set_sta_vlan(struct i802_bss *bss, const u8 *addr,
>  
>  	ret = send_and_recv_msgs(drv, msg, NULL, NULL);
>  	if (ret < 0) {
> +		if (ret == -524) /* 524 - Linux internal ENOTSUPP (double PP) */
> +			ret = -ENOTSUP;
>  		wpa_printf(MSG_ERROR, "nl80211: NL80211_ATTR_STA_VLAN (addr="
>  			   MACSTR " ifname=%s vlan_id=%d) failed: %d (%s)",
>  			   MAC2STR(addr), ifname, vlan_id, ret,
> 
> It changes error code from ENOTSUP (single P) and ENOTSUPP (double PP)
> to zero, which is propagated back to the ieee802_1x_receive_auth()
> function.
> 
> And with this change WPA-EAP/802.1x AP mode started working. Here is
> hostapd log:
> 
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: binding station to interface 'wlan1'
> May 11 09:28:20 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -95 (Not supported)
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: could not bind the STA entry to vlan_id=0
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: old identity 'anonymous' updated with User-Name from Access-Accept 'anonymous'
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success
> May 11 09:28:20 turris hostapd: wlan1: CTRL-EVENT-EAP-SUCCESS2 c4:d9:87:6c:38:01
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: Sending EAP Packet (identifier 27)
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 1/4 msg of 4-Way Handshake
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (2/4 Pairwise)
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: sending 3/4 msg of 4-Way Handshake
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: received EAPOL-Key frame (4/4 Pairwise)
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 WPA: pairwise key handshake completed (RSN)
> May 11 09:28:20 turris hostapd: wlan1: AP-STA-CONNECTED c4:d9:87:6c:38:01
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authorizing port
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: starting accounting session 0C7AC96B17442FD4
> May 11 09:28:20 turris hostapd: wlan1: RADIUS Sending RADIUS message to accounting server
> May 11 09:28:20 turris hostapd: wlan1: RADIUS Next RADIUS client retransmit in 3 seconds
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: authenticated - EAP type: 21 (TTLS)
> May 11 09:28:20 turris hostapd: wlan1: RADIUS Received 20 bytes from RADIUS server
> May 11 09:28:20 turris hostapd: wlan1: RADIUS Received RADIUS message
> May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
> 
> Jouni, I think this is bug in hostapd's 802.1X code. Function
> ieee802_1x_receive_auth() skips whole processing of 802.1X path when
> receives RADIUS_CODE_ACCESS_ACCEPT response and ap_sta_bind_vlan()
> function fails.
> 
> The most suspicious part for me is why hostapd_drv_set_sta_vlan()
> function returns zero when hostapd driver does not support
> set_sta_vlan() function, but returns -ENOTSUP (or -ENOTSUPP) when kernel
> driver does not support this functionality. And also why this code path
> is ignored when hostapd is configured with CONFIG_NO_VLAN compile time
> option.
> 
> Do you have any suggestions how to make AP working in WPA-EAP/802.1x
> mode for cards without NL80211_CMD_SET_STATION command? I would like to
> avoid having custom hostapd patch (like one above) and have ability to
> use upstream unpatched hostapd daemon.
> 
> [1] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/errno.h
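The failure signature shown in the two logs in this thread (EAP Success that never reaches AP-STA-CONNECTED after an NL80211_ATTR_STA_VLAN error) can be checked for mechanically. The following is an added example, not part of the original messages or of hostapd; the function name diagnose() and the verdict strings are assumptions, and the sample lines are a trimmed copy of the logs quoted above.

```python
import re
from collections import defaultdict

# Error numbers as stated in the thread: 524 is the kernel-internal ENOTSUPP,
# 95 is the userspace ENOTSUP.
ERRNO_NAMES = {524: "ENOTSUPP (kernel-internal)", 95: "ENOTSUP"}
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
VLAN_FAIL = re.compile(
    rf"NL80211_ATTR_STA_VLAN \(addr=({MAC}) ifname=\S+ vlan_id=(\d+)\) failed: -(\d+)")
EVENTS = [  # (state key, pattern capturing the station MAC)
    ("eap_success", re.compile(rf"STA ({MAC}) IEEE 802\.1X: .*EAP Success")),
    ("retransmit", re.compile(rf"CTRL-EVENT-EAP-RETRANSMIT2 ({MAC})")),
    ("connected", re.compile(rf"AP-STA-CONNECTED ({MAC})")),
    ("disassociated", re.compile(rf"STA ({MAC}) IEEE 802\.11: disassociated")),
]

# Log lines copied (trimmed) from the two hostapd logs quoted in the thread.
FAILING = [
    "May 11 09:31:28 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -524 (No error information)",
    "May 11 09:31:28 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success",
    "May 11 09:31:31 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01",
    "May 11 09:31:37 turris hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT2 c4:d9:87:6c:38:01",
    "May 11 09:31:47 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.11: disassociated",
]
PATCHED = [
    "May 11 09:28:20 turris hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=c4:d9:87:6c:38:01 ifname=wlan1 vlan_id=0) failed: -95 (Not supported)",
    "May 11 09:28:20 turris hostapd: wlan1: STA c4:d9:87:6c:38:01 IEEE 802.1X: decapsulated EAP packet (code=3 id=27 len=4) from RADIUS server: EAP Success",
    "May 11 09:28:20 turris hostapd: wlan1: AP-STA-CONNECTED c4:d9:87:6c:38:01",
]

def diagnose(lines):
    """Return {mac: verdict string} for every station seen in hostapd log lines."""
    sta = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = VLAN_FAIL.search(line)
        if m:  # driver-level line: record which VLAN was requested and the errno
            s = sta[m.group(1)]
            s["vlan_fail"], s["vlan_id"], s["errno"] = 1, int(m.group(2)), int(m.group(3))
            continue
        for key, pat in EVENTS:
            m = pat.search(line)
            if m:
                sta[m.group(1)][key] += 1
    out = {}
    for mac, s in sta.items():
        err = ERRNO_NAMES.get(s["errno"], f"errno {s['errno']}")
        if s["vlan_fail"] and s["eap_success"] and not s["connected"]:
            out[mac] = (f"stalled: EAP Success but no AP-STA-CONNECTED after VLAN bind "
                        f"failure ({err}, vlan_id={s['vlan_id']}, "
                        f"{s['retransmit']} retransmits)")
        elif s["vlan_fail"] and s["connected"]:
            out[mac] = f"connected: VLAN bind failure ({err}) was ignored"
        elif s["connected"]:
            out[mac] = "connected"
        else:
            out[mac] = "incomplete"
    return out

if __name__ == "__main__":
    print(diagnose(FAILING), diagnose(PATCHED))
```

A "stalled" verdict with vlan_id=0 points at the driver limitation discussed here; the same verdict with a non-zero vlan_id means a RADIUS-assigned VLAN could not be applied and the station was correctly refused.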

Patch

diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
index 93f1f0c20..9059162a8 100644
--- a/src/ap/sta_info.c
+++ b/src/ap/sta_info.c
@@ -1092,6 +1092,10 @@  skip_counting:
 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
 			       HOSTAPD_LEVEL_DEBUG, "could not bind the STA "
 			       "entry to vlan_id=%d", sta->vlan_id);
+		/* Ignore error when driver does not support setting vlan
+		 * and we were not requested to set non-zero vlan id */
+		if (ret == -ENOTSUP && sta->vlan_id == 0)
+			ret = 0;
 	}
 
 	/* During 1x reauth, if the vlan id changes, then remove the old id. */
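Review bot: the new "if (ret == -ENOTSUP && sta->vlan_id == 0)" test sits after the hostapd_logger() call, so "could not bind the STA entry to vlan_id=0" is still logged for a condition that is then treated as success; test for the ignorable case before logging, or log that the error is being ignored. Limiting the exception to sta->vlan_id == 0 is the right boundary: a station that was assigned a non-zero VLAN must keep failing here rather than continue without the VLAN it was given. The test also only matches drivers that report exactly -ENOTSUP, which for nl80211 depends on the -524 translation in driver_nl80211.c, so the comment should state that dependency.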
diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
index d48f8cb76..0906508d4 100644
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -6848,6 +6848,8 @@  static int i802_set_sta_vlan(struct i802_bss *bss, const u8 *addr,
 
 	ret = send_and_recv_msgs(drv, msg, NULL, NULL);
 	if (ret < 0) {
+		if (ret == -524) /* 524 - Linux internal ENOTSUPP (double PP) */
+			ret = -ENOTSUP;
 		wpa_printf(MSG_ERROR, "nl80211: NL80211_ATTR_STA_VLAN (addr="
 			   MACSTR " ifname=%s vlan_id=%d) failed: %d (%s)",
 			   MAC2STR(addr), ifname, vlan_id, ret,
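Review bot: the bare -524 in "if (ret == -524)" is a magic number; give it a named constant local to the driver (userspace errno.h has no ENOTSUPP) so the meaning does not live only in the trailing comment. The translation also runs before wpa_printf(), so the log reports -95 and loses the value the kernel actually returned; print the original code first and translate afterwards. Because this failure is expected on cards without NL80211_CMD_SET_STATION and is ignored for vlan_id 0 by the sta_info.c change, MSG_ERROR is louder than that case warrants and a lower level would fit it better.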