AaronMcH Posted December 28, 2018

I have a couple of WiFi Pineapple Tetra devices running as Wireless Access Points. I'm setting up an 802.1X/Enterprise WiFi Network and am seeing some strange results with the Hostapd Configuration that is being generated on one of the two Pineapples.

The config in /etc/config/wireless is the same on both devices:

    config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/ar934x_wmac'
        option htmode 'HT20'
        option require_mode 'n'

    config wifi-iface
        option device 'radio0'
        option ifname 'wlan0-1'
        option network 'wan'
        option mode 'ap'
        option ssid 'wifi'
        option encryption 'psk2+ccmp'
        option key 'key'

    config wifi-iface
        option device 'radio0'
        option ifname 'wlan0-2'
        option network 'wan'
        option mode 'ap'
        option ssid 'wifi_X'
        option encryption 'wpa2'
        option auth_server '172.16.0.1'
        option auth_secret 'key'

    config wifi-iface
        option device 'radio0'
        option ifname 'wlan0-3'
        option network 'wan'
        option mode 'ap'
        option ssid 'wifi_iot'
        option encryption 'psk2+ccmp'
        option key 'key'

    config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'HT20'
        option require_mode 'n'

    config wifi-iface
        option device 'radio1'
        option ifname 'wlan1-1'
        option network 'lan'
        option mode 'ap'
        option ssid 'wifi_guest'
        option encryption 'psk2+ccmp'
        option key 'key'

The first Pineapple is named wap-01, the second Pineapple is named wap-02.
wap-01 is running version 1.0.2 of the WiFi Pineapple software and the generated hostapd config is:

    cat /var/run/hostapd-phy0.conf

    driver=nl80211
    logger_syslog=127
    logger_syslog_level=2
    logger_stdout=127
    logger_stdout_level=2
    hw_mode=g
    require_ht=1
    channel=11
    ieee80211n=1
    ht_coex=0
    ht_capab=[LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]

    interface=wlan0-1
    ctrl_interface=/var/run/hostapd
    ap_isolate=1
    disassoc_low_ack=1
    preamble=1
    wmm_enabled=1
    ignore_broadcast_ssid=0
    uapsd_advertisement_enabled=1
    wpa_passphrase=key
    auth_algs=1
    wpa=2
    wpa_pairwise=CCMP
    ssid=wifi
    bridge=br-wan
    wpa_key_mgmt=WPA-PSK
    okc=0
    disable_pmksa_caching=1
    bssid=00:13:37:a5:a7:83

    bss=wlan0-2
    ctrl_interface=/var/run/hostapd
    ap_isolate=1
    disassoc_low_ack=1
    preamble=1
    wmm_enabled=1
    ignore_broadcast_ssid=0
    uapsd_advertisement_enabled=1
    auth_server_addr=172.16.0.1
    auth_server_port=1812
    auth_server_shared_secret=key
    eapol_key_index_workaround=1
    ieee8021x=1
    auth_algs=1
    wpa=2
    wpa_pairwise=CCMP
    ssid=wifi_X
    bridge=br-wan
    wpa_key_mgmt=WPA-EAP
    okc=0
    disable_pmksa_caching=1
    bssid=02:13:37:a5:a7:83

    bss=wlan0-3
    ctrl_interface=/var/run/hostapd
    ap_isolate=1
    disassoc_low_ack=1
    preamble=1
    wmm_enabled=1
    ignore_broadcast_ssid=0
    uapsd_advertisement_enabled=1
    wpa_passphrase=key
    auth_algs=1
    wpa=2
    wpa_pairwise=CCMP
    ssid=wifi_iot
    bridge=br-wan
    wpa_key_mgmt=WPA-PSK
    okc=0
    disable_pmksa_caching=1
    bssid=06:13:37:a5:a7:83

This config creates the access points and works without issues.
The problem is with wap-02, which is running version 2.4.1 of the WiFi Pineapple software and the generated hostapd config is:

    cat /var/run/hostapd-phy0.conf

    driver=nl80211
    logger_syslog=-1
    logger_syslog_level=0
    logger_stdout=127
    logger_stdout_level=2
    hw_mode=g
    require_ht=1
    channel=11
    ieee80211n=1
    ht_coex=0
    ht_capab=[LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]

    interface=wlan0-1
    ctrl_interface=/var/run/hostapd
    ap_isolate=1
    disassoc_low_ack=1
    preamble=1
    wmm_enabled=1
    ignore_broadcast_ssid=0
    uapsd_advertisement_enabled=1
    wpa_passphrase=key
    auth_algs=3
    wpa=2
    wpa_pairwise=CCMP
    ssid=wifi
    bridge=br-wan
    wpa_key_mgmt=WPA-PSK
    okc=0
    disable_pmksa_caching=1
    bssid=00:13:37:a6:b1:f7

    bss=wlan0-2
    ctrl_interface=/var/run/hostapd
    ap_isolate=1
    disassoc_low_ack=1
    preamble=1
    wmm_enabled=1
    ignore_broadcast_ssid=0
    uapsd_advertisement_enabled=1
    auth_server_addr=172.16.0.1
    auth_server_port=1812
    auth_server_shared_secret=key
    eapol_key_index_workaround=0
    eap_server=1
    eap_fast_a_id=101112131415161718191a1b1c1d1e1f
    eap_fast_a_id_info=hostapd-pineape
    eap_fast_prov=3
    ieee8021x=1
    pac_key_lifetime=604800
    pac_key_refresh_time=86400
    pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
    wpa_pairwise=CCMP
    rsn_pairwise=CCMP
    eap_user_file=/etc/pineape/hostapd-pineape.eap_user
    ca_cert=/etc/pineape/certs/ca.pem
    dh_file=/etc/pineape/certs/dh
    server_cert=/etc/pineape/certs/server.pem
    private_key=/etc/pineape/certs/server.key
    private_key_passwd=pineapplesareyummy
    auth_algs=3
    wpa=2
    wpa_pairwise=CCMP
    ssid=wifi_X
    bridge=br-wan
    wpa_key_mgmt=WPA-EAP
    okc=0
    disable_pmksa_caching=1
    bssid=02:13:37:a6:b1:f7

    bss=wlan0-3
    ctrl_interface=/var/run/hostapd
    ap_isolate=1
    disassoc_low_ack=1
    preamble=1
    wmm_enabled=1
    ignore_broadcast_ssid=0
    uapsd_advertisement_enabled=1
    wpa_passphrase=key
    auth_algs=3
    wpa=2
    wpa_pairwise=CCMP
    ssid=key_iot
    bridge=br-wan
    wpa_key_mgmt=WPA-PSK
    okc=0
    disable_pmksa_caching=1
    bssid=06:13:37:a6:b1:f7

As you can see the above generated config has more options set for the wifi_X SSID,
mainly details about certificates and what looks like an alternative place to set usernames and passwords. The problem with this is that on wap-02 hostapd doesn't start properly and so none of the SSIDs on radio0 are available to connect; in the log it is running into issues:

    Fri Dec 28 21:14:15 2018 daemon.notice netifd: radio0 (22651): wlan0-2: RADIUS Authentication server 172.16.0.1:1812
    Fri Dec 28 21:14:15 2018 daemon.info hostapd: wlan0-2: RADIUS Authentication server 172.16.0.1:1812
    Fri Dec 28 21:14:15 2018 daemon.notice netifd: radio0 (22651): TLSv1: Failed to read '/etc/pineape/certs/ca.pem'
    Fri Dec 28 21:14:15 2018 daemon.notice netifd: radio0 (22651): TLS: Failed to configure trusted CA certificates
    Fri Dec 28 21:14:15 2018 daemon.notice netifd: radio0 (22651): Failed to set TLS parameters
    Fri Dec 28 21:14:15 2018 kern.info kernel: [63258.250000] br-wan: port 3(wlan0-2) entered disabled state
    Fri Dec 28 21:14:15 2018 kern.info kernel: [63258.250000] device wlan0-2 left promiscuous mode
    Fri Dec 28 21:14:15 2018 kern.info kernel: [63258.260000] br-wan: port 3(wlan0-2) entered disabled state
    Fri Dec 28 21:14:15 2018 daemon.notice netifd: radio0 (22651): nl80211: Failed to remove interface wlan0-2 from bridge br-wan: No such device
    Fri Dec 28 21:14:15 2018 daemon.notice netifd: radio0 (22651): Interface initialization failed

The file it is failing on is /etc/pineape/certs/ca.pem, which unsurprisingly doesn't exist, but in reality I don't actually want all of these additional settings since I'm not actually using the PineAP system, and the RADIUS Server I'm using has all of the necessary certificates. So given that wap-01 doesn't have any of this additional configuration and everything works fine, it is obvious that this is the result of some kind of change between version 1.0.2 and version 2.4.1, so how can I prevent these additional PineAP related config options from being injected on wap-02?
I've tried stopping and disabling both /etc/init.d/pineapple and /etc/init.d/pineapd, and restarted multiple times, however this has no effect. Any advice on this would be appreciated.

Thanks
-Aaron
Foxtrot Posted December 29, 2018

The cert that doesn't exist is generated via PineAP when setting up enterprise attacks. The hostapd on the WiFi Pineapple has hard coded changes that will not allow you to use the Pineapple as a traditional 802.1X AP.
AaronMcH Posted December 29, 2018

Hi Foxtrot

Thanks for the info, I suppose I could try either reinstalling hostapd using opkg or building it from source. Do you have any insight to offer on any of these?

Thanks
-Aaron
Foxtrot Posted December 30, 2018

You can try installing another version of hostapd, but I wouldn't recommend doing it. The TETRA isn't designed to be an enterprise router, and doing so will break other aspects of the device.
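
The comparison made by eye in this thread can be scripted. The following is an added example, not code from the thread or from the Pineapple firmware: it splits a generated hostapd config into per-BSS blocks, reports which options one build added or changed for a given interface, and lists file-valued options whose targets are missing. The function names are this example's own, and the two sample strings are trimmed excerpts of the wlan0-2 blocks posted above.

```python
import os

# Options whose value is a file hostapd has to read when the BSS starts.
FILE_OPTIONS = {"ca_cert", "server_cert", "private_key", "dh_file", "eap_user_file"}

def parse_bss(conf_text):
    """Split hostapd config text into {ifname: {option: value}} per BSS."""
    sections = {"(radio)": {}}          # options before the first interface=
    current = sections["(radio)"]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in ("interface", "bss"):  # both keywords open a new BSS block
            current = sections.setdefault(value, {})
        else:
            current[key] = value         # a repeated option keeps its last value
    return sections

def diff_bss(old, new, ifname):
    """Return (added, changed) options for one BSS between two configs."""
    a, b = old.get(ifname, {}), new.get(ifname, {})
    added = {k: v for k, v in b.items() if k not in a}
    changed = {k: (a[k], v) for k, v in b.items() if k in a and a[k] != v}
    return added, changed

def missing_files(options, exists=os.path.exists):
    """Paths named by file-valued options that cannot be found on disk."""
    return sorted(v for k, v in options.items() if k in FILE_OPTIONS and not exists(v))

# Trimmed excerpts of the configs quoted in the thread; spaces become newlines.
WAP01 = """interface=wlan0-1 ssid=wifi bss=wlan0-2 auth_server_addr=172.16.0.1
eapol_key_index_workaround=1 ieee8021x=1 auth_algs=1 ssid=wifi_X""".replace(" ", "\n")
WAP02 = """interface=wlan0-1 ssid=wifi bss=wlan0-2 auth_server_addr=172.16.0.1
eapol_key_index_workaround=0 eap_server=1 ieee8021x=1
eap_user_file=/etc/pineape/hostapd-pineape.eap_user ca_cert=/etc/pineape/certs/ca.pem
server_cert=/etc/pineape/certs/server.pem private_key=/etc/pineape/certs/server.key
auth_algs=3 ssid=wifi_X""".replace(" ", "\n")

if __name__ == "__main__":
    added, changed = diff_bss(parse_bss(WAP01), parse_bss(WAP02), "wlan0-2")
    print("added:", sorted(added))
    print("changed:", changed)
    print("unreadable:", missing_files(added))
```

Run against full copies of /var/run/hostapd-phy0.conf from both devices, the same functions show every option the newer build injects into the 802.1X BSS, including the certificate paths behind the "Failed to read" log line.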