Hostapd Config being altered for 802.1X/Enterprise WiFi

[AaronMcH]

I have a couple of WiFi Pineapple Tetra devices running as Wireless Access Points.  I'm setting up a 802.1X/Enterprise WiFi Network and am seeing some strange results with the Hostapd Configuration that is being generated on one of the two Pineapples.

The config in /etc/config/wireless is the same on both devices:

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/ar934x_wmac'
        option htmode 'HT20'
        option require_mode 'n'

config wifi-iface
        option device 'radio0'
        option ifname 'wlan0-1'
        option network 'wan'
        option mode 'ap'
        option ssid 'wifi'
        option encryption 'psk2+ccmp'
        option key 'key'

config wifi-iface
        option device 'radio0'
        option ifname 'wlan0-2'
        option network 'wan'
        option mode 'ap'
        option ssid 'wifi_X'
        option encryption 'wpa2'
        option auth_server '172.16.0.1'
        option auth_secret 'key'

config wifi-iface
        option device 'radio0'
        option ifname 'wlan0-3'
        option network 'wan'
        option mode 'ap'
        option ssid 'wifi_iot'
        option encryption 'psk2+ccmp'
        option key 'key'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'HT20'
        option require_mode 'n'

config wifi-iface
        option device 'radio1'
        option ifname 'wlan1-1'
        option network 'lan'
        option mode 'ap'
        option ssid 'wifi_guest'
        option encryption 'psk2+ccmp'
        option key 'key'

The first Pineapple is named wap-01, the second Pineapple is named wap-02.

wap-01 is running version 1.0.2 of the WiFi Peinapple software and the generated hostapd config is:

cat /var/run/hostapd-phy0.conf
driver=nl80211
logger_syslog=127
logger_syslog_level=2
logger_stdout=127
logger_stdout_level=2
hw_mode=g
require_ht=1
channel=11

ieee80211n=1
ht_coex=0
ht_capab=[LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]

interface=wlan0-1
ctrl_interface=/var/run/hostapd
ap_isolate=1
disassoc_low_ack=1
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
wpa_passphrase=key
auth_algs=1
wpa=2
wpa_pairwise=CCMP
ssid=wifi
bridge=br-wan
wpa_key_mgmt=WPA-PSK
okc=0
disable_pmksa_caching=1
bssid=00:13:37:a5:a7:83


bss=wlan0-2
ctrl_interface=/var/run/hostapd
ap_isolate=1
disassoc_low_ack=1
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
auth_server_addr=172.16.0.1
auth_server_port=1812
auth_server_shared_secret=key
eapol_key_index_workaround=1
ieee8021x=1
auth_algs=1
wpa=2
wpa_pairwise=CCMP
ssid=wifi_X
bridge=br-wan
wpa_key_mgmt=WPA-EAP
okc=0
disable_pmksa_caching=1
bssid=02:13:37:a5:a7:83


bss=wlan0-3
ctrl_interface=/var/run/hostapd
ap_isolate=1
disassoc_low_ack=1
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
wpa_passphrase=key
auth_algs=1
wpa=2
wpa_pairwise=CCMP
ssid=wifi_iot
bridge=br-wan
wpa_key_mgmt=WPA-PSK
okc=0
disable_pmksa_caching=1
bssid=06:13:37:a5:a7:83

This config creates the access points and works without issues.

The problem is with wap-02, which is running version 2.4.1 of the WiFi Pineapple software and the generated hostapd config is:

cat /var/run/hostapd-phy0.conf
driver=nl80211
logger_syslog=-1
logger_syslog_level=0
logger_stdout=127
logger_stdout_level=2
hw_mode=g
require_ht=1
channel=11

ieee80211n=1
ht_coex=0
ht_capab=[LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]

interface=wlan0-1
ctrl_interface=/var/run/hostapd
ap_isolate=1
disassoc_low_ack=1
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
wpa_passphrase=key
auth_algs=3
wpa=2
wpa_pairwise=CCMP
ssid=wifi
bridge=br-wan
wpa_key_mgmt=WPA-PSK
okc=0
disable_pmksa_caching=1
bssid=00:13:37:a6:b1:f7


bss=wlan0-2
ctrl_interface=/var/run/hostapd
ap_isolate=1
disassoc_low_ack=1
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
auth_server_addr=172.16.0.1
auth_server_port=1812
auth_server_shared_secret=key
eapol_key_index_workaround=0
eap_server=1
eap_fast_a_id=101112131415161718191a1b1c1d1e1f
eap_fast_a_id_info=hostapd-pineape
eap_fast_prov=3
ieee8021x=1
pac_key_lifetime=604800
pac_key_refresh_time=86400
pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
wpa_pairwise=CCMP
rsn_pairwise=CCMP
eap_user_file=/etc/pineape/hostapd-pineape.eap_user
ca_cert=/etc/pineape/certs/ca.pem
dh_file=/etc/pineape/certs/dh
server_cert=/etc/pineape/certs/server.pem
private_key=/etc/pineape/certs/server.key
private_key_passwd=pineapplesareyummy
auth_algs=3
wpa=2
wpa_pairwise=CCMP
ssid=wifi_X
bridge=br-wan
wpa_key_mgmt=WPA-EAP
okc=0
disable_pmksa_caching=1
bssid=02:13:37:a6:b1:f7


bss=wlan0-3
ctrl_interface=/var/run/hostapd
ap_isolate=1
disassoc_low_ack=1
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
wpa_passphrase=key
auth_algs=3
wpa=2
wpa_pairwise=CCMP
ssid=key_iot
bridge=br-wan
wpa_key_mgmt=WPA-PSK
okc=0
disable_pmksa_caching=1
bssid=06:13:37:a6:b1:f7

As you can see the above generated config has more options set for the wifi_X SSID, mainly details about certificates what looks like an alternative place to set usernames and passwords.

The problem with this is that on wap-02 hostapd doesn't start properly and so none of the SSIDs on radio0 are available to connect, in the log it is running into issues

Fri Dec 28 21:14:15 2018 daemon.notice netifd: radio0 (22651): wlan0-2: RADIUS Authentication server 172.16.0.1:1812
Fri Dec 28 21:14:15 2018 daemon.info hostapd: wlan0-2: RADIUS Authentication server 172.16.0.1:1812
Fri Dec 28 21:14:15 2018 daemon.notice netifd: radio0 (22651): TLSv1: Failed to read '/etc/pineape/certs/ca.pem'
Fri Dec 28 21:14:15 2018 daemon.notice netifd: radio0 (22651): TLS: Failed to configure trusted CA certificates
Fri Dec 28 21:14:15 2018 daemon.notice netifd: radio0 (22651): Failed to set TLS parameters
Fri Dec 28 21:14:15 2018 kern.info kernel: [63258.250000] br-wan: port 3(wlan0-2) entered disabled state
Fri Dec 28 21:14:15 2018 kern.info kernel: [63258.250000] device wlan0-2 left promiscuous mode
Fri Dec 28 21:14:15 2018 kern.info kernel: [63258.260000] br-wan: port 3(wlan0-2) entered disabled state
Fri Dec 28 21:14:15 2018 daemon.notice netifd: radio0 (22651): nl80211: Failed to remove interface wlan0-2 from bridge br-wan: No such device
Fri Dec 28 21:14:15 2018 daemon.notice netifd: radio0 (22651): Interface initialization failed

The file it is failing on is /etc/pineape/certs/ca.pem, which unsurprisingly doesn't exist, but in reality I don't actually want all of these additional settings since I'm not actually using the PineAP system, and the RADIUS Server I'm using has all of the necessary certificates.

So given that wap-01 doesn't have any of this additional configuration and everything works fine, it is obvious that this is the result of some kind of change between version 1.0.2 and version 2.4.1, so how can I prevent these additional PineAP related config options from being injected on wap-02?

I've tried stopping and disabling both /etc/init.d/pineapple and /etc/init.d/pineapd, and restarted multiple times, however this has no effect.

Any advise on this would be appreciated.

Thanks
-Aaron

[Foxtrot]

The cert that doesn't exist is generated via PineAP when setting up enterprise attacks. The hostapd on the WiFi Pineapple has hard coded changes that will not allow you to use the Pineapple as a traditional 802.1X AP. 

[AaronMcH]

Hi Foxtrot

Thanks for the info, I suppose I could try either reinstalling hostapd using opkg or building it from source.

Do you have any insight to offer on any of these?

Thanks

-Aaron

[Foxtrot]

You can try installing another version of hostapd, but I wouldn't recommend doing it. The TETRA isn't designed to be an enterprise router, and doing so will break other aspects of the device.