Tuesday, November 15, 2016

Multiple SSIDs hostapd on CentOS 7

Here's how I set up hostapd on my CentOS 7/PCEngines APU 2C4.  First, I needed to ensure I had the capabilities.  I'm using the WLE200NL device.

my setup for hostapd :
    [root@hostname home]# yum install iw
Next, I needed to check and ensure the driver would work as an Access Point, so I ran an "iw list" :
    [root@hostname home]# iw list
  Wiphy phy0
  max # scan SSIDs: 4
  max scan IEs length: 2257 bytes
  Coverage class: 0 (up to 0m)
  Device supports RSN-IBSS.
  Device supports AP-side u-APSD.
  Supported Ciphers:
    * WEP40 (00-0f-ac:1)
    * WEP104 (00-0f-ac:5)
    * TKIP (00-0f-ac:2)
    * CCMP (00-0f-ac:4)
    * 00-0f-ac:10
    * GCMP (00-0f-ac:8)
    * 00-0f-ac:9
    * CMAC (00-0f-ac:6)
    * 00-0f-ac:13
    * 00-0f-ac:11
    * 00-0f-ac:12
  Available Antennas: TX 0x3 RX 0x3
  Configured Antennas: TX 0x3 RX 0x3
  Supported interface modes:
    * IBSS
    * managed
    * AP
    * AP/VLAN
    * WDS
    * monitor
    * P2P-client
    * P2P-GO
  Band 1:
    Capabilities: 0x11ce
      HT20/HT40
      SM Power Save disabled
      RX HT40 SGI
      TX STBC
      RX STBC 1-stream
      Max AMSDU length: 3839 bytes
      DSSS/CCK HT40
    Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
    Minimum RX AMPDU time spacing: 8 usec (0x06)
    HT TX/RX MCS rate indexes supported: 0-15
    Bitrates (non-HT):
      * 1.0 Mbps
[...snip...]
      * 54.0 Mbps
    Frequencies:
      * 2412 MHz [1] (30.0 dBm)
[...snip...]
      * 2484 MHz [14] (disabled)
  Band 2:
    Capabilities: 0x11ce
      HT20/HT40
      SM Power Save disabled
      RX HT40 SGI
      TX STBC
      RX STBC 1-stream
      Max AMSDU length: 3839 bytes
      DSSS/CCK HT40
    Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
    Minimum RX AMPDU time spacing: 8 usec (0x06)
    HT TX/RX MCS rate indexes supported: 0-15
    Bitrates (non-HT):
      * 6.0 Mbps
[...snip...]
      * 54.0 Mbps
    Frequencies:
      * 5180 MHz [36] (17.0 dBm)
[...snip...]
      * 5825 MHz [165] (30.0 dBm)
  Supported commands:
[...snip...]
    * start_ap
    * new_station
[...snip...]
    * connect
    * disconnect
  Supported TX frame types:
[...snip...]
    * managed: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
    * AP: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
    * AP/VLAN: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
[...snip...]
  Supported RX frame types:
[...snip...]
    * managed: 0x40 0xd0
    * AP: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
    * AP/VLAN: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
[...snip...]
  software interface modes (can always be added):
    * AP/VLAN
    * monitor
  valid interface combinations:
    * #{ managed } <= 2048, #{ AP } <= 8, #{ P2P-client, P2P-GO } <= 1,
      total <= 2048, #channels <= 1, STA/AP BI must match
    * #{ WDS } <= 2048,
      total <= 2048, #channels <= 1, STA/AP BI must match
  HT Capability overrides:
[...snip...]
  Device supports AP scan.
[root@hostname home]#
I snipped out some of the repetitive-styled output (marked by the "[...snipped...]" lines), just to shorten the output of the iw command.  I highlighted a couple of the things I thought were relevant in bold.  I needed to grab the source for hostapd :
    [root@hostname home]# wget http://w1.fi/releases/hostapd-2.6.tar.gz
Extract it (tar -xf hostapd-2.6.tar.gz), then configure it (note, no ./configure script) :
    [root@hostname hostapd]# cd hostapd-2.6/hostapd
[root@hostname hostapd]# cp defconfig .config

    [root@hostname hostapd]# make
  CC  main.c
  CC  config_file.c
  CC  ../src/ap/hostapd.c
  CC  ../src/ap/wpa_auth_glue.c
  CC  ../src/ap/drv_callbacks.c
  CC  ../src/ap/ap_drv_ops.c
  CC  ../src/ap/utils.c
  CC  ../src/ap/authsrv.c
  CC  ../src/ap/ieee802_1x.c
  CC  ../src/ap/ap_config.c
  CC  ../src/ap/eap_user_db.c
  CC  ../src/ap/ieee802_11_auth.c
  CC  ../src/ap/sta_info.c
  CC  ../src/ap/wpa_auth.c
  CC  ../src/ap/tkip_countermeasures.c
  CC  ../src/ap/ap_mlme.c
  CC  ../src/ap/wpa_auth_ie.c
  CC  ../src/ap/preauth_auth.c
  CC  ../src/ap/pmksa_cache_auth.c
  CC  ../src/ap/ieee802_11_shared.c
  CC  ../src/ap/beacon.c
  CC  ../src/ap/bss_load.c
  CC  ../src/ap/neighbor_db.c
  CC  ../src/ap/rrm.c
  CC  ../src/drivers/drivers.c
  CC  ../src/utils/eloop.c
  CC  ../src/utils/common.c
  CC  ../src/utils/wpa_debug.c
  CC  ../src/utils/wpabuf.c
  CC  ../src/utils/os_unix.c
  CC  ../src/utils/ip_addr.c
  CC  ../src/common/ieee802_11_common.c
  CC  ../src/common/wpa_common.c
  CC  ../src/common/hw_features_common.c
  CC  ../src/eapol_auth/eapol_auth_sm.c
  CC  ../src/eapol_auth/eapol_auth_dump.c
  CC  ../src/radius/radius.c
  CC  ../src/radius/radius_client.c
  CC  ../src/radius/radius_das.c
  CC  ../src/ap/accounting.c
  CC  ../src/ap/vlan_init.c
  CC  ../src/ap/vlan_ifconfig.c
  CC  ../src/ap/vlan.c
  CC  ../src/common/ctrl_iface_common.c
  CC  ctrl_iface.c
  CC  ../src/ap/ctrl_iface_ap.c
  CC  ../src/ap/iapp.c
  CC  ../src/ap/peerkey_auth.c
  CC  ../src/drivers/driver_hostap.c
../src/drivers/driver_nl80211.c:17:31: fatal error: netlink/genl/genl.h: No such file or directory
 #include <netlink/gen1/genl.h>
                               ^
compilation terminated.
make: *** [../src/drivers/driver_nl80211.o] Error 1
[root@hostname hostapd]#
Argh! I need to install the libnl-devel package!
    [root@hostname hostapd]# yum install libnl-devel.x86_64
Then, re-run "make" :
    [root@hostname hostapd]# make
  CC  ../src/drivers/driver_nl80211.c
  CC  ../src/drivers/driver_nl80211_capa.c
  CC  ../src/drivers/driver_nl80211_event.c
  CC  ../src/drivers/driver_nl80211_monitor.c
  CC  ../src/drivers/driver_nl80211_scan.c
  CC  ../src/drivers/netlink.c
  CC  ../src/drivers/linux_ioctl.c
  CC  ../src/drivers/rfkill.c
  CC  ../src/utils/radiotap.c
  CC  ../src/l2_packet/l2_packet_linux.c
  CC  ../src/eap_server/eap_server_md5.c
  CC  ../src/eap_server/eap_server_tls.c
  CC  ../src/eap_server/eap_server_peap.c
  CC  ../src/eap_common/eap_peap_common.c
  CC  ../src/eap_server/eap_server_ttls.c
  CC  ../src/eap_server/eap_server_mschapv2.c
  CC  ../src/eap_server/eap_server_gtc.c
  CC  eap_register.c
  CC  ../src/eap_server/eap_server.c
  CC  ../src/eap_common/eap_common.c
  CC  ../src/eap_server/eap_server_methods.c
  CC  ../src/eap_server/eap_server_identity.c
  CC  ../src/crypto/ms_funcs.c
  CC  ../src/eap_common/chap.c
  CC  ../src/eap_server/eap_server_tls_common.c
../src/crypto/tls_openssl.c:19:25: fatal error: openssl/ssl.h: No such file or directory
 #include <openssl ssl.h>
                         ^
compilation terminated.
make: *** [../src/crypto/tls_openssl.o] Error 1
[root@hostname hostapd]#
Yet another package I needed to install : 
    [root@hostname hostapd]# yum install openssl-devel
Again, re-run "make" :
    [root@hostname hostapd]# make
  CC  ../src/crypto/tls_openssl.c
  CC  ../src/crypto/tls_openssl_ocsp.c
  CC  ../src/crypto/crypto_openssl.c
  CC  ../src/crypto/aes-omac1.c
  CC  ../src/crypto/sha1-prf.c
  CC  ../src/crypto/sha1-tlsprf.c
  CC  ../src/crypto/sha256-prf.c
  CC  ../src/crypto/sha256-tlsprf.c
  CC  ../src/crypto/sha256-kdf.c
  CC  ../src/crypto/random.c
  CC  ../src/ap/wmm.c
  CC  ../src/ap/ap_list.c
  CC  ../src/ap/ieee802_11.c
  CC  ../src/ap/hw_features.c
  CC  ../src/ap/dfs.c
  CC  ../src/drivers/driver_common.c
  LD  hostapd
  CC  hostapd_cli.c
  CC  ../src/common/wpa_ctrl.c
  CC  ../src/common/cli.c
  CC  ../src/utils/edit_simple.c
  LD  hostapd_cli
[root@hostname hostapd]# make install
install -D hostapd /usr/local/bin//hostapd
install -D hostapd_cli /usr/local/bin//hostapd_cli
[root@hostname hostapd]#
Success! Let's run it :
    [root@hostname hostapd]# hostapd
hostapd v2.6
User space daemon for IEEE 802.11 AP management,
IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
Copyright (c) 2002-2016, Jouni Malinen  and contributors

usage: hostapd [-hdBKtv] [-P ] [-e ] \
         [-g ] [-G ]\
         [-i ]\
         

options:
   -h   show this usage
   -d   show more debug messages (-dd for even more)
   -B   run daemon in the background
   -e   entropy file
   -g   global control interface path
   -G   group for control interfaces
   -P   PID file
   -K   include key data in debug messages
   -i   list of interface names to use
   -S   start all the interfaces synchronously
   -t   include timestamps in some debug messages
   -v   show hostapd version
[root@hostname hostapd]#
Worked well enough to know we're installed, so let's get it configured. First, we need to grab the hardware address : 
    [root@hostname hostapd]# ifconfig wlp1s0
wlp1s0: flags=4098  mtu 1500
        ether 04:f0:21:26:d5:1f  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@hostname hostapd]#
For multiple SSID's, you might need to "change the MAC". You can do this from the command line as :
    [root@hostname hostapd]# ifconfig wlp1s0 hw ether 02:f0:21:26:d5:30
Or, add the new MAC address as "MACADDR=" in the ifcfg-wlp1s0 file for a more permanent home :
    [root@hostname hostapd]# ifconfig wlp1s0
wlp1s0: flags=4098  mtu 1500
        ether 02:f0:21:26:d5:30  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@hostname hostapd]# ifconfig wlp1s0 up
[root@hostname hostapd]#
Check and ensure it took :
    [root@hostname hostapd]# ifconfig wlp1s0
wlp1s0: flags=4099  mtu 1500
        ether 02:f0:21:26:d5:30  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@hostname hostapd]# vi ifcfg-enp4s0
Create our required configuration files :
    [root@hostname hostapd]# mkdir -p /etc/hostapd
[root@hostname etc]# cd /etc/hostapd/
[root@hostname hostapd]# vi hostapd.conf
Here is the content of my hostapd.conf file (shamelessly copied from another source) for the trial run :
    interface=wlp1s0
bridge=br0
driver=nl80211
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=wifiname
hw_mode=g
channel=1
beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
deny_mac_file=/etc/hostapd/hostapd.deny
auth_algs=1
ignore_broadcast_ssid=0
wmm_enabled=1
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
eapol_key_index_workaround=0
eap_server=0
wpa=2
wpa_passphrase=wifipassword
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_group_rekey=600
wpa_gmk_rekey=86400
Let's get a few more files created :
    [root@hostname hostapd]# touch /etc/hostapd/hostapd.deny
[root@hostname hostapd]# touch /etc/hostapd/hostapd.accept
[root@hostname hostapd]#
Note, if you forget the hostapd.deny/hostapd.accept files, it will error out with :
    [root@hostname hostapd]# hostapd /etc/hostapd/hostapd.conf 
Configuration file: /etc/hostapd/hostapd.conf
Line 8: DEPRECATED: 'dump_file' configuration variable is not used anymore
MAC list file '/etc/hostapd/hostapd.accept' not found.
Line 20: Failed to read accept_mac_file '/etc/hostapd/hostapd.accept'
MAC list file '/etc/hostapd/hostapd.deny' not found.
Line 21: Failed to read deny_mac_file '/etc/hostapd/hostapd.deny'
2 errors found in configuration file '/etc/hostapd/hostapd.conf'
Failed to set up interface with /etc/hostapd/hostapd.conf
Failed to initialize interface
[root@hostname hostapd]#
And a successful run :
    [root@hostname hostapd]# hostapd /etc/hostapd/hostapd.conf 
Configuration file: /etc/hostapd/hostapd.conf
Line 8: DEPRECATED: 'dump_file' configuration variable is not used anymore
Using interface wlp1s0 with hwaddr 02:f0:21:26:d5:30 and ssid "wifiname"
random: Only 15/20 bytes of strong random data available from /dev/random
random: Not enough entropy pool available for secure operations
WPA: Not enough entropy in random pool for secure operations - update keys later when the first station connects
wlp1s0: interface state UNINITIALIZED->ENABLED
wlp1s0: AP-ENABLED
You should now have a wireless network named "wifiname"! Congrats!  But wait! That's not all!  For a down payment of $49.95, you can also get MULTIPLE networks in separate subnets!  No VLAN necessary!  Here's how to order.
    [root@hostname homedir]# ifconfig wlp1s0|grep ether
        ether 09:f0:21:26:d5:d8  txqueuelen 1000  (Ethernet)
[root@hostname homedir]#
First, you need to ensure the BSSID is defined in your hostapd.conf.  Grab the hardware address out of ifconfig :
    [root@hostname homedir]# ifconfig wlp1s0|grep ether
        ether 04:f0:21:26:d5:1f  txqueuelen 1000  (Ethernet)
[root@hostname homedir]#
Then, change the first octet to 02 (meaning it's locally managed), and the last octet to 30.  For example :
    04:f0:21:26:d5:1f
02:f0:21:26:d5:30
Then, throw that value into your hostapd.conf file under the setting of "bssid=02:f0:21:26:d5:30".  The next step is to define your secondary SSID's using stanzas like :
    bss=wlp1s0_0
ssid=guest
wpa=2
wpa_passphrase=Brawnd0! It's what plants crave.

bss=wlp1s0_1
ssid=nonrouted
wpa=2
wpa_passphrase=securityVan09
accept_mac_file=/etc/hostapd/hostapd.nonrouted.allow
Once you restart hostapd, you will note that you have two new interfaces : wlp1s0_0 and wlp1s0_1. These will correlate to the three wireless networks. One is the main wireless network (wlp1s0), one is the guest network (wlp1s0_0), and one is a non-routable network (wlp1s0_1). The non-routable network is where I put all of my security stuff that I play with - for example, I don't want the chinese test hardware dialing home to papa.

So, how do we give them separate subnets? I spent a few days trying to figure this out, wanting terribly to use the defect-standard scripts on the system (before I really found out that you can't use the /etc/sysconfig/network-scripts/ifcfg-*). The "systemctl restart network.service" refused to work with them. It baffled me for a while, until I got tired of the inability for it to work, and simply created a systemd startup file for hostapd that had a post-configuration (I placed mine into "/etc/systemd/system/hostapd.service") : 
    [Unit]
Description=Wireless AP Daemon
Documentation=http://www.silverhawk.net/search/label/hostapd
Wants=basic.target
After=basic.target
Before=network.target

[Service]
Type=forking
ExecStart=/usr/local/bin/hostapd -B -P /var/run/hostapd.pid /etc/hostapd/hostapd.conf
#ExecStartPre=
ExecStartPost=/bin/sh -c '/usr/sbin/ifconfig wlp1s0 inet 172.16.64.1 netmask 255.255.224.0 up;/usr/sbin/ifconfig wlp1s0_0 inet 172.16.96.1 netmask 255.255.224.0 up;/usr/sbin/ifconfig wlp1s0_1 inet 172.16.224.1 netmask 255.255.224.0 up'
ExecReload=kill -HUP $MAINPID
ExecStop=kill $MAINPID
PIDFile=/var/run/hostapd.pid

[Install]
WantedBy=multi-user.target
I needed to enable the new systemd startup :
    systemctl daemon-reload
systemctl start hostapd
systemctl enable hostapd
A reboot, and I was finally online with two networks!
Posted by at
Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)