# Hostapd madwifi Problem => Building AP

## MaTz

Hi, I'm trying to build my own AP.

I have an Atheros card:

```
0000:00:13.0 Ethernet controller: Atheros Communications, Inc. AR5212 802.11abg NIC (rev 01)
```

First, to test it, I configured my AP with NO ENCRYPTION and it works fine.

```
iwconfig ath0 mode master
iwconfig ath0 essid EpiaLinux
iwpriv ath0 mode 0
brctl addbr br0
brctl addif br0 ath0
brctl addif br0 eth1
ifconfig ath0 0.0.0.0
ifconfig eth1 0.0.0.0
ifconfig br0 192.168.1.130
```

When I try to connect to it from a Linux or Windows client I don't have any problem, it works!!!

Now I want to make my AP more secure (WPA encryption), so I built hostapd with this .config:

```
# Driver interface for Host AP driver
CONFIG_DRIVER_HOSTAP=y

# Driver interface for wired authenticator
#CONFIG_DRIVER_WIRED=y

# Driver interface for madwifi driver
CONFIG_DRIVER_MADWIFI=y
CFLAGS += -I /home/madwifi-ng
# change to reflect local setup; directory for madwifi src

# Driver interface for Prism54 driver
#CONFIG_DRIVER_PRISM54=y

# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
#CONFIG_DRIVER_BSD=y
#CFLAGS += -I/usr/local/include
#LIBS += -L/usr/local/lib

# IEEE 802.11F/IAPP
CONFIG_IAPP=y

# WPA2/IEEE 802.11i RSN pre-authentication
CONFIG_RSN_PREAUTH=y

# Integrated EAP server
CONFIG_EAP=y

# EAP-MD5 for the integrated EAP server
CONFIG_EAP_MD5=y

# EAP-TLS for the integrated EAP server
CONFIG_EAP_TLS=y

# EAP-MSCHAPv2 for the integrated EAP server
CONFIG_EAP_MSCHAPV2=y

# EAP-PEAP for the integrated EAP server
CONFIG_EAP_PEAP=y

# EAP-GTC for the integrated EAP server
CONFIG_EAP_GTC=y

# EAP-TTLS for the integrated EAP server
CONFIG_EAP_TTLS=y

# EAP-SIM for the integrated EAP server
#CONFIG_EAP_SIM=y

# EAP-PAX for the integrated EAP server
#CONFIG_EAP_PAX=y

# EAP-PSK for the integrated EAP server
#CONFIG_EAP_PSK=y

# PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y

# RADIUS authentication server. This provides access to the integrated EAP
# server from external hosts using RADIUS.
#CONFIG_RADIUS_SERVER=y

# Build IPv6 support for RADIUS operations
CONFIG_IPV6=y
```

I built it, then I configured it (hostap.conf):

```
##### hostapd configuration file ##############################################
# Empty lines and lines starting with # are ignored

# AP netdevice name (without 'ap' prefix, i.e., wlan0 uses wlan0ap for
# management frames)
interface=ath0

# Driver interface type (hostap/wired/madwifi/prism54; default: hostap)
driver=madwifi

# hostapd event logger configuration
#
# Two output method: syslog and stdout (only usable if not forking to
# background).
#
# Module bitfield (ORed bitfield of modules that will be logged; -1 = all
# modules):
# bit 0 (1) = IEEE 802.11
# bit 1 (2) = IEEE 802.1X
# bit 2 (4) = RADIUS
# bit 3 (8) = WPA
# bit 4 (16) = driver interface
# bit 5 (32) = IAPP
#
# Levels (minimum value for logged events):
#  0 = verbose debugging
#  1 = debugging
#  2 = informational messages
#  3 = notification
#  4 = warning
#
logger_syslog=8
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2

# Debugging: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 = excessive
debug=0

# Dump file for state information (on SIGUSR1)
dump_file=/tmp/hostapd.dump

# Interface for separate control program. If this is specified, wpa_supplicant
# will create this directory and a UNIX domain socket for listening to requests
# from external programs (CLI/GUI, etc.) for status information and
# configuration. The socket file will be named based on the interface name, so
# multiple hostapd processes/interfaces can be run at the same time if more
# than one interface is used.
# /var/run/hostapd is the recommended directory for sockets and by default,
# hostapd_cli will use it when trying to connect with hostapd.
ctrl_interface=/var/run/hostapd

# Access control for the control interface can be configured by setting the
# directory to allow only members of a group to use sockets. This way, it is
# possible to run wpa_supplicant as root (since it needs to change network
# configuration and open raw sockets) and still allow GUI/CLI components to be
# run as non-root users. However, since the control interface can be used to
# change the network configuration, this access needs to be protected in many
# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
# want to allow non-root users to use the contron interface, add a new group
# and change this value to match with that group. Add users that should have
# control interface access to this group.
#
# This variable can be a group name or gid.
ctrl_interface_group=wheel
#ctrl_interface_group=0

##### IEEE 802.11 related configuration #######################################

# SSID to be used in IEEE 802.11 management frames
ssid=gunhead

# Station MAC address -based authentication
# 0 = accept unless in deny list
# 1 = deny unless in accept list
# 2 = use external RADIUS server (accept/deny lists are searched first)
macaddr_acl=0

# Accept/deny lists are read from separate files (containing list of
# MAC addresses, one per line). Use absolute path name to make sure that the
# files can be read on SIGHUP configuration reloads.
#accept_mac_file=/etc/hostapd/hostapd.accept
deny_mac_file=/etc/hostapd/hostapd.deny

# IEEE 802.11 specifies two authentication algorithms. hostapd can be
# configured to allow both of these or only one. Open system authentication
# should be used with IEEE 802.1X.
# Bit fields of allowed authentication algorithms:
# bit 0 = Open System Authentication
# bit 1 = Shared Key Authentication (requires WEP)
auth_algs=1

# Associate as a station to another AP while still acting as an AP on the same
# channel.
#assoc_ap_addr=00:12:34:56:78:9a

##### IEEE 802.1X (and IEEE 802.1aa/D4) related configuration #################

# Require IEEE 802.1X authorization
ieee8021x=0

# Use integrated EAP authenticator instead of external RADIUS authentication
# server
eap_authenticator=0

# Path for EAP authenticator user database
#eap_user_file=/etc/hostapd.eap_user

# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
#ca_cert=/etc/hostapd.ca.pem

# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
#server_cert=/etc/hostapd.server.pem

# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS
# This may point to the same file as server_cert if both certificate and key
# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be
# used by commenting out server_cert and specifying the PFX file as the
# private_key.
#private_key=/etc/hostapd.server.prv

# Passphrase for private key
#private_key_passwd=secret passphrase

# Configuration data for EAP-SIM database/authentication gateway interface.
# This is a text string in implementation specific format. The example
# implementation in eap_sim_db.c uses this as the file name for the GSM
# authentication triplets.
#eap_sim_db=/etc/hostapd.sim_db

# Optional displayable message sent with EAP Request-Identity
#eap_message=hello

# WEP rekeying (disabled if key lengths are not set or are set to 0)
# Key lengths for default/broadcast and individual/unicast keys:
# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
#wep_key_len_broadcast=5
#wep_key_len_unicast=5

# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)
#wep_rekey_period=300

# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
# only broadcast keys are used)
eapol_key_index_workaround=128

# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable
# reauthentication).
#eap_reauth_period=3600

##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################

# Interface to be used for IAPP broadcast packets
#iapp_interface=eth0

##### RADIUS configuration ####################################################
# for IEEE 802.1X with external Authentication Server, IEEE 802.11
# authentication with external ACL for MAC addresses, and accounting

# The own IP address of the access point (used as NAS-IP-Address)
#own_ip_addr=127.0.0.1

# Optional NAS-Identifier string for RADIUS messages. When used, this should be
# a unique to the NAS within the scope of the RADIUS server. For example, a
# fully qualified domain name can be used here.
#nas_identifier=ap.example.com

# RADIUS authentication server
#auth_server_addr=127.0.0.1
#auth_server_port=1812
#auth_server_shared_secret=secret

# RADIUS accounting server
#acct_server_addr=127.0.0.1
#acct_server_port=1813
#acct_server_shared_secret=secret

# Secondary RADIUS servers; to be used if primary one does not reply to
# RADIUS packets. These are optional and there can be more than one secondary
# server listed.
#auth_server_addr=127.0.0.2
#auth_server_port=1812
#auth_server_shared_secret=secret2
#
#acct_server_addr=127.0.0.2
#acct_server_port=1813
#acct_server_shared_secret=secret2

# Retry interval for trying to return to the primary RADIUS server (in
# seconds). RADIUS client code will automatically try to use the next server
# when the current server is not replying to requests. If this interval is set,
# primary server will be retried after configured amount of time even if the
# currently used secondary server is still working.
#radius_retry_primary_interval=600

# Interim accounting update interval
# If this is set (larger than 0) and acct_server is configured, hostapd will
# send interim accounting updates every N seconds. Note: if set, this overrides
# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this
# value should not be configured in hostapd.conf, if RADIUS server is used to
# control the interim interval.
# This value should not be less 600 (10 minutes) and must not be less than
# 60 (1 minute).
#radius_acct_interim_interval=600

# hostapd can be used as a RADIUS authentication server for other hosts. This
# requires that the integrated EAP authenticator is also enabled and both
# authentication services are sharing the same configuration.

# File name of the RADIUS clients configuration for the RADIUS server. If this
# commented out, RADIUS server is disabled.
#radius_server_clients=/etc/hostapd.radius_clients

# The UDP port number for the RADIUS authentication server
#radius_server_auth_port=1812

##### WPA/IEEE 802.11i configuration ##########################################

# Enable WPA. Setting this variable configures the AP to require WPA (either
# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
# RADIUS authentication server must be configured, and WPA-EAP must be included
# in wpa_key_mgmt.
# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
# and/or WPA2 (full IEEE 802.11i/RSN):
# bit0 = WPA
# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
wpa=1

# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
# (8..63 characters) that will be converted to PSK. This conversion uses SSID
# so the PSK changes when ASCII passphrase is used and the SSID is changed.
# wpa_psk (dot11RSNAConfigPSKValue)
# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
#wpa_psk=
wpa_passphrase=secret_passphrase

# Optionally, WPA PSKs can be read from a separate text file (containing list
# of (PSK,MAC address) pairs. This allows more than one PSK to be configured.
# Use absolute path name to make sure that the files can be read on SIGHUP
# configuration reloads.
#wpa_psk_file=/etc/hostapd.wpa_psk

# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
# entries are separated with a space.
# (dot11RSNAConfigAuthenticationSuitesTable)
wpa_key_mgmt=WPA-PSK

# Set of accepted cipher suites (encryption algorithms) for pairwise keys
# (unicast packets). This is a space separated list of algorithms:
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# Group cipher suite (encryption algorithm for broadcast and multicast frames)
# is automatically selected based on this configuration. If only CCMP is
# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
# TKIP will be used as the group cipher.
# (dot11RSNAConfigPairwiseCiphersTable)
wpa_pairwise=TKIP

# Time interval for rekeying GTK (broadcast/multicast encryption keys) in
# seconds. (dot11RSNAConfigGroupRekeyTime)
wpa_group_rekey=180

# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
# (dot11RSNAConfigGroupRekeyStrict)
wpa_strict_rekey=0

# Time interval for rekeying GMK (master key used internally to generate GTKs
# (in seconds).
wpa_gmk_rekey=1800

# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
# authentication and key handshake before actually associating with a new AP.
# (dot11RSNAPreauthenticationEnabled)
#rsn_preauth=1
#
# Space separated list of interfaces from which pre-authentication frames are
# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all
# interface that are used for connections to other APs. This could include
# wired interfaces and WDS links. The normal wireless data interface towards
# associated stations (e.g., wlan0) should not be added, since
# pre-authentication is only used with APs other than the currently associated
# one.
#rsn_preauth_interfaces=eth0
```

Then I started it:

```
 ./hostapd -B /root/hostup
Configuration file: /root/hostup
Using interface ath0 with hwaddr 00:90:96:9b:e8:e6 and ssid 'gunhead'
Flushing old station entries
Deauthenticate all stations
```

Next I tried to connect from a Windows client. Windows asks for the password, I entered it and it replies "Connected", but when I try to ping 192.168.1.130 (the AP IP) it doesn't ping.

What can I do? Please help me :Sad:

----------

## daeghrefn

I checked out your latest forum post, and one thing I see is that you have eth0 and ath0 configured in a bridge.  To the best of my knowledge, bridging a wireless and wired connection in Linux is not yet supported.  Personally, I use routing, and ShoreWall (iptables) does that for me.  However, according to your post, it sounds like you have bridging working.  Unfortunately, I can't help you with that part.  I will break it down for you, and give advice as best I can:

1.  Get the madwifi drivers working.

2.  Get hostapd working.

3.  Get DHCP working for your wireless subnet (which should be a different subnet than your wired subnet)

4.  Get WPA/WEP working.

5.  Get routing working (IPTables) -OR- get your bridge working.

This thread is very good for getting the madwifi driver working with wpa_supplicant.  Before they removed the 200509xx-r1 driver from portage, I had it working with that version, but then they upgraded to the november snapshot and removed the september version for whatever reason.

Now personally, I use the ShoreWall frontend to my IPtables configuration.  I have the wireless interface set in one zone, and the wired interface set in a separate zone, which allows me to specifically control traffic back and forth between the two.  They are in separate subnets (192.168.1.0 for wired, 192.168.2.0 for wireless), and I have a single DHCP server set up to serve both subnets (it knows which address to give based on the interface).  Now in reality, I have a dhcp relay agent on the router, and the actual DHCP server is on the wired segment.  It is easier, however, to run the DHCP server on the same machine as the wireless and wired interfaces.

Driver version info:

```
[ebuild   R   ] net-wireless/madwifi-driver-0.1_pre20051208  0 kB [1]
[ebuild   R   ] net-wireless/madwifi-tools-0.1_pre20051208  0 kB [1]
[ebuild   R   ] net-wireless/wpa_supplicant-0.4.7-r1  -gsm -qt +readline +ssl 0 kB [1]
[ebuild   R   ] net-wireless/hostapd-0.4.7  -ipv6 -logwatch +madwifi +ssl 0 kB
```

As you can see, my madwifi-driver, madwifi-tools and wpa_supplicant are all portage overlays from the above how-to.  I am running hostapd 0.4.7, which when I last emerge synced (about 1.5 weeks ago) was still under the ~x86 branch.

Here are some links to my config files (posting them will make this too long):

/etc/wpa_supplicant.conf

/etc/hostapd/hostapd.conf

/etc/conf.d/hostapd

Shorewall configs

/etc/shorewall/policy

/etc/shorewall/rules

/etc/shorewall/zones

Also looking in your configuration, you need to modify the ESSID in your /etc/hostapd/hostapd.conf file from the example you used (gunhead) to what you actually want to use.  Also in my configuration file, I have the option:

```
# In case of madwifi driver, an additional configuration parameter, bridge,
# must be used to notify hostapd if the interface is included in a bridge. This
# parameter is not used with Host AP driver.
#bridge=br0
```

You might want to give that a try, but again, I have no experience with bridging a wireless interface.

I also recommend that you use the init scripts to start and stop hostapd unless it is crashing.  This will make your life easier.  I would also use /etc/conf.d/net to set up your ath0 interface.  Again, being able to restart your interface is easier in my opinion, if you have to make a minor interface configuration change.  It also tests the "live" configuration for after a reboot, for example.

```
# /etc/init.d/hostapd start
# /etc/init.d/hostapd stop
# /etc/init.d/hostapd restart
```

I hope this all helps.  If you have any questions, let me know.

----------
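
Added example (not part of any post in this thread, and not hostapd's own tooling): a Python check over the active lines of a hostapd.conf that flags what is visible in the configuration posted above, namely sample `ssid`/`wpa_passphrase` values left in place, WPA enabled without the RSN bit or CCMP, and a bridged madwifi interface with no `bridge=` line. The function names, the `bridged_ifaces` argument and the excerpt `POSTED_CONF` are assumptions made for the example.

```python
# Values from the sample file quoted in this thread; if they are left in
# place, the network name and the key are whatever the sample ships with.
SAMPLE_DEFAULTS = {"ssid": "gunhead", "wpa_passphrase": "secret_passphrase"}


def parse_hostapd_conf(text):
    """Return {key: value} for active (non-comment) lines; last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit(settings, bridged_ifaces=()):
    """Return a list of (key, finding) tuples.

    bridged_ifaces: interface names the caller knows are part of a bridge
    (hypothetical input, e.g. read off `brctl show`); nothing is probed here.
    """
    findings = []
    for key, sample in SAMPLE_DEFAULTS.items():
        if settings.get(key) == sample:
            findings.append((key, "still set to the sample value"))

    wpa = int(settings.get("wpa", "0"))
    if wpa == 0:
        findings.append(("wpa", "WPA is not enabled"))
    elif not wpa & 2:
        findings.append(("wpa", "bit1 (IEEE 802.11i/RSN, WPA2) is not set"))

    if wpa and "CCMP" not in settings.get("wpa_pairwise", "").split():
        findings.append(("wpa_pairwise", "CCMP is not offered"))

    phrase = settings.get("wpa_passphrase")
    if phrase is not None and not 8 <= len(phrase) <= 63:
        findings.append(("wpa_passphrase", "length outside 8..63 characters"))

    if "WPA-PSK" in settings.get("wpa_key_mgmt", "").split():
        if not (phrase or settings.get("wpa_psk") or settings.get("wpa_psk_file")):
            findings.append(("wpa_key_mgmt", "WPA-PSK selected but no PSK is set"))

    # Per the comment in the sample file: with the madwifi driver, hostapd
    # must be told when the interface is included in a bridge.
    if (settings.get("driver") == "madwifi"
            and settings.get("interface") in bridged_ifaces
            and "bridge" not in settings):
        findings.append(("bridge", "madwifi interface is bridged but bridge= is unset"))
    return findings


# Constructed excerpt: the active lines of the hostapd.conf posted above.
POSTED_CONF = """\
interface=ath0
driver=madwifi
ssid=gunhead
wpa=1
wpa_passphrase=secret_passphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
#bridge=br0
"""

if __name__ == "__main__":
    conf = parse_hostapd_conf(POSTED_CONF)
    for key, finding in audit(conf, bridged_ifaces=("ath0",)):
        print(f"{key}: {finding}")
```

----------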

## MaTz

Do I really need wpa_supplicant?

Have you tried to connect from a Windows client?

Argh, I have the same configuration but it doesn't work!

Argh!!!

 :Evil or Very Mad: 

Hmm... do I need a particular kernel module?

Thanks!!!

----------

## daeghrefn

My clients are Windows XP.  Actually, my only clients are Windows, because my wireless card in my laptop requires ndiswrapper, and either the version of ndiswrapper or the driver I have is not compatible with wpa_supplicant... grrr... but that's another story.

Yes, you must emerge wpa_supplicant in order to get any sort of wpa working.  Check out my wpa_supplicant.conf file, it's pretty easy to configure.  And hostapd.conf is easy as pie to configure as well.

You don't require any special kernel modifications for WPA, I don't think.  You do require them for iptables, bridging and that other happy special stuff.  Make sure you follow that guide though, because you have to add MADWIFI support to wpa_supplicant 0.4.7 in order for it to work correctly.

EDIT:  I stand corrected on the bridging thing.  AFAIK, a while back bridging didn't support a wireless to wired bridge.  Apparently now it does.  Here's the wiki entry: here

----------

## MaTz

OK,

Now I have reinstalled Gentoo from stage 1.

I have installed:

```
[ebuild   R   ] net-wireless/madwifi-driver-0.1_pre20051208  0 kB [1]
[ebuild   R   ] net-wireless/madwifi-tools-0.1_pre20051208  0 kB [1]
[ebuild   R   ] net-wireless/wpa_supplicant-0.4.7-r1  -gsm -qt +readline +ssl 0 kB [1]
[ebuild   R   ] net-wireless/hostapd-0.4.7  -ipv6 -logwatch +madwifi +ssl 0 kB
```

Can you post your /etc/conf.d/net? :Very Happy:

Thanks

----------

## MaTz

OK, it works (without bridge).

Now I must find more info about bridge and hostapd.

Thanks!!!!

----------

## daeghrefn

Here's the relevant part of my /etc/conf.d/net config file:

```
preup() {
   if [ "${IFACE}" == "ath0" ]; then
      /sbin/wlanconfig ath0 create wlandev wifi0 wlanmode ap > /dev/null
      return $?
   fi

   if mii-tool ${IFACE} 2> /dev/null | grep -q 'no link'; then
      ewarn "No link on ${IFACE}, aborting configuration"
      return 1
   fi

   return 0
}

predown() {
   if [ "${IFACE}" == "ath0" ]; then
      killall wpa_supplicant
      /sbin/wlanconfig ath0 destroy
   fi

   return 0
}

ifconfig_ath0=( "10.17.2.225/24 brd 10.17.2.255" )
essid_ath0="Dravidia"
mode_ath0="Master"
channel_ath0="6"
```

That's it.  Don't need to define wpa here because it's defined in the hostapd.conf and wpa_supplicant.conf files.  We would define it here if we were a client connecting to an encrypted access point.

Good luck.

----------

## MaTz

Last question :Smile:

If you try to connect and you enter a wrong password (key), what happens?

In my case, if a Windows client connects with a wrong password it keeps the connection (Windows says Connected), but when I try to ping, connect via ssh, etc., it doesn't work.

Next I took a look at the hostapd log and I see that every two appears:

```
ath0: STA *:*:*:*:*: associated
ath0: STA *:*:*:*:*: deassociated
```

----------

## daeghrefn

Yeah, that's what I usually see in my logs when the encryption doesn't sync.  I would say that's standard.

----------

## guni

@daeghrefn

Can you put your config files back online, please?

----------

## daeghrefn

I never took them down.  Let me know if my webserver is acting up.  It's working locally.

----------

## guni

It's working again. Thanks...

----------

## guni

I have this problem after using the config files.

```
Jan 15 17:44:12 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: deassociated
Jan 15 17:44:12 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: associated
Jan 15 17:44:15 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: deauthenticated due to local deauth request
Jan 15 17:44:15 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: deassociated
Jan 15 17:44:17 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: associated
Jan 15 17:44:20 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: deauthenticated due to local deauth request
Jan 15 17:44:20 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: deassociated
Jan 15 17:44:21 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: associated
Jan 15 17:44:24 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: deauthenticated due to local deauth request
Jan 15 17:44:24 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: deassociated
Jan 15 17:44:24 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: associated
Jan 15 17:44:27 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: deauthenticated due to local deauth request
Jan 15 17:44:27 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: deassociated
Jan 15 17:44:29 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: associated
Jan 15 17:44:32 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: deauthenticated due to local deauth request
Jan 15 17:44:32 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: deassociated
Jan 15 17:44:33 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: associated
Jan 15 17:44:36 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: deauthenticated due to local deauth request
Jan 15 17:44:36 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: deassociated
Jan 15 17:44:36 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: associated
```

Anyone else with the same problem?

----------

## guni

*guni wrote:*

> I have this problem after using the config files.
>
> ```
> Jan 15 17:44:12 Zemprode hostapd: ath0: STA 00:04:23:94:72:ac IEEE 802.11: deassociated
> ...
> ```

Seems to be a client problem. Intel proset drivers don't work with hostapd in my setup. I hope to find a solution soon.

Under Gentoo everything works great.

----------
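
Added example (not from any poster in this thread and not part of hostapd): a Python pass over hostapd syslog lines that flags stations stuck in the loop reported above, where a station associates and is deauthenticated by the AP a few seconds later, which the thread attributes to a wrong key or an incompatible client driver. The thresholds, the function names, the placeholder year and the constructed sample log with made-up MAC addresses are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the syslog format shown in the thread, e.g.
# "Jan 15 17:44:15 host hostapd: ath0: STA <mac> IEEE 802.11: <event>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\shostapd:\s(?P<iface>\S+):\s"
    r"STA\s(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\sIEEE 802\.11:\s(?P<event>.+)$",
    re.IGNORECASE,
)
LOCAL_DEAUTH = "deauthenticated due to local deauth request"


def failed_cycles(lines, max_gap=timedelta(seconds=5), year=2000):
    """Return {mac: [time of each associate -> local-deauth pair]}.

    Syslog timestamps carry no year, so a placeholder year is supplied.
    """
    last_assoc = {}
    cycles = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        mac, event = m["mac"].lower(), m["event"]
        if event == "associated":
            last_assoc[mac] = ts
        elif event.startswith(LOCAL_DEAUTH):
            start = last_assoc.pop(mac, None)
            if start is not None and ts - start <= max_gap:
                cycles[mac].append(ts)
    return cycles


def flag_loops(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {mac: count} for stations with >= threshold cycles in one window."""
    flagged = {}
    for mac, times in failed_cycles(lines).items():
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[mac] = best
    return flagged


def constructed_sample():
    """Constructed log: one station looping every 4 s, one that stays associated."""
    fmt = "Jan 15 17:44:{:02d} ap hostapd: ath0: STA {} IEEE 802.11: {}"
    lines = [fmt.format(10, "02:00:00:00:00:02", "associated")]
    for i in range(6):
        t = 12 + 4 * i
        lines.append(fmt.format(t, "02:00:00:00:00:01", "associated"))
        lines.append(fmt.format(t + 3, "02:00:00:00:00:01", LOCAL_DEAUTH))
        lines.append(fmt.format(t + 3, "02:00:00:00:00:01", "deassociated"))
    return lines


if __name__ == "__main__":
    for mac, count in flag_loops(constructed_sample()).items():
        print(f"{mac}: {count} associate/deauth cycles within 60 s")
```

The loop alone does not say which cause applies; a single station cycling while others stay associated points at that client, while every station cycling points at the AP configuration.

----------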

