# any success with madwifi + hostapd?

## jathey

Can anyone help me get madwifi and hostapd working happily together?

I'm trying to get my D-Link G520 PCI card working with HostAPD.  I used to use a Prism2 card using the HostAP drivers, but I want to move up to 802.11g.  I got the latest madwifi driver from CVS, and I altered the hostapd-0.3.7.ebuild to point to the headers from madwifi's CVS instead of the headers from the outdated tarball.

The ath_pci module loads fine and creates an ath0 network interface.  My /etc/hostapd/hostapd.conf file has the line "driver=madwifi" now.  I turned on some of the debugging, so I get these messages when I start the hostapd service:

```
# /etc/init.d/hostapd start

* Starting HostAPD...

Configuration file: /etc/hostapd/hostapd.conf

madwifi_set_iface_flags: dev_up=0

Using interface ath0 with hwaddr 00:0f:3d:ae:c3:51 and ssid 'mypoint'

madwifi_set_ieee8021x: enabled=1

madwifi_configure_wpa: group key cipher=1

madwifi_configure_wpa: pairwise key ciphers=0x2

madwifi_configure_wpa: key management algorithms=0x2

madwifi_configure_wpa: rsn capabilities=0x0

madwifi_configure_wpa: enable WPA= 0x1

madwifi_set_iface_flags: dev_up=1

madwifi_set_privacy: enabled=1

WPA: group state machine entering state GTK_INIT

GMK - hexdump(len=32): (bunch of hex)

GTK - hexdump(len=32): (bunch of hex)

WPA: group state machine entering state SETKEYSDONE

madwifi_set_key: alg=TKIP addr=00:00:00:00:00:00 key_idx=1

Flushing old station entries

Deauthenticate all stations                                               [ ok ]
```

At this point, nobody can connect to my access point.  I have to do the following steps to get any connection:

```
# iwpriv ath0 mode 3

# iwconfig ath0 mode master

# iwconfig ath0 rate 54M
```

With this, my laptop repeatedly tries and fails to associate with my gentoo box.  Similarly, my /var/log/messages fills up with repetitions of the following:

```
Mar  8 23:37:01 hosty hostapd: ath0: STA 00:0f:b5:22:49:7e IEEE 802.1X: unauthorizing port

Mar  8 23:37:01 hosty hostapd: ath0: STA 00:0f:b5:22:49:7e WPA: sending 1/4 msg of 4-Way Handshake

Mar  8 23:37:02 hosty hostapd: ath0: STA 00:0f:b5:22:49:7e WPA: EAPOL-Key timeout
```

For anyone who's curious, here's what lspci returns:

```
0000:00:0d.0 Ethernet controller: Atheros Communications, Inc. AR5212 802.11abgNIC (rev 01)

        Subsystem: D-Link System Inc DWL-G520 Wireless PCI Adapter rev. B

        Flags: bus master, medium devsel, latency 168, IRQ 5

        Memory at df000000 (32-bit, non-prefetchable)

        Capabilities: [44] Power Management version 2
```

[/code]

Anyone have any clues, or a similar setup?  I miss my wireless, but I really don't want to go back to 802.11b speeds!

Thanks,

James  Athey

----------

## Simius

Hello!

I just got WPA-PSK working with my Gentoo box as the AP (D-link DWL-G520, madwifi-driver-0.1-rc20050224 and hostapd-0.3.7) and a notebook with Windows 2000 and a D-link DWL-650 as the test client.

First I got almost the same problem as you, after setting up hostapd for WPA-PSK. Now, there is a big catch here - you can never know if the AP or the client is wrong...

The key to get it working was to patch the hostapd sources to use EAPOL version 1 instead of 2 - I found this hint on the hostapd mailing list, in conjunction with Mac clients which have difficulties with EAPOL 2. Now, I thought maybe the win2000 client has difficulties with it too, and - lo and behold - it really had.

This is done by changing "#define EAPOL_VERSION 2" to "#define EAPOL_VERSION 1" in ieee802_1x.h.

Here is a patch file:

```

--- old/ieee802_1x.h    2004-12-05 07:05:43.000000000 +0100

+++ new/ieee802_1x.h    2005-03-13 17:05:13.140193609 +0100

@@ -10,7 +10,7 @@ struct ieee802_1x_hdr {

        /* followed by length octets of data */

 } __attribute__ ((packed));

-#define EAPOL_VERSION 2

+#define EAPOL_VERSION 1

 enum { IEEE802_1X_TYPE_EAP_PACKET = 0,

        IEEE802_1X_TYPE_EAPOL_START = 1,

```

Now, I also applied the "Dmadwifi-hostapd-groupkey.patch" patch to my madwifi driver before finding the above solution, and it didn't make things right. BUT maybe it did have a part in the final outcome of a working WPA-PSK authorization. I don't know if it's necessary, I didn't have the nerves to recompile and try madwifi without it. Somebody else try it.  :Wink: 

Here's this patch:

```

Index: net80211/ieee80211_output.c

===================================================================

RCS file: /cvsroot/madwifi/madwifi/net80211/ieee80211_output.c,v

retrieving revision 1.8

diff -u -p -r1.8 ieee80211_output.c

--- net80211/ieee80211_output.c   31 Jan 2005 16:46:30 -0000   1.8

+++ net80211/ieee80211_output.c   7 Feb 2005 18:41:52 -0000

@@ -200,32 +200,37 @@ ieee80211_skbhdr_adjust(struct ieee80211

    return skb;

 }

 

+#define KEY_UNDEFINED(k)        ((k).wk_cipher == &ieee80211_cipher_none)

 /*

- * Return the transmit key to use in sending a frame to

- * the specified destination. Multicast traffic always

- * uses the group key.  Otherwise if a unicast key is

- * set we use that.  When no unicast key is set we fall

- * back to the default transmit key.

- */ 

+ * Return the transmit key to use in sending a unicast frame.

+ * If a unicast key is set we use that.  When no unicast key is set

+ * we fall back to the default transmit key.

+ */

 static inline struct ieee80211_key *

-ieee80211_crypto_getkey(struct ieee80211com *ic,

-   const u_int8_t mac[IEEE80211_ADDR_LEN], struct ieee80211_node *ni)

+ieee80211_crypto_getucastkey(struct ieee80211com *ic, struct ieee80211_node *ni)

 {

-#define   KEY_UNDEFINED(k)   ((k).wk_cipher == &ieee80211_cipher_none)

-   if (IEEE80211_IS_MULTICAST(mac) || KEY_UNDEFINED(ni->ni_ucastkey)) {

-      if (ic->ic_def_txkey == IEEE80211_KEYIX_NONE ||

-          KEY_UNDEFINED(ic->ic_nw_keys[ic->ic_def_txkey])) {

-         IEEE80211_DPRINTF(ic, IEEE80211_MSG_OUTPUT,

-             ("%s: no transmit key, def_txkey %u\n",

-             __func__, ic->ic_def_txkey));

-         /* XXX statistic */

-         return NULL;

-      }

-      return &ic->ic_nw_keys[ic->ic_def_txkey];

-   } else {

-      return &ni->ni_ucastkey;

-   }

-#undef KEY_UNDEFINED

+        if (KEY_UNDEFINED(ni->ni_ucastkey)) {

+                if (ic->ic_def_txkey == IEEE80211_KEYIX_NONE ||

+                    KEY_UNDEFINED(ic->ic_nw_keys[ic->ic_def_txkey]))

+                        return NULL;

+                return &ic->ic_nw_keys[ic->ic_def_txkey];

+        } else {

+                return &ni->ni_ucastkey;

+        }

+}

+

+/*

+ * Return the transmit key to use in sending a multicast frame.

+ * Multicast traffic always uses the group key which is installed as

+ * the default tx key.

+ */

+static inline struct ieee80211_key *

+ieee80211_crypto_getmcastkey(struct ieee80211com *ic, struct ieee80211_node *ni)

+{

+        if (ic->ic_def_txkey == IEEE80211_KEYIX_NONE ||

+            KEY_UNDEFINED(ic->ic_nw_keys[ic->ic_def_txkey]))

+                return NULL;

+        return &ic->ic_nw_keys[ic->ic_def_txkey];

 }

 

 /*

@@ -274,21 +279,33 @@ ieee80211_encap(struct ieee80211com *ic,

       }

    }

 

-   /*

-    * Insure space for additional headers.  First

-    * identify transmit key to use in calculating any

-    * buffer adjustments required.  This is also used

-    * below to do privacy encapsulation work.

-    *

-    * Note key may be NULL if we fall back to the default

-    * transmit key and that is not set.  In that case the

-    * buffer may not be expanded as needed by the cipher

-    * routines, but they will/should discard it.

-    */

-   if (ic->ic_flags & IEEE80211_F_PRIVACY)

-      key = ieee80211_crypto_getkey(ic, eh.ether_dhost, ni);

-   else

-      key = NULL;

+        /*

+         * Insure space for additional headers.  First identify

+         * transmit key to use in calculating any buffer adjustments

+         * required.  This is also used below to do privacy

+         * encapsulation work.  Then calculate the 802.11 header

+         * size and any padding required by the driver.

+         *

+         * Note key may be NULL if we fall back to the default

+         * transmit key and that is not set.  In that case the

+         * buffer may not be expanded as needed by the cipher

+         * routines, but they will/should discard it.

+         */

+        if (ic->ic_flags & IEEE80211_F_PRIVACY) {

+                if (ic->ic_opmode == IEEE80211_M_STA ||

+                    !IEEE80211_IS_MULTICAST(eh.ether_dhost))

+                        key = ieee80211_crypto_getucastkey(ic, ni);

+                else

+                        key = ieee80211_crypto_getmcastkey(ic, ni);

+                if (key == NULL && eh.ether_type != htons(ETHERTYPE_PAE)) {

+                        IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO,

+                            ("[%s] no default transmit key (%s) deftxkey %u\n",

+              __func__,

+              ether_sprintf(eh.ether_dhost), ic->ic_def_txkey));

+                        ic->ic_stats.is_tx_nodefkey++;

+                }

+        } else

+                key = NULL;

    skb = ieee80211_skbhdr_adjust(ic, key, skb);

    if (skb == NULL) {

       /* NB: ieee80211_skbhdr_adjust handles msgs+statistics */

@@ -333,24 +350,27 @@ ieee80211_encap(struct ieee80211com *ic,

    case IEEE80211_M_MONITOR:

       goto bad;

    }

-   if (eh.ether_type != __constant_htons(ETHERTYPE_PAE) ||

-       (key != NULL && (ic->ic_flags & IEEE80211_F_WPA))) {

-      /*

-       * IEEE 802.1X: send EAPOL frames always in the clear.

-       * WPA/WPA2: encrypt EAPOL keys when pairwise keys are set.

-       */

-      if (key != NULL) {

-         wh->i_fc[1] |= IEEE80211_FC1_WEP;

-         /* XXX do fragmentation */

-         if (!ieee80211_crypto_enmic(ic, key, skb)) {

-            IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO,

-                ("[%s] enmic failed, discard frame\n",

-                ether_sprintf(eh.ether_dhost)));

-            /* XXX statistic */

-            goto bad;

-         }

-      }

-   }

+

+        if (key != NULL) {

+                /*

+                 * IEEE 802.1X: send EAPOL frames always in the clear.

+                 * WPA/WPA2: encrypt EAPOL keys when pairwise keys are set.

+                 */

+                if (eh.ether_type != __constant_htons(ETHERTYPE_PAE) ||

+                    ((ic->ic_flags & IEEE80211_F_WPA) &&

+                     !KEY_UNDEFINED(ni->ni_ucastkey))) {

+                        wh->i_fc[1] |= IEEE80211_FC1_WEP;

+                        /* XXX do fragmentation */

+                        if (!ieee80211_crypto_enmic(ic, key, skb)) {

+                                IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO,

+                                    ("[%s] enmic failed, discard frame\n",

+                                    ether_sprintf(eh.ether_dhost)));

+                                /* XXX statistic */

+                                goto bad;

+                        }

+                }

+        }

+

    if (eh.ether_type != __constant_htons(ETHERTYPE_PAE)) {

       /*

        * Reset the inactivity timer only for non-PAE traffic

```

And finally, to help the poor souls wandering the sparsely documented wasteland of madwifi and hostapd AP configuration, my config files:

/etc/conf.d/wireless

```

# ath0 gunhead

# channel 5

essid_ath0="gunhead"

mode_ath0="master"

channel_ath0="5"

iwpriv_ath0="mode 3"

# gunhead 192.168.16.0

config_gunhead=( "192.168.16.1 netmask 255.255.255.0 broadcast 192.168.16.255" )

```

/etc/hostapd/hostapd.conf

```

##### hostapd configuration file ##############################################

# Empty lines and lines starting with # are ignored

# AP netdevice name (without 'ap' prefix, i.e., wlan0 uses wlan0ap for

# management frames)

interface=ath0

# Driver interface type (hostap/wired/madwifi/prism54; default: hostap)

driver=madwifi

# hostapd event logger configuration

#

# Two output method: syslog and stdout (only usable if not forking to

# background).

#

# Module bitfield (ORed bitfield of modules that will be logged; -1 = all

# modules):

# bit 0 (1) = IEEE 802.11

# bit 1 (2) = IEEE 802.1X

# bit 2 (4) = RADIUS

# bit 3 (8) = WPA

# bit 4 (16) = driver interface

# bit 5 (32) = IAPP

#

# Levels (minimum value for logged events):

#  0 = verbose debugging

#  1 = debugging

#  2 = informational messages

#  3 = notification

#  4 = warning

#

logger_syslog=8

logger_syslog_level=2

logger_stdout=-1

logger_stdout_level=2

# Debugging: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 = excessive

debug=0

# Dump file for state information (on SIGUSR1)

dump_file=/tmp/hostapd.dump

# Interface for separate control program. If this is specified, wpa_supplicant

# will create this directory and a UNIX domain socket for listening to requests

# from external programs (CLI/GUI, etc.) for status information and

# configuration. The socket file will be named based on the interface name, so

# multiple hostapd processes/interfaces can be run at the same time if more

# than one interface is used.

# /var/run/hostapd is the recommended directory for sockets and by default,

# hostapd_cli will use it when trying to connect with hostapd.

ctrl_interface=/var/run/hostapd

# Access control for the control interface can be configured by setting the

# directory to allow only members of a group to use sockets. This way, it is

# possible to run wpa_supplicant as root (since it needs to change network

# configuration and open raw sockets) and still allow GUI/CLI components to be

# run as non-root users. However, since the control interface can be used to

# change the network configuration, this access needs to be protected in many

# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you

# want to allow non-root users to use the contron interface, add a new group

# and change this value to match with that group. Add users that should have

# control interface access to this group.

#

# This variable can be a group name or gid.

ctrl_interface_group=wheel

#ctrl_interface_group=0

##### IEEE 802.11 related configuration #######################################

# SSID to be used in IEEE 802.11 management frames

ssid=gunhead

# Station MAC address -based authentication

# 0 = accept unless in deny list

# 1 = deny unless in accept list

# 2 = use external RADIUS server (accept/deny lists are searched first)

macaddr_acl=0

# Accept/deny lists are read from separate files (containing list of

# MAC addresses, one per line). Use absolute path name to make sure that the

# files can be read on SIGHUP configuration reloads.

#accept_mac_file=/etc/hostapd/hostapd.accept

deny_mac_file=/etc/hostapd/hostapd.deny

# IEEE 802.11 specifies two authentication algorithms. hostapd can be

# configured to allow both of these or only one. Open system authentication

# should be used with IEEE 802.1X.

# Bit fields of allowed authentication algorithms:

# bit 0 = Open System Authentication

# bit 1 = Shared Key Authentication (requires WEP)

auth_algs=1

# Associate as a station to another AP while still acting as an AP on the same

# channel.

#assoc_ap_addr=00:12:34:56:78:9a

##### IEEE 802.1X (and IEEE 802.1aa/D4) related configuration #################

# Require IEEE 802.1X authorization

ieee8021x=0

# Use integrated EAP authenticator instead of external RADIUS authentication

# server

eap_authenticator=0

# Path for EAP authenticator user database

#eap_user_file=/etc/hostapd.eap_user

# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS

#ca_cert=/etc/hostapd.ca.pem

# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS

#server_cert=/etc/hostapd.server.pem

# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS

# This may point to the same file as server_cert if both certificate and key

# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be

# used by commenting out server_cert and specifying the PFX file as the

# private_key.

#private_key=/etc/hostapd.server.prv

# Passphrase for private key

#private_key_passwd=secret passphrase

# Configuration data for EAP-SIM database/authentication gateway interface.

# This is a text string in implementation specific format. The example

# implementation in eap_sim_db.c uses this as the file name for the GSM

# authentication triplets.

#eap_sim_db=/etc/hostapd.sim_db

# Optional displayable message sent with EAP Request-Identity

#eap_message=hello

# WEP rekeying (disabled if key lengths are not set or are set to 0)

# Key lengths for default/broadcast and individual/unicast keys:

# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)

# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)

#wep_key_len_broadcast=5

#wep_key_len_unicast=5

# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)

#wep_rekey_period=300

# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if

# only broadcast keys are used)

eapol_key_index_workaround=128

# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable

# reauthentication).

#eap_reauth_period=3600

##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################

# Interface to be used for IAPP broadcast packets

#iapp_interface=eth0

##### RADIUS configuration ####################################################

# for IEEE 802.1X with external Authentication Server, IEEE 802.11

# authentication with external ACL for MAC addresses, and accounting

# The own IP address of the access point (used as NAS-IP-Address)

#own_ip_addr=127.0.0.1

# Optional NAS-Identifier string for RADIUS messages. When used, this should be

# a unique to the NAS within the scope of the RADIUS server. For example, a

# fully qualified domain name can be used here.

#nas_identifier=ap.example.com

# RADIUS authentication server

#auth_server_addr=127.0.0.1

#auth_server_port=1812

#auth_server_shared_secret=secret

# RADIUS accounting server

#acct_server_addr=127.0.0.1

#acct_server_port=1813

#acct_server_shared_secret=secret

# Secondary RADIUS servers; to be used if primary one does not reply to

# RADIUS packets. These are optional and there can be more than one secondary

# server listed.

#auth_server_addr=127.0.0.2

#auth_server_port=1812

#auth_server_shared_secret=secret2

#

#acct_server_addr=127.0.0.2

#acct_server_port=1813

#acct_server_shared_secret=secret2

# Retry interval for trying to return to the primary RADIUS server (in

# seconds). RADIUS client code will automatically try to use the next server

# when the current server is not replying to requests. If this interval is set,

# primary server will be retried after configured amount of time even if the

# currently used secondary server is still working.

#radius_retry_primary_interval=600

# Interim accounting update interval

# If this is set (larger than 0) and acct_server is configured, hostapd will

# send interim accounting updates every N seconds. Note: if set, this overrides

# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this

# value should not be configured in hostapd.conf, if RADIUS server is used to

# control the interim interval.

# This value should not be less 600 (10 minutes) and must not be less than

# 60 (1 minute).

#radius_acct_interim_interval=600

# hostapd can be used as a RADIUS authentication server for other hosts. This

# requires that the integrated EAP authenticator is also enabled and both

# authentication services are sharing the same configuration.

# File name of the RADIUS clients configuration for the RADIUS server. If this

# commented out, RADIUS server is disabled.

#radius_server_clients=/etc/hostapd.radius_clients

# The UDP port number for the RADIUS authentication server

#radius_server_auth_port=1812

##### WPA/IEEE 802.11i configuration ##########################################

# Enable WPA. Setting this variable configures the AP to require WPA (either

# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either

# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.

# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),

# RADIUS authentication server must be configured, and WPA-EAP must be included

# in wpa_key_mgmt.

# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)

# and/or WPA2 (full IEEE 802.11i/RSN):

# bit0 = WPA

# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)

wpa=1

# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit

# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase

# (8..63 characters) that will be converted to PSK. This conversion uses SSID

# so the PSK changes when ASCII passphrase is used and the SSID is changed.

# wpa_psk (dot11RSNAConfigPSKValue)

# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)

#wpa_psk=

wpa_passphrase=secret_passphrase

# Optionally, WPA PSKs can be read from a separate text file (containing list

# of (PSK,MAC address) pairs. This allows more than one PSK to be configured.

# Use absolute path name to make sure that the files can be read on SIGHUP

# configuration reloads.

#wpa_psk_file=/etc/hostapd.wpa_psk

# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The

# entries are separated with a space.

# (dot11RSNAConfigAuthenticationSuitesTable)

wpa_key_mgmt=WPA-PSK

# Set of accepted cipher suites (encryption algorithms) for pairwise keys

# (unicast packets). This is a space separated list of algorithms:

# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]

# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]

# Group cipher suite (encryption algorithm for broadcast and multicast frames)

# is automatically selected based on this configuration. If only CCMP is

# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,

# TKIP will be used as the group cipher.

# (dot11RSNAConfigPairwiseCiphersTable)

wpa_pairwise=TKIP

# Time interval for rekeying GTK (broadcast/multicast encryption keys) in

# seconds. (dot11RSNAConfigGroupRekeyTime)

wpa_group_rekey=180

# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.

# (dot11RSNAConfigGroupRekeyStrict)

wpa_strict_rekey=0

# Time interval for rekeying GMK (master key used internally to generate GTKs

# (in seconds).

wpa_gmk_rekey=1800

# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up

# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN

# authentication and key handshake before actually associating with a new AP.

# (dot11RSNAPreauthenticationEnabled)

#rsn_preauth=1

#

# Space separated list of interfaces from which pre-authentication frames are

# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all

# interface that are used for connections to other APs. This could include

# wired interfaces and WDS links. The normal wireless data interface towards

# associated stations (e.g., wlan0) should not be added, since

# pre-authentication is only used with APs other than the currently associated

# one.

#rsn_preauth_interfaces=eth0

```

[/code]

----------

## jathey

Thank you so much for posting your info.  I'm going to try this the first opportunity I get, and I'll post here with my results.

----------

## jathey

It works!  For some reason the /etc/conf.d/wireless changes don't seem to have any effect, so I had to change my iwpriv and iwconfig settings manually.  I did have to apply the madwifi-hostapd-groupkey.patch again, which I had reverted because I thought I read a forum post somewhere that said it was no longer needed.

I'm using the latest CVS for both madwifi and hostap, and I simply copied the new hostapd binary to /usr/sbin instead of running make install.

Thanks again!

----------

## Simius

You need to have the new, 1.11.* baselayout installed for wireless init scripts.

See the "wireless networking the gentoo way" HOWTO on the gentoo wiki about details. You need to unmask several ~x86 marked base packages (sysvinit, bash, readline, etc., incl. baselayout-1.11.* itself).

----------

## TobyWan

Thanks a lot for posting those config files!

I also have a D-link DWL-G520, which I've got working without encryption. I'm now trying to get WPA working, but am having trouble applying the madwifi-hostapd-groupkey patch (I already tried without the patch with no sucess).

This is the first time I've tried using the portage overlay and a modified ebuild, so I'm probably doing something stupid. Basically, I've just copied the patch posted above to a file, made sure the ebuild inherits eutils, and added an epatch line to the end of src_unpack.

However, the patch fails. Am I trying to patch against the wrong version? I also tried modifying the ebuild to get the latest cvs snapshot of the madwifi driver, but that also didn't work.

Thanks!

Toby

----------

## JoKo

Do I have to do these patches still???

I'm also trying WPA-PSK using the combination madwifi and hostapd... The authorisation seems to be OK, but later I can't get an IP from the AP...

----------

## rapsel

Hi there,

I am trying to get my acx111(D-Link DWL-G520+ PCI card; Texas Instruments ACX 111 54Mbps Wireless)  

chipset to work with hostap to build a wifi Access Point, i bought the card because I thought it had a atheros 

chipset on it,  but it doesn't seem to  be the case.... :Sad: 

Does anybody know if somebody is working on hostap and acx111 support?

(Intersil's Prism2/2.5/3 chipset) are supported as far as I can find. 

Does anybody  know if there are other programs i can use?

Thanx in advance,

Greeztz,

R.

----------

## guni

IS there a way to get intel proset software for windows to connect with hostapd and madwifi???

----------

## Paczesiowa

I know this is old topic but I cant get this to work. I tried these configs, I tried those from madwifi www and all I get is XP laptop can see protected network but when trying to connect it says "waiting for network" and after a minute it disappears but it's still not connected:/ running hostapd with "hostapd -dd /etc/hostapd/hostapd.conf" gives no errors. i tried different versions, I tried that eapol patch, I tried compiling it by hand and still nothing.

so could any of u guys post your working-at-the-moment configs? and info about how do u start it (/etc/init.d/wireless or manual with iwconfig ) because I'm about to give up, it took me 5 min to install atheros card and run it without encryption but 4days aren't enough to get it to work with wpa:/

----------

## mterlouw

I just want to do a brain dump here since I just got done configuring my new Atheros card with madwifi + hostapd. I may miss a some of the stuff I did, but hopefully what I remember will be useful to others.  Also, there may be a bunch of stuff in here that isn't necessary or doesn't apply to everyone.

 - Added bridging and wireless support to the kernel, rebuilt the kernel.

 - Got a TRENDnet TEW-503PI from Newegg.com. It's an 802.11a/b/g PCI card.

 - Added madwifi use flag to package.use next to net-wireless/hostapd.

 - Emerged -uDN madwifi-ng hostapd wireless-tools.

 - Added madwifi-ng to my kernel-rebuild script list of packages to be emerged after a kernel compile (since it makes a kernel module).

 - Added "options ath_pci autocreate=ap" to /etc/modules.d/ath_pci

 - Added ath_pci to /etc/modules.autoload.d/kernel-2.6

 - Ran modules-update

 - modprobe'd ath_pci

 - Edited my /etc/conf.d/net -- Note that there are a few things in here that are specific to my network.  Also there's a couple of things that I'm not sure what they do (iwpriv_ath0="mode 3" for one).  Info compiled from the Gentoo wiki and this topic (thanks, Simius!).

```
#-----------------------------------------------------------------------------

# Internet

config_eth0=( "dhcp" )

dhcpcd_eth0="-N -t 10"

# DHCP options:

#  -N = Don't let dhcpcd overwrite ntp.conf.

#  -t = Timeout if server is not responding.

#-----------------------------------------------------------------------------

# Intranet

# Old config (before access point and bridge):

#config_eth1=( "192.168.0.1/24 broadcast 192.168.0.255" )

# Bridge configuration.

bridge_br0=( "eth1" "ath0" )

config_br0=( "192.168.0.1/24 broadcast 192.168.0.255" )

routes_br0=( "default via 192.168.0.1" )

depend_br0() {

        need net.eth1 net.ath0

}

# Local network configuration.

config_eth1=( "null" )

# Access point configuration.

config_ath0=( "null" )

modules_ath0=( "iwconfig" )

mode_ath0=( "Master" )

essid_ath0=( "Belafonte" )

channel_ath0=( "8" )

iwpriv_ath0="mode 3"

#-----------------------------------------------------------------------------
```

 - Added links in /etc/init.d/ for net.ath0 and net.br0 (both to net.lo).

 - Removed net.eth1 from the default runlevel.

 - Added net.br0 to the default runlevel.

 - Edited my /etc/hostapd/hostapd.conf to look a whole lot like Simius' a couple of posts above.  Make sure you enable some form of encryption or else you run into this.

 - Changed /etc/conf.d/hostapd to read INTERFACES="br0".

 - Added hostapd to the default runlevel.

 - Edited my iptables firewall script and dnsmasq.conf to rename the local interface from eth1 to br0.  If you have any services running on the local network (that is now part of the bridge), and configured those services specifically for that interface (say eth1), you'll probably need to update their configuration to reflect the fact that br0 is now the local network interface and the restart the service.

 - If you're following along, you may want to reboot at this point.  And make sure you have access to a physical console since your local network is probably about to get hosed.  :Wink: 

 - Brought down the local networks.

 - Brought up br0.

 - Started hostapd.

 - Everything seems to be working.  :Smile:   Connected with a Windows and Linux client using WPA (v1).

One thing I'd like to know, is how to enable 802.11a?  My adapter in Windows says it connected using 802.11g, but I'd like to use a since both the laptop and access point support it, and it's supposed to be better in terms of lower interference.  Does anyone know how to do that using madwifi & hostapd?

----------

## mterlouw

 *Paczesiowa wrote:*   

> I know this is old topic but I cant get this to work. I tried these configs, I tried those from madwifi www and all I get is XP laptop can see protected network but when trying to connect it says "waiting for network" and after a minute it disappears but it's still not connected:/ running hostapd with "hostapd -dd /etc/hostapd/hostapd.conf" gives no errors. i tried different versions, I tried that eapol patch, I tried compiling it by hand and still nothing.
> 
> so could any of u guys post your working-at-the-moment configs? and info about how do u start it (/etc/init.d/wireless or manual with iwconfig ) because I'm about to give up, it took me 5 min to install atheros card and run it without encryption but 4days aren't enough to get it to work with wpa:/

 

Here's my hostapd.conf (below). The only things I changed in it I believe were at the very beginning and the very end.

I don't do anything to start the access point; it's all ready to go after the system boots. See my previous post as to how I got to that point. I don't have a /etc/init.d/wireless, but I do have a /etc/init.d/hostapd. I suppose the access point would work without starting hostapd, though without encryption.

```
##### hostapd configuration file ##############################################

# Empty lines and lines starting with # are ignored

# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for

# management frames); ath0 for madwifi

interface=ath0

# In case of madwifi driver, an additional configuration parameter, bridge,

# must be used to notify hostapd if the interface is included in a bridge. This

# parameter is not used with Host AP driver.

bridge=br0

# Driver interface type (hostap/wired/madwifi/prism54; default: hostap)

driver=madwifi

# hostapd event logger configuration

#

# Two output method: syslog and stdout (only usable if not forking to

# background).

#

# Module bitfield (ORed bitfield of modules that will be logged; -1 = all

# modules):

# bit 0 (1) = IEEE 802.11

# bit 1 (2) = IEEE 802.1X

# bit 2 (4) = RADIUS

# bit 3 (8) = WPA

# bit 4 (16) = driver interface

# bit 5 (32) = IAPP

#

# Levels (minimum value for logged events):

#  0 = verbose debugging

#  1 = debugging

#  2 = informational messages

#  3 = notification

#  4 = warning

#

logger_syslog=-1

logger_syslog_level=2

logger_stdout=-1

logger_stdout_level=2

# Debugging: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 = excessive

debug=0

# Dump file for state information (on SIGUSR1)

dump_file=/tmp/hostapd.dump

# Interface for separate control program. If this is specified, hostapd

# will create this directory and a UNIX domain socket for listening to requests

# from external programs (CLI/GUI, etc.) for status information and

# configuration. The socket file will be named based on the interface name, so

# multiple hostapd processes/interfaces can be run at the same time if more

# than one interface is used.

# /var/run/hostapd is the recommended directory for sockets and by default,

# hostapd_cli will use it when trying to connect with hostapd.

ctrl_interface=/var/run/hostapd

# Access control for the control interface can be configured by setting the

# directory to allow only members of a group to use sockets. This way, it is

# possible to run hostapd as root (since it needs to change network

# configuration and open raw sockets) and still allow GUI/CLI components to be

# run as non-root users. However, since the control interface can be used to

# change the network configuration, this access needs to be protected in many

# cases. By default, hostapd is configured to use gid 0 (root). If you

# want to allow non-root users to use the contron interface, add a new group

# and change this value to match with that group. Add users that should have

# control interface access to this group.

#

# This variable can be a group name or gid.

#ctrl_interface_group=wheel

ctrl_interface_group=0

##### IEEE 802.11 related configuration #######################################

# SSID to be used in IEEE 802.11 management frames

ssid=Belafonte

# Station MAC address -based authentication

# 0 = accept unless in deny list

# 1 = deny unless in accept list

# 2 = use external RADIUS server (accept/deny lists are searched first)

macaddr_acl=0

# Accept/deny lists are read from separate files (containing list of

# MAC addresses, one per line). Use absolute path name to make sure that the

# files can be read on SIGHUP configuration reloads.

#accept_mac_file=/etc/hostapd/hostapd.accept

#deny_mac_file=/etc/hostapd/hostapd.deny

# IEEE 802.11 specifies two authentication algorithms. hostapd can be

# configured to allow both of these or only one. Open system authentication

# should be used with IEEE 802.1X.

# Bit fields of allowed authentication algorithms:

# bit 0 = Open System Authentication

# bit 1 = Shared Key Authentication (requires WEP)

auth_algs=3

# Associate as a station to another AP while still acting as an AP on the same

# channel.

#assoc_ap_addr=00:12:34:56:78:9a

##### IEEE 802.1X-2004 related configuration ##################################

# Require IEEE 802.1X authorization

#ieee8021x=1

# IEEE 802.1X/EAPOL version

# hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL

# version 2. However, there are many client implementations that do not handle

# the new version number correctly (they seem to drop the frames completely).

# In order to make hostapd interoperate with these clients, the version number

# can be set to the older version (1) with this configuration value.

#eapol_version=2

# Optional displayable message sent with EAP Request-Identity. The first \0

# in this string will be converted to ASCII-0 (nul). This can be used to

# separate network info (comma separated list of attribute=value pairs); see,

# e.g., draft-adrangi-eap-network-discovery-07.txt.

#eap_message=hello

#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com

# WEP rekeying (disabled if key lengths are not set or are set to 0)

# Key lengths for default/broadcast and individual/unicast keys:

# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)

# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)

#wep_key_len_broadcast=5

#wep_key_len_unicast=5

# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)

#wep_rekey_period=300

# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if

# only broadcast keys are used)

eapol_key_index_workaround=0

# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable

# reauthentication).

#eap_reauth_period=3600

# Use PAE group address (01:80:c2:00:00:03) instead of individual target

# address when sending EAPOL frames with driver=wired. This is the most common

# mechanism used in wired authentication, but it also requires that the port

# is only used by one station.

#use_pae_group_addr=1

##### Integrated EAP server ###################################################

# Optionally, hostapd can be configured to use an integrated EAP server

# to process EAP authentication locally without need for an external RADIUS

# server. This functionality can be used both as a local authentication server

# for IEEE 802.1X/EAPOL and as a RADIUS server for other devices.

# Use integrated EAP server instead of external RADIUS authentication

# server. This is also needed if hostapd is configured to act as a RADIUS

# authentication server.

eap_server=0

# Path for EAP server user database

#eap_user_file=/etc/hostapd/hostapd.eap_user

# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS

#ca_cert=/etc/hostapd/hostapd.ca.pem

# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS

#server_cert=/etc/hostapd/hostapd.server.pem

# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS

# This may point to the same file as server_cert if both certificate and key

# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be

# used by commenting out server_cert and specifying the PFX file as the

# private_key.

#private_key=/etc/hostapd/hostapd.server.prv

# Passphrase for private key

#private_key_passwd=secret passphrase

# Enable CRL verification.

# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a

# valid CRL signed by the CA is required to be included in the ca_cert file.

# This can be done by using PEM format for CA certificate and CRL and

# concatenating these into one file. Whenever CRL changes, hostapd needs to be

# restarted to take the new CRL into use.

# 0 = do not verify CRLs (default)

# 1 = check the CRL of the user certificate

# 2 = check all CRLs in the certificate path

#check_crl=1

# Configuration data for EAP-SIM database/authentication gateway interface.

# This is a text string in implementation specific format. The example

# implementation in eap_sim_db.c uses this as the file name for the GSM

# authentication triplets.

#eap_sim_db=/etc/hostapd/hostapd.sim_db

##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################

# Interface to be used for IAPP broadcast packets

#iapp_interface=eth0

##### RADIUS client configuration #############################################

# for IEEE 802.1X with external Authentication Server, IEEE 802.11

# authentication with external ACL for MAC addresses, and accounting

# The own IP address of the access point (used as NAS-IP-Address)

own_ip_addr=127.0.0.1

# Optional NAS-Identifier string for RADIUS messages. When used, this should be

# a unique to the NAS within the scope of the RADIUS server. For example, a

# fully qualified domain name can be used here.

#nas_identifier=ap.example.com

# RADIUS authentication server

#auth_server_addr=127.0.0.1

#auth_server_port=1812

#auth_server_shared_secret=secret

# RADIUS accounting server

#acct_server_addr=127.0.0.1

#acct_server_port=1813

#acct_server_shared_secret=secret

# Secondary RADIUS servers; to be used if primary one does not reply to

# RADIUS packets. These are optional and there can be more than one secondary

# server listed.

#auth_server_addr=127.0.0.2

#auth_server_port=1812

#auth_server_shared_secret=secret2

#

#acct_server_addr=127.0.0.2

#acct_server_port=1813

#acct_server_shared_secret=secret2

# Retry interval for trying to return to the primary RADIUS server (in

# seconds). RADIUS client code will automatically try to use the next server

# when the current server is not replying to requests. If this interval is set,

# primary server will be retried after configured amount of time even if the

# currently used secondary server is still working.

#radius_retry_primary_interval=600

# Interim accounting update interval

# If this is set (larger than 0) and acct_server is configured, hostapd will

# send interim accounting updates every N seconds. Note: if set, this overrides

# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this

# value should not be configured in hostapd.conf, if RADIUS server is used to

# control the interim interval.

# This value should not be less 600 (10 minutes) and must not be less than

# 60 (1 minute).

#radius_acct_interim_interval=600

##### RADIUS authentication server configuration ##############################

# hostapd can be used as a RADIUS authentication server for other hosts. This

# requires that the integrated EAP authenticator is also enabled and both

# authentication services are sharing the same configuration.

# File name of the RADIUS clients configuration for the RADIUS server. If this

# commented out, RADIUS server is disabled.

#radius_server_clients=/etc/hostapd/hostapd.radius_clients

# The UDP port number for the RADIUS authentication server

#radius_server_auth_port=1812

# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API)

#radius_server_ipv6=1

##### WPA/IEEE 802.11i configuration ##########################################

# Enable WPA. Setting this variable configures the AP to require WPA (either

# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either

# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.

# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),

# RADIUS authentication server must be configured, and WPA-EAP must be included

# in wpa_key_mgmt.

# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)

# and/or WPA2 (full IEEE 802.11i/RSN):

# bit0 = WPA

# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)

wpa=1

# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit

# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase

# (8..63 characters) that will be converted to PSK. This conversion uses SSID

# so the PSK changes when ASCII passphrase is used and the SSID is changed.

# wpa_psk (dot11RSNAConfigPSKValue)

# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)

#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

#wpa_passphrase=secret passphrase

wpa_passphrase=Put your secret passphrase here.

# Optionally, WPA PSKs can be read from a separate text file (containing list

# of (PSK,MAC address) pairs. This allows more than one PSK to be configured.

# Use absolute path name to make sure that the files can be read on SIGHUP

# configuration reloads.

#wpa_psk_file=/etc/hostapd/hostapd.wpa_psk

# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The

# entries are separated with a space.

# (dot11RSNAConfigAuthenticationSuitesTable)

#wpa_key_mgmt=WPA-PSK WPA-EAP

wpa_key_mgmt=WPA-PSK

# Set of accepted cipher suites (encryption algorithms) for pairwise keys

# (unicast packets). This is a space separated list of algorithms:

# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]

# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]

# Group cipher suite (encryption algorithm for broadcast and multicast frames)

# is automatically selected based on this configuration. If only CCMP is

# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,

# TKIP will be used as the group cipher.

# (dot11RSNAConfigPairwiseCiphersTable)

#wpa_pairwise=TKIP CCMP

# Time interval for rekeying GTK (broadcast/multicast encryption keys) in

# seconds. (dot11RSNAConfigGroupRekeyTime)

#wpa_group_rekey=600

# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.

# (dot11RSNAConfigGroupRekeyStrict)

#wpa_strict_rekey=1

# Time interval for rekeying GMK (master key used internally to generate GTKs

# (in seconds).

#wpa_gmk_rekey=86400

# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up

# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN

# authentication and key handshake before actually associating with a new AP.

# (dot11RSNAPreauthenticationEnabled)

#rsn_preauth=1

#

# Space separated list of interfaces from which pre-authentication frames are

# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all

# interface that are used for connections to other APs. This could include

# wired interfaces and WDS links. The normal wireless data interface towards

# associated stations (e.g., wlan0) should not be added, since

# pre-authentication is only used with APs other than the currently associated

# one.

#rsn_preauth_interfaces=eth0
```

The above config works for me. I think everything else I did was in the prior post.

----------

## mterlouw

Ok, to answer my own question, it was the iwpriv="mode 3" that was forcing the card into 802.11g instead of 802.11a. Setting it to mode 1 (and an appropriate channel) got me into A.

----------

## Paczesiowa

is it possible that my card cannot do wpa in ap mode? cause I tried alredy everything:/

when using your hostapd.conf there are 2 errors:

1 of them is because "driver=madwifi " (there is space after madwifi) which results in unknown driver "madwifi "

but after fixing that I still cannot start hostapd, it doesn't want to tell me what is the error:/ but I did my own config with only important lines and it starts but still XPSP2 laptop doesn't want to connect to it (waiting for network blahblah no errors) and there are no errors on server side:/ 

these are my config files:

/etc/hostapd/hostapd.conf

```
#bridge=br0

interface=ath0

driver=madwifi

logger_syslog=-1

logger_syslog_level=2

logger_stdout=-1

logger_stdout_level=2

debug=2

ctrl_interface_group=0

macaddr_acl=0

#deny_mac_file=/etc/hostapd.deny

auth_algs=3

eapol_key_index_workaround=0

eapol_version=1

eap_server=0

dump_file=/tmp/hostapd.dump

ssid="DOM"

wpa=1

wpa_passphrase=bahormamona0

wpa_key_mgmt=WPA-PSK

wpa_pairwise=TKIP CCMP
```

that eapol_version=1 doesn't change anything:/

/etc/conf.d/net

```
ifconfig_eth1=( "83.14.227.138 broadcast 83.14.227.143 netmask 255.255.255.248"$

routes_eth1=( "default gw 83.14.227.137" )

ifconfig_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )

ifconfig_eth2=( "192.168.1.1 broadcast 192.168.1.255 netmask 255.255.255.0" )

config_ath0=( "null" )

modules_ath0=( "iwconfig" )

mode_ath0=( "Master" )

essid_ath0=( "Dom" )

channel_ath0=( "1" )

iwpriv_ath0="mode 3"

```

my card is 

```
00:07.0 Ethernet controller: Atheros Communications, Inc. AR5005G 802.11abg NIC (rev 01)
```

but dmesg says 

```
wifi0: Atheros 5212: mem=0xfb000000, irq=10
```

EDIT: what versions of hostapd and madwifi-ng do u use? I use ~x86 could that be the problem? (I don't think so cause drivers are working (without wpa it's ok) and hostapd alone I tried plenty of versions)

----------

## Paczesiowa

omg I lost 6 days of googling, configuring, swearing and it was fault of 

```
ssid="DOM"
```

and there shouldn't be ""

I'm oficially moron of the week

sorry to bother u all.

----------

