# hostapd issue (won't start)

## Akaihiryuu

I am using an Atheros based card and madwifi...right now I'm just using basic WEP so it works, but I want to do additional things with my access point that I need hostapd for.  I have configured hostapd correctly as far as I can tell, but it will not start:

```
triforce music # /etc/init.d/hostapd start
 * Starting hostapd ...
Configuration file: /etc/hostapd/hostapd.conf
Using interface ath0 with hwaddr 00:14:6c:c4:99:23 and ssid 'triforce'
Flushing old station entries
ioctl[unknown???]: Invalid argument
Could not connect to kernel driver.
Deauthenticate all stations
rmdir[ctrl_interface]: No such file or directory                          [ !! ]
```

Here is my hostapd.conf.  Everything as far as the wireless interface is working, it's just hostapd that won't start.  Any assistance would be appreciated.

```
##### hostapd configuration file ##############################################
# Empty lines and lines starting with # are ignored

# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for
# management frames); ath0 for madwifi
interface=ath0

# In case of madwifi driver, an additional configuration parameter, bridge,
# must be used to notify hostapd if the interface is included in a bridge. This
# parameter is not used with Host AP driver.
bridge=br0

# Driver interface type (hostap/wired/madwifi/prism54; default: hostap)
driver=madwifi

# hostapd event logger configuration
#
# Two output method: syslog and stdout (only usable if not forking to
# background).
#
# Module bitfield (ORed bitfield of modules that will be logged; -1 = all
# modules):
# bit 0 (1) = IEEE 802.11
# bit 1 (2) = IEEE 802.1X
# bit 2 (4) = RADIUS
# bit 3 (8) = WPA
# bit 4 (16) = driver interface
# bit 5 (32) = IAPP
#
# Levels (minimum value for logged events):
#  0 = verbose debugging
#  1 = debugging
#  2 = informational messages
#  3 = notification
#  4 = warning
#
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2

# Debugging: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 = excessive
debug=0

# Dump file for state information (on SIGUSR1)
dump_file=/tmp/hostapd.dump

# Interface for separate control program. If this is specified, hostapd
# will create this directory and a UNIX domain socket for listening to requests
# from external programs (CLI/GUI, etc.) for status information and
# configuration. The socket file will be named based on the interface name, so
# multiple hostapd processes/interfaces can be run at the same time if more
# than one interface is used.
# /var/run/hostapd is the recommended directory for sockets and by default,
# hostapd_cli will use it when trying to connect with hostapd.
ctrl_interface=/var/run/hostapd

# Access control for the control interface can be configured by setting the
# directory to allow only members of a group to use sockets. This way, it is
# possible to run hostapd as root (since it needs to change network
# configuration and open raw sockets) and still allow GUI/CLI components to be
# run as non-root users. However, since the control interface can be used to
# change the network configuration, this access needs to be protected in many
# cases. By default, hostapd is configured to use gid 0 (root). If you
# want to allow non-root users to use the contron interface, add a new group
# and change this value to match with that group. Add users that should have
# control interface access to this group.
#
# This variable can be a group name or gid.
#ctrl_interface_group=wheel
ctrl_interface_group=0

##### IEEE 802.11 related configuration #######################################

# SSID to be used in IEEE 802.11 management frames
ssid=triforce

# Station MAC address -based authentication
# 0 = accept unless in deny list
# 1 = deny unless in accept list
# 2 = use external RADIUS server (accept/deny lists are searched first)
macaddr_acl=0

# Accept/deny lists are read from separate files (containing list of
# MAC addresses, one per line). Use absolute path name to make sure that the
# files can be read on SIGHUP configuration reloads.
#accept_mac_file=/etc/hostapd/hostapd.accept
#deny_mac_file=/etc/hostapd/hostapd.deny

# IEEE 802.11 specifies two authentication algorithms. hostapd can be
# configured to allow both of these or only one. Open system authentication
# should be used with IEEE 802.1X.
# Bit fields of allowed authentication algorithms:
# bit 0 = Open System Authentication
# bit 1 = Shared Key Authentication (requires WEP)
auth_algs=3

# Associate as a station to another AP while still acting as an AP on the same
# channel.
#assoc_ap_addr=00:12:34:56:78:9a

##### IEEE 802.1X-2004 related configuration ##################################

# Require IEEE 802.1X authorization
#ieee8021x=1

# IEEE 802.1X/EAPOL version
# hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL
# version 2. However, there are many client implementations that do not handle
# the new version number correctly (they seem to drop the frames completely).
# In order to make hostapd interoperate with these clients, the version number
# can be set to the older version (1) with this configuration value.
#eapol_version=2

# Optional displayable message sent with EAP Request-Identity. The first \0
# in this string will be converted to ASCII-0 (nul). This can be used to
# separate network info (comma separated list of attribute=value pairs); see,
# e.g., draft-adrangi-eap-network-discovery-07.txt.
#eap_message=hello
#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com

# WEP rekeying (disabled if key lengths are not set or are set to 0)
# Key lengths for default/broadcast and individual/unicast keys:
# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
#wep_key_len_broadcast=5
#wep_key_len_unicast=5
# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)
#wep_rekey_period=300

# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
# only broadcast keys are used)
eapol_key_index_workaround=0

# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable
# reauthentication).
#eap_reauth_period=3600

# Use PAE group address (01:80:c2:00:00:03) instead of individual target
# address when sending EAPOL frames with driver=wired. This is the most common
# mechanism used in wired authentication, but it also requires that the port
# is only used by one station.
#use_pae_group_addr=1

##### Integrated EAP server ###################################################

# Optionally, hostapd can be configured to use an integrated EAP server
# to process EAP authentication locally without need for an external RADIUS
# server. This functionality can be used both as a local authentication server
# for IEEE 802.1X/EAPOL and as a RADIUS server for other devices.

# Use integrated EAP server instead of external RADIUS authentication
# server. This is also needed if hostapd is configured to act as a RADIUS
# authentication server.
eap_server=0

# Path for EAP server user database
#eap_user_file=/etc/hostapd/hostapd.eap_user

# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
#ca_cert=/etc/hostapd/hostapd.ca.pem

# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
#server_cert=/etc/hostapd/hostapd.server.pem

# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS
# This may point to the same file as server_cert if both certificate and key
# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be
# used by commenting out server_cert and specifying the PFX file as the
# private_key.
#private_key=/etc/hostapd/hostapd.server.prv

# Passphrase for private key
#private_key_passwd=secret passphrase

# Enable CRL verification.
# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a
# valid CRL signed by the CA is required to be included in the ca_cert file.
# This can be done by using PEM format for CA certificate and CRL and
# concatenating these into one file. Whenever CRL changes, hostapd needs to be
# restarted to take the new CRL into use.
# 0 = do not verify CRLs (default)
# 1 = check the CRL of the user certificate
# 2 = check all CRLs in the certificate path
#check_crl=1

# Configuration data for EAP-SIM database/authentication gateway interface.
# This is a text string in implementation specific format. The example
# implementation in eap_sim_db.c uses this as the file name for the GSM
# authentication triplets.
#eap_sim_db=/etc/hostapd/hostapd.sim_db

##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################

# Interface to be used for IAPP broadcast packets
#iapp_interface=eth0

##### RADIUS client configuration #############################################
# for IEEE 802.1X with external Authentication Server, IEEE 802.11
# authentication with external ACL for MAC addresses, and accounting

# The own IP address of the access point (used as NAS-IP-Address)
#own_ip_addr=127.0.0.1

# Optional NAS-Identifier string for RADIUS messages. When used, this should be
# a unique to the NAS within the scope of the RADIUS server. For example, a
# fully qualified domain name can be used here.
#nas_identifier=ap.example.com

# RADIUS authentication server
#auth_server_addr=127.0.0.1
#auth_server_port=1812
#auth_server_shared_secret=secret

# RADIUS accounting server
#acct_server_addr=127.0.0.1
#acct_server_port=1813
#acct_server_shared_secret=secret

# Secondary RADIUS servers; to be used if primary one does not reply to
# RADIUS packets. These are optional and there can be more than one secondary
# server listed.
#auth_server_addr=127.0.0.2
#auth_server_port=1812
#auth_server_shared_secret=secret2
#
#acct_server_addr=127.0.0.2
#acct_server_port=1813
#acct_server_shared_secret=secret2

# Retry interval for trying to return to the primary RADIUS server (in
# seconds). RADIUS client code will automatically try to use the next server
# when the current server is not replying to requests. If this interval is set,
# primary server will be retried after configured amount of time even if the
# currently used secondary server is still working.
#radius_retry_primary_interval=600

# Interim accounting update interval
# If this is set (larger than 0) and acct_server is configured, hostapd will
# send interim accounting updates every N seconds. Note: if set, this overrides
# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this
# value should not be configured in hostapd.conf, if RADIUS server is used to
# control the interim interval.
# This value should not be less 600 (10 minutes) and must not be less than
# 60 (1 minute).
#radius_acct_interim_interval=600

##### RADIUS authentication server configuration ##############################

# hostapd can be used as a RADIUS authentication server for other hosts. This
# requires that the integrated EAP authenticator is also enabled and both
# authentication services are sharing the same configuration.

# File name of the RADIUS clients configuration for the RADIUS server. If this
# commented out, RADIUS server is disabled.
#radius_server_clients=/etc/hostapd/hostapd.radius_clients

# The UDP port number for the RADIUS authentication server
#radius_server_auth_port=1812

# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API)
#radius_server_ipv6=1

##### WPA/IEEE 802.11i configuration ##########################################

# Enable WPA. Setting this variable configures the AP to require WPA (either
# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
# RADIUS authentication server must be configured, and WPA-EAP must be included
# in wpa_key_mgmt.
# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
# and/or WPA2 (full IEEE 802.11i/RSN):
# bit0 = WPA
# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
#wpa=1

# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
# (8..63 characters) that will be converted to PSK. This conversion uses SSID
# so the PSK changes when ASCII passphrase is used and the SSID is changed.
# wpa_psk (dot11RSNAConfigPSKValue)
# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#wpa_passphrase=secret passphrase

# Optionally, WPA PSKs can be read from a separate text file (containing list
# of (PSK,MAC address) pairs. This allows more than one PSK to be configured.
# Use absolute path name to make sure that the files can be read on SIGHUP
# configuration reloads.
#wpa_psk_file=/etc/hostapd/hostapd.wpa_psk

# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
# entries are separated with a space.
# (dot11RSNAConfigAuthenticationSuitesTable)
#wpa_key_mgmt=WPA-PSK WPA-EAP

# Set of accepted cipher suites (encryption algorithms) for pairwise keys
# (unicast packets). This is a space separated list of algorithms:
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# Group cipher suite (encryption algorithm for broadcast and multicast frames)
# is automatically selected based on this configuration. If only CCMP is
# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
# TKIP will be used as the group cipher.
# (dot11RSNAConfigPairwiseCiphersTable)
#wpa_pairwise=TKIP CCMP

# Time interval for rekeying GTK (broadcast/multicast encryption keys) in
# seconds. (dot11RSNAConfigGroupRekeyTime)
#wpa_group_rekey=600

# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
# (dot11RSNAConfigGroupRekeyStrict)
#wpa_strict_rekey=1

# Time interval for rekeying GMK (master key used internally to generate GTKs
# (in seconds).
#wpa_gmk_rekey=86400

# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
# authentication and key handshake before actually associating with a new AP.
# (dot11RSNAPreauthenticationEnabled)
#rsn_preauth=1
#
# Space separated list of interfaces from which pre-authentication frames are
# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all
# interface that are used for connections to other APs. This could include
# wired interfaces and WDS links. The normal wireless data interface towards
# associated stations (e.g., wlan0) should not be added, since
# pre-authentication is only used with APs other than the currently associated
# one.
#rsn_preauth_interfaces=eth0
```

----------

## didymos

What's the hostapd version? And madwifi?  Also, what's the goal w/hostapd?  You looking to do WPA/WPA2, PSK or Radius, etc?

----------

## Akaihiryuu

 *didymos wrote:*   

> What's the hostapd version? And madwifi?  Also, what's the goal w/hostapd?  You looking to do WPA/WPA2, PSK or Radius, etc?

 

For now, I just want to be able to use WEP with BOTH open and shared key authentication, so I don't have to lock my access point to shared only just to make my DS work.  At some future point I will want to enable WPA and such, but for right now I just want to get open and shared both working.

Here are my version numbers:

```
triforce akai # emerge -pv hostapd madwifi-ng

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] net-wireless/hostapd-0.4.9  USE="ipv6 madwifi ssl -logwatch" 0 kB
[ebuild   R   ] net-wireless/madwifi-ng-0.9.3.3  USE="injection" 0 kB
```

----------

## didymos

Oh, yeah, I remember from the other thread.  Try this:

```
interface=ath0
bridge=br0
driver=madwifi
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2

# For testing purposes. Reduce it back to 0 if everything works. It'll show up in the system log, but you can change your logger config so that it goes into its own file, if you want.
debug=4

dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=triforce
macaddr_acl=0
auth_algs=3
eap_server=0
own_ip_addr=127.0.0.1

# OK, this is how hostapd-0.6.1 does WEP.  I don't know if it holds for earlier versions, but I don't think it does. I'm including the comments from its default config file

# Static WEP key configuration
#
# The key number to use when transmitting.
# It must be between 0 and 3, and the corresponding key must be set.
# default: not set
wep_default_key=0

# The WEP keys to use.
# A key may be a quoted string or unquoted hexadecimal digits.
# The key length should be 5, 13, or 16 characters, or 10, 26, or 32
# digits, depending on whether 40-bit (64-bit), 104-bit (128-bit), or
# 128-bit (152-bit) WEP is used.
# Only the default key must be supplied; the others are optional.
# default: not set
wep_key0=<your key here>
```

Just to make sure, the ath_pci module was loaded already when you went to start hostapd and the ath0 interface was up, right?

----------

## Akaihiryuu

Yes, the module was loaded, interface was up.  In fact, my laptop can connect to it...I just want to use hostapd so I can use open and shared authentication simultaneously, which my current setup doesn't allow me to do.  The two WEP options in the config file you linked were rejected (hostapd said those two didn't exist), so I commented them out.  I'm still getting the same error:

```
triforce hostapd # /etc/init.d/hostapd start
 * Starting hostapd ...
Configuration file: /etc/hostapd/hostapd.conf
Configure bridge br0 for EAPOL traffic.
madwifi_set_iface_flags: dev_up=0
Using interface ath0 with hwaddr 00:14:6c:c4:99:23 and ssid 'triforce'
Flushing old station entries
madwifi_sta_deauth: addr=ff:ff:ff:ff:ff:ff reason_code=3
ioctl[unknown???]: Invalid argument
Could not connect to kernel driver.
Deauthenticate all stations
rmdir[ctrl_interface]: No such file or directory
madwifi_set_privacy: enabled=0
madwifi_set_iface_flags: dev_up=0                                         [ !! ]
```

It works perfectly fine without hostapd:

```
triforce conf.d # /etc/init.d/net.ath0 restart
 * Caching service dependencies ...                                       [ ok ]
 * Stopping ath0
 *   Bringing down ath0
 *     Shutting down ath0 ...                                             [ ok ]
 * Starting ath0
 *   Configuring wireless network for ath0
 *     ath0 configured as ESSID "triforce"
 *     in master mode on channel 11 (WEP enabled - restricted)
 *   Bringing up ath0                                                     [ ok ]
```

And my /etc/conf.d/net

```
modules=( "iproute2" )
modules_eth0=( "!plug" )
config_eth0=( "null" )
config_ath0=( "null" )
config_eth1=( "dhcp" )
config_br0=( "192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255" )
bridge_br0="eth0 ath0"
dhcpcd_eth1="-t 10 -R -Y -N"
essid_ath0="triforce"
mode_ath0="master"
channel_ath0="11"
key_triforce="<key goes here> enc restricted"
iwpriv_ath0="mode 0 authmode 2"
```

And once it's up without hostapd, my laptop can see and connect:

```
Cell 02 - Address: 00:14:6C:C4:99:23
                    ESSID:"triforce"
                    Protocol:IEEE 802.11b
                    Mode:Managed
                    Frequency:2.462 GHz (Channel 11)
                    Quality:89/100  Signal level:-39 dBm  Noise level:-96 dBm
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
                              11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
                    Extra:bcn_int=100
                    Extra:atim=0
```

Edit: I just found this:  http://readlist.com/lists/shmoo.com/hostap/0/430.html

I'm not sure if that's the problem or not this time though.

----------

## Akaihiryuu

I just decided to upgrade to the latest ~x86 version of hostapd...I ended up with 0.6.1.  It's working with all the options now, it does start and seem to work (WEP key shows up properly, other devices see the access point), however nothing is able to connect.  I even tried disabling WEP completely, and still nothing is able to connect to the access point.  I'm not getting any errors or anything in syslog that indicates what the problem may be.

Here are the options I'm using now in hostapd.conf:

```
interface=ath0
bridge=br0
driver=madwifi
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=0
dump_file=/tmp/hostapd.dump
ctrl_interface_group=0
country_code=US
ieee80211d=1
ieee80211h=1
channel=11
auth_algs=3
wep_default_key=0
wep_key0=<key goes here>
```

Any ideas?

----------

## didymos

Set the debug level back to 4.  On 0 it's completely disabled.

[edit]  Oh, and setting the channel doesn't work with the madwifi driver.  You have to do that outside of hostapd. Probably doesn't make any difference though.  Hostapd should just say basically "Sorry, can't do that" and then go on.

----------

## Akaihiryuu

Ok, even at debug level 4 I'm still getting absolutely nothing in /var/log/messages.  However, with enough playing around, I made it work without encryption.  WEP is completely nonfunctional, however, no matter what I try to connect to it with...it just times out.  I have no idea what's going on, but I need both open and shared authentication to work, or I'm just going to have to run completely unencrypted.

```
interface=ath0
bridge=br0
driver=madwifi
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=4
dump_file=/tmp/hostapd.dump
ctrl_interface_group=0
auth_algs=3
wep_default_key=0
wep_key0=<key>
```

Both my laptop and my DS just refuse to associate at all.  With WEP off, if something does associate, I do get stuff in /var/log/messages.

Edit: I've gotten my laptop to associate...but that's all it can do.  DHCP does not work with WEP on (in fact, the server never even sees the DHCP request).  Also, the auth_algs option does not do anything, it still uses open authentication whether it's set to 1 (open), 2 (shared), or 3 (both).  This explains why the DS cannot associate, as it only supports shared.

----------

## didymos

OK, strange.  You should be seeing all sorts of stuff in the logs.  Have you tried using tcpdump to sniff the ath0 interface?  Also, you may want to just try using WPA, as that and WPA2 are really what hostapd was designed for.  I've never tried to use it with WEP and I'm pretty sure only the latest versions can do that, and I wouldn't be surprised if the auth_algs option only matters for WPA/WPA2. I'd have to look at the source. For testing, I'd just use a really dumb, toy key.  Say, for instance, "key".  Then when it's debugged, you can generate a good random one with maximum length.

----------

## Akaihiryuu

Yeah, I have the latest version now, it DOES seem to work with WEP (iwconfig shows the key set correctly), I can associate, but something is keeping traffic from passing with WEP on.  If I leave WEP off...everything works fine.  The problem (and the reason I need WEP) is because I have 1 wireless device that does not support WPA.  Unless there is a way to mix WPA and WEP or WPA and unencrypted, I need to have shared authentication WEP going to support this device.  If not for it, I would be happy to use WPA, but it doesn't support it.   :Sad: 

----------

## didymos

Well, WEP mixed with WPA is fairly pointless.  I suppose if you hardly ever use the WEP device (let me guess: the DS), then security is improved on average, since there's a reduced likelihood that at any given time there is WEPped traffic to sniff.  With hostapd, you can set individual keys based on MAC addresses, but as far as I know that's only with WPA/WPA2.  Plus, I have no idea how it handles WEP+WPA/WPA2.  God, I wish WEP would just die already.

----------

## Akaihiryuu

I can definitely relate to that...if they would just add WPA support to the DS then that would solve all of my issues.  But I do use it online from time to time, and I'd rather not have to change my configuration every time I want to do so.   :Sad:   Every other device I have supports WPA.  But I KNOW it has to be possible to do my original plan of both open/shared authentication, because Linux-based access points do it.  I just don't know what's up with hostapd and the auth_algs argument...I read more on it and that option is definitely for WEP.

----------
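
Added example, not part of any post above and not code from hostapd: a small Python check that reads a hostapd.conf the way the config comments in the thread describe and reports on `auth_algs`, the static WEP key format and the protection level that results. The bit meanings and key-length rules are the ones quoted in the thread; the function names, finding codes and sample configs are constructed for illustration.

```python
import re

# Bit meanings and WEP key sizes as given in the hostapd.conf comments
# quoted in the thread.
AUTH_ALGS = {1: "Open System", 2: "Shared Key"}
WEP_STR_BITS = {5: 40, 13: 104, 16: 128}   # quoted string: chars -> key bits
WEP_HEX_BITS = {10: 40, 26: 104, 32: 128}  # unquoted hex: digits -> key bits


def parse_conf(text):
    """Return {option: value}; empty lines and '#' lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def decode_bits(value, names):
    """Expand a bitfield option into the names of the bits that are set."""
    return [name for bit, name in names.items() if int(value) & bit]


def wep_key_bits(value):
    """Key size in bits for a wep_keyN value, or None if malformed."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return WEP_STR_BITS.get(len(value) - 2)
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return WEP_HEX_BITS.get(len(value))
    return None


def audit(text):
    """Return (code, message) findings; the codes are hypothetical names."""
    conf = parse_conf(text)
    auth = decode_bits(conf.get("auth_algs", 0), AUTH_ALGS)
    wpa = int(conf.get("wpa", 0))
    keys = {i: conf[f"wep_key{i}"] for i in range(4) if f"wep_key{i}" in conf}
    out = []
    for i, value in keys.items():
        if wep_key_bits(value) is None:
            out.append(("WEP_KEY_FORMAT", f"wep_key{i}: need 5/13/16 quoted "
                        "characters or 10/26/32 hex digits"))
    if "wep_default_key" in conf and int(conf["wep_default_key"]) not in keys:
        out.append(("WEP_DEFAULT_KEY", "must be 0..3 and name a set wep_keyN"))
    if "Shared Key" in auth and not keys:
        out.append(("SHARED_KEY_NO_WEP", "auth_algs bit 1 requires WEP"))
    if keys and not wpa:
        out.append(("WEP_ONLY", "static WEP is the only protection configured"))
    if not keys and not wpa and conf.get("ieee8021x") != "1":
        out.append(("OPEN_NETWORK", "no WEP key, WPA or 802.1X configured"))
    if int(conf.get("debug", 0)) >= 3:
        out.append(("DEBUG_DUMPS", "debug>=3 is for testing; use 0 afterwards"))
    return out


# Constructed samples modelled on the configs in the thread; keys are made up.
SAMPLES = {
    "wep": "interface=ath0\ndriver=madwifi\ndebug=4\nauth_algs=3\n"
           "wep_default_key=0\nwep_key0=0123456789abcdef0123456789\n",
    "wep_commented_out": "interface=ath0\ndriver=madwifi\nauth_algs=3\n"
                         "#wep_default_key=0\n#wep_key0=0123456789\n",
    "bad_key": 'auth_algs=2\nwep_default_key=1\nwep_key0="key"\n',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, [code for code, _ in audit(text)])
```

The `wep_commented_out` sample mirrors the state where the WEP options were commented out while `auth_algs=3` stayed in place: Shared Key is requested with no key behind it, and the AP is effectively open.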

