hostapd configuration
Homepage: http://w1.fi/hostapd/
hostapd is an IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator. This page is dedicated to the Linux documentation of its implementation and use. Please refer to the hostapd home page for information on other operating systems.
As far as Linux is concerned, of the old drivers only these three can be used with hostapd:
HostAP
madwifi
prism54
All new mac80211 based drivers that implement AP functionality are supported with hostapd’s nl80211 driver.
The mac80211 subsystem moves all aspects of master mode into user space. It depends on hostapd to handle authenticating clients, setting encryption keys, establishing key rotation policy, and other aspects of the wireless infrastructure. Due to this, the old method of issuing 'iwconfig <wireless interface> mode master' no longer works. Userspace programs like hostapd now use netlink (the nl80211 driver) to create a master mode interface for your traffic and a monitor mode interface for receiving and transmitting management frames.
Getting hostapd
Using your distribution's hostapd
It is advisable to try your distribution's version of hostapd before taking the time to compile and install your own copy. This will make future maintenance easier, as you'll be able to use the init scripts shipped by the distro and hostapd will be updated by it as well. If your distribution ships 0.6.8 or later, you can test with this bare-minimum config by creating the file hostapd-minimal.conf:
#change wlan0 to your wireless device
interface=wlan0
driver=nl80211
ssid=test
channel=1
If that config errors out with something like:
hostapd $ sudo hostapd ./hostapd-minimal.conf
Configuration file: ./hostapd-minimal.conf
Line 2: invalid/unknown driver 'nl80211'
1 errors found in configuration file './hostapd-minimal.conf'
that means your distro is not shipping hostapd with nl80211 driver support and you'll need to follow the build instructions below. If the minimal config works, you can skip down to the Configuring hostapd section. If not, continue on.
Download and compile hostapd
Using hostapd with nl80211 requires at least libnl-1.0 pre8, as this release introduced genl (Generic Netlink), which nl80211 relies on. Most distributions are shipping this or a later release by now. To compile on Fedora or other distributions that separate the headers from the binaries, you need the libnl-devel package.
Throughout this section, versions will be referred to by: x.y.z
ex: hostapd-0.6.8.tar.gz would be referred to as hostapd-x.y.z.tar.gz
You can get the latest development version of hostapd from the git repository with:
git clone git://w1.fi/srv/git/hostap.git
cd hostap/hostapd
Or you can get a stable release (0.6.8 or later recommended) by downloading the tarball from http://w1.fi/hostapd/.
wget http://w1.fi/releases/hostapd-x.y.z.tar.gz
tar xzvf hostapd-x.y.z.tar.gz
cd hostapd-x.y.z/hostapd
Next, we need to configure the hostapd build to enable nl80211 driver support. Copy defconfig to .config and open it in your preferred text editor. There are other options you may want to enable, such as 802.11n support if your hardware can do it. Most of the other encryption types and features aren't needed for typical applications, so if you're wondering whether you need to enable one, you probably don't.
cp defconfig .config
vi .config
Now find this line:
#CONFIG_DRIVER_NL80211=y
and uncomment it by removing the '#' sign. Repeat for other settings you may be interested in. The basic configuration, with only this line uncommented, is enough to get hostapd up and running with WPA/WPA2 authentication and encryption.
Next, compile hostapd:
make
If this fails with errors like:
driver_nl80211.c:21:31: warning: netlink/genl/genl.h: No such file or directory
driver_nl80211.c:22:33: warning: netlink/genl/family.h: No such file or directory
driver_nl80211.c:23:31: warning: netlink/genl/ctrl.h: No such file or directory
driver_nl80211.c:24:25: warning: netlink/msg.h: No such file or directory
driver_nl80211.c:25:26: warning: netlink/attr.h: No such file or directory
you need to install or update libnl-1.0pre8 (or later). If all goes well and the compilation finishes, try the minimal config again (see the section Using your distribution's hostapd above):
hostapd # ./hostapd ./hostapd-minimal.conf
Configuration file: ./hostapd-minimal.conf
Using interface wlan1 with hwaddr 00:0d:0b:cf:04:40 and ssid 'test'
If that starts as the example here shows, you can move on to configuring hostapd. If it fails to start with errors about the driver not being found, review the compilation steps listed above.
Hardware does not support configured mode
If hostapd instead fails with:
wlan0: IEEE 802.11 Hardware does not support configured mode (2)
Could not select hw_mode and channel. (-2)
wlan0: Unable to setup interface.
rmdir[ctrl_interface]: No such file or directory
then the hw_mode (a, b or g) in the config file is set to a value not supported by the hardware.
Configuring hostapd
Establishing Baseline for Configuration
Before configuring hostapd, you need to know the capabilities of the clients that will be using it. Not all clients will support all of the methods you may want to implement, so a baseline configuration needs to be established. You will also want to survey your area to find the channel that has the fewest other APs on it. When choosing a channel, remember that channels overlap with any other channels within 20 MHz.
Examples of the baseline you might establish:
Encryption: wpa-psk + tkip
Wireless Mode: g
Normal for an environment that has to support semi-legacy devices that don't support ccmp or wpa2.
Encryption: wpa2-psk + ccmp
Wireless Mode: g+n
Normal for an environment that has only up-to-date hardware and software.
Encryption: wep
Wireless Mode: b
This is the worst-case scenario, as wep is broken and can be trivially cracked. Don't consider it anything more than a way of keeping out casual freeloaders.
Once you’ve found your baseline, it’s time to edit hostapd.conf. The configuration options will be broken into 3 sections:
Common Options: options that you will probably want to set
Additional Options: options that are likely useful to at least know you have
Extra Options: options that you aren’t likely to need for most setups
Common Options
The most basic set of options for using hostapd with the nl80211 driver has already been provided as hostapd-minimal.conf. That is all you need if you don't care about consistently being on the same channel, don't need or want encryption, and don't need a flashy name. However, that is not a realistic setup in the real world.
First, we’ll setup the wireless interface settings, then the wireless environment settings, and finally the authentication and encryption.
Wireless Interface
Setting Summary:
interface: Tells hostapd what wireless interface to use
bridge: Set to a bridge if the wireless interface in use is part of a network bridge interface
driver: For our purposes, always nl80211
If you only have 1 wireless interface, and it’s going to be bridged with a wired interface, a good example setup would be:
interface=wlan0
bridge=br0
driver=nl80211
Wireless Environment
Setting Summary:
ssid: Sets the name (SSID = service set identifier) of the network, wireless extensions/iwconfig incorrectly calls this “essid”.
hw_mode: Sets the operating mode of the interface, and the allowed channels. Valid values depend on hardware, but are always a subset of a, b, g
channel: Sets the channel for hostapd to operate on. Must be a channel supported by the mode set in hw_mode, as well as allowed by your country's wireless regulatory rules.
The ssid is just for ease of configuration. It is what shows up in scan results, and can help in configuring your clients. Check the scan results for your area and choose a name.
hw_mode needs to be something that all of your hardware supports. Setting this to 'g' is probably the most common setup, and also enables backwards compatibility with 802.11b devices. Note that this is not where you enable 802.11n support, as 802.11n operates on top of 802.11a's or 802.11g's functionality.
channel should be chosen so that it has the minimum overlap with other APs or other networks in your area. 802.11 channels are 20 MHz (4 channel numbers) wide in total, or 10 MHz (2 channel numbers) wide on each side. This means that an access point on channel 3 will interfere with an access point on channel 1 or channel 5. Use this to pick a channel. Most consumer APs default to channel 6, so you can use channel 1 or channel 11 in most cases for the best results. Also note that the channels available to you depend entirely on the local regulatory rules.
An example of a good normal setup is:
ssid=MyNetwork
hw_mode=g
channel=1
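As an added example (not part of the original page), here is a small Python helper that applies the overlap rule above to a survey of nearby APs and picks the least-congested channel. The survey data, the helper names and the default 1 to 11 channel range are constructed for this example, and "within 20 MHz" is read as strictly less than 20 MHz, matching the channel 1/3/5 illustration in the text:

```python
# Added example, not part of the original page: choose the 2.4 GHz channel with the
# fewest overlapping neighbours, using the rule above that a channel overlaps any
# other channel less than 20 MHz (four channel numbers) away.

# Constructed sample survey: (ssid, channel) pairs as you might collect from
# `iw dev wlan0 scan`. The names and channels are made up for this example.
SAMPLE_SURVEY = [
    ("cafe-guest", 6),
    ("Linksys", 6),
    ("NETGEAR", 6),
    ("home-ap", 9),
    ("office", 3),
]

# Channels 1..11 are what most consumer hardware may use; the real set depends on
# your regulatory domain, so pass the allowed list explicitly where it differs.
DEFAULT_ALLOWED = range(1, 12)


def overlaps(a: int, b: int) -> bool:
    """2.4 GHz channels are 5 MHz apart and a 20 MHz signal reaches 10 MHz (two
    channel numbers) to each side, so channels closer than four numbers overlap:
    3 overlaps 1 and 5, while 1 and 5 just clear each other."""
    return abs(a - b) < 4


def congestion(channel: int, survey) -> int:
    """Number of surveyed APs whose channel overlaps the candidate channel."""
    return sum(1 for _, ch in survey if overlaps(channel, ch))


def pick_channel(survey, allowed=DEFAULT_ALLOWED) -> int:
    """Allowed channel with the fewest overlapping APs; ties go to the lowest number."""
    return min(allowed, key=lambda ch: (congestion(ch, survey), ch))


if __name__ == "__main__":
    best = pick_channel(SAMPLE_SURVEY)
    print(f"channel={best}  (overlapping APs: {congestion(best, SAMPLE_SURVEY)})")
```

Replace SAMPLE_SURVEY with the channels you actually see in your scan results; the count-based score follows the text's advice of choosing the channel with the fewest other APs on it rather than weighting by signal strength.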
802.11n Setting Summary
802.11n builds on the settings above, and adds additional functionality. If your hardware doesn’t support 802.11n, or you don’t plan on using it, you can ignore these.
ieee80211n: Set to 1 to enable 802.11n support, 0 to disable it
ht_capab: A list of the 802.11n features supported by your device
The explanation of these settings in the sample config file is quite helpful, so I'll suggest reading it. You can use the command 'iw list' to find a short list of the capabilities of your device.
Example settings:
wme_enabled=1
ieee80211n=1
ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40]
Authentication and Encryption
There is a lot to the authentication and encryption options in hostapd. This section will cover the basics as far as wep/wpa/wpa2 goes, as well as some of the other commonly used options.
Settings Summary:
macaddr_acl: This controls mac address filtering. Mac addresses are easily spoofed, so only consider the use of this to be augmenting other security measures you have in place.
auth_algs: This is a bit field where the first bit (1) is for open auth, the second bit (2) is for shared key auth (wep), and 3 enables both.
ignore_broadcast_ssid: This enables/disables broadcasting the ssid.
wpa_psk/wpa_passphrase: These establish what the pre-shared key will be for wpa authentication.
wpa_key_mgmt: This controls what key management algorithms a client can authenticate with.
wpa_pairwise: This controls wpa’s data encryption
rsn_pairwise: This controls wpa2’s data encryption
First, scratch macaddr_acl and ignore_broadcast_ssid from your priorities, as they only marginally enhance security. Also, WEP has been effectively broken now, so unless you HAVE to support wep, scratch that from your list too. This just leaves wpa/wpa2. Per the draft standard, wpa2 is required for 802.11n, and as there are known attacks on wpa now, wpa2 is the recommended authentication and encryption suite to use. Fortunately, you can have both enabled at once. If Windows clients are going to be connecting, you should leave ccmp encryption out of the wpa_pairwise option, as some Windows drivers have problems with systems that enable it.
A good starting point for a wpa & wpa2 enabled access point is:
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=YourPassPhrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
If, alternately, you just want to support wpa2, you could use something like:
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=YourPassPhrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
That should be all of the settings you'll need to change for a basic, secure access point using hostapd with an AP-enabled mac80211 driver.
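As an added example (not part of the original page), the following Python linter reads a hostapd.conf and reports settings that fall short of the WPA2/CCMP baseline described in this section: WEP keys, shared-key auth, WPA-only operation, a missing CCMP cipher under WPA2, an out-of-range passphrase or wpa_psk, 802.11n without WPA2, and an invalid hw_mode. The parser, the finding texts and the two sample configurations are constructed here; the fallback of rsn_pairwise to wpa_pairwise follows hostapd's documented default.

```python
# Added example, not part of the original page: a small linter that reads a hostapd.conf
# and reports settings that fall short of the WPA2/CCMP baseline described above.
# The parser, the finding texts and the two sample configurations are constructed here.
import re

# Constructed sample: the WPA2-only configuration from the section above.
WPA2_CONF = """\
interface=wlan0
driver=nl80211
ssid=MyNetwork
hw_mode=g
channel=1
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=YourPassPhrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
"""

# Constructed sample: a legacy-style configuration with several weak choices.
LEGACY_CONF = """\
interface=wlan0
driver=nl80211
ssid=OldNet
hw_mode=b
channel=6
auth_algs=3
wep_default_key=0
wep_key0=1234567890
wpa=1
wpa_passphrase=short
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
"""


def parse_hostapd_conf(text: str) -> dict:
    """Parse key=value lines; blank lines and lines starting with '#' are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def _int(conf: dict, key: str, default: int) -> int:
    """Integer option with a default for missing or malformed values."""
    try:
        return int(conf.get(key, default))
    except ValueError:
        return default


def lint_hostapd_conf(text: str) -> list:
    """Return a list of findings; an empty list means the config meets the baseline."""
    conf = parse_hostapd_conf(text)
    findings = []

    if any(key.startswith("wep_") for key in conf):
        findings.append("WEP keys are configured: WEP is broken, use WPA2 instead")
    if _int(conf, "auth_algs", 1) & 2:
        findings.append("auth_algs enables Shared Key authentication, which only serves WEP")

    wpa = _int(conf, "wpa", 0)  # bit field: 1 = WPA, 2 = WPA2
    if wpa == 0:
        findings.append("wpa=0: no WPA/WPA2, the network is unencrypted")
    elif not wpa & 2:
        findings.append("wpa=1: WPA only; WPA2 (wpa=2 or wpa=3) is the recommended suite")
    else:
        # rsn_pairwise falls back to wpa_pairwise when it is not set
        rsn = conf.get("rsn_pairwise", conf.get("wpa_pairwise", ""))
        if "CCMP" not in rsn.split():
            findings.append("WPA2 is enabled but rsn_pairwise does not include CCMP")

    if wpa:
        passphrase, psk = conf.get("wpa_passphrase"), conf.get("wpa_psk")
        if passphrase is None and psk is None:
            findings.append("wpa is enabled but neither wpa_passphrase nor wpa_psk is set")
        if passphrase is not None and not 8 <= len(passphrase) <= 63:
            findings.append("wpa_passphrase must be 8 to 63 characters")
        if psk is not None and not re.fullmatch(r"[0-9a-fA-F]{64}", psk):
            findings.append("wpa_psk must be 64 hexadecimal digits (256 bits)")

    if conf.get("ieee80211n") == "1" and not wpa & 2:
        findings.append("ieee80211n=1 requires WPA2 (wpa=2 or wpa=3)")
    if conf.get("hw_mode", "g") not in ("a", "b", "g"):
        findings.append("hw_mode must be a, b or g")
    return findings


if __name__ == "__main__":
    for name, conf in (("WPA2_CONF", WPA2_CONF), ("LEGACY_CONF", LEGACY_CONF)):
        print(name, lint_hostapd_conf(conf) or "OK")
```

Run it against /etc/hostapd.conf before starting the daemon; the WPA2 sample from this section passes clean, while the legacy sample produces four findings (WEP, shared-key auth, WPA-only, and a too-short passphrase).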
Additional Options
Extra Options
Dynamic VLAN tagging
hostapd can be configured to move STAs into separate VLANs based on RADIUS tunnel attributes (as specified in RFC3580, http://tools.ietf.org/html/rfc3580#section-3.31):
Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID
To enable dynamic VLAN tagging the following options in hostapd.conf need to be set:
dynamic_vlan=1
vlan_file=/etc/hostapd.vlan
A value of 0 disables dynamic VLAN tagging, a value of 1 allows dynamic VLAN tagging, and a value of 2 will reject the authentication if the RADIUS server does not provide the appropriate tunnel attributes.
Furthermore, hostapd needs to know how the VLAN interfaces should be named; this is done through an additional config file, specified by vlan_file.
Example /etc/hostapd.vlan:
1 wlan0.1
* wlan0.#
This will create a wlan0.1 interface on top of wlan0 and move all STAs with the RADIUS supplied vlantag 1 to that interface. The second entry is used to dynamically create VLAN interfaces on top of
wlan0, hostapd will create an interface wlan0.vlantag for each different vlantag as supplied by the RADIUS server. For example, if a STA associates and the RADIUS server attributes contain the vlantag
100 hostapd will create a wlan0.100 interface and map the STA to this new interface.
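As an added example (not part of the original page), this Python snippet models how a station is mapped to a VLAN interface from the vlan_file entries and the RADIUS tunnel attributes above, including the three dynamic_vlan settings. The attribute names follow RFC 3580 (Tunnel-Medium-Type IEEE-802 has the numeric value 6); the file contents, attribute dictionaries and function names are constructed for this example and are not hostapd's own code.

```python
# Added example, not part of the original page: how hostapd resolves a station's VLAN
# interface from the vlan_file entries and the RADIUS tunnel attributes described
# above. The attribute names follow RFC 3580; the station records and file contents
# are constructed for this example.

# Constructed /etc/hostapd.vlan, as in the text above: one explicit entry and the
# wildcard entry whose '#' is replaced with the VLAN id.
VLAN_FILE = """\
1 wlan0.1
* wlan0.#
"""

TUNNEL_TYPE_VLAN = 13       # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6   # Tunnel-Medium-Type = IEEE-802


def parse_vlan_file(text: str):
    """Return ({vlan_id: ifname}, wildcard_pattern) from vlan_file contents."""
    explicit, wildcard = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        vid, _, ifname = line.partition(" ")
        if vid == "*":
            wildcard = ifname.strip()
        else:
            explicit[int(vid)] = ifname.strip()
    return explicit, wildcard


def vlan_interface(vlan_file_text: str, vlan_id: int):
    """Interface name for vlan_id: an explicit entry wins, otherwise the wildcard."""
    explicit, wildcard = parse_vlan_file(vlan_file_text)
    if vlan_id in explicit:
        return explicit[vlan_id]
    if wildcard is not None:
        return wildcard.replace("#", str(vlan_id))
    return None


def radius_vlan_id(attrs: dict):
    """VLAN id from the RADIUS tunnel attributes, or None if they are absent or not a VLAN."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE802:
        return None
    group = attrs.get("Tunnel-Private-Group-ID")
    return int(group) if group is not None and str(group).isdigit() else None


def assign_station(dynamic_vlan: int, attrs: dict, base_iface="wlan0",
                   vlan_file_text=VLAN_FILE):
    """Interface the station lands on, or None when the authentication is rejected.

    dynamic_vlan=0 ignores the tunnel attributes, 1 uses them when present and falls
    back to the base interface, 2 rejects stations whose RADIUS reply lacks them."""
    if dynamic_vlan == 0:
        return base_iface
    vlan_id = radius_vlan_id(attrs)
    if vlan_id is None:
        return None if dynamic_vlan == 2 else base_iface
    return vlan_interface(vlan_file_text, vlan_id)


if __name__ == "__main__":
    # Constructed RADIUS reply carrying the three attributes from the text.
    reply = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "100"}
    print(assign_station(1, reply))   # wlan0.100
    print(assign_station(2, {}))      # None: rejected, no tunnel attributes
```

With dynamic_vlan=1 a station whose RADIUS reply carries no tunnel attributes silently lands on the base interface, so if VLAN separation is a security boundary rather than a convenience, dynamic_vlan=2 is the setting that enforces it.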
Basic hostapd configuration
Recently I have been implementing some router functionality at work. The board is off the shelf and runs Linux; my main task is to use existing tools to get its routing and wireless access functions working. The wireless access part is implemented with hostapd. hostapd is a wireless access point program with encryption support and a fairly convenient tool for building a wireless access point on Linux; it supports the IEEE 802.11 protocol and IEEE 802.1X/WPA/WPA2/EAP/RADIUS authentication and encryption. The official introduction to hostapd is here, and the configuration options and their meanings are described in detail here.
First, obtain the hostapd source from the official site and port it to the board by modifying the Makefile; then the most critical step is writing hostapd's configuration file. The source tree contains a hostapd.conf file (it can also be obtained here). This file is very large and has a great many options, from simple to advanced, but in general we only use a small fraction of them, so below I describe the options I consider most commonly used. First, the basic options:
ssid=test
hw_mode=g
channel=10
interface=wlan0
bridge=br0
driver=nl80211
ignore_broadcast_ssid=0
macaddr_acl=0
accept_mac_file=/etc/hostapd.accept
deny_mac_file=/etc/hostapd.deny
The settings listed above are basically required; of these:
ssid: the name of our access point as seen by others;
hw_mode: selects the 802.11 standard: a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g;
channel: sets the wireless channel;
interface: the access point device name; note that it must not include the ap suffix, i.e. if the device is called wlan0ap, write wlan0;
bridge: the network bridge the interface belongs to; for a router that connects to the public network while providing an internal network and wireless access, setting the bridge is necessary;
driver: the wireless driver; in my case nl80211;
macaddr_acl: optional, the MAC address filtering rule: 0 allows unless listed in the deny file, 1 denies unless listed in the accept file, 2 uses an external RADIUS server;
accept_mac_file: path of the allowed-MAC list file;
deny_mac_file: path of the denied-MAC list file;
Next, the authentication settings:
auth_algs=1
auth_algs selects the authentication algorithm, given as a bit field: bit 1 is Open System Authentication (OSA) and bit 2 is Shared Key Authentication (SKA). I set auth_algs to 1 here, meaning only OSA; 3 would enable both. Oddly, in my work I never managed to connect with 3 configured, whether WEP, WPA or WPA2 encryption was in use, and the same with 2. So in my configuration auth_algs is set to 1 when authentication is used; otherwise the line is commented out (prefixed with #).
Since RADIUS authentication requires an external RADIUS server, which we do not have, I only looked into the three encryption methods WEP, WPA and WPA2.
#wep_default_key=0
#wep_key0=1234567890
#wep_key1="vwxyz"
#wep_key2=0102030405060708090a0b0c0d
#wep_key3=".2.4.6.8.0.23"
#wep_key_len_broadcast=13
#wep_key_len_unicast=13
#wep_rekey_period=300
To enable WEP encryption you only need to set wep_default_key and one of the wep_keyx entries, where x is in the range 0 to 3 and the key selected by wep_default_key must be one that is enabled. Note that wep_keyx values are not arbitrary: they must be 5, 13 or 16 characters (enclosed in double quotes) or 10, 26 or 32 hexadecimal digits. Since the WEP encryption algorithm has been broken, it is usually not enabled, and all of these lines are commented out.
wpa=2
wpa_passphrase=12345678
wpa_key_mgmt=WPA-PSK
#wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
The recommended encryption nowadays is WPA/WPA2; being pressed for time, I did not look into the difference between the two much, but the configuration is simple:
wpa: selects the WPA type, a bit field where bit 1 enables WPA and bit 2 enables WPA2. In my configuration clients connect normally whether it is set to 1, 2 or 3;
wpa_passphrase: WPA/WPA2 encryption requires a key, and this option sets the WPA/WPA2 key. Note that wpa_passphrase must be 8 to 63 characters. The key can also be specified with wpa_psk, but that requires a 256-bit hexadecimal key, which does not suit our needs;
wpa_pairwise/rsn_pairwise: if WPA is enabled, wpa_pairwise must be specified; if WPA2 is enabled, rsn_pairwise must be specified, or else the wpa_pairwise setting is used. Either can be set to TKIP, CCMP or both; I have not worked out the exact meaning myself. An older article says TKIP is incompatible with Windows Mobile, but my Windows Mobile 6.5 had no problems with either algorithm.
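As an added example (not part of the original post), here is how the 256-bit wpa_psk value mentioned above is derived from a passphrase and SSID. The derivation is the one IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32 bytes of output), which is also what hostapd's wpa_passphrase utility computes; the function names and the sample passphrase and SSID are constructed here.

```python
# Added example, not part of the original post: derive the 256-bit wpa_psk value from
# a passphrase and SSID. The derivation is the one 802.11i specifies
# (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes), which is what hostapd's
# wpa_passphrase utility computes; the sample values below are constructed.
import hashlib


def derive_wpa_psk(passphrase: str, ssid: str) -> str:
    """Return the PSK as the 64 hex digits that wpa_psk= expects."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("wpa_passphrase must be 8 to 63 characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()


def psk_config_lines(passphrase: str, ssid: str) -> str:
    """hostapd.conf fragment that stores wpa_psk instead of the plaintext passphrase,
    so the config file does not have to hold the passphrase itself."""
    return (
        f"ssid={ssid}\n"
        "wpa=2\n"
        "wpa_key_mgmt=WPA-PSK\n"
        "rsn_pairwise=CCMP\n"
        f"wpa_psk={derive_wpa_psk(passphrase, ssid)}\n"
    )


if __name__ == "__main__":
    # Constructed sample values; the printed lines can be pasted into hostapd.conf.
    print(psk_config_lines("CorrectHorseBatteryStaple", "MyNetwork"))
```

Because the SSID is the salt, the same passphrase yields a different wpa_psk on every network name, so wpa_psk has to be recomputed whenever ssid changes; the 64-hex-digit output is also what the 256-bit requirement in the text refers to.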
With these settings in place, after starting hostapd the wireless access point should work as required:
/usr/bin/hostapd /etc/hostapd.conf