Tuesday, November 15, 2016

Multiple SSIDs hostapd on CentOS 7

Here's how I set up hostapd on my CentOS 7 / PC Engines APU 2C4.  First, I needed to make sure the hardware had the capabilities (the wireless card is a WLE200NL), which takes the iw tool.

Installing it :
    [root@hostname home]# yum install iw
    
Next, I needed to check and ensure the driver would work as an Access Point, so I ran an "iw list" :
    [root@hostname home]# iw list
      Wiphy phy0
      max # scan SSIDs: 4
      max scan IEs length: 2257 bytes
      Coverage class: 0 (up to 0m)
      Device supports RSN-IBSS.
      Device supports AP-side u-APSD.
      Supported Ciphers:
        * WEP40 (00-0f-ac:1)
        * WEP104 (00-0f-ac:5)
        * TKIP (00-0f-ac:2)
        * CCMP (00-0f-ac:4)
        * 00-0f-ac:10
        * GCMP (00-0f-ac:8)
        * 00-0f-ac:9
        * CMAC (00-0f-ac:6)
        * 00-0f-ac:13
        * 00-0f-ac:11
        * 00-0f-ac:12
      Available Antennas: TX 0x3 RX 0x3
      Configured Antennas: TX 0x3 RX 0x3
      Supported interface modes:
        * IBSS
        * managed
        * AP
        * AP/VLAN
        * WDS
        * monitor
        * P2P-client
        * P2P-GO
      Band 1:
        Capabilities: 0x11ce
          HT20/HT40
          SM Power Save disabled
          RX HT40 SGI
          TX STBC
          RX STBC 1-stream
          Max AMSDU length: 3839 bytes
          DSSS/CCK HT40
        Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
        Minimum RX AMPDU time spacing: 8 usec (0x06)
        HT TX/RX MCS rate indexes supported: 0-15
        Bitrates (non-HT):
          * 1.0 Mbps
    [...snip...]
          * 54.0 Mbps
        Frequencies:
          * 2412 MHz [1] (30.0 dBm)
    [...snip...]
          * 2484 MHz [14] (disabled)
      Band 2:
        Capabilities: 0x11ce
          HT20/HT40
          SM Power Save disabled
          RX HT40 SGI
          TX STBC
          RX STBC 1-stream
          Max AMSDU length: 3839 bytes
          DSSS/CCK HT40
        Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
        Minimum RX AMPDU time spacing: 8 usec (0x06)
        HT TX/RX MCS rate indexes supported: 0-15
        Bitrates (non-HT):
          * 6.0 Mbps
    [...snip...]
          * 54.0 Mbps
        Frequencies:
          * 5180 MHz [36] (17.0 dBm)
    [...snip...]
          * 5825 MHz [165] (30.0 dBm)
      Supported commands:
    [...snip...]
        * start_ap
        * new_station
    [...snip...]
        * connect
        * disconnect
      Supported TX frame types:
    [...snip...]
        * managed: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
        * AP: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
        * AP/VLAN: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
    [...snip...]
      Supported RX frame types:
    [...snip...]
        * managed: 0x40 0xd0
        * AP: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
        * AP/VLAN: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
    [...snip...]
      software interface modes (can always be added):
        * AP/VLAN
        * monitor
      valid interface combinations:
        * #{ managed } <= 2048, #{ AP } <= 8, #{ P2P-client, P2P-GO } <= 1,
          total <= 2048, #channels <= 1, STA/AP BI must match
        * #{ WDS } <= 2048,
          total <= 2048, #channels <= 1, STA/AP BI must match
      HT Capability overrides:
    [...snip...]
      Device supports AP scan.
    [root@hostname home]#
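The capability check above is done by eye; as an added example (not from the original post), here is a small script that pulls the two answers hostapd needs out of "iw list" text: whether AP mode is offered at all, and how many AP interfaces the "valid interface combinations" line allows on one radio. The samples are constructed from the excerpt above (and one client-only counter-example); no real interface is touched.

```shell
#!/bin/sh
# Added example, not from the original post: script the "iw list" check.
# Reads iw list text on stdin; the samples below are constructed.

# Exit 0 if "AP" is listed under "Supported interface modes:".
iw_supports_ap() {
    awk '
        /^[[:space:]]*Supported interface modes:/ { inmodes = 1; next }
        inmodes && /^[[:space:]]*\* / { if ($2 == "AP") found = 1; next }
        inmodes { inmodes = 0 }     # first non-bullet line ends the section
        END { exit !found }
    '
}

# Print the largest "#{ AP } <= N" from the interface combinations;
# N is the most BSSes hostapd can host on this radio. Prints 0 if absent.
iw_max_ap() {
    awk '
        match($0, /#[{] AP [}] <= [0-9]+/) {
            n = substr($0, RSTART + 11, RLENGTH - 11) + 0
            if (n > max) max = n
        }
        END { print max + 0 }
    '
}

# Constructed sample: the relevant lines of the WLE200NL output above.
IW_SAMPLE='Wiphy phy0
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * AP/VLAN
         * monitor
    Band 1:
        Capabilities: 0x11ce
    valid interface combinations:
         * #{ managed } <= 2048, #{ AP } <= 8, #{ P2P-client, P2P-GO } <= 1,
           total <= 2048, #channels <= 1, STA/AP BI must match
         * #{ WDS } <= 2048,
           total <= 2048, #channels <= 1, STA/AP BI must match'

# Constructed counter-example: a client-only driver.
IW_CLIENT_ONLY='Wiphy phy1
    Supported interface modes:
         * managed
         * monitor
    Band 1:'

# $1 = iw list text; prints a verdict and exits 0 only if AP mode is there.
check_radio() {
    if printf '%s\n' "$1" | iw_supports_ap; then
        echo "AP mode supported, up to $(printf '%s\n' "$1" | iw_max_ap) AP interfaces on one channel"
    else
        echo "no AP mode: this radio cannot run hostapd"
        return 1
    fi
}

check_radio "$IW_SAMPLE"
check_radio "$IW_CLIENT_ONLY" || true
```

On a live box, replace the sample with `iw list | iw_supports_ap` and `iw list | iw_max_ap`; the AP count is the ceiling for the number of "bss=" stanzas you can add later.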
    
I snipped out some of the repetitive output (marked by the "[...snip...]" lines) just to shorten the iw output.  The parts that matter here are "AP" under the supported interface modes, and the interface combinations line allowing up to 8 AP interfaces on a single channel.  Next, I needed to grab the source for hostapd :
    [root@hostname home]# wget http://w1.fi/releases/hostapd-2.6.tar.gz
    
Extract it (tar -xf hostapd-2.6.tar.gz), then configure it.  Note there is no ./configure script; the build is configured by copying defconfig to .config :
    [root@hostname hostapd]# cd hostapd-2.6/hostapd
    [root@hostname hostapd]# cp defconfig .config
    
    [root@hostname hostapd]# make
      CC  main.c
      CC  config_file.c
      CC  ../src/ap/hostapd.c
      CC  ../src/ap/wpa_auth_glue.c
      CC  ../src/ap/drv_callbacks.c
      CC  ../src/ap/ap_drv_ops.c
      CC  ../src/ap/utils.c
      CC  ../src/ap/authsrv.c
      CC  ../src/ap/ieee802_1x.c
      CC  ../src/ap/ap_config.c
      CC  ../src/ap/eap_user_db.c
      CC  ../src/ap/ieee802_11_auth.c
      CC  ../src/ap/sta_info.c
      CC  ../src/ap/wpa_auth.c
      CC  ../src/ap/tkip_countermeasures.c
      CC  ../src/ap/ap_mlme.c
      CC  ../src/ap/wpa_auth_ie.c
      CC  ../src/ap/preauth_auth.c
      CC  ../src/ap/pmksa_cache_auth.c
      CC  ../src/ap/ieee802_11_shared.c
      CC  ../src/ap/beacon.c
      CC  ../src/ap/bss_load.c
      CC  ../src/ap/neighbor_db.c
      CC  ../src/ap/rrm.c
      CC  ../src/drivers/drivers.c
      CC  ../src/utils/eloop.c
      CC  ../src/utils/common.c
      CC  ../src/utils/wpa_debug.c
      CC  ../src/utils/wpabuf.c
      CC  ../src/utils/os_unix.c
      CC  ../src/utils/ip_addr.c
      CC  ../src/common/ieee802_11_common.c
      CC  ../src/common/wpa_common.c
      CC  ../src/common/hw_features_common.c
      CC  ../src/eapol_auth/eapol_auth_sm.c
      CC  ../src/eapol_auth/eapol_auth_dump.c
      CC  ../src/radius/radius.c
      CC  ../src/radius/radius_client.c
      CC  ../src/radius/radius_das.c
      CC  ../src/ap/accounting.c
      CC  ../src/ap/vlan_init.c
      CC  ../src/ap/vlan_ifconfig.c
      CC  ../src/ap/vlan.c
      CC  ../src/common/ctrl_iface_common.c
      CC  ctrl_iface.c
      CC  ../src/ap/ctrl_iface_ap.c
      CC  ../src/ap/iapp.c
      CC  ../src/ap/peerkey_auth.c
      CC  ../src/drivers/driver_hostap.c
    ../src/drivers/driver_nl80211.c:17:31: fatal error: netlink/genl/genl.h: No such file or directory
     #include <netlink/genl/genl.h>
                                   ^
    compilation terminated.
    make: *** [../src/drivers/driver_nl80211.o] Error 1
    [root@hostname hostapd]#
    
Argh! I need to install the libnl-devel package!
    [root@hostname hostapd]# yum install libnl-devel.x86_64
    
Then, re-run "make" :
    [root@hostname hostapd]# make
      CC  ../src/drivers/driver_nl80211.c
      CC  ../src/drivers/driver_nl80211_capa.c
      CC  ../src/drivers/driver_nl80211_event.c
      CC  ../src/drivers/driver_nl80211_monitor.c
      CC  ../src/drivers/driver_nl80211_scan.c
      CC  ../src/drivers/netlink.c
      CC  ../src/drivers/linux_ioctl.c
      CC  ../src/drivers/rfkill.c
      CC  ../src/utils/radiotap.c
      CC  ../src/l2_packet/l2_packet_linux.c
      CC  ../src/eap_server/eap_server_md5.c
      CC  ../src/eap_server/eap_server_tls.c
      CC  ../src/eap_server/eap_server_peap.c
      CC  ../src/eap_common/eap_peap_common.c
      CC  ../src/eap_server/eap_server_ttls.c
      CC  ../src/eap_server/eap_server_mschapv2.c
      CC  ../src/eap_server/eap_server_gtc.c
      CC  eap_register.c
      CC  ../src/eap_server/eap_server.c
      CC  ../src/eap_common/eap_common.c
      CC  ../src/eap_server/eap_server_methods.c
      CC  ../src/eap_server/eap_server_identity.c
      CC  ../src/crypto/ms_funcs.c
      CC  ../src/eap_common/chap.c
      CC  ../src/eap_server/eap_server_tls_common.c
    ../src/crypto/tls_openssl.c:19:25: fatal error: openssl/ssl.h: No such file or directory
     #include <openssl/ssl.h>
                             ^
    compilation terminated.
    make: *** [../src/crypto/tls_openssl.o] Error 1
    [root@hostname hostapd]# 
    
Yet another package I needed to install :
    [root@hostname hostapd]# yum install openssl-devel
    
Again, re-run "make" :
    [root@hostname hostapd]# make
      CC  ../src/crypto/tls_openssl.c
      CC  ../src/crypto/tls_openssl_ocsp.c
      CC  ../src/crypto/crypto_openssl.c
      CC  ../src/crypto/aes-omac1.c
      CC  ../src/crypto/sha1-prf.c
      CC  ../src/crypto/sha1-tlsprf.c
      CC  ../src/crypto/sha256-prf.c
      CC  ../src/crypto/sha256-tlsprf.c
      CC  ../src/crypto/sha256-kdf.c
      CC  ../src/crypto/random.c
      CC  ../src/ap/wmm.c
      CC  ../src/ap/ap_list.c
      CC  ../src/ap/ieee802_11.c
      CC  ../src/ap/hw_features.c
      CC  ../src/ap/dfs.c
      CC  ../src/drivers/driver_common.c
      LD  hostapd
      CC  hostapd_cli.c
      CC  ../src/common/wpa_ctrl.c
      CC  ../src/common/cli.c
      CC  ../src/utils/edit_simple.c
      LD  hostapd_cli
    [root@hostname hostapd]# make install
    install -D hostapd /usr/local/bin//hostapd
    install -D hostapd_cli /usr/local/bin//hostapd_cli
    [root@hostname hostapd]#
    
Success! Let's run it :
    [root@hostname hostapd]# hostapd
    hostapd v2.6
    User space daemon for IEEE 802.11 AP management,
    IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
    Copyright (c) 2002-2016, Jouni Malinen <j@w1.fi> and contributors
    
    usage: hostapd [-hdBKtv] [-P <PID file>] [-e <entropy file>] \
             [-g <global ctrl_iface>] [-G <group>]\
             [-i <comma-separated list of interface names>]\
             <configuration file(s)>
    
    options:
       -h   show this usage
       -d   show more debug messages (-dd for even more)
       -B   run daemon in the background
       -e   entropy file
       -g   global control interface path
       -G   group for control interfaces
       -P   PID file
       -K   include key data in debug messages
       -i   list of interface names to use
       -S   start all the interfaces synchronously
       -t   include timestamps in some debug messages
       -v   show hostapd version
    [root@hostname hostapd]#
    
That's enough to know it's installed, so let's get it configured. First, we need to grab the hardware address :
    [root@hostname hostapd]# ifconfig wlp1s0
    wlp1s0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
            ether 04:f0:21:26:d5:1f  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    [root@hostname hostapd]# 
    
For multiple SSIDs, you might need to "change the MAC" (the BSSID step further down explains why the last octet matters). You can do this from the command line as :
    [root@hostname hostapd]# ifconfig wlp1s0 hw ether 02:f0:21:26:d5:30
    
Or, for a permanent setting, add the new MAC address as "MACADDR=" in the /etc/sysconfig/network-scripts/ifcfg-wlp1s0 file. Either way, verify it and bring the interface up :
    [root@hostname hostapd]# ifconfig wlp1s0
    wlp1s0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
            ether 02:f0:21:26:d5:30  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    [root@hostname hostapd]# ifconfig wlp1s0 up
    [root@hostname hostapd]#
    
Check and ensure it took :
    [root@hostname hostapd]# ifconfig wlp1s0
    wlp1s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            ether 02:f0:21:26:d5:30  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    [root@hostname hostapd]# vi ifcfg-enp4s0
    
Create our required configuration files :
    [root@hostname hostapd]# mkdir -p /etc/hostapd
    [root@hostname etc]# cd /etc/hostapd/
    [root@hostname hostapd]# vi hostapd.conf
    
Here is the content of my hostapd.conf file (shamelessly copied from another source) for the trial run :
    interface=wlp1s0
    bridge=br0
    driver=nl80211
    logger_syslog=-1
    logger_syslog_level=2
    logger_stdout=-1
    logger_stdout_level=2
    dump_file=/tmp/hostapd.dump
    ctrl_interface=/var/run/hostapd
    ctrl_interface_group=0
    ssid=wifiname
    hw_mode=g
    channel=1
    beacon_int=100
    dtim_period=2
    max_num_sta=255
    rts_threshold=2347
    fragm_threshold=2346
    macaddr_acl=1
    accept_mac_file=/etc/hostapd/hostapd.accept
    deny_mac_file=/etc/hostapd/hostapd.deny
    auth_algs=1
    ignore_broadcast_ssid=0
    wmm_enabled=1
    wmm_ac_bk_cwmin=4
    wmm_ac_bk_cwmax=10
    wmm_ac_bk_aifs=7
    wmm_ac_bk_txop_limit=0
    wmm_ac_bk_acm=0
    wmm_ac_be_aifs=3
    wmm_ac_be_cwmin=4
    wmm_ac_be_cwmax=10
    wmm_ac_be_txop_limit=0
    wmm_ac_be_acm=0
    wmm_ac_vi_aifs=2
    wmm_ac_vi_cwmin=3
    wmm_ac_vi_cwmax=4
    wmm_ac_vi_txop_limit=94
    wmm_ac_vi_acm=0
    wmm_ac_vo_aifs=2
    wmm_ac_vo_cwmin=2
    wmm_ac_vo_cwmax=3
    wmm_ac_vo_txop_limit=47
    wmm_ac_vo_acm=0
    eapol_key_index_workaround=0
    eap_server=0
    wpa=2
    wpa_passphrase=wifipassword
    wpa_key_mgmt=WPA-PSK
    wpa_pairwise=CCMP
    rsn_pairwise=CCMP
    wpa_group_rekey=600
    wpa_gmk_rekey=86400
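A few of the settings in that trial configuration deserve a second look before the file goes live: macaddr_acl=1 means "deny unless listed", so with an accept file that was only touched into existence no station can associate; hostapd only accepts a wpa_passphrase of 8 to 63 characters; the passphrase sits in the file in clear text, so the file should be owner-only; and dump_file is deprecated (hostapd 2.6 says so at start-up). As an added example (not from the original post), here is a lint pass that checks exactly those points. The file paths and the station MAC are constructed for the example, and "stat -c" is GNU stat as shipped on CentOS 7.

```shell
#!/bin/sh
# Added example, not from the original post: lint a hostapd.conf for the
# settings that most often bite. Paths and the station MAC are constructed.

# First value of KEY in the global section of FILE ("bss=" stanzas are skipped).
conf_get() {
    awk -F= -v key="$1" '
        /^bss=/ { exit }
        $1 == key { print substr($0, length(key) + 2); exit }
    ' "$2"
}

# Prints one WARN/INFO line per finding; returns 1 if there was any finding.
lint_hostapd_conf() {
    conf=$1; found=0
    # macaddr_acl=1 is "deny unless listed": an empty accept file admits nobody.
    acl=$(conf_get macaddr_acl "$conf")
    accept=$(conf_get accept_mac_file "$conf")
    if [ "$acl" = 1 ] && [ ! -s "$accept" ]; then
        echo "WARN macaddr_acl=1 but accept list '$accept' is missing or empty: no station can associate"
        found=1
    fi
    pass=$(conf_get wpa_passphrase "$conf")
    if [ -n "$pass" ]; then
        # hostapd accepts WPA passphrases of 8 to 63 characters only.
        len=${#pass}
        if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
            echo "WARN wpa_passphrase is $len characters; hostapd requires 8 to 63"
            found=1
        fi
        # The passphrase is stored in clear text, so keep the file owner-only.
        perms=$(stat -c '%a' "$conf")
        case $perms in
            *00) ;;
            *) echo "WARN $conf is mode $perms but holds a plaintext passphrase; chmod 600 it"; found=1 ;;
        esac
    fi
    if [ -n "$(conf_get dump_file "$conf")" ]; then
        echo "INFO dump_file is deprecated; hostapd 2.6 warns and ignores it"
        found=1
    fi
    return $found
}

# Constructed sample: the trial configuration reduced to the keys the lint
# reads, with the accept/deny files created empty by "touch" as in the post.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/hostapd.conf" <<EOF
interface=wlp1s0
driver=nl80211
dump_file=/tmp/hostapd.dump
ssid=wifiname
macaddr_acl=1
accept_mac_file=$DEMO/hostapd.accept
deny_mac_file=$DEMO/hostapd.deny
wpa=2
wpa_passphrase=wifipassword
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
EOF
touch "$DEMO/hostapd.accept" "$DEMO/hostapd.deny"
chmod 644 "$DEMO/hostapd.conf"

# The same file after the fixes: one listed station, owner-only mode, no dump_file.
sed -e '/^dump_file=/d' -e 's/hostapd\.accept$/hostapd.fixed.accept/' \
    "$DEMO/hostapd.conf" > "$DEMO/hostapd.fixed.conf"
chmod 600 "$DEMO/hostapd.fixed.conf"
echo "02:00:00:00:00:01" > "$DEMO/hostapd.fixed.accept"   # constructed station MAC

echo "--- trial configuration:"
lint_hostapd_conf "$DEMO/hostapd.conf" || true
echo "--- after fixes:"
lint_hostapd_conf "$DEMO/hostapd.fixed.conf" && echo "no findings"
```

Run it against /etc/hostapd/hostapd.conf with `lint_hostapd_conf /etc/hostapd/hostapd.conf` before starting the daemon; the lint reads the global section only, so each "bss=" stanza needs its own look at the same points.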
    
Let's get a few more files created :
    [root@hostname hostapd]# touch /etc/hostapd/hostapd.deny
    [root@hostname hostapd]# touch /etc/hostapd/hostapd.accept
    [root@hostname hostapd]# 
    
Note: if you forget to create the hostapd.deny/hostapd.accept files, hostapd will error out with :
    [root@hostname hostapd]# hostapd /etc/hostapd/hostapd.conf 
    Configuration file: /etc/hostapd/hostapd.conf
    Line 8: DEPRECATED: 'dump_file' configuration variable is not used anymore
    MAC list file '/etc/hostapd/hostapd.accept' not found.
    Line 20: Failed to read accept_mac_file '/etc/hostapd/hostapd.accept'
    MAC list file '/etc/hostapd/hostapd.deny' not found.
    Line 21: Failed to read deny_mac_file '/etc/hostapd/hostapd.deny'
    2 errors found in configuration file '/etc/hostapd/hostapd.conf'
    Failed to set up interface with /etc/hostapd/hostapd.conf
    Failed to initialize interface
    [root@hostname hostapd]#
    
And a successful run :
    [root@hostname hostapd]# hostapd /etc/hostapd/hostapd.conf 
    Configuration file: /etc/hostapd/hostapd.conf
    Line 8: DEPRECATED: 'dump_file' configuration variable is not used anymore
    Using interface wlp1s0 with hwaddr 02:f0:21:26:d5:30 and ssid "wifiname"
    random: Only 15/20 bytes of strong random data available from /dev/random
    random: Not enough entropy pool available for secure operations
    WPA: Not enough entropy in random pool for secure operations - update keys later when the first station connects
    wlp1s0: interface state UNINITIALIZED->ENABLED
    wlp1s0: AP-ENABLED 
    
You should now have a wireless network named "wifiname"! Congrats!  But wait! That's not all!  For a down payment of $49.95, you can also get MULTIPLE networks in separate subnets!  No VLAN necessary!  Here's how to order.
    [root@hostname homedir]# ifconfig wlp1s0|grep ether
            ether 09:f0:21:26:d5:d8  txqueuelen 1000  (Ethernet)
    [root@hostname homedir]#
    
First, you need to ensure the BSSID is defined in your hostapd.conf.  Grab the hardware address out of ifconfig :
    [root@hostname homedir]# ifconfig wlp1s0|grep ether
            ether 04:f0:21:26:d5:1f  txqueuelen 1000  (Ethernet)
    [root@hostname homedir]#
    
Then, change the first octet to 02 (that sets the locally administered bit, so the address is not the card's factory one) and the last octet to 30.  The last octet matters because hostapd builds a BSSID mask from the number of BSSes and hands out the secondary BSSIDs in order from the radio's address, which must therefore be the first address in its block (addr AND mask == addr): with three BSSes the two low bits must be zero, which 30 satisfies and 1f does not.  For example :
    04:f0:21:26:d5:1f
    02:f0:21:26:d5:30
    
Then, put that value into your hostapd.conf file as "bssid=02:f0:21:26:d5:30".  The next step is to define your secondary SSIDs, appended after the main settings, using stanzas like :
    bss=wlp1s0_0
    ssid=guest
    wpa=2
    wpa_passphrase=Brawnd0! It's what plants crave.
    
    bss=wlp1s0_1
    ssid=nonrouted
    wpa=2
    wpa_passphrase=securityVan09
    accept_mac_file=/etc/hostapd/hostapd.nonrouted.allow
    
Once you restart hostapd, you will note that you have two new interfaces : wlp1s0_0 and wlp1s0_1. Together with wlp1s0, these correspond to the three wireless networks: the main network (wlp1s0), the guest network (wlp1s0_0), and a non-routable network (wlp1s0_1). The non-routable network is where I put all of the security stuff that I play with; for example, I don't want the Chinese test hardware dialing home to papa.

So, how do we give them separate subnets? I spent a few days trying to figure this out, badly wanting to use the de facto standard network scripts on the system, before I found out that the /etc/sysconfig/network-scripts/ifcfg-* files can't be used for these interfaces: "systemctl restart network.service" refused to work with them. It baffled me for a while, until I got tired of fighting it and simply created a systemd unit for hostapd with a post-start step that assigns the addresses (I placed mine in "/etc/systemd/system/hostapd.service") :
    [Unit]
    Description=Wireless AP Daemon
    Documentation=http://www.silverhawk.net/search/label/hostapd
    Wants=basic.target
    After=basic.target
    Before=network.target
    
    [Service]
    Type=forking
    ExecStart=/usr/local/bin/hostapd -B -P /var/run/hostapd.pid /etc/hostapd/hostapd.conf
    #ExecStartPre=
    ExecStartPost=/bin/sh -c '/usr/sbin/ifconfig wlp1s0 inet 172.16.64.1 netmask 255.255.224.0 up;/usr/sbin/ifconfig wlp1s0_0 inet 172.16.96.1 netmask 255.255.224.0 up;/usr/sbin/ifconfig wlp1s0_1 inet 172.16.224.1 netmask 255.255.224.0 up'
    # CentOS 7's systemd (v219) requires absolute paths in Exec* lines
    ExecReload=/bin/kill -HUP $MAINPID
    ExecStop=/bin/kill $MAINPID
    PIDFile=/var/run/hostapd.pid
    
    [Install]
    WantedBy=multi-user.target
    
I needed to enable the new systemd unit :
    systemctl daemon-reload
    systemctl start hostapd
    systemctl enable hostapd
    
A reboot, and I was finally online with two networks!

Saturday, November 12, 2016

I Broke the Lathe (Well, Maybe)

I was trying to create one of the gear arbors for a gear depth gauge tool.  I faced the brass, then drilled with a #43 drill bit for the needle underneath approximately 3/4" in depth, then turned about 3/4" of the outside to a half inch diameter.  I threw the home-made knurling tool in place, and tried my hand at knurling :



It worked great, but when I tried to clean the lathe, I realized it had broken (whether that is me or a previous owner) :



Now I need to replace the cross slide.