Problem with run driver and wpa

BeerCan

I have a bunch of small fw appliances, with only usb ports available, that I would love to turn into access points but I am having a problem.  I am using 2 different usb adapters that exhibit the same problem.  One is based on the ra3070 and one is based on the ra2770/2720.  Whenever I set up wpa the client stop working.  I can set up the ap with no authentication and everything works fine, but once I set up wpa they no longer get ip addresses or actually connect.  I built a test machine that pcie slots and used an ath based card and it worked fine, but once I used the same test machine with the ralinks it stopped working.  Any ideas?

pfsense 2.0 release

system log

hostapd: run0_wlan0: STA 98:4b:4a:7e:14:87 RADIUS: starting accounting session 4E860B07-00000004
Sep 30 18:35:52 	hostapd: run0_wlan0: STA <mac redacted=""> WPA: pairwise key handshake completed (RSN)
Sep 30 18:36:38 	hostapd: run0_wlan0: STA <mac redacted=""> IEEE 802.11: deauthenticated due to local deauth request
Sep 30 18:36:38 	hostapd: run0_wlan0: STA <mac redacted=""> IEEE 802.11: deassociated
Sep 30 18:36:52 	hostapd: run0_wlan0: STA <mac redacted=""> IEEE 802.11: associated</mac></mac></mac></mac>

wallabybob

I have a run device on a pfSense box that works fine with WPA2, PSK (Pre Shared Key) and AES.  How is your configuration different? (The log extract you posted suggests you might be using RADIUS authentication.)

BeerCan

no radius, that I configed anyway.  pretty vanilla setup, just installed the nanobsd 4g image and configured the devices.  Are you using the nanobsd version?  Like I said if I switch the ralinks for the atheros card I can get it to work fine.  Perhaps I will try an install from the livedisk to see if it is a problem with the nanobsd mage.

wallabybob

I'm not using radius either and a check in the logs revealed a similar mention of RADIUS from hostapd:

clog /var/log/system.log | grep hostapd

Oct  1 15:58:57 pfsense2 hostapd: run0_wlan0: STA <mac addr="">IEEE 802.11: associated
Oct  1 15:58:57 pfsense2 hostapd: run0_wlan0: STA <mac addr="">RADIUS: starting accounting session 4E86AB2D-00000000
Oct  1 15:58:57 pfsense2 hostapd: run0_wlan0: STA <mac addr="">WPA: pairwise key handshake completed (RSN)</mac></mac></mac>

I'm not using nanobsd.

Can you try WPA2, PSK and AES (not TKIP)?

BeerCan

OK sorry for the delay, I had to go out of town for a few days.

I just tried those specific settings and I get the same exact symptoms as posted above.  I will try livecd install tonight.

EDIT
I tried using the livecd installer with the smp kernel and I still get the same errors.  So it appears that the issue lies elsewhere.  I have tried on 3 different computer platforms and 2 different ralink usb dongles.  is there anything else I can do to help diagnose this?

wallabybob

I can only recall one problem I have had with an encrypted wireless link at home: my pfSense was originally set to WPA2, PSK and (TKIP or AES) and worked fine. After a Linux upgrade my netbook stopped associating. When I removed TKIP as an option on pfSense the netbook correctly associated again.

Are you in a noisy radio environment? (Maybe using a different channel will help.)

Do the wireless parameters exactly match on AP and client?

What is the output of the pfSense shell command ifconfig run0_wlan0

BeerCan

Here ya go.

[2.0-RELEASE][root@pfsense.localdomain]/root(2): ifconfig run0_wlan0
run0_wlan0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        ether <redacted>
        inet6 <redacted>%run0_wlan0 prefixlen 64 scopeid 0xb
        inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
        nd6 options=3 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
        status: running
        ssid BeerCan channel 11 (2462 MHz 11g) bssid <redacted>
        country US authmode WPA2/802.11i privacy MIXED deftxkey 2
        AES-CCM 2:128-bit txpower 0 scanvalid 60 protmode OFF -apbridge
        dtimperiod 1 -dfs</redacted></hostap></performnud,accept_rtadv></redacted></redacted></up,broadcast,running,simplex,multicast>

wallabybob

Here are my settings:```

ifconfig run0_wlan0

run0_wlan0: flags=108843 <up,broadcast,running,simplex,multicast,ipfw_filter>metric 0 mtu 1500
ether <cut>inet6 <cut>%run0_wlan0 prefixlen 64 scopeid 0x9
inet 192.168.51.173 netmask 0xffffff00 broadcast 192.168.51.255
nd6 options=3 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>status: running
ssid Lothlorien channel 6 (2437 MHz 11g) bssid <cut>regdomain ROW country AU indoor authmode WPA2/802.11i privacy MIXED
deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 30 scanvalid 60
protmode OFF dtimperiod 1 -dfs
#</cut></hostap></performnud,accept_rtadv></cut></cut></up,broadcast,running,simplex,multicast,ipfw_filter>

Concerning differences that MIGHT be significant:
You have AES-CCM 2: whereas I have AES-CCM 2: and AES-CCM 3: That MIGHT be because I have chosen a rather lengthy pass phrase.

You have txpower 0 whereas I have txpower 30\. I don't know what the numbers mean.  "0" might mean zero or it might mean default. The FreeBSD ifconfig man page says of this parameter

> txpower power
>     Set the power used to transmit frames.  The power argument is
>     specified in .5 dBm units.  Out of range values are truncated.
>     Typically only a few discreet power settings are available and
>     the driver will use the setting closest to the specified value.
>     Not all adapters support changing the transmit power.

You should probably increase the Tx power on the pfSense interface page, _save_ and _apply_ then check the change really happened by looking with ifconfig. Does the change make a significant difference?

You have -apbridge and I don't. This means you have disabled bridging between WLAN clients on that interface. I wouldn't expect it should matter whether the bridging is enabled or not but at least for data collection, please enable the bridging (pfSense parameter _Allow intra-BSS communication_) and check if that makes a significant difference.

BeerCan

Well I can't really explain it but this just simply started working.  After running for some time my client suddenly obtained an ip address and started working.  Wish I knew what I did.

thanks for your help wallabybob

wallabybob

@BeerCan:

Well I can't really explain it but this just simply started working.  After running for some time my client suddenly obtained an ip address and started working.

I hate those "spontaneously started working" circumstances. They leave me with a suspicion that they will just spontaneously stop working at some time.

@BeerCan:

Wish I knew what I did.

It might not be something you did. Just for the record, have any of the parameters displayed by ifconfig run0_wlan0 changed?

@BeerCan:

thanks for your help wallabybob

You are welcome. Thanks for reporting back.