Adventures in WiFi

Apple and hostapd

The problem

I set up my fileserver to be a router and wireless gateway using hostapd and dnsmasq, after I got fed up with Verizon’s crappy Actiontec router.  Works great, except for Apple products.  Neither Megh’s Mac nor my iPad would connect.

The various Linux boxes, Android devices, Nintendo Wii, and HP printer connected to it without a problem, so I held out hope that this was a solvable configuration problem and not some fundamental hardware incompatibility.  I’ve been running both routers for weeks while I tried to figure this out.

My iPad has been prompting for a username and password to log into wifi, even though I’m only using WPA Personal.  Megh’s Mac refused to connect at all.

Logging hasn’t been much help, as it fills with messages like this, over and over:

Oct  3 21:30:02 dandelion hostapd: wlp3s6: STA 01:02:03:04:05:06 IEEE 802.11: authentication OK (open system)
Oct  3 21:30:02 dandelion hostapd: wlp3s6: STA 01:02:03:04:05:06 IEEE 802.11: authenticated
Oct  3 21:30:02 dandelion hostapd: wlp3s6: STA 01:02:03:04:05:06 IEEE 802.11: association OK (aid 2)
Oct  3 21:30:02 dandelion hostapd: wlp3s6: STA 01:02:03:04:05:06 IEEE 802.11: associated (aid 2)
Oct  3 21:30:11 dandelion hostapd: wlp3s6: STA 01:02:03:04:05:06 IEEE 802.11: deauthenticated due to local deauth request

Not much indication of what’s wrong there.

The Server

Wireless is provided by an Ralink RT61-based card.  I’ve used the same hardware to set up wireless networks before, because I know this chipset can enable master mode.  Not all wireless chipsets can.  This is the first where I know Apple hardware is in use, though.

Googling gave me some ideas, but nothing that I found solved the problem.  Various posts pointed fingers at hostapd’s integrated EAP server, AES, the wireless hardware itself (oh noes!), and more.

I started with a basic hostapd config file, no encryption, to rule out hardware issues.

/etc/hostapd/hostapd.conf

driver=nl80211
logger_syslog=1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=2
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=My crappy wifi name
country_code=US
hw_mode=g
channel=1
macaddr_acl=0
deny_mac_file=/etc/hostapd/hostapd.deny
auth_algs=3
wmm_enabled=0
ap_max_inactivity=600
ieee8021x=0
eap_server=1
own_ip_addr=127.0.0.1

/etc/conf.d/modules

Apparently, the hardware crypto can be a little flaky with rt61 cards so it’s safer to load it as a module (instead of compiling it into the kernel, so you can unload/reload it) and disabling hardware crypto at run time.

modules="rt61pci"
module_rt61pci_args="nohwcrypt=1"

Like that, everything connected.  Hallelujah.

Now came the fun (if tedious is fun) process of enabling and modifying options until we get an encrypted signal that everything can connect to.  The linux-based devices, bless their little electronic souls, seem to be very tolerant about network settings and kept reconnecting no matter what the encryption config was.

Here’s my final configuration:

interface=wlp3s6
driver=nl80211
logger_syslog=1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=2
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=My crappy wifi name
country_code=US
hw_mode=g
channel=1
macaddr_acl=0
deny_mac_file=/etc/hostapd/hostapd.deny
auth_algs=3
wmm_enabled=0
ap_max_inactivity=600
ieee8021x=0
eap_server=1
own_ip_addr=127.0.0.1
wpa=2
wpa_passphrase=My crappy wifi password
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP

Notes:

  • wpa_key_mgmt=WPA-PSK WPA-EAP does NOT work with Apple devices, though it does work in general
  • wpa_pairwise=TKIP DOES seem to work, but AES probably provides safer encryption