# hostapd + FreeRADIUS



## free-and-bsd (Jun 1, 2021)

Hello everyone.

I'm trying to figure out whether I'm doing something wrong or the behavior of hostapd itself is confusing (or perhaps the manual is?).
I'm using hostapd to forward requests to FreeRADIUS server for EAP-TLS authentication. So I don't use hostapd's builtin RADIUS server.
Therefore, my /etc/hostapd.conf looks like this:

```
interface=wlan0
driver=bsd
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel

logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2

ssid=My-LOCAL-SSID

auth_server_addr=10.4.0.25 ##(remote)
auth_server_port=1812
auth_server_shared_secret={my_secret}

auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret={my_other_secret}

ieee8021x=1
auth_algs=1
eapol_key_index_workaround=0

wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
openssl_ecdh_curves=P-521:P-384:P-256
```
Now as per man pages, you can use two sets of auth_server_{addr,port,secret} entries to define one additional (backup) external RADIUS server:

```
auth_server_addr, auth_server_port, auth_server_shared_secret
             RADIUS authentication server parameters.  Can be defined twice
             for secondary servers to be used if primary one does not reply to
             RADIUS packets.
```
However, this doesn't seem to work. As seen above, my config has this defined twice, but when the first auth_server_addr is not reachable (VPN is down) hostapd doesn't use the second auth_server_{addr,port,secret} configuration at all. It then sends packets somewhere and they never reach the local FreeRADIUS.

So I want to make sure whether this is a mistake in the man page or those options must be somehow put in a different manner to make it work. BTW, don't seem to find hostapd in /usr/src/usr.sbin... or elsewhere.

For that matter, README file located on the developer's own page doesn't mention the possibility to use _two sets_ of external RADIUS addr/port/secret. So maybe this just doesn't work in the version distributed with FreeBSD?? If so, FreeBSD man page must be fixed accordingly... Other than that, I'm quite satisfied with this hostapd


----------



## SirDice (Jun 2, 2021)

free-and-bsd said:


> BTW, don't seem to find hostapd in /usr/src/usr.sbin... or elsewhere.








						wpa « usr.sbin - src - FreeBSD source tree
					






					cgit.freebsd.org
				







free-and-bsd said:


> For that matter, README file located on the developer's own page doesn't mention the possibility to use _two sets_ of external RADIUS addr/port/secret. So maybe this just doesn't work in the version distributed with FreeBSD??


Note that there is a difference between hostapd(8) and net/hostapd. They're two different implementations that happen to have the same name.


----------



## free-and-bsd (Jun 2, 2021)

SirDice said:


> wpa « usr.sbin - src - FreeBSD source tree
> 
> 
> 
> ...


OK, it's under /usr/src/usr.sbin/wpa. Thank you!
And of course, the port will be found under /usr/local. I don't have that one installed, so the man page (hostapd.conf) is from the base.


----------

