Arch Linux

Beemo

Member

Registered: 2024-12-20

Posts: 36

[SOLVED] hostapd: Why auth_algs cannot be 0 for WPA authentication?

If I say auth_algs=0 in my config, hostapd complains:

hostapd[2748]: Line 17: no authentication algorithms allowed
hostapd[2748]: Failed to set up interface with /etc/hostapd/ax-6.conf

auth_algs=1 works. But why must I enable Open System authentication (i.e. free access)?

According to the (long spaghetti) documentation inside the example config:

# IEEE 802.11 specifies two authentication algorithms. hostapd can be
# configured to allow both of these or only one. Open system authentication
# should be used with IEEE 802.1X.
# Bit fields of allowed authentication algorithms:
# bit 0 = Open System Authentication
# bit 1 = Shared Key Authentication (requires WEP)

Then there is another chunk of config for 802.11i far below it for WPA and SAE.

According to 802.11-2020 (so it's the updated / amended version):

IEEE Std 802.11 defines five IEEE 802.11 authentication methods: Open System authentication, Shared Key authentication, FT authentication, simultaneous authentication of equals (SAE), and FILS authentication.

Plus "12.4 Authentication using a password" contains only SAE.

Is this just a quirk of hostapd? I'm not sure if Open auth is disallowed when WPA is enabled. (I hope so...)

Last edited by Beemo (2025-01-27 04:22:31)

dakota

Member

Registered: 2016-05-20

Posts: 362

Re: [SOLVED] hostapd: Why auth_algs cannot be 0 for WPA authentication?

hostapd[2748]: Line 17: no authentication algorithms allowed

... sounds like you must have some sort of authentication algorithm, and

# Bit fields of allowed authentication algorithms:
# bit 0 = Open System Authentication
# bit 1 = Shared Key Authentication (requires WEP)

specifies two accepted types.

auth_algs=1     #Open System Authentication (and you probably don't want to use WEP)

From reading the documentation, it appears that Open System Authentication and WPA are *not* mutually exclusive (and probably serve different purposes). In fact, the upstream docs include a sample config that includes

#auth_algs=1
#wpa=2

... and the Arch wiki has

# Bit field: bit0 = WPA, bit1 = WPA2
wpa=2
# Bit field: 1=wpa, 2=wep, 3=both
auth_algs=1

Cheers,

Last edited by dakota (2025-01-04 15:17:56)

---

"Before Enlightenment chop wood, carry water. After Enlightenment chop wood, carry water." -- Zen proverb

Beemo

Member

Registered: 2024-12-20

Posts: 36

Re: [SOLVED] hostapd: Why auth_algs cannot be 0 for WPA authentication?

Yea that's what I'm saying, hostapd is just not following the spec, and the worst case, I don't know if it means anyone can use my Wi-Fi by saying they don't support SAE in their request.

# IEEE 802.11 specifies two authentication algorithms.

IEEE Std 802.11 defines five IEEE 802.11 authentication methods

Open System auth:

Open System authentication is a null authentication algorithm.
Any non-DMG STA requesting Open System authentication can be authenticated if dot11AuthenticationAlgorithmsTable at the peer STA includes an entry with dot11AuthenticationAlgorithm equal to openSystem and dot11AuthenticationAlgorithmActivated equal to true.

dakota

Member

Registered: 2016-05-20

Posts: 362

Re: [SOLVED] hostapd: Why auth_algs cannot be 0 for WPA authentication?

I understand the problem, but I don't understand why the Arch wiki says

auth_algs=1    # wpa

but the project docs say:

auth_algs=1    # Shared Key Authentication (requires WEP) -- EDIT, this is wrong as Beemo points out, below
auth_algs=1    # Open System Authentication

Perhaps post your hostapd.conf and a journal from both a successful start and a failed start? I probably won't be able to help, but someone else might.

Cheers,

Last edited by dakota (2025-01-06 01:48:26)

---

"Before Enlightenment chop wood, carry water. After Enlightenment chop wood, carry water." -- Zen proverb

Beemo

Member

Registered: 2024-12-20

Posts: 36

Re: [SOLVED] hostapd: Why auth_algs cannot be 0 for WPA authentication?

I think it says "bit 1" not "1"? So "0b10"(=2) means WEP. Bit 0, "0b01" (=1) means Open.

Config below, it's working and I'm using the AP:

interface=wlp0s20f0u1
bridge=bridge-0
driver=nl80211
logger_stdout=-1
logger_stdout_level=3
ssid=REDACTED
country_code=AU
country3=0x49
ieee80211d=1
ieee80211h=1
local_pwr_constraint=0
hw_mode=a
channel=5
op_class=133
enable_background_radar=1
preamble=1
auth_algs=1
wmm_enabled=1
uapsd_advertisement_enabled=1
max_acceptable_idle_period=3600
disassoc_low_ack=1

wpa=2
extended_key_id=1
wpa_key_mgmt=SAE
rsn_pairwise=CCMP CCMP-256 GCMP GCMP-256
wpa_strict_rekey=1
ieee80211w=2
beacon_prot=1
# ocv=1
sae_password=REDACTED
sae_groups=19 20 21
sae_pwe=2
transition_disable=0xf
# pasn_groups=19 20 21
ssid_protection=1

# oce=4

ieee80211ax=1
require_he=1
he_su_beamformee=1
he_bss_color=1
he_bss_color_partial=0
he_oper_centr_freq_seg0_idx=7
he_basic_mcs_nss_set=65530

# unsol_bcast_probe_resp_interval=20
# fils_discovery_max_interval=20

# he_oper_chwidth=1
# wds_sta=1
# wpa_passphrase=
# okc=1

# transition_disable=0b1111
# he_basic_mcs_nss_set=0b 11 11 11 11 11 11 10 10

systemd[1]: Started Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator.
hostapd[609]: wlp0s20f0u1: interface state UNINITIALIZED->COUNTRY_UPDATE
hostapd[609]: wlp0s20f0u1: interface state COUNTRY_UPDATE->ENABLED
hostapd[609]: wlp0s20f0u1: AP-ENABLED

Changing auth_algs to 0 leads to error in the original post:

hostapd[2748]: Line 17: no authentication algorithms allowed
hostapd[2748]: Failed to set up interface with /etc/hostapd/ax-6.conf

Beemo

Member

Registered: 2024-12-20

Posts: 36

Re: [SOLVED] hostapd: Why auth_algs cannot be 0 for WPA authentication?

I just found this in the source (src/common/defs.h)

#define WPA_AUTH_ALG_OPEN BIT(0)
#define WPA_AUTH_ALG_SHARED BIT(1)
#define WPA_AUTH_ALG_LEAP BIT(2)
#define WPA_AUTH_ALG_FT BIT(3)
#define WPA_AUTH_ALG_SAE BIT(4)
#define WPA_AUTH_ALG_FILS BIT(5)
#define WPA_AUTH_ALG_FILS_SK_PFS BIT(6)

Pretty sure they are bit masks judging by the usage, but my IDE cannot find where BIT() is defined.
And auth_algs is just parsed as a number in hostapd/config_file.c. Not sure where they go from there...

So I think the correct value for SAE is auth_algs=16. No one on the Internet seems to be doing this.
I changed the value and my AP is still working, though that doesn't say much at this point...

p.s. yup that part of the documentation hasn't been touched in 17 years, and the bit field defs were extended a few years later.

Last edited by Beemo (2025-01-27 04:30:29)

ReDress

Member

From: Nairobi

Registered: 2024-11-30

Posts: 96

Re: [SOLVED] hostapd: Why auth_algs cannot be 0 for WPA authentication?

If I say auth_algs=0 in my config, hostapd complains:

hostapd[2748]: Line 17: no authentication algorithms allowed
hostapd[2748]: Failed to set up interface with /etc/hostapd/ax-6.conf

Is this really an error from a C program? It seems like one from a scripting langauge.

Though, supposedly, _LINE_ would have this effect even in C

Beemo

Member

Registered: 2024-12-20

Posts: 36

Re: [SOLVED] hostapd: Why auth_algs cannot be 0 for WPA authentication?

Is this really an error from a C program? It seems like one from a scripting langauge.

Yeah this is actually an explicit error from the config parser: hostapd/config_file.c

else if (os_strcmp(buf, "auth_algs") == 0) {
		bss->auth_algs = atoi(pos);
		if (bss->auth_algs == 0) {
			wpa_printf(MSG_ERROR, "Line %d: no authentication algorithms allowed",
				   line);
			return 1;
		}