I am trying to set up an AP with an external RADIUS server using two Linux hosts, one for each service (hostapd and freeradius respectively). These hosts and the Wi-Fi client host are Raspberry Pi 4 units running Ubuntu 22.04.4 LTS (jammy).
All hosts have an Ethernet connection to the common LAN (10.1.0.0/24):
- hostA - Wi-Fi AP (10.1.0.22 Ethernet, 192.168.220.1 Wi-Fi)
- hostB - RADIUS server (10.1.0.12 Ethernet)
- hostC - Wi-Fi client (10.1.0.50 Ethernet, 192.168.220.101 Wi-Fi)
I have configured the freeradius server on hostB and am able to test it from the Wi-Fi client over the Ethernet LAN:
```
hostC:~$ radtest -x testUser1 testPassword1 10.1.0.12 0 testSecret1
Sent Access-Request Id 155 from 0.0.0.0:35529 to 10.1.0.12:1812 length 79
    User-Name = "testUser1"
    User-Password = "testPassword1"
    NAS-IP-Address = 10.1.0.50
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "testPassword1"
Received Access-Accept Id 155 from 10.1.0.12:1812 to 10.1.0.50:35529 length 20
```

Then I bring up the Wi-Fi AP (hostA) configured with the following hostapd.conf content:
```
logger_syslog=-1
logger_syslog_level=0
ctrl_interface=/var/run/hostapd/
interface=wlp1s0
driver=nl80211
country_code=CA
ieee80211n=1
hw_mode=g
channel=6
beacon_int=100
dtim_period=2
disassoc_low_ack=0
ssid=testAP
ieee80211w=0
auth_algs=1
wpa=0
ignore_broadcast_ssid=0
eap_server=0
own_ip_addr=10.1.0.22
auth_server_addr=10.1.0.12 #hostB
auth_server_port=1812
auth_server_shared_secret=testSecret1
```

The hostapd service is built from the latest code available in the main branch, with only the modification below to the defconfig file to disable the integrated RADIUS server:
```
# Integrated EAP server
CONFIG_EAP=n
```

I can see that the hostapd service starts properly, with the RADIUS server configuration reported accordingly:
```
hostA:/usr/src/hostap/hostapd$ sudo ./hostapd /etc/hostapd/hostapd.conf -i wlp1s0
wlp1s0: interface state UNINITIALIZED->COUNTRY_UPDATE
wlp1s0: RADIUS Authentication server 10.1.0.12:1812
wlp1s0: interface state COUNTRY_UPDATE->ENABLED
wlp1s0: AP-ENABLED
```

I can successfully connect the Wi-Fi client (hostC) to the Wi-Fi AP (hostA). However, when I try to do the RADIUS test now over the Wi-Fi network (192.168.220.0/24), targeting the Wi-Fi AP to process RADIUS requests, I get the failure:
```
hostC:~$ radtest -x testUser1 testPassword1 10.1.0.22 0 testSecret1
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
    User-Name = "testUser1"
    User-Password = "testPassword1"
    NAS-IP-Address = 10.1.0.50
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "testPassword1"
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
    User-Name = "testUser1"
    User-Password = "testPassword1"
    NAS-IP-Address = 10.1.0.50
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "testPassword1"
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
    User-Name = "testUser1"
    User-Password = "testPassword1"
    NAS-IP-Address = 10.1.0.50
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "testPassword1"
(0) No reply from server for ID 235 socket 3
```

I captured the traffic on the Wi-Fi interface of hostA and see that it responds with an ICMP packet saying Destination unreachable (Port unreachable):
```
Frame 2: 155 bytes on wire (1240 bits), 155 bytes captured (1240 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr 2, 2024 18:18:11.473305000 PDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1712107091.473305000 seconds
    [Time delta from previous captured frame: 0.000101000 seconds]
    [Time delta from previous displayed frame: 0.000101000 seconds]
    [Time since reference or first frame: 0.000101000 seconds]
    Frame Number: 2
    Frame Length: 155 bytes (1240 bits)
    Capture Length: 155 bytes (1240 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:icmp:ip:udp:radius]
    [Coloring Rule Name: ICMP errors]
    [Coloring Rule String: icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4]
Ethernet II, Src: IntelCor_05:02:62 (80:45:dd:05:02:62), Dst: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
    Destination: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
        Address: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_05:02:62 (80:45:dd:05:02:62)
        Address: IntelCor_05:02:62 (80:45:dd:05:02:62)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.220.1, Dst: 192.168.220.101
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
        1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 141
    Identification: 0xa48f (42127)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: ICMP (1)
    Header Checksum: 0x9b68 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.220.1
    Destination Address: 192.168.220.101
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 3 (Port unreachable)
    Checksum: 0x3724 [correct]
    [Checksum Status: Good]
    Unused: 00000000
    Internet Protocol Version 4, Src: 192.168.220.101, Dst: 192.168.220.1
        0100 .... = Version: 4
        .... 0101 = Header Length: 20 bytes (5)
        Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
            0000 00.. = Differentiated Services Codepoint: Default (0)
            .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
        Total Length: 113
        Identification: 0xc1e8 (49640)
        Flags: 0x00
            0... .... = Reserved bit: Not set
            .0.. .... = Don't fragment: Not set
            ..0. .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment Offset: 0
        Time to Live: 64
        Protocol: UDP (17)
        Header Checksum: 0x7edb [validation disabled]
        [Header checksum status: Unverified]
        Source Address: 192.168.220.101
        Destination Address: 192.168.220.1
    User Datagram Protocol, Src Port: 40929, Dst Port: 1812
        Source Port: 40929
        Destination Port: 1812
        Length: 93
        Checksum: 0xbfa6 [unverified]
        [Checksum Status: Unverified]
        [Stream index: 0]
        UDP payload (85 bytes)
    RADIUS Protocol
        Code: Access-Request (1)
        Packet identifier: 0x95 (149)
        Length: 85
        Authenticator: 2cc8f534dfcac17c947a03ced3daf62f
        Attribute Value Pairs
            AVP: t=User-Name(1) l=11 val=testUser1
                Type: 1
                Length: 11
                User-Name: testUser1
            AVP: t=User-Password(2) l=18 val=Encrypted
                Type: 2
                Length: 18
                User-Password (encrypted): 986ed23c9a832e3a98a328697e8fab38
            AVP: t=NAS-IP-Address(4) l=6 val=192.168.220.101
                Type: 4
                Length: 6
                NAS-IP-Address: 192.168.220.101
            AVP: t=NAS-Port(5) l=6 val=0
                Type: 5
                Length: 6
                NAS-Port: 0
            AVP: t=Message-Authenticator(80) l=18 val=b4669b2314a4738a956f683b59b645c4
                Type: 80
                Length: 18
                Message-Authenticator: b4669b2314a4738a956f683b59b645c4
            AVP: t=Framed-Protocol(7) l=6 val=PPP(1)
                Type: 7
                Length: 6
                Framed-Protocol: PPP (1)
```

What am I missing here?
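As an added example (not part of the original post and not code from hostapd or FreeRADIUS), the RADIUS exchange that radtest performs, modelled in Python on both sides: the client side builds an Access-Request with the same attributes as the captured one (User-Name, User-Password, NAS-IP-Address, NAS-Port, Message-Authenticator, Framed-Protocol), and the server side parses it, checks the Message-Authenticator (HMAC-MD5 over the packet with the shared secret, RFC 2869) and recovers the password from the RFC 2865 User-Password masking. The user name, password and secret are the test values from the post; the packet is generated locally with a random Request Authenticator, so its hex values differ from the capture, although its length (85 bytes) matches the UDP payload shown. Function names such as `build_access_request` and `verify_access_request` are my own.

```python
"""Build and verify a RADIUS Access-Request the way radtest and a RADIUS server do.

Added example; test values are the ones from the post, packet bytes are constructed here.
"""
import hashlib
import hmac
import os
import struct

SECRET = b"testSecret1"  # auth_server_shared_secret from the post (constructed test value)

# RADIUS attribute types present in the captured request (RFC 2865 / RFC 2869)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, FRAMED_PROTOCOL = 1, 2, 4, 5, 7
MESSAGE_AUTHENTICATOR = 80
ACCESS_REQUEST = 1


def obfuscate_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    ciphertext block); the first 'previous block' is the 16-byte Request Authenticator.
    Anyone holding the secret can reverse this, so it is masking, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def deobfuscate_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of obfuscate_password (strips the NUL padding; passwords ending in NUL
    would lose those bytes, which the RFC scheme cannot distinguish from padding)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, user, password, nas_ip, secret, authenticator=None):
    """Client side: encode the attributes radtest sent, then fill in
    Message-Authenticator = HMAC-MD5(secret, packet) computed with that value zeroed."""
    authenticator = authenticator or os.urandom(16)
    pre = (avp(USER_NAME, user)
           + avp(USER_PASSWORD, obfuscate_password(password, secret, authenticator))
           + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
           + avp(NAS_PORT, struct.pack("!I", 0)))
    post = avp(FRAMED_PROTOCOL, struct.pack("!I", 1))  # PPP (1), as in the capture
    attrs = pre + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16) + post
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    ma_off = 20 + len(pre) + 2  # start of the Message-Authenticator value field
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:ma_off] + mac + pkt[ma_off + 16:]


def parse(pkt: bytes) -> dict:
    """Split header and attributes, rejecting inconsistent lengths before use."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, off = [], 20
    while off < length:
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[off + 2:off + l], off))
        off += l
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}


def verify_access_request(pkt: bytes, secret: bytes) -> dict:
    """Server side: verify Message-Authenticator with the shared secret (constant-time
    compare), then recover user name, password and NAS address."""
    p = parse(pkt)
    ma = [(v, o) for t, v, o in p["attrs"] if t == MESSAGE_AUTHENTICATOR]
    if len(ma) != 1:
        raise ValueError("Message-Authenticator missing or duplicated")
    value, off = ma[0]
    zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, value):
        raise ValueError("Message-Authenticator mismatch: wrong shared secret or altered packet")
    get = lambda t: next(v for tt, v, _ in p["attrs"] if tt == t)
    return {"id": p["id"],
            "user": get(USER_NAME).decode(),
            "password": deobfuscate_password(get(USER_PASSWORD), secret, p["authenticator"]).decode(),
            "nas_ip": ".".join(str(b) for b in get(NAS_IP_ADDRESS))}


if __name__ == "__main__":
    req = build_access_request(235, b"testUser1", b"testPassword1", "192.168.220.101", SECRET)
    print(len(req), "bytes:", verify_access_request(req, SECRET))
    try:
        verify_access_request(req, b"wrongSecret")
    except ValueError as e:
        print("rejected:", e)
```

Two things the model makes visible: the only protection on User-Password is the shared secret and the path between NAS and server, which is why the secret and that path matter more than the attribute name "encrypted" suggests; and the verification step is performed by whatever process has UDP/1812 bound. An ICMP port unreachable, as in the capture, means no process on that host has the port bound at all; with the integrated EAP/RADIUS server compiled out, hostapd only sends Access-Requests toward auth_server_addr as a RADIUS client and does not listen on 1812 itself.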