Using hostapd behind the AP (on the wired side)

Bryan Kadzban bryan
Mon Sep 26 17:43:07 PDT 2005


Bryan J. Smith wrote:
> - Serve out [dynamic] WEP key to WAP-capable STA, when AP is 
> WEP-only.  Use this "behind the AP" box so WEP keys can be served out
> via hostapd to WAP/11i-capable STAs, when the AP only does WEP (would
> 802.1X/WAP/11i frames still go through the AP to this box?).  The box
> will also handle resetting the WEP on the AP (e.g., http post if we
> have to ;-).

I assume s/WAP/WPA/g, right?  ;-)

If so, I'm not sure this is possible, though I don't know for sure.  The
existence of encryption probably means the AP *MUST* be involved; if
it's not, it can't find out the pairwise key that the RADIUS server
generates, which means it won't be able to decrypt the directed traffic
from the STA in question.  It also has to have a hand in handing out the
group key, since I believe it's the only participant that knows that
key.

Unless you're going to hand out basic WEP keys (where the group key ==
the pairwise key, and everyone uses the same pairwise key); then that
might work.  (Assuming you change the key in the AP whenever you change
the key you hand out in the EAP exchange, with e.g. an HTTP POST if need
be.  And with WEP, you should probably change keys every few minutes.
Which means you'll need to trigger a reassociation or a reauthentication
somehow, every few minutes, so that all the clients get the same new WEP
key.)  But there's still an issue:

The clients won't even know to *attempt* EAP, unless you can modify the
(non-WPA-capable) AP's beacons and probe responses.  You'd have to add a
WPA or RSN IE, with key management set to 802.1x, to the normal set of
IEs.  If that's not there, then standard STAs won't even attempt EAP.
(You might also have to modify the association response, I'm not sure on
that.)

> - Last resort blocking (box as a wired bridge):  Even though a
> station might associate with an "open system" AP that isn't 
> WPA/11i-capable, we could block "behind the AP" at the wire, if a STA
> does not clear WPA/11i authentication (again, can 802.1X/WAP/11i from
> a STA reach "behind the AP"?).

Again, standard WPA STAs won't even attempt to do EAP unless the beacon
or probe response (and maybe association response) tells them to.  So
you'd have no way to eventually allow that client to pass traffic.

Unless you're going to rewrite the STA code as well -- then, I'd think
you can pretty much do whatever you want, and get it to work.  ;-)  You
could even WEP-encrypt the EAP exchange, if you really wanted to (though
that wouldn't give you much in terms of security; TTLS is much better).
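The point made twice in the message above is that a standard STA only starts 802.1X/EAP if the beacon or probe response carries an RSN or WPA IE whose AKM list includes IEEE 802.1X. The following is an added example, not code from the list thread or from hostapd: it parses the information-element blob of a beacon/probe response, extracts the RSN (element 48) and WPA (element 221, OUI 00:50:F2 type 1) security elements, and answers "would a WPA-capable STA attempt EAP here?". The three sample beacons at the bottom are constructed for the example (a WEP-only/open AP with no security IE, a WPA2-Enterprise AP, and a WPA-PSK AP); the SSID, rates and channel values are arbitrary.

```python
"""Decide, from the IEs an AP advertises, whether a standard WPA/RSN STA
would start 802.1X/EAP after association.  Added example, not hostapd code."""
import struct

RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11i (RSN) suite-selector OUI
WPA_OUI = b"\x00\x50\xf2"   # WPA vendor-specific suite-selector OUI

CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_NAMES = {1: "IEEE 802.1X", 2: "PSK"}


def iter_ies(body):
    """Yield (element_id, payload) for each IE in the variable part of a
    beacon or probe response (after timestamp, interval and capability)."""
    off = 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated IE header")
        eid, length = body[off], body[off + 1]
        payload = body[off + 2:off + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated IE payload")
        yield eid, payload
        off += 2 + length


def _suite_name(sel, oui, names):
    """Map a 4-byte suite selector (OUI + type) to a readable name."""
    if sel[:3] == oui:
        return names.get(sel[3], "type-%d" % sel[3])
    return "vendor-" + sel.hex()


def _suite_list(data, off, oui, names):
    """Parse a little-endian 2-byte count followed by 4-byte selectors."""
    if off + 2 > len(data):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    suites = []
    for _ in range(count):
        sel = data[off:off + 4]
        if len(sel) != 4:
            raise ValueError("truncated suite selector")
        suites.append(_suite_name(sel, oui, names))
        off += 4
    return suites, off


def parse_security_ie(eid, payload):
    """Return a dict for an RSN IE or a WPA vendor IE, else None."""
    if eid == 48:
        kind, oui, off = "RSN", RSN_OUI, 0
    elif eid == 221 and payload[:4] == WPA_OUI + b"\x01":
        kind, oui, off = "WPA", WPA_OUI, 4
    else:
        return None
    if off + 6 > len(payload):
        raise ValueError("truncated %s IE" % kind)
    (version,) = struct.unpack_from("<H", payload, off)
    off += 2
    group = _suite_name(payload[off:off + 4], oui, CIPHER_NAMES)
    off += 4
    pairwise, off = _suite_list(payload, off, oui, CIPHER_NAMES)
    akm, off = _suite_list(payload, off, oui, AKM_NAMES)
    return {"kind": kind, "version": version, "group": group,
            "pairwise": pairwise, "akm": akm}


def security_ies(body):
    """All RSN/WPA elements found in an IE blob, in order."""
    return [ie for ie in (parse_security_ie(e, p) for e, p in iter_ies(body)) if ie]


def sta_will_attempt_eap(body):
    """True iff some RSN/WPA IE lists IEEE 802.1X as a key-management suite.
    A bare open-system or WEP beacon carries no such IE (WEP vs. open is only
    the Privacy bit in the capability field), so this returns False: the STA
    never starts EAP on its own, which is the message's objection."""
    return any("IEEE 802.1X" in ie["akm"] for ie in security_ies(body))


# Constructed sample IE blobs (not captured traffic).
SSID = b"\x00\x04lab1"                      # SSID "lab1"
RATES = b"\x01\x04\x82\x84\x8b\x96"         # 1/2/5.5/11 Mbps basic rates
DS = b"\x03\x01\x06"                        # channel 6
# RSN IE: v1, group CCMP, pairwise CCMP, AKM IEEE 802.1X, caps 0
RSN_8021X = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04"
                          "0100" "000fac01" "0000")
# WPA IE: v1, group TKIP, pairwise TKIP, AKM PSK
WPA_PSK = bytes.fromhex("dd16" "0050f201" "0100" "0050f202" "0100" "0050f202"
                        "0100" "0050f202")

WEP_ONLY_BEACON = SSID + RATES + DS               # no security IE at all
WPA2_ENTERPRISE_BEACON = SSID + RATES + DS + RSN_8021X
WPA_PSK_BEACON = SSID + RATES + DS + WPA_PSK

if __name__ == "__main__":
    for name, blob in [("WEP-only", WEP_ONLY_BEACON),
                       ("WPA2-Enterprise", WPA2_ENTERPRISE_BEACON),
                       ("WPA-PSK", WPA_PSK_BEACON)]:
        print(name, security_ies(blob), "EAP?", sta_will_attempt_eap(blob))
```

The RSN IE in the sample is the shape hostapd itself advertises when configured with wpa=2, wpa_key_mgmt=WPA-EAP and rsn_pairwise=CCMP; the WEP-only blob is what the "behind the AP" box in the thread would be stuck with unless it could rewrite the AP's beacons.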