RADIUS-assigned VLANs and hostapd

Jouni Malinen jkmaline
Wed Feb 8 19:14:29 PST 2006


On Wed, Feb 08, 2006 at 06:53:25PM +0000, Oliver Gorwits wrote:

> Do there exist any solutions for using RADIUS-assigned VLANs (under either 
> Linux or BSD) after hostapd 802.1X authentication?

Yes, the hostapd version from Devicescape that you mentioned below is
doing this on Linux. I have not heard of other Linux implementations.

> Some vendors' access points, when acting as the 802.1X Authenticator, can 
> place an authenticated client's traffic into a particular VLAN (by mapping 
> an authorized PAE to a VLAN, I guess). Any ideas for how to go about doing 
> this with a hostapd-based system?

There are two parts for this. One will need to have separate broadcast
keys (i.e., in case of WPA, separate group key state machines) for each
VLAN to prevent leaking of multicast frames to incorrect VLANs. The
other part is to add support for virtual interfaces in the driver to
support multiple VLANs and assign stations to different VLANs based on
the RADIUS attributes in Access-Accept.

> I've googled around and also looked in the list archives back to 2004-01, 
> and not found much, except for the following use (extension?) of hostapd 
> which appears to support VLAN assignment:
> 
> http://www.devicescape.com/docs/wip/package_guide/pkg_hostapd.php#wp168055

This (plus the virtual interface support in Devicescape 802.11 code) is
indeed an implementation of dynamic VLAN assignment based on RADIUS
server decision.

The 802.11 kernel-side code for this is already included in the GPL'ed
Devicescape 802.11 stack. I'm looking into merging the hostapd part to
the open source version at some point. Though, this may take some time
since I want to do some design clean up as part of the merge.

-- 
Jouni Malinen                                            PGP id EFC895FA
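
The second part described above (choosing a station's VLAN from the RADIUS attributes in Access-Accept) can be sketched as follows. This is an added example, not code from hostapd or Devicescape; it assumes the RFC 3580 tunnel attributes carry the VLAN, the function name and sample packet are constructed for illustration, and per-VLAN group keys are not covered.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Attribute numbers and values from RFC 2868 / RFC 3580. */
enum { ACCESS_ACCEPT = 2, TUNNEL_TYPE = 64, TUNNEL_MEDIUM = 65,
       TUNNEL_PGID = 81, TYPE_VLAN = 13, MEDIUM_802 = 6 };

/* Constructed sample: Access-Accept, zeroed authenticator, Tunnel-Type=VLAN,
 * Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID="42" (tag 0). */
static const uint8_t sample_accept[37] = {
    2, 1, 0, 37,  0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    64, 6, 0, 0, 0, 13,   65, 6, 0, 0, 0, 6,   81, 5, 0, '4', '2' };

/* Returns the VLAN ID (1..4094), 0 if no complete VLAN assignment is present,
 * or -1 if the packet is malformed or the ID is unusable, so the caller can
 * refuse the station instead of dropping it into a default VLAN.
 * Assumption: the caller has already verified the Response Authenticator. */
int radius_vlan_id(const uint8_t *p, size_t len)
{
    int type_ok = 0, medium_ok = 0, vlan = 0;
    if (len < 20 || p[0] != ACCESS_ACCEPT) return -1;
    size_t total = ((size_t)p[2] << 8) | p[3];      /* length from header */
    if (total < 20 || total > len) return -1;
    for (size_t off = 20; off < total; ) {
        if (total - off < 2) return -1;             /* truncated attribute */
        uint8_t t = p[off], l = p[off + 1];
        if (l < 2 || l > total - off) return -1;    /* attribute overruns packet */
        const uint8_t *v = p + off + 2;
        size_t vl = (size_t)l - 2;
        if ((t == TUNNEL_TYPE || t == TUNNEL_MEDIUM) && vl == 4) {
            /* one tag octet followed by a 24-bit value */
            uint32_t val = ((uint32_t)v[1] << 16) | ((uint32_t)v[2] << 8) | v[3];
            if (t == TUNNEL_TYPE) type_ok = (val == TYPE_VLAN);
            else medium_ok = (val == MEDIUM_802);
        } else if (t == TUNNEL_PGID && vl > 0) {
            size_t i = (v[0] <= 0x1f) ? 1 : 0;      /* optional tag octet */
            int n = 0;
            if (i == vl) return -1;                 /* tag only, no digits */
            for (; i < vl; i++) {
                if (v[i] < '0' || v[i] > '9' || n > 4094) return -1;
                n = n * 10 + (v[i] - '0');
            }
            if (n < 1 || n > 4094) return -1;
            vlan = n;
        }
        off += l;
    }
    return (type_ok && medium_ok) ? vlan : 0;
}

int main(void) { printf("VLAN %d\n", radius_vlan_id(sample_accept, sizeof sample_accept)); return 0; }
```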



