EAP/802.1X authentication without susbsequent data confidentiality

Jouni Malinen jkmaline
Wed May 31 19:39:58 PDT 2006

On Thu, Jun 01, 2006 at 12:33:11PM +1000, Rupsky Gill wrote:

> I am using madwifi driver and hostapd to set up an Access Point and
> i am using wpa_supplicant and madwifi for the STA.

madwifi driver interface had some assumptions about hostapd only being
used when data packets are encrypted.. I don't remember whether this has
been fixed.

> I am experimenting with some EAP methods. I was wondering if it was
> possible
> to make hostapd authenticate the STA using EAP-TLS (or any other EAP method
> for that matter)  however not encrypt the subsequent data exchanges after
> successful authentication (i.e. not engage in 4-way hanshake etc.) It should
> be theoretically
> possible as authentication and confidentiality are two seperate security
> functions.

In theory, yes, it should be possible to configure hostapd to do this.
This requires enabling IEEE 802.1X, but not WPA and not configuring
dynamic WEP key lengths.

> I am bit lost as to is it as easy as changing particular config files
> (hostapd/wpa_supplicant)
> or would it need some code modifications ?

I haven't tried this with madwifi driver, so I'm not sure whether it
would work without any code changes. For wpa_supplicant, you will need
to set eapol_flags=0 so that it does not require dynamic WEP keys.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list