802.1X Cofiguration query - can 802.1X authentication be optional?

[Jouni Malinen]

On Tue, Sep 19, 2006 at 06:11:28PM +0100, lloyd wrote:

> Basically we want to run 802.1X alongside traditional WLAN user
> authentication systems such as NoCat, WifiDog etc which run at the
> transport level.  As such we need to make 802.1X authentication 'optional'
> where failed connections are redirected to a different vlan.  We can then
> run NoCat or whatever on traffic from this vlan.

> Basically we're looking to implement this proprietary feature in Open
> Source on a wireless AP, however I cannot see anything in HostAPd
> configuration to allow it.  Any thoughts/comments on this would be
> useful.

This is not yet supported by the open source hostapd. However, I'm in
the process of merging in support for dynamic VLANs into hostapd from
Devicescape tree. This does not yet provide the exact functionality that
you are asking for here, but it provides the basics needed for
supporting dynamic selection of VLAN based on RADIUS server response.
The only needed addition would be to add a configuration option that
maps access rejects to a specific VLAN ID. This should be easy to add
once the core functionality for dynamic VLANs is merged in.

-- 
Jouni Malinen                                            PGP id EFC895FA