802.1x, PEAP, Certificates, VLANs

WangYue wangyue0921
Mon Jun 15 18:54:08 PDT 2009

For the 3rd question, in my opinion, the answer is yes.

Most APs on the market can support VLANs. They assign a specific VLAN
to a given BSS, and assemble BSSes from different APs into the same ESS.
A wireless STA will associate with this ESS when it wants to join
this VLAN. So, if the STA is switched from one VLAN to another, it should
disassociate from the current ESS and associate with the target ESS.

Furthermore, different VLANs may refer to different rights. It is
terrible that several STAs try to associate with the specific ESS all the
time with the 4-way handshake, and the AP which is associated cannot do
anything. We cannot isolate mcast in one VLAN from another without
encryption. The AP is the boundary node which should strip the VLAN tag.
A STA may hear messages from another VLAN. So encryption and the 4-way
handshake are both necessary.

I think binding a BSS to a VLAN is not a good idea. If there are several
VLANs belonging to the same BSS (certainly the same ESS), and VLANs should
match with isolated mcast domains by encryption, security is realized.
But when a STA is switched from one VLAN to another, it still needs
disassociation and reassociation and a 4-way handshake to get a new PTK and

--- On 09-6-15, Mike C <smith.not.western at gmail.com> wrote:

> From: Mike C <smith.not.western at gmail.com>
> Subject: 802.1x, PEAP, Certificates, VLANs
> To: hostap at lists.shmoo.com
> Date: 2009-6-15, 6:42
> Hi,
>
> I'm in the planning phase of authentication for our wifi network.
>
> I would like to integrate our existing LDAP authentication with wifi,
> which I've read to understand means using 802.1x authentication. It
> appears that EAP-PEAPv0/MSCHAPv2 is the best match for our
> requirements (i.e. everything supports it).
>
> However I wish to avoid having to create a certificate/pki for a
> RADIUS server, as I wish to avoid having to configure all our clients
> to trust the self-signed CA (especially since we allow employees to
> bring their own laptops/pdas into the office and use the wifi).
>
> So my questions are as follows:
>
> - Is there an 802.1x mechanism that doesn't require use of a server
> certificate, and is supported by hostapd, XP SP3 & Vista?
>
> - What checks does a client perform on the server certificate? Chain
> of trust verification? Do they also look at the server name e.g. If I
> hosted the server on, would I need to set up DNS so that
> resolves to ldap.blah.com as stated on the server certificate?
>
> - Also a quick aside, how well does hostapd support switching a client
> from one vlan to another in real time? i.e. If I wanted to reassign
> their vlan, would I need to forcefully disconnect them from the ap
> first? (can hostapd support forceful disconnections?). Can I do this
> via the control socket/interface?
>
> Regards,
> Mike