Using wpa_supplicant and hostapd over Wired LAN for EAP-SIM

Chaudry Chaudry novalystitag
Fri Sep 7 08:42:21 PDT 2012


Hi Jouni,
Thanks for the quick response. Actually, the main idea of sending EAPOL
packets over UDP is that I want to map the access layer authentication
mechanism to the application layer (just like mimicking the concept of WISPr,
which, for example, handles the EAP packets over the application
layer). The main requirement of using hostapd as a switch/wireless AP is
to avoid the real hardware and have a software-based authenticator/RADIUS
client.

I have found one more link where wpa_supplicant and hostapd are tested on
wired LAN for EAP-PEAP.
http://inl.info.ucl.ac.be/blogs/08-10-01-sample-configurations-hostapd-and-wpa-supplicant-make-it-work-wired-connection

Can we try the same thing with EAP-SIM where:
wpa_supplicant (supplicant) <--> hostapd (authenticator + AAA Server)

I have also played with eapol_test, but it combines the supplicant and
RADIUS client. I am trying to use wpa_supplicant as the EAP-Peer and
hostapd as the EAP-Authenticator (standalone or with a co-located AAA Server). If
hostapd is used as EAP-Authenticator only, then it is flexible to use it
with an external AAA Server, e.g. FreeRadius.

wpa_supplicant (supplicant) <--> hostapd (authenticator) <----> FreeRadius (AAA Server)

Any suggestions for that?

BR,
A.Chaudry


On Fri, Sep 7, 2012 at 4:25 PM, Jouni Malinen <j at w1.fi> wrote:

> On Fri, Sep 07, 2012 at 02:19:54PM +0200, Chaudry Chaudry wrote:
>
> > I am planning to use wpa_supplicant and hostapd on the wired LAN for
> > EAP-SIM testing.
>
> > *CONFIG_CTRL_IFACE_UDP=y*
> >
> >
> > Normally the EAPOL packets are transported between authenticator and
> > supplicant and they are encapsulated within Ethernet frames directly. Now
> > from the above parameter, are we changing the control interface to UDP over
> > which the EAPOL packets are encapsulated first or what?
>
> No, that has nothing to do with EAPOL - it controls which communication
> mechanism is used with the control interface that wpa_supplicant
> provides for external programs like wpa_cli.
>
> > In the
> > wpa_supplicant and hostapd, is it possible to send the eapol packets over
> > UDP between EAP-Peer and authenticator ?
>
> No, that is not supported. Why would you want to send EAPOL packets over
> UDP?
>
> > Secondly, is it possible to use the hostapd as switch (authenticator)
> > instead of real switch for EAP-SIM testing over wired LAN.  From the
> > documentation, it can be guessed that hostapd can be configured as
> > standalone switch as well. Did anybody try that so far?
>
> While it would be possible to implement a managed wired switch with
> hostapd used as the authenticator, this would require additional
> components to control the IEEE 802.1X port to block frames.
>
> Do you have a particular reason for running this over wired LAN and to
> do that with full IEEE 802.1X capable switch design? What exactly are
> you trying to test? If you are just looking for a test setup for EAP-SIM
> testing, there are much simpler ways of doing that with hostapd and
> wpa_supplicant (or eapol_test for that matter).
>
> --
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
>
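
The point made in the quoted exchange, that EAPOL is carried directly in Ethernet frames and not over UDP, shown as an added example (not from this thread or from the hostap project): a parser that accepts only EtherType 0x888E frames and decodes the EAPOL and EAP headers down to the EAP-SIM subtype. The sample frame and MAC addresses are constructed; the function and constant names are assumptions of this example.

```python
import struct

ETH_P_PAE = 0x888E                                # EtherType for IEEE 802.1X (EAPOL)
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")    # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "Start", 2: "Logoff", 3: "Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_SIM = 18                                 # EAP-SIM method type (RFC 4186)
SIM_SUBTYPES = {10: "Start", 11: "Challenge", 12: "Notification",
                13: "Re-authentication", 14: "Client-Error"}


def parse_eapol_frame(frame: bytes) -> dict:
    """Decode Ethernet -> EAPOL -> EAP headers of one raw layer-2 frame."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL headers")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_PAE:
        # IPv4 (0x0800) and anything on top of it, UDP included, ends up here.
        raise ValueError(f"not EAPOL: EtherType 0x{ethertype:04x}")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]        # slicing drops Ethernet padding
    if len(body) != body_len:
        raise ValueError("truncated EAPOL body")
    info = {"to_pae_group": dst == PAE_GROUP_ADDR, "src": src.hex(":"),
            "eapol_version": version,
            "eapol_type": EAPOL_TYPES.get(ptype, "unknown")}
    if ptype == 0:                        # EAPOL body carries an EAP packet
        if body_len < 4:
            raise ValueError("EAP header missing")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if not 4 <= eap_len <= body_len:
            raise ValueError("EAP length disagrees with EAPOL length")
        info.update(eap_code=EAP_CODES.get(code, "unknown"), eap_id=ident)
        if code in (1, 2) and eap_len >= 5:   # only Request/Response have a type
            info["eap_type"] = body[4]
            if body[4] == EAP_TYPE_SIM and eap_len >= 8:
                info["sim_subtype"] = SIM_SUBTYPES.get(body[5], "unknown")
    return info


# Constructed sample: EAP-Request/SIM/Start with AT_VERSION_LIST (version 1).
SAMPLE_FRAME = bytes.fromhex(
    "0180c2000003" "020000000001" "888e"      # Ethernet: dst, src, EtherType
    "02000010"                                # EAPOL: v2, EAP-Packet, length 16
    "01010010" "120a0000"                     # EAP: Request id=1 len=16, SIM/Start
    "0f02000200010000")                       # AT_VERSION_LIST attribute

if __name__ == "__main__":
    print(parse_eapol_frame(SAMPLE_FRAME))
```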