802.1x wired and hostapd

Michał Zegan webczat_200
Thu Jun 18 11:38:15 PDT 2015


Switches and routers usually do switching in hardware, not using the Linux
bridge interface?

About those STA events, actually not sure what about EAP logoff. A
station should be deauthorized immediately after a cable is removed.
Although such a command may exist too, right?

On 2015-06-18 at 20:33, Jouni Malinen wrote:
> On Thu, Jun 18, 2015 at 08:03:28PM +0200, Michał Zegan wrote:
>> I am curious if there is going to be sufficient interest,
>> considering that someone may want to make a managed switch with
>> Linux on it, and then it would be really really nice if that
>> would work, at least the first thing.
> 
> I'm not sure. This has come up every now and then (maybe once a
> year or so)..
> 
>> About modifying ebtables I would prefer something like 
>> connect/disconnect scripts, or really listening to events,
>> especially because of nftables, and maybe for other reasons,
>> including people who want full control over layout of their
>> rules. I am interested in all of that without a specific reason,
>> I would even happily play with a multiport Ethernet card or a few
>> Ethernet cards attached to a PC to create a software switch just
>> for fun, but I do not have any of those to ever try that.
> 
> That should be doable already with the current hostapd version.
> hostapd sends AP-STA-CONNECTED and AP-STA-DISCONNECT event messages
> on the control interface whenever a station gets
> authorized/unauthorized. That message includes the MAC address of
> the station.
> 
> NEW_STA control interface command can be used to trigger EAPOL 
> authentication based on link up events detected by an external
> tool.
> 
> If you are interested in getting a convenient test setup for this,
> some of the OpenWrt compatible APs with an integrated 4-5 port
> switch are likely to provide sufficient control to the Linux driver
> to implement something like this. This may require some fine-tuning
> of the bridge parameters and/or the driver to change default mode
> in which those are normally used with one WAN port and four LAN
> ports with hardware switching, but anyway, the actual hardware
> components are likely to support full software control.
> 
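Added example, not part of the original messages or of hostapd: a sketch of the event-listener approach discussed above, turning station authorization events from the control interface into nftables set updates. The table and set names, the function names and the sample lines are assumptions made here; the disconnect event is matched as AP-STA-DISCONNECTED, the string defined in hostapd's wpa_ctrl.h.

```python
import re

# Assumed nftables family/table/set for authorized MACs; not from the thread.
NFT_FAMILY, NFT_TABLE, NFT_SET = "bridge", "dot1x", "authorized_macs"

# An event line has an optional "<level>" prefix, the event name, the station
# MAC, and possibly extra fields after the MAC.
EVENT_RE = re.compile(
    r"^(?:<\d+>)?(AP-STA-CONNECTED|AP-STA-DISCONNECTED)\s+"
    r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})(?:\s|$)"
)

def parse_event(line):
    """Return (event, mac) for a station authorization event, else None."""
    m = EVENT_RE.match(line.strip())
    return (m.group(1), m.group(2).lower()) if m else None

def nft_command(event, mac):
    """Build the argv (no shell involved) that mirrors the event in the set."""
    verb = "add" if event == "AP-STA-CONNECTED" else "delete"
    return ["nft", verb, "element", NFT_FAMILY, NFT_TABLE, NFT_SET, "{", mac, "}"]

def process(lines):
    """Turn event lines into nft commands, skipping no-op state changes."""
    authorized, commands = set(), []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue  # unrelated or malformed message: rules stay untouched
        event, mac = parsed
        connecting = event == "AP-STA-CONNECTED"
        if connecting == (mac in authorized):
            continue  # duplicate connect, or disconnect of an unknown station
        (authorized.add if connecting else authorized.discard)(mac)
        commands.append(nft_command(event, mac))
    return commands, authorized

# Constructed sample input, not captured from a real hostapd instance.
SAMPLE = [
    "<3>AP-STA-CONNECTED 02:00:00:AA:BB:01",
    "<3>AP-STA-CONNECTED 02:00:00:aa:bb:01",         # duplicate
    "<3>CTRL-EVENT-EAP-STARTED 02:00:00:aa:bb:02",   # other event
    "<3>AP-STA-CONNECTED 02:00:00:aa:bb:0",          # truncated MAC
    "AP-STA-CONNECTED 02:00:00:aa:bb:02 extra=constructed",
    "<3>AP-STA-DISCONNECTED 02:00:00:aa:bb:01",
]

if __name__ == "__main__":
    for cmd in process(SAMPLE)[0]:
        print(" ".join(cmd))
```

The commands are returned as argument lists rather than executed, so the MAC check and the duplicate handling can be reviewed before anything is wired to a real ruleset.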