Dynamic AP selection from WPA_Supplicant

Dan Williams dcbw at redhat.com
Fri Jun 17 08:05:22 PDT 2016

On Fri, 2016-06-10 at 16:09 +0300, Raghavendra M S wrote:
> Hi,
> We have successfully been experimenting with wpa_supplicant on various
> versions of Raspberry Pis for enterprise Wifi authentication
> (802.1x). We now plan to sell our stand-alone (no other user
> interface) Raspberry Pi devices to customers that would deploy these
> in their SME offices. We will embed the Raspberry Pis with
> pre-installed certificates and domain information about our server.
> The network administrator of the SME is required to forward the EAP
> messages to our server by configuring his/her AP. However, we don't
> want to (and cannot) standardize the access point name chosen by the
> SME administrator (the AP would also serve other general purpose
> network access). Therefore, a method for dynamic AP selection is
> needed. We plan to use EAP-TLS as the authentication method. As there
> is no visual or command line interface accessible from the Raspberry Pi,
> we want it to try and connect with all the APs in its vicinity,
> automatically.
> We have thought about different approaches to do this. We found a
> python script that scans the network
> https://sourceforge.net/projects/wpascm/ . However, it still asks the
> user to manually choose the correct AP. We believe that we can modify
> the script to dynamically select the right AP (and EAP server
> combination). A similar approach was to use wpa_cli scan list and
> feed formatted result to wpa_cli to try connecting to different APs.
> Are there any better ways of doing this? Are we missing something?

An external script controlling the supplicant is the best way to
implement this.  The supplicant intentionally does not contain a ton of
policy, since everyone has different requirements for what that policy
should be.

Your modified script would listen for scan results from the supplicant,
create a network block with your TLS configuration (assuming the AP is
TLS capable of course, which you can find out from the scan results)
for each AP in turn, and then "select" that network block.  The
supplicant will try to connect, and your script would probably set a
timer to wait for a successful connection.  If that timer expires, you
would remove that network block and repeat with another AP.

A different approach would be to continuously listen for scan results
and then add a network block with your TLS config to the supplicant for
each AP.  The supplicant will then attempt to connect to each one in
turn, proceeding to the next network block when it fails to connect to
the previous one.

It all depends on your use-case, which is why this is usually left up
to a policy/controller process outside the supplicant itself.
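
An added example, not part of the original message or of the hostap project: a minimal controller for the first approach described above (one TLS network block per 802.1X-capable AP, a timer, removal on timeout), driving wpa_cli. The interface name, identity, certificate paths and server domain are assumed placeholders, and SSIDs that scan_results prints with escapes are skipped.

```python
import subprocess
import time

IFACE = "wlan0"  # assumed interface name
# Assumed placeholder identity, paths and server domain; not from the thread.
TLS_PARAMS = {
    "key_mgmt": "WPA-EAP", "eap": "TLS",
    "identity": '"device@example.invalid"',
    "ca_cert": '"/etc/wpa/ca.pem"',
    "client_cert": '"/etc/wpa/client.pem"',
    "private_key": '"/etc/wpa/client.key"',
    # Pin the expected server name so an unrelated or rogue 802.1X AP fails.
    "domain_suffix_match": '"radius.example.invalid"',
}

def wpa_cli(*args):
    """Run one wpa_cli command and return its trimmed output."""
    cmd = ["wpa_cli", "-i", IFACE, *args]
    return subprocess.run(cmd, capture_output=True, text=True).stdout.strip()

def eap_candidates(scan_output):
    """SSIDs of 802.1X-capable APs from `scan_results`, strongest first."""
    best = {}
    for line in scan_output.splitlines():
        f = line.split("\t")
        if len(f) != 5 or "EAP" not in f[3]:
            continue  # header, non-802.1X AP, or malformed row
        ssid = f[4]
        if not ssid or "\\" in ssid:
            continue  # hidden SSID, or escaped bytes this sketch does not decode
        best[ssid] = max(best.get(ssid, -999), int(f[2]))
    return sorted(best, key=best.get, reverse=True)

def try_ap(ssid, cli=wpa_cli, timeout=30, sleep=time.sleep):
    """Add a TLS network block for ssid, select it, wait; remove it on timeout."""
    net = cli("add_network")
    # Hex form avoids quoting problems with AP-controlled SSID strings.
    cli("set_network", net, "ssid", ssid.encode().hex())
    for key, value in TLS_PARAMS.items():
        cli("set_network", net, key, value)
    cli("select_network", net)
    for _ in range(timeout):
        if "wpa_state=COMPLETED" in cli("status"):
            return net
        sleep(1)
    cli("remove_network", net)
    return None

if __name__ == "__main__":
    wpa_cli("scan")
    time.sleep(5)  # crude wait; a real controller would watch for scan events
    for name in eap_candidates(wpa_cli("scan_results")):
        if try_ap(name):
            break
```

Because the device offers its client certificate to every EAP-capable AP it sees, the ca_cert and domain_suffix_match entries are what keep it from completing authentication against a server other than the intended one.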

