Multi-PSK on Hostapd

michael-dev michael-dev at fami-braun.de
Mon Aug 23 14:18:13 PDT 2021


Hi,

maybe you could patch hostapd to accept keyid or vlanid (as in 
http://w1.fi/cgit/hostap/tree/hostapd/hostapd.wpa_psk) from RADIUS 
Access Accept by parsing the radius tunnel attribute tags and thus have 
a psk-dependent vlan id or key id.
Possibly similarly to Tunnel-Client-Auth-ID in 
https://patchwork.ozlabs.org/project/hostap/patch/20210416111825.3895-2-michael-dev@fami-braun.de/ 
.

Regards,
Michael

On 11.08.2021 22:25, Colton Conor wrote:
> Steve,
> 
> Understood on the full RADIUS 802.1X auth side, but this is for an MDU
> setting where clients are in BYOD, and most of those devices don't
> support 802.1X. So we don't know the client's MAC beforehand, and want
> to give each unit a single passphrase to use for all of their devices
> within that unit.
> 
> Is it easy to make custom Access-Request variables in Hostapd? This
> seems to be how commercial vendors are doing this.  Ruckus for
> example:
> https://docs.commscope.com/bundle/unleashed-200.10-onlinehelp/page/GUID-E0AD67EA-91EB-473D-9F14-1C7A3ADC1F1B.html
> and
> https://docs.commscope.com/bundle/unleashed-200.10-onlinehelp/page/GUID-2392DF4B-DBE7-4DD5-868E-6222118BE6D4.html
> 
> On Wed, Aug 11, 2021 at 11:44 AM Steve deRosier <derosier at gmail.com> 
> wrote:
>> 
>> Hi Colton,
>> 
>> 
>> On Tue, Aug 10, 2021 at 7:02 PM Colton Conor <colton.conor at gmail.com> 
>> wrote:
>>> 
>>> Michael,
>>> 
>>> From the sounds of it, we don't have to convert the passphrase to the
>>> psk format. From what you are saying, HostAPD does that 
>>> automatically?
>>> 
>> 
>> Yes, if the RADIUS server sends the plain-text passphrase, hostapd 
>> does the right thing automatically.
>> 
>>> 
>>> How does this work if you don't know the MAC address of the client
>>> beforehand, and only want to authenticate them based on the 
>>> passphrase
>>> they entered? The passphrases would have to be stored on the radius
>>> server already, but they wouldn't already be associated with a MAC
>>> address.
>> 
>> 
>> The short answer is you can't.  Not without non-trivial changes to the 
>> code on both ends, and even then it's tricky and has various problems.
>> 
>> What most people do at the point you're talking about is implement a 
>> full RADIUS 802.1X auth system. Usually requires certificates and 
>> other things managed by IT.  But if you're giving personal PSKs to 
>> people, and managing that in RADIUS anyway, so you're already managing 
>> tokens for people.  There's extensive documentation, online articles, 
>> and books written on the subject, so you should start there.
>> 
>> - Steve
>> 
> 
> _______________________________________________
> Hostap mailing list
> Hostap at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/hostap
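The thread touches two pieces of machinery: the hostapd.wpa_psk multi-PSK file (with its optional keyid= and vlanid= prefixes and the anonymous 00:00:00:00:00:00 MAC that lets a per-unit passphrase work for any device), and the idea of pulling a VLAN ID out of a tagged RADIUS tunnel attribute in the Access-Accept. The following Python is an added example written for this page; it is not hostapd code and not the patch Michael proposes. It assumes the hostapd.wpa_psk line format linked above, the WPA2 passphrase-to-PSK derivation from IEEE 802.11 (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds), and the RFC 2868 tag rule for Tunnel-Private-Group-ID (a first octet in 0x01..0x1F is a tag, anything else is data). The function names and sample lines are constructed for illustration.

```python
"""Added example: model hostapd.wpa_psk entries and RADIUS tunnel-attribute tags.
Not hostapd code; the RADIUS-to-wpa_psk mapping is only an illustration of the
parsing step suggested in the thread."""
import hashlib
import re

MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")
ANY_MAC = "00:00:00:00:00:00"  # hostapd.wpa_psk: anonymous entry any station may use
HEX = set("0123456789abcdefABCDEF")


def passphrase_to_psk(passphrase: str, ssid: str) -> str:
    """The 256-bit PSK hostapd derives itself when given a plain-text passphrase
    (IEEE 802.11: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32).hex()


def parse_wpa_psk_line(line: str) -> dict:
    """Parse one hostapd.wpa_psk line:
       [keyid=<string>] [vlanid=<id>] <MAC> <64-hex PSK | 8..63 char passphrase>
    Leading key=value options may come in either order; the secret is the rest
    of the line after the MAC, so a passphrase may contain spaces."""
    entry = {"keyid": None, "vlanid": None}
    rest = line.strip()
    while True:
        head, _, tail = rest.partition(" ")
        if head.startswith("keyid="):
            entry["keyid"] = head[len("keyid="):]
        elif head.startswith("vlanid="):
            entry["vlanid"] = int(head[len("vlanid="):])
        else:
            break
        rest = tail.lstrip()
    mac, _, secret = rest.partition(" ")
    secret = secret.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address {mac!r}")
    if len(secret) == 64 and set(secret) <= HEX:
        kind = "psk"            # raw 256-bit PSK, used as-is
    elif 8 <= len(secret) <= 63:
        kind = "passphrase"     # hostapd runs PBKDF2 on it per SSID
    else:
        raise ValueError("secret is neither a 64-hex PSK nor an 8..63 char passphrase")
    entry.update(mac=mac.lower(), secret=secret, kind=kind)
    return entry


def split_tunnel_tag(value: bytes):
    """RFC 2868 section 3.6: a first octet in 0x01..0x1F is a tag grouping the
    tunnel attributes of one tunnel; any other first octet belongs to the data."""
    if value and 1 <= value[0] <= 0x1F:
        return value[0], value[1:]
    return None, value


def wpa_psk_entry_from_access_accept(passphrase: str, tpgid: bytes,
                                     keyid: str = None) -> str:
    """Build the hostapd.wpa_psk line a RADIUS-driven AP could emit when the
    Access-Accept carries the unit's passphrase and a tagged
    Tunnel-Private-Group-ID (constructed mapping, not hostapd behaviour)."""
    _tag, group = split_tunnel_tag(tpgid)
    vlanid = int(group.decode("ascii"))  # numeric VLAN only in this example
    parts = [f"keyid={keyid}"] if keyid else []
    parts += [f"vlanid={vlanid}", ANY_MAC, passphrase]
    return " ".join(parts)


# Constructed sample file: one per-unit passphrase usable by any device in the unit.
SAMPLE_WPA_PSK = """\
keyid=unit12 vlanid=112 00:00:00:00:00:00 correct horse battery
vlanid=113 keyid=unit13 00:00:00:00:00:00 staple-for-unit-13
02:aa:bb:cc:dd:ee 0000000000000000000000000000000000000000000000000000000000000000
"""


def load_wpa_psk(text: str) -> list:
    """Parse every non-empty, non-comment line of a hostapd.wpa_psk file."""
    return [parse_wpa_psk_line(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


if __name__ == "__main__":
    for e in load_wpa_psk(SAMPLE_WPA_PSK):
        print(e)
    print(wpa_psk_entry_from_access_accept("correct horse battery", b"\x01112", "unit12"))
```

The parser deliberately rejects a line whose secret has the wrong length rather than guessing, since a silently skipped entry in hostapd.wpa_psk means a unit's devices fail to join with no obvious error. The tag check matters for the RADIUS side: a Tunnel-Private-Group-ID of "112" without a tag starts with 0x31, which is above 0x1F and must be treated as data, whereas "\x01112" carries tag 1 and the VLAN 112.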


