Multi-PSK on Hostapd
michael-dev at fami-braun.de
Mon Aug 23 14:18:13 PDT 2021
Maybe you could patch hostapd to accept keyid or vlanid (as in
http://w1.fi/cgit/hostap/tree/hostapd/hostapd.wpa_psk) from RADIUS
Access Accept by parsing the radius tunnel attribute tags and thus have
a psk-dependent vlan id or key id.
Possibly similarly to Tunnel-Client-Auth-ID in
Am 11.08.2021 22:25, schrieb Colton Conor:
> Understood on the full RADIUS 802.1X auth side, but this is for an MDU
> setting where clients are in BYOD, and most of those devices don't
> support 802.1X. So we don't know the client's MAC beforehand, and want
> to give each unit a single passphrase to use for all of their devices
> within that unit.
> Is it easy to make custom Access-Request variables in Hostapd? This
> seems to be how commercial vendors are doing this. Ruckus for
> On Wed, Aug 11, 2021 at 11:44 AM Steve deRosier <derosier at gmail.com>
>> Hi Colton,
>> On Tue, Aug 10, 2021 at 7:02 PM Colton Conor <colton.conor at gmail.com>
>>> From the sounds of it, we don't have to convert the passphrase to the
>>> psk format. From what you are saying, HostAPD does that
>> Yes, if the RADIUS server sends the plain-text passphrase, hostapd
>> does the right thing automatically.
>>> How does this work if you don't know the MAC address of the client
>>> beforehand, and only want to authenticate them based on the
>>> they entered? The passphrases would have to be stored on the radius
>>> server already, but they wouldn't already be associated with a MAC
>> The short answer is you can't. Not without non-trivial changes to the
>> code on both ends, and even then it's tricky and has various problems.
>> What most people do at the point you're talking about is implement a
>> full RADIUS 802.1X auth system. Usually requires certificates and
>> other things managed by IT. But if you're giving personal PSKs to
>> people, and managing that in RADIUS anyway, so you're already managing
>> tokens for people. There's extensive documentation, online articles,
>> and books written on the subject, so you should start there.
>> - Steve
> Hostap mailing list
> Hostap at lists.infradead.org
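
The keyid/vlanid prefixes of the hostapd.wpa_psk file and the passphrase-to-PSK conversion discussed in this thread, as an added example (not code from the thread or from hostapd). The SSID, unit names and passphrases are constructed, and putting both prefixes on one line is an assumption based on the prefix description in the linked sample file.

```python
import hashlib
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
ANY_STA = "00:00:00:00:00:00"  # wildcard MAC: PSK usable by any station

def passphrase_to_psk(passphrase, ssid):
    """WPA2-Personal mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def parse_wpa_psk(text, ssid):
    """Parse hostapd.wpa_psk-style lines into dicts carrying the derived PSK."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts = {"keyid": None, "vlanid": None, "wps": "0"}
        # Optional name=value prefixes come before the MAC address.
        while "=" in line.split(" ", 1)[0]:
            head, _, line = line.partition(" ")
            name, _, value = head.partition("=")
            if name not in opts:
                raise ValueError(f"line {lineno}: unknown prefix {name!r}")
            opts[name] = value
            line = line.lstrip()
        mac, _, secret = line.partition(" ")
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC address {mac!r}")
        if len(secret) == 64:            # 256-bit PSK given as 64 hex digits
            psk = bytes.fromhex(secret)
        elif 8 <= len(secret) <= 63:     # ASCII passphrase, hashed with the SSID
            psk = passphrase_to_psk(secret, ssid)
        else:
            raise ValueError(f"line {lineno}: PSK must be 8..63 chars or 64 hex digits")
        entries.append({
            "mac": mac.lower(), "any_sta": mac == ANY_STA, "keyid": opts["keyid"],
            "vlanid": int(opts["vlanid"]) if opts["vlanid"] else None,
            "psk": psk.hex(),
        })
    return entries

# Constructed sample: one passphrase per unit, each mapped to its own VLAN.
SAMPLE = """\
keyid=unit101 vlanid=101 00:00:00:00:00:00 password
keyid=unit102 vlanid=102 00:00:00:00:00:00 correct horse battery
00:11:22:33:44:55 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for e in parse_wpa_psk(SAMPLE, "IEEE"):
        print(e)
```

Because the SSID is the PBKDF2 salt, the same passphrase yields a different PSK on every SSID, so stored hex PSKs have to be regenerated when the network name changes.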