Multi-PSK on Hostapd

michael-dev michael-dev at
Mon Aug 23 14:18:13 PDT 2021


Maybe you could patch hostapd to accept keyid or vlanid (as in from RADIUS 
Access Accept by parsing the radius tunnel attribute tags) and thus have 
a psk-dependent vlan id or key id.
Possibly similarly to Tunnel-Client-Auth-ID in 


On 11.08.2021 22:25, Colton Conor wrote:
> Steve,
> Understood on the full RADIUS 802.1X auth side, but this is for an MDU
> setting where clients are in BYOD, and most of those devices don't
> support 802.1X. So we don't know the client's MAC beforehand, and want
> to give each unit a single passphrase to use for all of their devices
> within that unit.
> Is it easy to make custom Access-Request variables in Hostapd? This
> seems to be how commercial vendors are doing this.  Ruckus for
> example:
> and
> On Wed, Aug 11, 2021 at 11:44 AM Steve deRosier <derosier at> 
> wrote:
>> Hi Colton,
>> On Tue, Aug 10, 2021 at 7:02 PM Colton Conor <colton.conor at> 
>> wrote:
>>> Michael,
>>> From the sounds of it, we don't have to convert the passphrase to the
>>> psk format. From what you are saying, HostAPD does that 
>>> automatically?
>> Yes, if the RADIUS server sends the plain-text passphrase, hostapd 
>> does the right thing automatically.
>>> How does this work if you don't know the MAC address of the client
>>> beforehand, and only want to authenticate them based on the 
>>> passphrase
>>> they entered? The passphrases would have to be stored on the radius
>>> server already, but they wouldn't already be associated with a MAC
>>> address.
>> The short answer is you can't.  Not without non-trivial changes to the 
>> code on both ends, and even then it's tricky and has various problems.
>> What most people do at the point you're talking about is implement a 
>> full RADIUS 802.1X auth system. Usually requires certificates and 
>> other things managed by IT.  But if you're giving personal PSKs to 
>> people, and managing that in RADIUS anyway, you're already managing 
>> tokens for people.  There's extensive documentation, online articles, 
>> and books written on the subject, so you should start there.
>> - Steve
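Added example, not part of the original thread and not hostapd's own code: the standard WPA2-Personal passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1 salted with the SSID, 4096 iterations, 256 bits), which is the conversion Steve's reply says hostapd performs when RADIUS returns a plain-text passphrase. The function names, the SSID and the per-unit passphrases are constructed for illustration; the uniqueness check reflects the MDU case in the thread, where a unit can only be told apart by its PSK.

```python
import hashlib


def passphrase_to_psk(passphrase: str, ssid: bytes) -> bytes:
    """WPA2-Personal mapping: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid, 4096, 32)


def per_unit_psks(unit_passphrases: dict, ssid: bytes) -> dict:
    """Map each unit to its PSK (hex) and reject passphrases shared by two units.

    Without a known client MAC, the PSK is the only thing that identifies
    the unit, so two units with the same passphrase would be indistinguishable.
    """
    psk_owner = {}
    result = {}
    for unit, passphrase in unit_passphrases.items():
        psk = passphrase_to_psk(passphrase, ssid).hex()
        if psk in psk_owner:
            raise ValueError(f"{unit} and {psk_owner[psk]} share a passphrase")
        psk_owner[psk] = unit
        result[unit] = psk
    return result


# Constructed sample data (hypothetical SSID and unit passphrases).
SAMPLE_SSID = b"ExampleMDU"
SAMPLE_UNITS = {
    "unit-101": "correct horse 101",
    "unit-102": "battery staple 102",
}

if __name__ == "__main__":
    for unit, psk in per_unit_psks(SAMPLE_UNITS, SAMPLE_SSID).items():
        print(unit, psk)
```

Because the SSID is the salt, the same passphrase yields a different PSK on a different SSID, so any precomputed PSKs have to be regenerated if the network name changes.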