hostapd and WLAN_STA_PERM

Lubomir Gelo lgelo
Thu Jul 17 05:05:32 PDT 2003


On Wed, 2003-07-16 at 18:00, Jouni Malinen wrote:
> > 2) Format of accept_mac_file could be modified to hold static keys and
> >    hostapd will set keys upon authentication. Modification should (and
> >    will) be backward compatible. Eventually special file could be used.
> 
> I would move this to a separate file from the beginning.. This
> modification should also take into account default(broadcast) WEP key
> configuration and IEEE 802.1X. In other words, it should be possible for
> the user of hostapd to configure static default keys and have hostapd
> send them out for IEEE 802.1X-enabled stations to allow co-existence of
> IEEE 802.1X stations and stations that do not support IEEE 802.1X, but
> can use static WEP keys.

Coexistence of 802.1x stations and static-WEP stations is my goal as
well. We need a file with at least a default key and (optional) keys for
each non-802.1x station capable of using individual per-station keys.
I would like to use a file format that is trivial to create and parse.
Something like:

<algo>	<STA HW address>	<key>		<key_id>

e.g.:

WEP	default			0011223344	2
WEP	01:02:03:04:05:06	s:sta1

For the 802.1x authorized stations both default and individual keys will
be distributed protected by session key. Keys for static WEP stations
will be set and deleted upon authentication.

IMHO some new configuration switches are needed. Hostapd needs to be
told (at least):

1) How to deal with static-WEP stations which don't have an individual
key defined. I mean, when the station is allowed by ACL, isn't authorized
by 802.1x and doesn't have an individual key, what exactly should hostapd
do: disable the port or use the default key? Think of it as
  - "strict mode": everyone not listed in the keyfile has to use 802.1x
or
  - "open mode": 802.1x is encouraged but a static WEP key is sufficient.

2) Whether it should send accounting messages for non-802.1x stations.

There're more issues and things that need to be addressed.

LG

PS: I'm forced to deploy this kind of functionality so I'm undertaking
the modification regardless of whether it will be accepted or not.
Naturally I prefer collaboration and sharing and want to contribute back
to the community.
