Question about hostapd (authenticator) support for wired (Ethernet) clients
Sebastian Weitzel
togg
Mon Mar 27 23:33:46 PST 2006
Zitat von Kuba Konczyk <jakamkon at gmail.com>:
> Hello Sebastian,
> I was not precise.
> 2006/3/27, Sebastian Weitzel <togg at togg.de>:
>> Are you sure about that hostap does PAE functionality for wired interfaces?
> We are talking about Authenticator PAE functionality.
Yep correctly.
>> That means does hostap only allow traffic from and to authenticated
>> stations?
>> AFAIK hostapd does not.
> This is only a part of the Authenticator PAE functionality (IEEE Std
> 802.1X-2004,6.6.3).
> Hostap doesn't block any traffic so every traffic is allowed.In
> practice you will need bridge
> software to control traffic between supplicant's ports and services
> port(s) according to the outcome of the authentication exchange.I'm
> currently working on integrating ebtables filtering rules with hostap
> state machine.The idea is simple: for example when port is in
> unauthorized state we apply filtering rules saying: 'allow only eapol
> traffic between supplicant and the authenticator' and when port
> changes state to authorized we extend it to: 'and forward X traffic
> from supplicant to service port'.I hope this will clear the case:)
It's been a while I've looked in the Standard. However my former
coworker Gunter Burchardt thought about the ebtables solution for
implementing the access control, but he dropped this thought because
of not beeing flexible enough. He implemented it in C instead. See the
ML for more info.
Have a look at his code, it worked quite stable and effective for us.
There were some problems with dropping gone clients if I remember
correctly, but this could be fixed.
I just wanted to append the sources to this email when I noticed that
my archive got corrupt. I will need to find an proper one later.
--
Sebastian Weitzel
More information about the Hostap
mailing list