802.1X Cofiguration query - can 802.1X authentication be optional?

Jouni Malinen jkmaline
Sun Oct 1 16:19:58 PDT 2006

On Sun, Oct 01, 2006 at 11:23:38PM +0100, lloyd wrote:
> On Wed, 27 Sep 2006, Jouni Malinen wrote:
> > On Tue, Sep 19, 2006 at 06:11:28PM +0100, lloyd wrote:
> > > Basically we want to run 802.1X alongside traditional WLAN user
> > > authentication systems such as NoCat, WifiDog etc which run at the
> > > transport level.  As such we need to make 802.1X authentication 'optional'
> > > where failed connections are redirected to a different vlan.  We can then
> > > run NoCat or whatever on traffic from this vlan.

> > This is not yet supported by the open source hostapd. However, I'm in
> > the process of merging in support for dynamic VLANs into hostapd from
> > Devicescape tree.

> Thanks for your response, and the good news.  Are you able to provide some
> sort of timescale for this?

Well, I merged in most of the dynamic VLAN code on Friday, so at least
that part is in the development branch. However, when thinking about
this a bit more, I remembered one of the issues that has come up before
when this kind of functionality has been requested..

IEEE 802.11 Beacon frames have a 'privacy' flag that indicates whether
encryption is required in the network. This is somewhat problematic
since some clients refuse to associate with the AP if this flag does not
match with what they expect (not set for open system; set for WEP/WPA).
IEEE 802.1X is usually used with encryption and this makes it somewhat
difficult to work with all clients in a mode where IEEE 802.1X and
encryption would be optional.

What kind of configuration did you have in mind for the network? Would
the IEEE 802.1X authenticated stations use WEP (or WPA)?

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list