802.1X Cofiguration query - can 802.1X authentication be optional?

Tue Oct 3 02:28:20 PDT 2006

On Sun, 1 Oct 2006, Jouni Malinen wrote:
> On Sun, Oct 01, 2006 at 11:23:38PM +0100, lloyd wrote:
> > On Wed, 27 Sep 2006, Jouni Malinen wrote:
> > > On Tue, Sep 19, 2006 at 06:11:28PM +0100, lloyd wrote:
> > > > Basically we want to run 802.1X alongside traditional WLAN user
> > > > authentication systems such as NoCat, WifiDog etc which run at the
> > > > transport level.  As such we need to make 802.1X authentication
> > > > 'optional' where failed connections are redirected to a different
> > > > vlan.  We can then run NoCat or whatever on traffic from this
> > > > vlan.
>
> > > This is not yet supported by the open source hostapd. However, I'm
> > > in the process of merging in support for dynamic VLANs into hostapd
> > > from Devicescape tree.
>
> > Thanks for your response, and the good news.  Are you able to provide
> > some sort of timescale for this?
>
> Well, I merged in most of the dynamic VLAN code on Friday, so at least
> that part is in the development branch. However, when thinking about
> this a bit more, I remembered one of the issues that has come up before
> when this kind of functionality has been requested..
>
> IEEE 802.11 Beacon frames have a 'privacy' flag that indicates whether
> encryption is required in the network. This is somewhat problematic
> since some clients refuse to associate with the AP if this flag does not
> match with what they expect (not set for open system; set for WEP/WPA).
> IEEE 802.1X is usually used with encryption and this makes it somewhat
> difficult to work with all clients in a mode where IEEE 802.1X and
> encryption would be optional.
>
> What kind of configuration did you have in mind for the network? Would
> the IEEE 802.1X authenticated stations use WEP (or WPA)?

This pertains to the mixed use of an AP for infrastructure AND open-access
connections, however the infrastructure ones are the only ones to be
authenticated with 802.1X.  Provided encryption can be implemented in
hardware by an Atheros chipset, it can be turned on, yes.

Atheros is new to us, we've been using Linksi for some time until
recently.  So I'm not just saying yes straight away,  But I'm assuming my
understanding of Atheros is correct and they can all do this with ease.

Also I'm wondering, respectfully, if you're asking the correct question -
can a mixed mode AP be run, where 802.1X-authenticated stations use
encryption but stations in the non-authenticated vlan are not encrypted?
If not, the answer is no - we need open access to be unencrypted.  Having
said that we could perhaps share a public WEP key, or make it the SSID, or
similar.  Or maybe we could run multiple VAPs.  We're all volunteers
though, and would need to keep things as simple as possible.

-l