Multiple AUTH Methods on AP

Bryan Kadzban bryan
Wed Jun 27 10:04:25 PDT 2007


On Wed, Jun 27, 2007 at 11:14:05PM +1000, Nazeer Khan wrote:
> Hi,
> 
> Is there any way to use multiple authentication methods on a single access
> point? I mean to use WPA-PSK for certain stations and EAP-TLS for others
> on the same AP?

It's possible to have some stations doing EAP-TLS and other stations
doing some other EAP method.  The RADIUS server has to decide which EAP
method to use based on the identity in the initial response/identity
that it gets, but that's the way we have our secured network working
here.  (It's possible because as far as the AP is concerned, it's just
tunnelling the EAP exchange inside a bunch of RADIUS packets.  It
doesn't care what EAP method is being used, as long as all stations use
EAP.)

An SSID can run either EAP or PSK, but (AFAIK) not both.  The choice of
EAP or PSK is communicated to the client via the WPA or WPA2 information
element in the beacon and probe-response frames, and AFAIK you can't
have more than one WPA or WPA2 IE.  (And I don't think you can have one
of each IE on one SSID, either.)

It's possible to do a PSK/EAP mix if you don't mind setting up multiple
SSIDs, though.  Also, depending on your APs, you may have to deal with
VLANs on the wired side.  I know that's the way Cisco APs force you to do
different security settings (they assign security settings to a VLAN,
not to an SSID -- but the SSIDs are also assigned to VLANs, so that's
where they get each SSID's security settings from).

As far as the wireless side goes, you can advertise these different
SSIDs in a couple different ways, but the most compatible is probably
multiple-BSSID support (if your APs can do that).  But I think the
choice there is independent of whether you need VLANs on the wired side.
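
The following is an added example, not part of the original post: a Python sketch of how a client reads the PSK-or-EAP choice out of the WPA or WPA2 (RSN) information element in a beacon or probe response. The function names and the two sample IE blocks are constructed for illustration.

```python
import struct

# AKM suite selectors (OUI + type): WPA2/RSN uses 00-0F-AC, WPA uses 00-50-F2.
AKM_NAMES = {
    bytes.fromhex("000fac01"): "EAP (802.1X)",
    bytes.fromhex("000fac02"): "PSK",
    bytes.fromhex("0050f201"): "EAP (802.1X)",
    bytes.fromhex("0050f202"): "PSK",
}
WPA_VENDOR_PREFIX = bytes.fromhex("0050f201")  # vendor OUI 00-50-F2, type 1 = WPA IE

def iter_elements(ies: bytes):
    """Yield (element_id, body) from a beacon's tagged-parameter block."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        if len(body) < length:
            raise ValueError("truncated information element")
        yield eid, body
        pos += 2 + length

def akm_suites(body: bytes):
    """Return AKM names from a WPA/RSN body: version, group, pairwise list, AKM list."""
    try:
        (pw_count,) = struct.unpack_from("<H", body, 6)  # after version + group cipher
        akm_off = 8 + 4 * pw_count                       # skip the pairwise cipher list
        (akm_count,) = struct.unpack_from("<H", body, akm_off)
    except struct.error:
        raise ValueError("IE too short for AKM list") from None
    start = akm_off + 2
    if start + 4 * akm_count > len(body):
        raise ValueError("AKM list runs past end of IE")
    sels = [body[start + 4 * i:start + 4 * i + 4] for i in range(akm_count)]
    return [AKM_NAMES.get(s, "unknown " + s.hex()) for s in sels]

def key_management(ies: bytes):
    """Map 'WPA'/'WPA2' to the key management that IE advertises."""
    found = {}
    for eid, body in iter_elements(ies):
        if eid == 48:                                            # RSN (WPA2) IE
            found["WPA2"] = akm_suites(body)
        elif eid == 221 and body.startswith(WPA_VENDOR_PREFIX):  # vendor-specific WPA IE
            found["WPA"] = akm_suites(body[4:])
    return found

# Constructed samples: SSID "lab" with a WPA2 IE, SSID "corp" with a WPA IE.
PSK_SSID = bytes.fromhex("00 03 6c6162 30 14 0100 000fac04 0100 000fac04 0100 000fac02 0000")
EAP_SSID = bytes.fromhex("00 04 636f7270 dd 16 0050f201 0100 0050f202 0100 0050f202 0100 0050f201")
```
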
