Authentication failed, but I still can send packets through the interface

Jouni Malinen j
Tue Nov 25 03:00:22 PST 2008


On Tue, Nov 25, 2008 at 12:01:31PM +0800, henry1412 wrote:

> I used the following settings to configure 802.1x authentication.
> wpa_supplicant installed in a client device. hostapd installed in an access device. freeradius, mysql and web pages installed in an authentication server. The authorized method was EAP/MD5 for testing.

Are you using wired networks (i.e., IEEE 802.1X for Ethernet)? If yes,
please note that hostapd does not include a port access entity (PAE). In
other words, it does not enforce the port authorized/unauthorized
processing or in any way change how data frames are passed through.

If you want to block the frames on an unauthorized port in a wired
network, you will need to use an external mechanism (e.g., a kernel module
to implement PAE functionality or Linux bridge filtering/ebtables) to do
this and modify the hostapd wired driver wrapper (driver_wired.c) to
configure the external mechanism to block/unblock the port based on IEEE
802.1X authorization state.

-- 
Jouni Malinen                                            PGP id EFC895FA
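
An added example, not part of the original post and not hostapd code: one shape the external ebtables mechanism mentioned in the reply could take, where only EAPOL frames pass on a bridge port until a station is authorized. The function names, the `DOT1X_<port>` chain name, the `APPLY` switch, the per-station source-MAC match, and the sample port and MAC are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not hostapd code). Emulates 802.1X controlled-port behaviour
# on a Linux bridge port with ebtables. Chain and function names are hypothetical.
# Dry run by default: commands are printed. Set APPLY=1 (as root) to execute them.

EAPOL=0x888E                      # EtherType of IEEE 802.1X (EAPOL) frames

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }
chain_for() { printf 'DOT1X_%s' "$1"; }
valid_mac() { printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; }

# Unauthorized state: only EAPOL may enter through the port, the rest is dropped.
port_unauthorized() {
    chain=$(chain_for "$1")
    run ebtables -N "$chain"
    run ebtables -A "$chain" -p "$EAPOL" -j ACCEPT
    run ebtables -A "$chain" -j DROP
    for hook in INPUT FORWARD; do      # frames to the host and frames bridged onward
        run ebtables -A "$hook" -i "$1" -j "$chain"
    done
}

# Authorized: accept data frames from the authenticated station's MAC address
# (assumption of this sketch: authorization is tracked per source MAC).
sta_authorized() {
    valid_mac "$2" || { echo "invalid MAC: $2" >&2; return 1; }
    run ebtables -I "$(chain_for "$1")" 1 -s "$2" -j ACCEPT
}

# Authorization lost (logoff, failed reauthentication): remove the exception.
sta_unauthorized() {
    valid_mac "$2" || { echo "invalid MAC: $2" >&2; return 1; }
    run ebtables -D "$(chain_for "$1")" -s "$2" -j ACCEPT
}

# Constructed sample values: bridge port eth1, locally administered test MAC.
port_unauthorized eth1
sta_authorized   eth1 02:00:00:00:00:01
sta_unauthorized eth1 02:00:00:00:00:01
```

A modified driver_wired.c would have to trigger the equivalent of these calls on each authorization state change. Matching on source MAC is weaker than a true per-port PAE, since the filter trusts whatever address the frame carries.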
