Require Authentication?

Jan Ceuleers jan.ceuleers at gmail.com
Wed Jun 24 11:59:25 EDT 2020


On 24/06/2020 02:35, Duane Murphy wrote:
> How do I configure hostapd to _require_ that wired interface access is authenticated?
> 
> I am using a wired interface configuration with the built-in hostapd authentication server.
> 
> I can authenticate with a properly configured Windows client. 
> 
> If I set the client to not use authentication, I can still connect. There are no messages in the hostapd log that anything was even connected.
> 
> What configuration am I missing that will require connections to be authenticated otherwise they will not be allowed to connect?
> 
> Oddly, the client can ping and connect to the server, but the server cannot ping the client.
> 
> * Ubuntu 18.04
> * netplan; renderer: NetworkManager
> * Static address configuration
> 
> The client is configured with a static address for the same network. 

I have no experience with this whatsoever, but as it's been a few hours
since you asked the question I'll give you the benefit of my stab in the
dark :-)

I would say that the machine running hostapd with the wired driver has
to act as a router. That is: you can't use 802.1X to prevent a client from
accessing a LAN it is already physically connected to; the purpose of
the wired authenticator is for it to act as a gatekeeper that
allows/disallows access to a network that is reachable on the other side
of the router/authenticator.

So you'd need separate Ethernet networks or VLANs: one to which the
clients are connected, the other providing connectivity to the resources
you want the clients to authenticate in order to be able to access them.
The router (running hostapd) straddles these networks or VLANs.


