Jacques Caron Jacques.Caron at
Tue Dec 24 20:58:20 EST 2002

At 22:31 24/12/2002, Sergio M. Ammirata wrote:
>I am not suggesting that we do a proprietary key exchanging mechanism. I
>am suggesting that hostapd be enhanced to do what the radius server does
>as far as key rotation. Perhaps starting with a random key for each
>client and keeping track of the key changes per client.

Well then you mean having a RADIUS server built-in :-) Install freeRADIUS 
on the same box and off you go. I don't think putting this functionality in 
hostapd itself would be a good thing; you would need to implement (again) 
the EAP methods, when you could just use a RADIUS server, which is really 
not that hard to set up.

And even if the keys are random (they can be), you *need* to have a master 
session key that has been derived independently by the client and server 
sides of the EAP method based on the credentials (which btw limits the use 
to EAP methods that can actually do that, like EAP TLS, EAP SRP, but not 
EAP MD5 or EAP OTP). And this implies having a credentials database on the 
server side, so putting all this in hostapd would make it a lot bigger 
without much gain if compared to separate hostapd / RADIUS servers on the 
same box (and less flexibility etc.).

> > The big problem with MAC addresses is that they are so easy to change
> > it doesn't even qualify as a security feature, and certainly not for a
> > large-scale setup where you need/use a central auth server.
>I agree that this layer of security is easily hackable. But why discard
>it? It will detour at least the roaming users that are not supposed to
>link to your network.

If it is used as a first step auth (e.g. at association time, before moving 
on to 802.1X for known MAC addresses), it could indeed be a good idea. But 
there might be timing issues with that; I'm not sure a round-trip to a 
possibly remote RADIUS server would be possible within the time allowed for 
the association (but I'm wild guessing here and too lazy to go check the 
spec right now).

BTW, Merry Christmas to everybody!


-- Jacques Caron, IP Sector Technologies
    Join the discussion on public WLAN open global roaming:

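The setup the message argues for (hostapd on the same box as a separate RADIUS server, MAC address check first, then 802.1X with periodic rekeying driven by the RADIUS-derived session key) can be expressed as a hostapd.conf fragment. This is an added example, not a configuration from the thread or from the hostapd project; the interface name, RADIUS address, shared secret, file path and timer values are assumed placeholders, and the option names are those of current hostapd.conf (dynamic WEP, as discussed in 2002), not necessarily the 2002 release.

```ini
# Added example hostapd.conf fragment (assumed values, not from the thread)
interface=wlan0
ssid=example-corp

# Step 1: MAC address check at association time.
# macaddr_acl=2 asks the RADIUS server (MAC as User-Name) for each new
# station; the local accept list is consulted first so known clients
# never wait on the round-trip the message worries about.
macaddr_acl=2
accept_mac_file=/etc/hostapd/hostapd.accept

# Step 2: 802.1X/EAP for stations that passed the MAC check.
# hostapd only relays EAP; the EAP method (EAP-TLS etc.) and the
# credentials database live in the RADIUS server on the same box.
ieee8021x=1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-placeholder

# Per-client key material comes from the MSK the RADIUS server returns
# after a successful EAP exchange; hostapd derives and rotates the
# dynamic WEP keys from it rather than inventing its own scheme.
wep_key_len_broadcast=13
wep_key_len_unicast=13
# rotate the broadcast key every 5 minutes (seconds)
wep_rekey_period=300
# force a full EAP re-authentication (fresh MSK) once per hour
eap_reauth_period=3600
```

The split mirrors the message's point: everything that needs a credentials database or an EAP method implementation stays in the RADIUS server, and hostapd is left with association control and key distribution. A locally listed MAC still goes through 802.1X, so the MAC check only filters obvious strangers and never replaces the credential-based authentication.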