hostapd forking and enhancements

Sergio Ammirata ammirata at econointl.com
Tue Jan 7 02:03:09 EST 2003


> -----Original Message-----
> From: hostap-admin at shmoo.com [mailto:hostap-admin at shmoo.com]
> On Behalf Of Jouni Malinen
> Sent: Monday, January 06, 2003 10:58 PM
> To: hostap at shmoo.com
> Subject: Re: hostapd forking and enhancements
> 
> 
> On Mon, Jan 06, 2003 at 02:19:23PM -0500, Sergio M. Ammirata wrote:
> 
> > 1) hostapd should support forking. I have tried to use "hostapd &" on
> > my init scripts in order to get it loaded on startup but as soon as
> > the init script dies the hostapd dies with it.
> 
> Yes, I agree. In addition, hostapd would benefit from an option
> to direct some logging to syslog instead of stdout. These are
> on my to-do list.

I think the forking is rather critical since it prevents people from
deploying the software in a production environment, especially if they are
using it in a custom distro with limited tools.

> 
> > 2) The station authentication currently supports open access and mac
> > address list. It would very helpful if hostapd would add an option to
> > support the execution of an external bin for authentication. Perhaps
> > it can pass two arguments, the mac of wlan0 and the mac of the station
> > and based on the response from the bin it lets the station in.
> 
> I would pass the interface name and MAC address of the station,
> but yes, something like this has been requested a couple of
> times. Instead of an external program, hostapd could also use a
> RADIUS server directly since there are already routines for
> generating and parsing RADIUS messages.
> 
> However, there is a small issue with external authentication.
> IEEE 802.11 station implementations seem to use a quite small
> timeout value for authentication frames. In other words,
> often there is not enough time to execute a query to a RADIUS
> server or external program. hostapd would need to cache the
> external reply for some time and rely on the station trying
> again. The cached reply could then be used to generate the
> authentication reply quickly enough.

There would have to be a timeout on the cached responses though, just in
case a MAC is deactivated on the RADIUS server.

> If someone can point me to a specification of which RADIUS
> attributes are used in this kind of authentication query 
> (i.e., how to encode the MAC address of the station into 
> Access-Request so that the RADIUS server understands it), 
> I'll try to add support for it. I can also accept sniffed 
> RADIUS exchange as an alternative for this specification ;-).

I like the idea of RADIUS. Perhaps we can use PAP authentication and
send the station MAC in both the username and password attributes.

I have attached a tcpdump capture of a PAP RADIUS communication between
a pppd daemon and a Microsoft IAS RADIUS server. It includes connect and
disconnect (use tcpdump -r filename to read).

I used "testuser" and "testpassword" in this case.

> 
> -- 
> Jouni Malinen                                            PGP 
> id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at shmoo.com http://lists.shmoo.com/mailman/listinfo/hostap
> 

Hope this helps,

Sergio Ammirata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tcpdump.log
Type: application/octet-stream
Size: 650 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/hostap/attachments/20030107/b7a6514c/attachment.obj 
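The MAC-as-PAP-credential scheme discussed in the thread, as an added example (not hostapd's code nor anything from the attached capture): it builds an RFC 2865 Access-Request that carries the station MAC as both User-Name and a PAP-hidden User-Password, and shows the server-side recovery. The shared secret, NAS-Identifier and MAC are constructed sample values.

```python
import hashlib
import os
import struct

# Constructed example, not hostapd code. RADIUS codes/attribute types per RFC 2865.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """PAP User-Password hiding (RFC 2865 s5.2): NUL-pad to a multiple of 16,
    then XOR each block with MD5(secret + previous block), starting from the
    Request Authenticator. This is obfuscation keyed by the shared secret,
    not real encryption; it is why the secret must stay confidential."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out

def build_access_request(mac: str, secret: bytes, nas_id: str, ident: int,
                         authenticator: bytes = None) -> bytes:
    """Return a full Access-Request with the MAC as User-Name and User-Password."""
    if authenticator is None:
        authenticator = os.urandom(16)  # must be unpredictable per request
    user = mac.lower().encode()
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_USER_PASSWORD, hide_password(user, secret, authenticator))
             + attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server does; strips NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")
```

A real deployment would also need the reply cache with an expiry that Jouni and Sergio discuss, since a station's retry must be answered within the 802.11 authentication timeout.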