hostapd forking and enhancements
ammirata at econointl.com
Tue Jan 7 02:03:09 EST 2003
> -----Original Message-----
> From: hostap-admin at shmoo.com [mailto:hostap-admin at shmoo.com]
> On Behalf Of Jouni Malinen
> Sent: Monday, January 06, 2003 10:58 PM
> To: hostap at shmoo.com
> Subject: Re: hostapd forking and enhancements
> On Mon, Jan 06, 2003 at 02:19:23PM -0500, Sergio M. Ammirata wrote:
> > 1) hostapd should support forking. I have tried to use "hostapd &" on
> > my init scripts in order to get it loaded on startup but as soon as
> > the init script dies the hostapd dies with it.
> Yes, I agree. In addition, hostapd would benefit from an option
> to direct some logging to syslog instead of stdout. These are
> on my todo list..
I think the forking is rather critical since it prevents people from
deploying the software in a production environment. Especially if they are
using it in a custom distro with limited tools.
> > 2) The station authentication currently supports open access and mac
> > address list. It would be very helpful if hostapd would add an option to
> > support the execution of an external bin for authentication. Perhaps
> > it can pass two arguments, the mac of wlan0 and the mac of the station
> > and based on the response from the bin it lets the station in.
> I would pass the interface name and MAC address of the station,
> but yes, something like this has been requested a couple of
> times. Instead of an external program, hostapd could also use
> a RADIUS server directly since there are already routines for
> generating and parsing RADIUS messages.
> However, there is a small issue with external authentication.
> IEEE 802.11 station implementations seem to use quite a small
> timeout value for authentication frames. In other words,
> often there is not enough time to execute a query to the RADIUS
> server or external program. hostapd would need to cache the
> external reply for some time and rely on the station trying
> again. The cached reply could then be used to generate
> an authentication reply quickly enough.
There would have to be a timeout on the cached responses though. Just in
case a MAC is deactivated on the RADIUS server.
> If someone can point me to a specification of which RADIUS
> attributes are used in this kind of authentication query
> (i.e., how to encode the MAC address of the station into
> Access-Request so that the RADIUS server understands it),
> I'll try to add support for it. I can also accept a sniffed
> RADIUS exchange as an alternative for this specification ;-).
I like the idea of RADIUS. Perhaps we can use PAP authentication and
send the station MAC in both the username and password attributes.
I have attached a tcpdump capture of a PAP RADIUS communication between
a pppd daemon and a Microsoft IAS RADIUS server. It includes connect and
disconnect (use tcpdump -r filename to read).
I used "testuser" and "testpassword" in this case.
> Jouni Malinen                                            PGP id EFC895FA
> HostAP mailing list
> HostAP at shmoo.com http://lists.shmoo.com/mailman/listinfo/hostap
Hope this helps,
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 650 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/hostap/attachments/20030107/b7a6514c/attachment.obj
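
The reply cache with a timeout discussed in this message, sketched in C as an added example (not hostapd code and not written by either poster). All function names, the 64-slot table and the 30-second lifetime are assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <time.h>
/* Added illustration, not hostapd code: all names and values are assumptions. */
#define CACHE_SLOTS 64
#define CACHE_TTL   30   /* seconds before a stored reply must be re-checked */
enum auth_state { AUTH_UNKNOWN, AUTH_PENDING, AUTH_ACCEPT, AUTH_REJECT };
struct cache_entry { uint8_t mac[6]; enum auth_state state; time_t stamp; };
static struct cache_entry cache[CACHE_SLOTS];

/* Return the entry for mac, else recycle an empty slot or the oldest one. */
static struct cache_entry *slot_for(const uint8_t mac[6])
{
    struct cache_entry *victim = &cache[0];
    for (int i = 0; i < CACHE_SLOTS; i++) {
        struct cache_entry *e = &cache[i];
        if (e->state != AUTH_UNKNOWN && memcmp(e->mac, mac, 6) == 0)
            return e;
        if (victim->state != AUTH_UNKNOWN &&
            (e->state == AUTH_UNKNOWN || e->stamp < victim->stamp))
            victim = e;
    }
    memcpy(victim->mac, mac, 6);
    victim->state = AUTH_UNKNOWN;
    return victim;
}

/* Per authentication frame. ACCEPT/REJECT: answer at once from the cache.
 * PENDING: query in flight, wait for the station's retry.
 * UNKNOWN: caller starts the external query now (entry becomes PENDING). */
enum auth_state auth_cache_check(const uint8_t mac[6], time_t now)
{
    struct cache_entry *e = slot_for(mac);
    if (e->state != AUTH_UNKNOWN && now - e->stamp >= CACHE_TTL)
        e->state = AUTH_UNKNOWN;  /* expired: a revoked MAC gets re-queried */
    if (e->state != AUTH_UNKNOWN)
        return e->state;
    e->state = AUTH_PENDING;
    e->stamp = now;
    return AUTH_UNKNOWN;
}

/* Store the reply from the external program or RADIUS server. */
void auth_cache_store(const uint8_t mac[6], int accepted, time_t now)
{
    struct cache_entry *e = slot_for(mac);
    e->state = accepted ? AUTH_ACCEPT : AUTH_REJECT;
    e->stamp = now;
}
```

Because PENDING entries expire on the same timer, a lost query is retried instead of leaving the station unanswered indefinitely.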