hostapd - what "eap_authenticator" option actually is for?

Ajeet Nankani fromkth+hostap at fastmail.fm
Thu Mar 17 06:50:13 EST 2005


Jouni Malinen wrote:
> On Wed, Mar 16, 2005 at 11:16:50AM +0100, Ajeet Nankani wrote:
> 
> 
>>At least for me it was a little bit confusing also in the beginning, this 
>>eap_authenticator and then using this integrated eap_authenticator as a 
>>radius for other APs in DS.
>>
>>To make it more clear, I suggest Jouni to make a separate section in 
>>hostapd.conf file for this integrated radius server and name the section 
>>as INTEGRATED RADIUS SERVER, in which we move following options.
>>
>>eap_authenticator
>>ca_cert=/etc/hostapd.ca.pem
>>server_cert=/etc/hostapd.server.pem
>>private_key=/etc/hostapd.server.prv
>>private_key_passwd=secret passphrase
>>eap_sim_db=/etc/hostapd.sim_db
> 
> 
> Moving these (and eap_user_file) into a separate section sounds
> reasonable, but "integrated radius server" is not a correct name for it.
> This configuration is for (integrated) EAP authenticator, not RADIUS
> server. The RADIUS server can also use this EAP authenticator, but these
> fields are generic to the EAP authenticator which can be used both
> without RADIUS and with RADIUS.
> 
> 
>>and if possible rename eap_authenticator as "integrated_radius_server"
> 
> 
> I do not agree with this change, eap_authenticator is used to enable EAP
> authentication that can be used as an integrated authentication
> server (without RADIUS) and/or EAP authenticator for a RADIUS server
> that other devices can use. In other words, this option does not enable
> RADIUS server (but it is needed for the RADIUS server).
> 

I understand that it does not enable RADIUS server, but it does enable 
minimal RADIUS-like functionality in authenticator, or to keep it 
simple (to hide which part in AP enables this functionality) we can say 
that this option enables very minimal RADIUS AS in AP, in that case its 
name should reflect what it does. See my comments below to support name 
changing.

My understanding is that Authenticator is an element in AP which relays 
EAP packets from STA to AS (whether co-located or external). But this 
Authenticator is enabled automatically when 802.1x is enabled, hence 
eap_authenticator option has nothing to do with enabling of AP 
authenticator itself, but name "eap_authenticator" of this option 
suggests otherwise.
Am I right here?

So we should use a name which reflects what it does. Maybe the name I 
suggested before is not a good candidate, but we can find some other 
suitable name. What about "co_located_minimal_RADIUS_AS"?

-ajeet.


