Question about hostapd (authenticator) support for wired (Ethernet) clients

Kuba Konczyk jakamkon at gmail.com
Mon Mar 27 17:38:09 EST 2006


Hello Sebastian,
I was not precise.
2006/3/27, Sebastian Weitzel <togg at togg.de>:
> Are you sure that hostap does PAE functionality for wired interfaces?
We are talking about Authenticator PAE functionality.
> That means does hostap only allow traffic from and to authenticated stations?
> AFAIK hostapd does not.
This is only a part of the Authenticator PAE functionality (IEEE Std
802.1X-2004, 6.6.3).
Hostap doesn't block any traffic, so all traffic is allowed. In
practice you will need bridge software to control traffic between
supplicant's ports and services port(s) according to the outcome of
the authentication exchange. I'm currently working on integrating
ebtables filtering rules with hostap state machine. The idea is
simple: for example, when port is in unauthorized state we apply
filtering rules saying: 'allow only eapol traffic between supplicant
and the authenticator' and when port changes state to authorized we
extend it to: 'and forward X traffic from supplicant to service
port'. I hope this will clear the case :)

Regards
Kuba
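
The two rule sets described in the message above, as an added example that is not part of the original post and is not hostapd code. The function name port_rules, the interface names eth1 and eth0, the default EtherTypes for "X traffic" (IPv4 and ARP) and the return-direction ACCEPT rule are assumptions of this example; the script only prints the ebtables commands.

```shell
#!/bin/sh
# Added example (not hostapd code): print the ebtables rules for one
# supplicant port in each 802.1X port state. Nothing is applied.
EAPOL=0x888e    # EtherType of EAPOL frames

# port_rules STATE SUPP_IF SERVICE_IF [ETHERTYPE...]
#   STATE       unauthorized | authorized
#   ETHERTYPE   the "X traffic" to forward once authorized; the default
#               (IPv4 + ARP) is an assumption of this example.
port_rules() {
    [ $# -ge 3 ] || { echo "usage: port_rules STATE SUPP_IF SERVICE_IF [ETHERTYPE...]" >&2; return 2; }
    state=$1 supp=$2 svc=$3
    shift 3
    [ $# -gt 0 ] || set -- 0x0800 0x0806

    case $state in
        unauthorized|authorized) ;;
        *) echo "port_rules: unknown state '$state'" >&2; return 2 ;;
    esac

    # Both states: the authenticator host itself exchanges only EAPOL
    # with the supplicant port.
    echo "ebtables -A INPUT -i $supp -p $EAPOL -j ACCEPT"
    echo "ebtables -A INPUT -i $supp -j DROP"
    echo "ebtables -A OUTPUT -o $supp -p $EAPOL -j ACCEPT"
    echo "ebtables -A OUTPUT -o $supp -j DROP"

    # Authorized only: bridge the selected EtherTypes between the
    # supplicant port and the service port (replies included).
    if [ "$state" = authorized ]; then
        for proto in "$@"; do
            echo "ebtables -A FORWARD -i $supp -o $svc -p $proto -j ACCEPT"
            echo "ebtables -A FORWARD -i $svc -o $supp -p $proto -j ACCEPT"
        done
    fi

    # Both states: everything else through the supplicant port is dropped,
    # so a failure to add ACCEPT rules leaves the port closed.
    echo "ebtables -A FORWARD -i $supp -j DROP"
    echo "ebtables -A FORWARD -o $supp -j DROP"
}

# Constructed interface names: eth1 = supplicant port, eth0 = service port.
port_rules unauthorized eth1 eth0
port_rules authorized eth1 eth0 0x0800 0x0806
```

Because ebtables evaluates rules in order, the previous state's rules for the port have to be deleted (the same lines with -D in place of -A) before the new state's rules are appended.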


