Question about hostapd (authenticator) support for wired (Ethernet) clients

Sebastian Weitzel togg at
Tue Mar 28 02:33:46 EST 2006

Quoting Kuba Konczyk <jakamkon at>:

> Hello Sebastian,
> I was not precise.
> 2006/3/27, Sebastian Weitzel <togg at>:
>> Are you sure that hostap does PAE functionality for wired interfaces?
> We are talking about Authenticator PAE functionality.

Yep, correct.

>> That means does hostap only allow traffic from and to authenticated
>> stations?
>> AFAIK hostapd does not.
> This is only a part of the Authenticator PAE functionality (IEEE Std
> 802.1X-2004, 6.6.3).
> Hostap doesn't block any traffic, so all traffic is allowed. In
> practice you will need bridge
> software to control traffic between supplicant's ports and services
> port(s) according to the outcome of the authentication exchange. I'm
> currently working on integrating ebtables filtering rules with the hostap
> state machine. The idea is simple: for example, when a port is in the
> unauthorized state we apply filtering rules saying: 'allow only EAPOL
> traffic between supplicant and the authenticator', and when the port
> changes state to authorized we extend it to: 'and forward X traffic
> from supplicant to service port'. I hope this will clear the case :)

It's been a while since I've looked at the standard. However, my former
coworker Gunter Burchardt thought about the ebtables solution for
implementing the access control, but he dropped this thought because
it was not flexible enough. He implemented it in C instead. See the
ML for more info.

Have a look at his code; it worked quite stably and effectively for us.
There were some problems with dropping gone clients if I remember
correctly, but this could be fixed.
I just wanted to append the sources to this email when I noticed that
my archive got corrupted. I will need to find a proper one later.

Sebastian Weitzel
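
The port-state filtering idea quoted above, sketched as an added example that is not part of the original thread, of hostapd, or of either implementation mentioned: a dry-run generator that prints the ebtables commands for one supplicant port. It assumes a Linux bridge with the authenticator running on the bridge host and filters only frames arriving from the supplicant port; the chain names, interface names and MAC address are constructed.

```shell
#!/bin/sh
# Added example (dry run): prints ebtables commands, applies nothing.
# Assumed setup: Linux bridge, authenticator on the bridge host, ingress only.
# Interface names and the MAC in the demo are constructed.

EAPOL=0x888E                     # EtherType of EAPOL (IEEE 802.1X) frames

# Hypothetical chain naming: one pair of user-defined chains per supplicant port.
in_chain()  { printf 'PAE_IN_%s'  "$1"; }
fwd_chain() { printf 'PAE_FWD_%s' "$1"; }

# Reject anything that is not a colon-separated 48-bit MAC before it reaches a rule.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Unauthorized baseline for a port: EAPOL may reach the authenticator,
# everything else from the port is dropped, nothing is forwarded.
port_setup() {
    cin=$(in_chain "$1"); cfwd=$(fwd_chain "$1")
    echo "ebtables -N $cin"
    echo "ebtables -A $cin -p $EAPOL -j ACCEPT"
    echo "ebtables -A $cin -j DROP"
    echo "ebtables -N $cfwd"
    echo "ebtables -A $cfwd -j DROP"
    echo "ebtables -A INPUT -i $1 -j $cin"
    echo "ebtables -A FORWARD -i $1 -j $cfwd"
}

# Port became authorized: put one ACCEPT ahead of the terminal DROP.
# Args: supplicant port, supplicant MAC, service port.
port_authorize() {
    valid_mac "$2" || { echo "bad MAC: $2" >&2; return 1; }
    echo "ebtables -I $(fwd_chain "$1") 1 -s $2 -o $3 -j ACCEPT"
}

# Port fell back to unauthorized (logoff, timeout, failed reauth):
# delete exactly that ACCEPT; the DROP was never removed, so no open window.
port_unauthorize() {
    valid_mac "$2" || { echo "bad MAC: $2" >&2; return 1; }
    echo "ebtables -D $(fwd_chain "$1") -s $2 -o $3 -j ACCEPT"
}

# Demo with constructed values: eth1 = supplicant port, eth0 = service port.
port_setup eth1
port_authorize eth1 00:11:22:33:44:55 eth0
port_unauthorize eth1 00:11:22:33:44:55 eth0
```

Piping the output of a function to `sh` as root applies the rules; the state changes are a single insert or delete, so the port's forward chain always ends in DROP.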
