Question about hostapd (authenticator) support for wired (Ethernet) clients

Kuba Konczyk jakamkon at gmail.com
Tue Mar 28 03:28:36 EST 2006


Hello,

Do you mean this patch?
http://lists.shmoo.com/pipermail/hostap/2004-December/008719.html

Thanks.
Kuba

2006/3/28, Sebastian Weitzel <togg at togg.de>:
> Quoting Kuba Konczyk <jakamkon at gmail.com>:
>
> > Hello Sebastian,
> > I was not precise.
> > 2006/3/27, Sebastian Weitzel <togg at togg.de>:
> >> Are you sure that hostap does PAE functionality for wired interfaces?
> > We are talking about Authenticator PAE functionality.
>
> Yep, correct.
>
> >> That means does hostap only allow traffic from and to authenticated
> >>  stations?
> >> AFAIK hostapd does not.
> > This is only a part of the Authenticator PAE functionality (IEEE Std
> > 802.1X-2004, 6.6.3).
> > Hostap doesn't block any traffic, so all traffic is allowed. In
> > practice you will need bridge
> > software to control traffic between supplicant's ports and services
> > port(s) according to the outcome of the authentication exchange. I'm
> > currently working on integrating ebtables filtering rules with hostap
> > state machine. The idea is simple: for example when port is in
> > unauthorized state we apply filtering rules saying: 'allow only eapol
> > traffic between supplicant and the authenticator' and when port
> > changes state to authorized we extend it to: 'and forward X traffic
> > from supplicant to service port'. I hope this will clear the case :)
>
> It's been a while since I've looked in the Standard. However my former
> coworker Gunter Burchardt thought about the ebtables solution for
> implementing the access control, but he dropped this thought because
> of not being flexible enough. He implemented it in C instead. See the
> ML for more info.
>
> Have a look at his code, it worked quite stable and effective for us.
> There were some problems with dropping gone clients if I remember
> correctly, but this could be fixed.
> I just wanted to append the sources to this email when I noticed that
> my archive got corrupt. I will need to find a proper one later.
>
>
> --
> Sebastian Weitzel
>
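
The state-driven ebtables filtering described in the quoted text, sketched as an added example that is not part of the original thread or of hostapd. It only prints the commands (dry run); the function names, the `PAE_IN_*`/`PAE_FWD_*` chain names, the interface names and the reading of "X traffic" as IPv4 plus ARP are assumptions.

```shell
#!/bin/sh
# Added example (dry run): prints ebtables commands, does not execute them.
EAPOL=0x888E               # EtherType of EAPOL frames (IEEE 802.1X)
ALLOWED="0x0800 0x0806"    # assumption: "X traffic" = IPv4 and ARP

# One-time setup per supplicant port: dedicated chains hooked into INPUT
# (frames for the authenticator host) and FORWARD (bridged frames).
pae_setup() {
    sup=$1
    echo "ebtables -N PAE_IN_$sup"
    echo "ebtables -N PAE_FWD_$sup"
    echo "ebtables -A INPUT -i $sup -j PAE_IN_$sup"
    echo "ebtables -A FORWARD -i $sup -j PAE_FWD_$sup"
    echo "ebtables -A FORWARD -o $sup -j PAE_FWD_$sup"
}

# pae_rules STATE SUPPLICANT_IF SERVICE_IF
# Called on every port state change reported by the authenticator.
pae_rules() {
    state=$1 sup=$2 svc=$3
    case $state in
        unauthorized|authorized) ;;
        *) echo "pae_rules: unknown state '$state'" >&2; return 1 ;;
    esac
    # Flush first so nothing from the previous state survives.
    echo "ebtables -F PAE_IN_$sup"
    echo "ebtables -F PAE_FWD_$sup"
    # EAPOL to the authenticator is allowed in both states
    # (initial authentication, re-authentication, logoff).
    echo "ebtables -A PAE_IN_$sup -p $EAPOL -j ACCEPT"
    echo "ebtables -A PAE_IN_$sup -j DROP"
    if [ "$state" = authorized ]; then
        for proto in $ALLOWED; do
            echo "ebtables -A PAE_FWD_$sup -i $sup -o $svc -p $proto -j ACCEPT"
            echo "ebtables -A PAE_FWD_$sup -i $svc -o $sup -p $proto -j ACCEPT"
        done
    fi
    # Default deny: anything not explicitly allowed above is dropped.
    echo "ebtables -A PAE_FWD_$sup -j DROP"
}
```

Applying the printed commands one at a time leaves a short window after the flush in which the per-port chain is empty and the built-in chain's policy decides; ebtables' `--atomic-file` and `--atomic-commit` options load a prepared table in one step.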


