EAP/802.1X authentication without subsequent data confidentiality

Jouni Malinen jkmaline at cc.hut.fi
Wed May 31 22:39:58 EDT 2006


On Thu, Jun 01, 2006 at 12:33:11PM +1000, Rupsky Gill wrote:

> I am using madwifi driver and hostapd to set up an Access Point and
> I am using wpa_supplicant and madwifi for the STA.

madwifi driver interface had some assumptions about hostapd only being
used when data packets are encrypted. I don't remember whether this has
been fixed.

> I am experimenting with some EAP methods. I was wondering if it was
> possible to make hostapd authenticate the STA using EAP-TLS (or any other
> EAP method for that matter) however not encrypt the subsequent data
> exchanges after successful authentication (i.e. not engage in 4-way
> handshake etc.). It should be theoretically possible as authentication and
> confidentiality are two separate security functions.

In theory, yes, it should be possible to configure hostapd to do this.
This requires enabling IEEE 802.1X, but not WPA and not configuring
dynamic WEP key lengths.

> I am a bit lost as to whether it is as easy as changing particular config
> files (hostapd/wpa_supplicant) or whether it would need some code
> modifications?

I haven't tried this with madwifi driver, so I'm not sure whether it
would work without any code changes. For wpa_supplicant, you will need
to set eapol_flags=0 so that it does not require dynamic WEP keys.

-- 
Jouni Malinen                                            PGP id EFC895FA
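
Added example, not part of the original message and not hostapd or wpa_supplicant project code: a small audit that reports when a hostapd.conf ends up in the mode described above (IEEE 802.1X enabled, no WPA, no dynamic WEP key lengths) and whether a wpa_supplicant network still requires dynamic WEP keys. The sample configurations, the interface name and the SSID are constructed; the parser assumes a single BSS and a single network block and does not consider static WEP keys.

```python
def parse_conf(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def as_int(conf, key, default=0):
    try:
        return int(conf.get(key, default))
    except ValueError:
        return default

def link_protection(hostapd_conf):
    """Classify what protects data frames after authentication."""
    conf = parse_conf(hostapd_conf)
    if as_int(conf, "wpa") != 0:
        return "wpa"                    # 4-way handshake, per-station keys
    if as_int(conf, "ieee8021x") != 1:
        return "no-8021x"
    if as_int(conf, "wep_key_len_unicast") or as_int(conf, "wep_key_len_broadcast"):
        return "8021x-dynamic-wep"
    return "8021x-no-encryption"        # STA is authenticated, data is in the clear

def supplicant_requires_wep_keys(supplicant_conf):
    """eapol_flags bit0/bit1 require unicast/broadcast WEP keys; default is 3."""
    return as_int(parse_conf(supplicant_conf), "eapol_flags", 3) & 3 != 0

# Constructed sample: 802.1X on, wpa unset, no wep_key_len_* lines.
HOSTAPD_SAMPLE = """
interface=ath0
driver=madwifi
ssid=test-8021x
ieee8021x=1
"""

# Constructed sample: matching wpa_supplicant network block.
SUPPLICANT_SAMPLE = """
network={
    ssid="test-8021x"
    key_mgmt=IEEE8021X
    eap=TLS
    eapol_flags=0
}
"""

if __name__ == "__main__":
    print(link_protection(HOSTAPD_SAMPLE), supplicant_requires_wep_keys(SUPPLICANT_SAMPLE))
```

A result of `8021x-no-encryption` means EAP only gates association: every data frame after authentication is readable and forgeable by anyone in radio range.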


