Integrating hostap and iptables

John A. Sullivan III jsullivan at
Mon May 7 13:11:26 EDT 2007

Hello, all, and thank you to those who maintain this project.

We would like to have the device running the hostapd authenticator
dynamically alter iptables rules on itself based upon information
returned by RADIUS about the client.  I am brand new to hostap and
RADIUS but, upon perusing the hostapd.conf file and any documentation I
could find, I did not see a way of running a pre or post authentication
script on the authenticator device.  Is there a way to do so?

Our goal is to create a prototype switch using hostapd, iptables and the
ISCS network security management project (
If we can do what we hope to do, we should be able to achieve true,
perimeterless network security with some pretty startling results like:

1) stop LAN based worms in their tracks even on unpatched workstations
2) thwart man-in-the-middle attacks based upon ARP poisoning without
manually tying MAC addresses to ports
3) prevent intruders who have completely compromised a workstation or
server from escalating privileges even on the LAN

So, the ability to do this kind of integration is quite important to us.
Any help or guidance would be greatly appreciated.  Thanks - John
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at

Financially sustainable open source development

More information about the HostAP mailing list