802.1x, PEAP, Certificates, VLANs

Mike C smith.not.western at gmail.com
Mon Jun 15 06:42:10 EDT 2009


Hi,

I'm in the planning phase of authentication for our wifi network.

I would like to integrate our existing LDAP authentication with wifi,
which I've read to understand means using 802.1x authentication. It
appears that EAP-PEAPv0/MSCHAPv2 is the best match for our
requirements (i.e. everything supports it).

However I wish to avoid having to create a certificate/pki for a
RADIUS server, as I wish to avoid having to configure all our clients
to trust the self-signed CA (especially since we allow employees to
bring their own laptops/pdas into the office and use the wifi).

So my questions are as follows:

- Is there an 802.1x mechanism that doesn't require use of a server
certificate, and is supported by hostapd, XP SP3 & Vista?
- What checks does a client perform on the server certificate? Chain
of trust verification? Do they also look at the server name e.g. If I
hosted the server on 10.0.0.1, would I need to set up DNS so that
10.0.0.1 resolves to ldap.blah.com as stated on the server
certificate?

- Also a quick aside, how well does hostapd support switching a client
from one vlan to another in real time? i.e. If I wanted to reassign
their vlan, would I need to forcefully disconnect them from the ap
first? (can hostapd support forceful disconnections?). Can I do this
via the control socket/interface?

Regards,

Mike


More information about the HostAP mailing list