802.1x, PEAP, Certificates, VLANs
smith.not.western at gmail.com
Mon Jun 15 06:42:10 EDT 2009
I'm in the planning phase of authentication for our wifi network.
I would like to integrate our existing LDAP authentication with wifi,
which I've read to understand means using 802.1x authentication. It
appears that EAP-PEAPv0/MSCHAPv2 is the best match for our
requirements (i.e. everything supports it).
However I wish to avoid having to create a certificate/pki for a
RADIUS server, as I wish to avoid having to configure all our clients
to trust the self-signed CA (especially since we allow employees to
bring their own laptops/pdas into the office and use the wifi).
So my questions are as follows:
- Is there an 802.1x mechanism that doesn't require use of a server
certificate, and is supported by hostapd, XP SP3 & Vista?
- What checks does a client perform on the server certificate? Chain
of trust verification? Do they also look at the server name e.g. If I
hosted the server on 10.0.0.1, would I need to set up DNS so that
10.0.0.1 resolves to ldap.blah.com as stated on the server
- Also a quick aside, how well does hostapd support switching a client
from one vlan to another in real time? i.e. If I wanted to reassign
their vlan, would I need to forcefully disconnect them from the ap
first? (can hostapd support forceful disconnections?). Can I do this
via the control socket/interface?
More information about the HostAP