802.1x, PEAP, Certificates, VLANs

WangYue wangyue0921 at yahoo.com.cn
Mon Jun 15 21:54:08 EDT 2009


For the 3rd question, in my opinion, the answer is yes.

Most APs on the market can support VLANs. They assign a specific VLAN
to a given BSS, and assemble BSSes from different APs into the same ESS.
A wireless STA will associate with this ESS when it wants to join
this VLAN. So, if the STA is switched from one VLAN to another, it should
disassociate from the current ESS and associate with the target ESS.

Furthermore, different VLANs may refer to different rights. It is
terrible that several STAs try to associate with the specific ESS all the
time with a 4-way handshake, and the AP they are associated with can not do
anything else.
We can not isolate mcast in one VLAN from another without encryption. The AP
is the boundary node which should strip the VLAN tag. A STA may hear messages
from another VLAN. So encryption and the 4-way handshake are both necessary.


I think binding a BSS to a VLAN is not a good idea. If several
VLANs belong to the same BSS (certainly the same ESS), and the VLANs
match isolated mcast domains by encryption, security is realized.
But when a STA is switched from one VLAN to another, it still needs
disassociation and reassociation and a 4-way handshake to get a new PTK and
GTK.

--- On Mon, 15 Jun 2009, Mike C <smith.not.western at gmail.com> wrote:

> From: Mike C <smith.not.western at gmail.com>
> Subject: 802.1x, PEAP, Certificates, VLANs
> To: hostap at lists.shmoo.com
> Date: Monday, 15 Jun 2009, 6:42 PM
> Hi,
> 
> I'm in the planning phase of authentication for our wifi network.
> 
> I would like to integrate our existing LDAP authentication with wifi,
> which I've read to understand means using 802.1x authentication. It
> appears that EAP-PEAPv0/MSCHAPv2 is the best match for our
> requirements (i.e. everything supports it).
> 
> However I wish to avoid having to create a certificate/PKI for a
> RADIUS server, as I wish to avoid having to configure all our clients
> to trust the self-signed CA (especially since we allow employees to
> bring their own laptops/PDAs into the office and use the wifi).
> 
> So my questions are as follows:
> 
> - Is there an 802.1x mechanism that doesn't require use of a server
> certificate, and is supported by hostapd, XP SP3 & Vista?
> - What checks does a client perform on the server certificate? Chain
> of trust verification? Do they also look at the server name, e.g. if I
> hosted the server on 10.0.0.1, would I need to set up DNS so that
> 10.0.0.1 resolves to ldap.blah.com as stated on the server
> certificate?
> 
> - Also a quick aside, how well does hostapd support switching a client
> from one VLAN to another in real time? i.e. If I wanted to reassign
> their VLAN, would I need to forcefully disconnect them from the AP
> first? (Can hostapd support forceful disconnections?) Can I do this
> via the control socket/interface?
> 
> Regards,
> 
> Mike
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
> 
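For the third question (per-station VLAN assignment and the reassociation it requires), the following hostapd configuration excerpt is an added illustration, not part of either message above: the RADIUS server places each authenticating station on the VLAN it returns, and hostapd then bridges that station onto the matching tagged interface. Interface names, the SSID, the VLAN ids and the secret are assumed values.

```ini
# hostapd.conf excerpt (assumed interface/SSID names; placeholder secret)
interface=wlan0
ssid=corp-wifi
# 802.1X/EAP with RSN, so each station gets its own PTK and a per-VLAN GTK
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
# RADIUS server (10.0.0.1 is the address used in the question)
auth_server_addr=10.0.0.1
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_REAL_SECRET
# Accept the VLAN returned by RADIUS in Tunnel-Type=VLAN,
# Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id=<vlan id>
dynamic_vlan=1
# Wired trunk carrying the tagged VLANs (assumed name)
vlan_tagged_interface=eth0
# Maps VLAN ids to the virtual interfaces stations are bridged onto
vlan_file=/etc/hostapd.vlan

# /etc/hostapd.vlan: "<vlan id> <interface>"; '#' in a name is
# replaced with the id, so "*" covers any VLAN RADIUS hands back
10 vlan10
20 vlan20
* vlan#
```

Because the VLAN is bound at authentication time, moving a station to another VLAN means the RADIUS policy changes and the station re-authenticates; a connected station can be forced to do so from the control interface with `hostapd_cli -i wlan0 deauthenticate <station MAC>`, after which it reassociates, runs a fresh 4-way handshake and receives the new VLAN's GTK.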



