[RFC] [PATCHv7] Use radius supplied PSK / Passphrase for WPA-PSK

michael-dev at fami-braun.de michael-dev at fami-braun.de
Tue Dec 6 05:32:24 EST 2011


Hi,                                                                                                                                                                                                            
                                                                                                                                                                                                               
I wanted to use the per-device-PSK (WPA) feature in conjunction with a radius server that does the authorization checking and should supply the psk.                                                           
I found RouterOS to have a feature like this (Miktronik-Wireless-PSK or so radius attribute) but no source and a hint on this mailing list                                                                     
that it should not be difficult to implement.                                                                                                                                                                  
Please find a patch against git head attached that compiles fine and is currently under testing.                                                                                                               
                                                                                                                                                                                                               
To use this, one needs to enable the macaddr_acl = RADIUS setting and have wpa_psk_radius=1.                                                                                                                   
For Freeradius, one needs to add                                                                                                                                                                               
 VENDOR          Hostapd        39014                                                                                                                                                                          
 ATTRIBUTE       Hostapd-PSK          1    integer             Hostapd                                                                                                                                         
 ATTRIBUTE       Hostapd-Passphrase          2    string             Hostapd                                                                                                                                   
to the dictionary file and make sure that either Hostapd-Passphrase or Hostapd-PSK (the latter has higher priority) is in the radius reply.                                                                    
The PSK should be supplied hex encoded, the passphrase is turned into a psk by hostapd.                                                                                                                        
The Vendor ID will be changed once assigned by IANA.                                                                                                                                                           

The Service-Type radius attribute is used to easily differentiate between PSK reqests and EAP requests.
                                                                                                                                                                                                               
Regards,                                                                                                                                                                                                       
 M. Braun                                                                                                                                                                                                      
--                                                                                                                                                                                                             
Changes since v1:                                                                                                                                                                                              
 * sent wrong file, changes only apply to documentation part                                                                                                                                                   
Changes since v2:                                                                                                                                                                                              
 * use free enterprise number                                                                                                                                                                                  
Changes since v3:                                                                                                                                                                                              
 * fix typo, make it compile with openwrt                                                                                                                                                                      
Changes since v4:                                                                                                                                                                                              
 * tested on x86, fixed all occuring issues                                                                                                                                                                    
Changes since v5:                                                                                                                                                                                              
 * rebase on git, add Signed-By for Hostapd      
Changes since v6:
 * cleanup psk code doing superflous memcpy/free
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hostapd-add-radius-wsk.diff
Type: text/x-diff
Size: 15296 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/hostap/attachments/20111206/afdad1c9/attachment.diff 


More information about the HostAP mailing list