Wired -802.1x authentication

Scott Armitage s.p.armitage at scottarmitage.eu
Tue Dec 9 18:31:04 EST 2014


> On 9 Dec 2014, at 23:16, Scott Armitage <s.p.armitage at scottarmitage.eu> wrote:
> 
> 
>> On 9 Dec 2014, at 17:26, Sarah Thomas <sarah040.thomas at gmail.com> wrote:
>> 
>> Hi,
>> 
>>  Would like to have a 802.1x authentication on a wired set up , using wpa_supplicant, hostapd code
>> 
>> Wired setup - Supplicant connected via ethernet to Authenticator and Authenticator to radius server is anyways connected via ethernet
>> 
>> Current Setup I have: 3 Ubuntu laptops , one running wpa_supplicant, another running  hostapd as Authenticator and 3rd one as radius server. 802.1x authentication goes through fine.
>> 
>> Hardware requirements:
>> 
>> Since Authenticator(laptop), has only one ethernet port, how do we achieve connecting it to supplicant and server?
> 
> I suppose it depends on what you are trying to achieve.  The simplest way is to use a switch which supports 802.1X authentication.  Why the requirement for a laptop to act as the NAS?


Sorry, misinterpreted / misread your question.  How can one port talk to both supplicant and server?  Short answer, it can’t, long answer maybe.  Short answer, the NAS is authorising the port and therefore can’t really talk to the RADIUS server on the same port it is trying to authorise.  However, it may be possible (although I haven’t tried it, so this is just an idea) to turn the laptop port into a trunk link and connect it to a switch which understands VLANS.  You could then have two VLANs on the trunk, one for talking to the RADIUS server, and one for talking to the supplicant.  However, you would need a switch which supported 802.11Q and if you are getting a switch which supports VLANs why not just get one which can also do 802.1X.  


> 
>> Should we use a hub/Switch or something?
> 
> Using the laptop as the NAS with a hub / switch wouldn’t work.  You need something which can individually authenticate and authorise each port.  If you used the laptop as the NAS, then once one device authenticated, all ports on the switch / would be authorised (because there is no per port control).  Whilst I have not tried it, it maybe possible to use hostapd on a device running OpenWRT to authorise / change the VLAN assignment for individual ports.
> 
> Whilst it sounds like a fun way to waste some hours (getting OpenWRT to do per port authorisations using hostapd as the authenticator), personally, I’d just get a cheap switch which can do 802.1X (perhaps I’m just lazy).  Depends what you want to do, but for a small simple setup something like a Cisco SG 200-08 8-port or HP 1910-8G should do the trick.
> 
> 
> Regards
> 
> Scott Armitage
> 



More information about the HostAP mailing list