ap_isolate=1 and WPA-Enterprise(EAP-PEAP) is it possible ?

Jouni Malinen j at w1.fi
Thu Jun 11 16:37:27 EDT 2015


On Mon, May 25, 2015 at 02:47:52PM +0200, Marek Grzybowski wrote:
> Recently we tried to enable ap_isolate=1, but it seems that ap_isolate=1 working perfectly in WPA-PSK configuration,
> but is totally ignored in WPA-Enterprise setup .

That should not be the case.. Have you tested this without VLAN setup or
external bridging in place? ap_isolate=1 is only disabling the internal
bridging within mac80211. It would still be possible for something
outside mac80211 to do bridging between netdevs.

> Is it possible to enable ap_isolate on WPA-Enterprise AP mode ?

I don't see why this would be any different between WPA2-Personal and
WPA2-Enterprise, i.e., the difference is much more likely to be
somewhere in the VLAN and/or bridging configuration. If you bridge
together multiple interface or allow bridge to forward frames back to
the same port, mac80211 won't be preventing those externally forwarded
frames from getting through to another station.
 
-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list