MAC based Access restriction


From: Benedikt 'Hunz' Heinz (hunz_at_hunz.org)
Date: 2002-02-11 21:19:57 UTC


Hi everyone!
I hacked a MAC-access list in the driver - there are 3 policies - open, allow, deny:
open - which is default - ignores the list - everyone can auth at the AP
allow - only MACs in the list may auth at the AP
deny - everyone but the MACs from the list may auth at the AP

also it is possible to kick associated STAs from the AP - but this isn't tested very well and no mgmt-msg are yet sent to the STA before removing the STA

i dunno whether there's a better answer on the auth if the MAC is rejected - i currently send a WLAN_STATUS_UNSPECIFIED_FAILURE

the code is quite dirty but it works at least here with my lucent-card as client

i use a chardev to control the list via ioctls (devfs not yet supported):
crw-r--r-- 1 root root 42, 0 Feb 11 17:26 /dev/ap0 (mknod /dev/ap0 c 42 0)
and a procdev (/proc/net/prism2/wlanX/ap_control) to view the policy and MAC-list
there's a tool in the package called ap_ctrl to control the accesslist

maybe it's possible to add it in the original HostAP package with some modifications and cleanups (yes i DO know it's an absolute dirty hack!)

the package can be found here:
http://hunz2.dyndns.org/prism2_ap-ctrl.tar.bz2

feedback, bugfixes, comments & suggestions welcome

another suggestion: the AP-driver logs quite a lot via syslog - maybe it's better to build an event-device (/dev/ap0?) which transfers the events to userspace to a daemon which handles the events? (seems to be better than polling the files in /proc in my eyes)

for example to detect sp00fing in data-packets if addr2 in 802.11b header differs from the src-mac in the ethernet-header - the daemon can get an event then and add the MAC to the deny-list or remove it from the allow-list

-- 
Benedikt 'Hunz' Heinz <hunz_at_hunz.org>
http://hunz.org
ICQ #9138850
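
Added example, not part of the original post or the posted package: a C sketch of the open/allow/deny authentication decision and of the suggested reaction to an addr2 versus Ethernet source mismatch. All type and function names are hypothetical, the MAC addresses are constructed, and acting on addr2 (rather than the Ethernet source) is an assumption.

```c
/* Added illustration; names are hypothetical, not the posted driver's code. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
enum { MAC_LEN = 6, ACL_MAX = 32 };
enum acl_policy { ACL_OPEN, ACL_ALLOW, ACL_DENY };
struct mac_acl { enum acl_policy policy; uint8_t macs[ACL_MAX][MAC_LEN]; size_t count; };
static int acl_find(const struct mac_acl *a, const uint8_t *mac) {
    for (size_t i = 0; i < a->count; i++)
        if (memcmp(a->macs[i], mac, MAC_LEN) == 0) return (int)i;
    return -1;
}
bool acl_add(struct mac_acl *a, const uint8_t *mac) {
    if (acl_find(a, mac) >= 0) return true;   /* already listed */
    if (a->count == ACL_MAX) return false;    /* list full: refuse, never overflow */
    memcpy(a->macs[a->count++], mac, MAC_LEN);
    return true;
}
bool acl_del(struct mac_acl *a, const uint8_t *mac) {
    int i = acl_find(a, mac);
    if (i < 0) return false;
    memmove(a->macs[i], a->macs[--a->count], MAC_LEN); /* fill hole with last entry */
    return true;
}
/* Authentication decision for the three policies. */
bool acl_may_auth(const struct mac_acl *a, const uint8_t *mac) {
    bool listed = acl_find(a, mac) >= 0;
    if (a->policy == ACL_ALLOW) return listed;
    if (a->policy == ACL_DENY) return !listed;
    return true;                              /* open: list is ignored */
}
/* Spoof event: true if addr2 != Ethernet source. Assumption: addr2 is the MAC acted on. */
bool acl_on_data_frame(struct mac_acl *a, const uint8_t *addr2, const uint8_t *eth_src) {
    if (memcmp(addr2, eth_src, MAC_LEN) == 0) return false;
    if (a->policy == ACL_ALLOW) acl_del(a, addr2);     /* remove from allow-list */
    else if (a->policy == ACL_DENY) acl_add(a, addr2); /* add to deny-list */
    return true;                              /* open policy: event is only reported */
}
/* Constructed scenario; returns a bitmask with one bit per check that held. */
int acl_demo(void) {
    const uint8_t sta[MAC_LEN] = {2, 0, 0, 0, 0, 1}, other[MAC_LEN] = {2, 0, 0, 0, 0, 2};
    struct mac_acl a = { .policy = ACL_ALLOW };
    int ok = acl_add(&a, sta) && acl_may_auth(&a, sta) && !acl_may_auth(&a, other);
    ok |= (!acl_on_data_frame(&a, sta, sta)) << 1;                /* matching headers */
    ok |= (acl_on_data_frame(&a, sta, other) && !acl_may_auth(&a, sta)) << 2;
    a.policy = ACL_DENY;                      /* list is empty at this point */
    ok |= (acl_on_data_frame(&a, sta, other) && !acl_may_auth(&a, sta)) << 3;
    return ok;
}
int main(void) { return acl_demo() == 15 ? 0 : 1; }
```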

