Re: 802.1x Problems

From: Jouni Malinen (
Date: 2002-10-10 04:13:23 UTC

On Wed, Oct 09, 2002 at 07:17:43PM +0800, Lei chuanhua wrote:

> 2. Unicast packets. 802.1x supplicant will be authenticated to radius server via AP. if success, supplicant will get one WEP key. At the same time, Radius server will send one same WEP key copy to AP. So if there are many 802.1x supplicants, AP will keep every supplicant WEP key for encryption and decryption. HostAP will do it easily because it use host encryption and can receive and transmit mulitple keys.

Authentication server (usually RADIUS server) does not generate or send WEP keys. It sends a key pair both to station and AP. After this, AP generates the WEP keys and delivers the needed keys to the station encrypted with the keys from authentication server. Other than this detail, you description is correct.

> Now my question is, if we use firmware-based AP, and we can't use host encryption(most verdors except intersil). How does it process mulitple keys? In general, firmware -based AP can only proccess one key(determined by key index). But in the market, I have seen so many vendors support 802.1x, and most of them use firmware -based AP. I guess that Fimware-based AP will do it like hostAP with 802.1x support. But I am not sure.

If the AP performs WEP encryption/decryption in WLAN card hardware, the AP firmware (that is quite often downloaded into card RAM) must support key mapping. If not, they can use similar method that the Host AP driver.

> Is corrent my understanding of 802.1x implementation? If not, is is possible to implement 802.1x above driver without firmware support for multiple session keys?

You will need some support from the firmware--either support for WEP key mapping or support for host-based encryption.

Jouni Malinen                                            PGP id EFC895FA

This archive was generated by hypermail 2.1.4.