IEEE 802.1X support with Host AP driver


From: Jouni Malinen (jkmaline_at_cc.hut.fi)
Date: 2002-09-01 18:10:10 UTC



Well, here goes the feature freeze.. ;-) Although, most of the changes are in hostapd and the kernel driver needed only some small changes. I'm still trying to get the next release out soon, but it is waiting for reports of crash fixes and I didn't want to leave these in my work directory indefinitely.

I was reading the IEEE 802.1X standard yesterday and ended up implementing an IEEE 802.1X Authenticator for the hostapd daemon. This is not yet complete (state machines are missing, i.e., no packet retransmits, and WEP re-keying is not yet supported). However, the Authenticator and port access controlling seemed to be working fine both with the minimal authentication server included in hostapd (it just requests identity info and authorizes everyone using an IEEE 802.1X Supplicant) and with an external RADIUS server as the authentication server (I'm using FreeRadius and EAP/TLS).

I used only Xsupplicant (from www.open1x.org) in testing. So if anyone would be interested in testing hostapd with IEEE 802.1X and the WinXP Supplicant, I would be interested in hearing whether this works. Even the minimal authentication server should provide useful information and it should be trivial to set up.

The new features are not yet documented (surprise ;-), but the following steps should be enough to get the system running. The source code is available from the CVS repository (http://hostap.epitest.fi/).

# compile Host AP kernel driver with PRISM2_HOSTAPD defined, i.e., to be
# used with user space daemon, hostapd
make pccard EXTRA_CFLAGS="-DPRISM2_HOSTAPD"

# load the newly compiled kernel modules and initialize wlan card

# compile hostapd
cd hostapd
make

# test the minimal authentication
./hostapd -xm wlan0

# associate a station with the AP and use Supplicant to get the port
# authorized

# alternatively, test an external authentication server (RADIUS)
./hostapd -x -o<AP IP addr> -a<RADIUS server IP addr> \
    -s<shared secret AP-auth.serv.> wlan0

# use Supplicant to authenticate with the authentication server; any
# EAP/whatever should do; http://www.missl.cs.umd.edu/wireless/eaptls/
# has useful information about using EAP/TLS with FreeRadius and
# Xsupplicant (just replace Cisco access point with Host AP driver,
# hostapd daemon, and a Prism2 card ;-)

-- 
Jouni Malinen                                            PGP id EFC895FA
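
Added example (not part of the original message and not hostapd code): a Python model of the exchange the minimal authentication server is described as performing, i.e. request the identity, then authorize whoever answers, with the port staying closed until then. Class and function names are hypothetical; the EAPOL and EAP header layouts follow IEEE 802.1X-2001 and RFC 2284.

```python
import struct

# Header layouts from IEEE 802.1X-2001 (EAPOL) and RFC 2284 (EAP).
EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3
EAP_TYPE_IDENTITY = 1

def eapol(ptype, body=b""):
    """EAPOL header: version, packet type, 16-bit body length."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body

def eap(code, ident, type_data=b""):
    """EAP header: code, identifier, 16-bit total length (header included)."""
    return struct.pack("!BBH", code, ident, 4 + len(type_data)) + type_data

def parse_eapol(frame):
    if len(frame) < 4:
        raise ValueError("short EAPOL frame")
    _ver, ptype, length = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + length:
        raise ValueError("truncated EAPOL body")
    return ptype, frame[4:4 + length]

class MinimalAuthenticator:
    """Hypothetical model: one port, no retransmits, accepts any identity."""
    def __init__(self):
        self.authorized = False   # controlled port starts closed
        self.ident = 0            # EAP identifier of the outstanding request
        self.identity = None

    def handle(self, frame):
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_START:
            self.authorized = False
            self.ident = (self.ident + 1) & 0xFF
            request = eap(EAP_REQUEST, self.ident, bytes([EAP_TYPE_IDENTITY]))
            return eapol(EAPOL_EAP_PACKET, request)
        if ptype == EAPOL_EAP_PACKET and len(body) >= 5:
            code, ident, length = struct.unpack("!BBH", body[:4])
            if (code == EAP_RESPONSE and ident == self.ident
                    and 5 <= length <= len(body) and body[4] == EAP_TYPE_IDENTITY):
                self.identity = body[5:length]
                self.authorized = True   # no credential is checked here
                return eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS, ident))
        return None  # anything else is ignored; port state is unchanged
```

Because no credential is verified before the port opens, this mode only exercises the Supplicant and the port control path; access decisions need the external RADIUS setup.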

