Re: 802.1x Problems


From: Jacques Caron (Jacques.Caron_at_IPsector.com)
Date: 2002-10-09 11:31:24 UTC



At 13:17 09/10/2002, Lei chuanhua wrote:
> My understanding is as follows:
>
> 1. Broadcast packets use the old method, just like general WEP.

Yes, but 802.1X allows you to do "broadcast key rotation", i.e. change that key periodically, and inform the stations of that new key via EAPOL-Key messages.

> 2. Unicast packets. 802.1x supplicant will be authenticated to
> Radius server via AP. If successful, supplicant will get one WEP key. At the
> same time, Radius server will send a copy of the same WEP key to AP. So if
> there are many 802.1x supplicants, AP will keep every supplicant's WEP key
> for encryption and decryption. HostAP will do it easily because it uses
> host encryption and can receive and transmit multiple keys.
>
> Now my question is, if we use firmware-based AP, and we can't use
> host encryption (most vendors except Intersil). How does it process
> multiple keys? In general, firmware-based AP can only process one
> key (determined by key index). But in the market, I have seen so many
> vendors support 802.1x, and most of them use firmware-based AP. I guess
> that firmware-based AP will do it like HostAP with 802.1x support. But I
> am not sure.

Many firmware versions allow for per-client keys (key mapping keys they're called -- this has been part of the 802.11 spec for a long time, even if it was not always used or implemented by everybody), though the way to do that may not be documented (for the general public at least). Even Intersil has a RID to set those keys (FC29 iirc), it's just not clear whether that works in all cases or only if tertiary (ap) firmware is present, or how it works (the format of the data to provide).

Jacques.
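
Added example, not part of the original message and not Host AP code: a Python sketch of the checks a station can apply to an EAPOL-Key message before installing a rotated broadcast key or a per-station key. The field layout follows the RC4 key descriptor of IEEE 802.1X-2001; the function names, the signing key and the sample frame are assumptions constructed for illustration, and decryption of the key material is left out.

```python
import hashlib
import hmac
import struct

EAPOL_KEY = 3                          # EAPOL packet type: EAPOL-Key
RC4_DESCRIPTOR = 1                     # key descriptor type: RC4
HDR = struct.Struct("!BBH")            # version, packet type, body length
DESC = struct.Struct("!BH8s16sB16s")   # type, key length, replay counter, key IV, key index, signature
SIG_OFF = HDR.size + DESC.size - 16    # offset of the 16-byte key signature

def _sign(sign_key, frame):
    """HMAC-MD5 over the whole EAPOL frame with the signature field zeroed."""
    zeroed = frame[:SIG_OFF] + bytes(16) + frame[SIG_OFF + 16:]
    return hmac.new(sign_key, zeroed, hashlib.md5).digest()

def build_eapol_key(sign_key, replay, key_iv, index, unicast, key_len, key_data=b""):
    """AP side: build a signed EAPOL-Key frame (used here to construct sample input)."""
    flags = (0x80 if unicast else 0) | (index & 0x7F)
    body = DESC.pack(RC4_DESCRIPTOR, key_len, replay.to_bytes(8, "big"),
                     key_iv, flags, bytes(16)) + key_data
    frame = HDR.pack(1, EAPOL_KEY, len(body)) + body
    return frame[:SIG_OFF] + _sign(sign_key, frame) + frame[SIG_OFF + 16:]

def parse_eapol_key(frame, sign_key, last_replay):
    """Station side: validate a received frame; raise ValueError if any check fails."""
    if len(frame) < HDR.size + DESC.size:
        raise ValueError("truncated frame")
    _version, ptype, body_len = HDR.unpack_from(frame)
    if ptype != EAPOL_KEY or not DESC.size <= body_len <= len(frame) - HDR.size:
        raise ValueError("not a well-formed EAPOL-Key frame")
    frame = frame[:HDR.size + body_len]          # ignore link-layer padding
    dtype, key_len, replay, key_iv, flags, sig = DESC.unpack_from(frame, HDR.size)
    if dtype != RC4_DESCRIPTOR:
        raise ValueError("unsupported key descriptor")
    if not hmac.compare_digest(sig, _sign(sign_key, frame)):
        raise ValueError("bad key signature")
    counter = int.from_bytes(replay, "big")
    if counter <= last_replay:                   # must be strictly increasing
        raise ValueError("replayed or stale key message")
    return {"replay": counter, "key_len": key_len, "key_iv": key_iv,
            "index": flags & 0x7F, "unicast": bool(flags & 0x80),
            "encrypted_key": frame[HDR.size + DESC.size:]}

if __name__ == "__main__":
    SIGN_KEY = bytes(range(32))   # constructed; stands in for the per-session signing key
    rotation = build_eapol_key(SIGN_KEY, 7, bytes(16), 1, False, 13, b"\xaa" * 13)
    print(parse_eapol_key(rotation, SIGN_KEY, last_replay=6))
```

The top bit of the key index octet separates a per-station (key mapping) key from a broadcast key, so one message format covers both the broadcast key rotation and the per-client keys discussed above.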


