Re: Multi-PSK on Hostapd

[michael-dev <michael-dev@xxxxxxxxxxxxx>]

Hi,

maybe you could patch hostapd to accept keyid or vlanid (as in 
http://w1.fi/cgit/hostap/tree/hostapd/hostapd.wpa_psk) from RADIUS 
Access Accept by parsing the radius tunnel attribute tags and thus have 
a psk-dependend vlan id or key id.
Possibly similarly to Tunnel-Client-Auth-ID in 
https://patchwork.ozlabs.org/project/hostap/patch/20210416111825.3895-2-michael-dev@xxxxxxxxxxxxx/ 
.

Regards,
Michael

Am 11.08.2021 22:25, schrieb Colton Conor:
> Steve,
>
> Understood on the full RADIUS 802.1X auth side, but this is for an MDU
> setting where clients are in BYOD, and most of those devices don't
> support 802.1X. So we don't know the client's MAC beforehand, and want
> to give each unit a single passphrase to use for all of their devices
> within that unit.
>
> Is it easy to make custom Access-Request variables in Hostapd? This
> seems to be how commercial vendors are doing this.  Ruckus for
> example:
> https://docs.commscope.com/bundle/unleashed-200.10-onlinehelp/page/GUID-E0AD67EA-91EB-473D-9F14-1C7A3ADC1F1B.html
> and
> https://docs.commscope.com/bundle/unleashed-200.10-onlinehelp/page/GUID-2392DF4B-DBE7-4DD5-868E-6222118BE6D4.html
>
> On Wed, Aug 11, 2021 at 11:44 AM Steve deRosier <derosier@xxxxxxxxx> 
> wrote:
> > Hi Colton,
> >
> >
> > On Tue, Aug 10, 2021 at 7:02 PM Colton Conor <colton.conor@xxxxxxxxx> 
> > wrote:
> > > Michael,
> > >
> > > From the sounds of it, we don't have to convert the passphrase to the
> > > psk format. From what you are saying, HostAPD does that 
> > > automatically?
> >
> > Yes, if the RADIUS server sends the plain-text passphrase, hostapd 
> > does the right thing automatically.
> >
> > > How does this work if you don't know the MAC address of the client
> > > beforehand, and only want to authenticate them based on the 
> > > passphrase
> > > they entered? The passphrases would have to be stored on the radius
> > > server already, but they wouldn't already be associated with a MAC
> > > address.
> >
> >
> > The short answer is you can't.  Not without non-trivial changes to the 
> > code on both ends, and even then it's tricky and has various problems.
> >
> > What most people do at the point you're talking about is implement a 
> > full RADIUS 802.1X auth system. Usually requires certificates and 
> > other things managed by IT.  But if you're giving personal PSKs to 
> > people, and managing that in RADIUS anyway, so you're already managing 
> > tokens for people.  There's extensive documentation, online articles, 
> > and books written on the subject, so you should start there.
> >
> > - Steve
>
> _______________________________________________
> Hostap mailing list
> Hostap@xxxxxxxxxxxxxxxxxxx
> http://lists.infradead.org/mailman/listinfo/hostap

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap