On Wed, 2024-06-19 at 11:03 +0200, Linus Lüssing wrote:
>
> If a user uses user123@xxxxxxxxxxx they'd be forwarded to
> my-home.net. If customer333@xxxxxxxxxxxxxxxx then to
> vpn-provider.org. These domains wouldn't need to be added to a
> config on the AP due to being determined/parsed on-demand from EAPoL.

This seems ... problematic, to say the least? Who knows they won't
authenticate to pretend@xxxxxxxxxxxxxxxxx? Might want to have an
allow-list or so somewhere? That sort of defeats the purpose though,
but seems somewhat needed?

> 2) Get hostapd + Linux kernel to emit WPA CCMP frames encapsulated
> in an ethernet frame on the Wifi interface.
> 3) Get hostapd to use a wifi AP interface per STA for this, similar
> to WDS mode.

You forgot to mention the part where you _don't_ want the wireless
side to actually have the keys and decrypt the packet, I think?

But that's ... tricky, hardware often requires the keys to do a proper
connection in the first place, and once you have management frame
encryption you also really need it. But then hardware will decrypt
your data frames too.

> 2) Get hostapd to create a special mac80211_hwsim virtual wifi
> interface based on received EAPoL, use it to receive and decrypt the
> WPA CCMP frames from the Linux kernel's WPA encryption/decryption
> code, have hostapd install the PMK to it.

You're confusing the key architecture and how it all works in Linux
enough that I don't even know how to comment on this.

johannes

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
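The allow-list Johannes asks for, as an added example that is not code from the thread or from hostapd: it parses the realm out of an EAPOL-encapsulated EAP-Response/Identity (NAI form user@realm) and only forwards to realms that an operator has explicitly configured, so an identity like pretend@some-other-domain is dropped rather than routed. The EAPOL/EAP layout follows 802.1X and RFC 3748; the realm table and the sample identities are constructed for the example.

```python
import re
import struct

# Constructed operator allow-list: realm parsed from the EAP identity -> forwarding target.
# Anything not listed here is refused, which is the point of the allow-list.
ALLOWED_REALMS = {"my-home.net": "my-home.net", "vpn-provider.org": "vpn-provider.org"}


def build_eapol_identity(identity: str) -> bytes:
    """Build an EAPOL(EAP-Packet) frame carrying EAP-Response/Identity (test input only)."""
    ident = identity.encode()
    # EAP header: code=2 (Response), id=1, length, type=1 (Identity)
    eap = struct.pack("!BBHB", 2, 1, 5 + len(ident), 1) + ident
    # EAPOL header: version=2, type=0 (EAP-Packet), body length
    return struct.pack("!BBH", 2, 0, len(eap)) + eap


def parse_identity_realm(frame: bytes):
    """Return (username, realm) from an EAPOL EAP-Response/Identity, or None if malformed."""
    if len(frame) < 9:  # EAPOL header (4) + EAP header (5) at minimum
        return None
    _ver, ptype, elen = struct.unpack("!BBH", frame[:4])
    if ptype != 0:  # only EAPOL type 0 carries an EAP packet
        return None
    eap = frame[4:4 + elen]
    if len(eap) < 5:
        return None
    code, _eid, length, etype = struct.unpack("!BBHB", eap[:5])
    if code != 2 or etype != 1 or length > len(eap):  # must be Response/Identity, length-consistent
        return None
    ident = eap[5:length].decode("utf-8", errors="replace")
    if "@" not in ident:
        return (ident, None)  # bare username, no realm to route on
    user, _, realm = ident.rpartition("@")
    # Realm must look like a DNS name; reject anything else before it reaches a lookup.
    if not re.fullmatch(r"[A-Za-z0-9.-]+", realm):
        return None
    return (user, realm.lower())  # realms compare case-insensitively


def select_forwarding_target(frame: bytes, allowed=ALLOWED_REALMS):
    """Forwarding target for this STA, or None when the realm is missing or not allow-listed."""
    parsed = parse_identity_realm(frame)
    if parsed is None or parsed[1] is None:
        return None
    return allowed.get(parsed[1])
```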