On Thu, Jun 20, 2024 at 11:46:58AM +0800, kinbell4 wrote:
> EAP-TLS does not need trusted AP, certificate will prevent fake server,

EAP-TLS does need a trusted AP: If your RADIUS/TLS server accepts any AP / RADIUS/TLS client with any client certificate then I could set up my own rogue, MitM AP. Then in the final RADIUS Accept message the RADIUS server would send the pairwise-master-key to my rogue AP. And my AP would now be able to see the decrypted frames from/to the WiFi client. And would be able to see and potentially manipulate what the WiFi client tries to access on the internet.

> your design requires AP side to have CCMP key, it is still the same problem,
> any internet traffic will also need to be decrypted before sending to WAN.
>

The original idea was to have no keys on the AP. The WiFi AP would not encrypt/decrypt the packets and would just proxy the encrypted CCMP frames to some remote authenticator which then would decrypt/encrypt instead. For the remote authenticator to have the keys the AP would not only proxy the encrypted payload but would also forward the EAPoL frames to the remote authenticator. The remote authenticator would then run the RADIUS client instead of the WiFi AP.

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap