
Thread: Multiple AUTH Methods on AP




Multiple AUTH Methods on AP
Australia
2007-06-27 08:14:05
Hi,

Is there any way to use multiple authentication methods on single access
point. I mean to use WPA-PSK for certain stations and EAP-TLS for others
on the same AP?

-- 
Cheers,

Nazeer Khan
PhD Student
Networks and Pervasive Computing
National ICT Australia Limited
Phone: +61 2 8374 5554
Mobile: +61 415627442

The imagination driving Australia's ICT future.

_______________________________________________
HostAP mailing list
HostAP@shmoo.com
http://lists.shmoo.com/mailman/listinfo/hostap

Re: Multiple AUTH Methods on AP
United States
2007-06-27 12:04:25
On Wed, Jun 27, 2007 at 11:14:05PM +1000, Nazeer Khan wrote:
> Hi,
>
> Is there any way to use multiple authentication methods on single access
> point. I mean to use WPA-PSK for certain stations and EAP-TLS for others
> on the same AP?

It's possible to have some stations doing EAP-TLS and other stations
doing some other EAP method. The RADIUS server has to decide which EAP
method to use based on the identity in the initial response/identity
that it gets, but that's the way we have our secured network working
here. (It's possible because as far as the AP is concerned, it's just
tunnelling the EAP exchange inside a bunch of RADIUS packets. It
doesn't care what EAP method is being used, as long as all stations use
EAP.)

An SSID can run either EAP or PSK, but (AFAIK) not both. The choice of
EAP or PSK is communicated to the client via the WPA or WPA2 information
element in the beacon and probe-response frames, and AFAIK you can't
have more than one WPA or WPA2 IE. (And I don't think you can have one
of each IE on one SSID, either.)

It's possible to do a PSK/EAP mix if you don't mind setting up multiple
SSIDs, though. Also, depending on your APs, you may have to deal with
VLANs on the wired side. I know that's the way Cisco APs force you to do
different security settings (they assign security settings to a VLAN,
not to an SSID -- but the SSIDs are also assigned to VLANs, so that's
where they get each SSID's security settings from).

As far as the wireless side goes, you can advertise these different
SSIDs in a couple different ways, but the most compatible is probably
multiple-BSSID support (if your APs can do that). But I think the
choice there is independent of whether you need VLANs on the wired side.


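Added example, not part of the original thread: a small parser for the WPA2 (RSN) information element that a client reads from beacons and probe responses to learn whether an SSID uses PSK or EAP. The two sample IEs are constructed byte strings, as a PSK SSID and an EAP SSID on the same AP might advertise them; the older vendor-specific WPA IE is not handled here.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")            # IEEE 802.11 suite selector OUI
AKM_NAMES = {1: "802.1X (EAP)", 2: "PSK"}    # key-management suite types
CIPHER_NAMES = {2: "TKIP", 4: "CCMP"}        # cipher suite types


def _suite(data, off, names):
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if off + 4 > len(data):
        raise ValueError("truncated suite selector")
    oui, kind = data[off:off + 3], data[off + 3]
    if oui != RSN_OUI:
        return f"vendor {oui.hex()}:{kind}"
    return names.get(kind, f"unknown type {kind}")


def _suite_list(data, off, names):
    """Decode a 2-byte little-endian count followed by that many selectors."""
    if off + 2 > len(data):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    suites = [_suite(data, off + 4 * i, names) for i in range(count)]
    return suites, off + 4 * count


def parse_rsn_ie(ie):
    """Parse an RSN IE (element ID 48) up to and including the AKM list."""
    if len(ie) < 4 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN IE")
    body = ie[2:]
    (version,) = struct.unpack_from("<H", body, 0)
    group = _suite(body, 2, CIPHER_NAMES)
    pairwise, off = _suite_list(body, 6, CIPHER_NAMES)
    akm, off = _suite_list(body, off, AKM_NAMES)
    return {"version": version, "group": group,
            "pairwise": pairwise, "akm": akm}


# Constructed samples: ID, length, version, group cipher, pairwise list,
# AKM list, RSN capabilities. They differ only in the AKM suite type.
PSK_SSID_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
EAP_SSID_IE = bytes.fromhex("30140100000fac040100000fac040100000fac010000")

if __name__ == "__main__":
    for name, ie in (("psk-ssid", PSK_SSID_IE), ("eap-ssid", EAP_SSID_IE)):
        print(name, parse_rsn_ie(ie))
```
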
