Release 1.1.1 TODO

Jouni Malinen jkmaline at cc.hut.fi
Thu Feb 23 04:45:25 CET 2006


On Sun, Feb 12, 2006 at 12:45:48AM -0500, Alan DeKok wrote:

>   Do you think it would be a good idea to develop a client & server
> EAP library?  I know FreeRADIUS has bits & pieces that have been
> severely hacked over time.

Making a number of modules in hostapd/wpa_supplicant more isolated from
each other so that they could be used more easily for other purposes is
certainly an area that I'm interested in and EAP client and server sides
are good candidates for that. In other words, yes, that sounds like a
good idea to me.

Based on a quick look, the current EAP server implementation in hostapd
is quite self-contained. It does require the TLS/crypto wrapper API
hostapd/wpa_supplicant are using, so that would need to be linked in (maybe
as another library). Other than that, EAP code is just using a couple of
generic helper functions (debug printing, etc.) that should not take too
much work to resolve nicely. There is one exception to this in
EAP-SIM/AKA access to external gateways for HLR/AuC access that is
sending and receiving messages and as such, is currently tied into an
event loop implementation. That would need to be changed to use some kind
of abstraction to work with other programs.

The interface from EAP module to "lower layer" is designed based on RFC
4137 and it seems to fit in relatively easily with a RADIUS
authentication server even though some of the terminology may be
somewhat more familiar from IEEE 802.1X.

I have done some experiments with EAP implementation in FreeRADIUS, but
it has been too long since then for me to actually remember any
details, so I would probably need to take a closer look to understand
how that code interacts with the rest of the implementation and how close
that would be to the design used in hostapd.

>  FreeRADIUS also needs an EAP client
> program that does more than radeapclient, and eapol_test doesn't send
> RADIUS attributes.

What do you mean by not sending RADIUS attributes? eapol_test links in
RADIUS authentication client implementation from hostapd (i.e., from a
NAS). It includes the basic attributes needed for 802.11 networks and
802.1X/EAP. However, the attributes are hardcoded in the implementation,
so that is certainly a limitation for some uses (though, so far, I have
never needed more flexibility in projects I've been working with).

>   I had patches sitting somewhere for eapol_test that would link to
> the FreeRADIUS libs & load the dictionaries.  Would you be interested
> in those patches?

If you have them easily available and against a relatively recent
version of eapol_test, it would be interesting to see them. They could
also be of interest for hostapd in the sense of allowing 802.1X
authenticator and RADIUS client to do something more flexible as far as
RADIUS attributes are concerned.

-- 
Jouni Malinen                                            PGP id EFC895FA
