On Sun, Feb 12, 2006 at 12:45:48AM -0500, Alan DeKok wrote:
Do you think it would be a good idea to develop a client & server EAP library? I know FreeRADIUS has bits & pieces that have been severely hacked over time.
Making number of modules in hostapd/wpa_supplicant more isolated from eachother so that they could be used more easily for other purposes is certainly an area that I'm interested in and EAP client and server sides are good candidates for that. In other words, yes, that sounds like a good idea to me. Based on a quick look, the current EAP server implementation in hostapd is quite self contained. It does require the TLS/crypto wrapper API hostapd/wpa_supplicant are using, so that would need to linked in (maybe as another library). Other than that, EAP code is just using couple of generic helper functions (debug printing, etc.) that should not take too much work to resolve nicely. There is one exception to this in EAP-SIM/AKA access to external gateways for HLR/AuC access that is sending and receiving messages and as such, is currently tied into an event loop implementation. That would need to changed to use some kind of abstraction to work with other programs. The interface from EAP module to "lower layer" is designed based on RFC 4137 and it seems to fit in relatively easily with a RADIUS authentication server even though some of the terminology may be somewhat more familiar from IEEE 802.1X. I have done some experiments with EAP implementation in FreeRADIUS, but it has been too long from this that I would actually remember any details, so I would probably need to take a closer look to understand how that code interacts with rest of the implementation and how close that would be to the design used in hostapd.
FreeRADIUS also needs an EAP client program that does more than radeapclient, and eapol_test doesn't send RADIUS attributes.
What do you mean with not sending RADIUS attributes? eapol_test links in RADIUS authentication client implementation from hostapd (i.e., from a NAS). It includes the basic attributes needed for 802.11 networks and 802.1X/EAP. However, the attributes are hardcoded in the implementation, so that is certainly a limitation for some uses (though, so far, I have never needed more flexibility in projects I've been working with).
I had patches sitting somewhere for eapol_test that would link to the FreeRADIUS libs & load the dictionaries. Would you be interested in those patches?
If you have them easily available and against a relatively recent version of eapol_test, it would be interesting to see them. They could also be of interest for hostapd in the sense of allowing 802.1X authenticator and RADIUS client to do something more flexible as far as RADIUS attributes are concerned. -- Jouni Malinen PGP id EFC895FA