Bairdo / gasket

Gasket is a system that provides authentication and authorisation to the https://github.com/faucetsdn/faucet network controller.

authorised port_acl should match with vlan as well. #81

Open Bairdo opened 6 years ago

Bairdo commented 6 years ago

User logs on (via link022) and is assigned to a VLAN by hostapd (based on what SSID was used). The current ACL does not specify the VLAN, so it might be possible for the same MAC to appear on a different VLAN on the same port and be allowed through when it should be dropped (we've gained access to a VLAN we shouldn't be in).

This relates to issue #38. I'm thinking of adding an auth-vlan value.

3 ways to 'learn' the VLAN a host is/should be on:

  1. Add to hostapd user MIB what SSID or VLAN the user is on. (link022)
  2. RADIUS saving option (wired) #38
  3. Learnt VLAN (wired) (spoofable/timing attack). Could possibly use option 1.
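
The gap described in this issue, as an added example that is not part of the original comment and is not gasket or Faucet code: a simplified first-match model of a port ACL in which an absent match field is a wildcard, comparing a MAC-only allow rule with one that also pins the VLAN. The `auth_vlan` parameter, the default-deny fallthrough, the `audit` helper and all sample values are assumptions made for illustration.

```python
"""Constructed model of first-match port ACL evaluation (not gasket or Faucet code)."""


def rule_matches(match, frame):
    # A field that is absent from the match is a wildcard, as in OpenFlow.
    return all(frame.get(field) == value for field, value in match.items())


def evaluate(acl, frame):
    """Return 'allow' or 'drop' for a frame, using first-match semantics."""
    for rule in acl:
        if rule_matches(rule["match"], frame):
            return "allow" if rule["allow"] else "drop"
    return "drop"  # assumption: the port ACL ends in a default deny


def authorised_rule(mac, auth_vlan=None):
    """Build the allow rule for an authenticated host.

    auth_vlan is hypothetical: it stands for the 'auth-vlan value' proposed
    in the issue. When it is None the rule matches the MAC on any VLAN.
    """
    match = {"eth_src": mac}
    if auth_vlan is not None:
        match["vlan_vid"] = auth_vlan
    return {"match": match, "allow": True}


def audit(acl):
    """Return allow rules that pin a source MAC but leave the VLAN wildcarded."""
    return [r for r in acl
            if r["allow"] and "eth_src" in r["match"]
            and "vlan_vid" not in r["match"]]


# Constructed sample data: one authenticated host and two tagged frames.
MAC = "02:00:00:00:00:01"
AUTH_VLAN, OTHER_VLAN = 100, 200
MAC_ONLY_ACL = [authorised_rule(MAC)]               # behaviour the issue describes
MAC_VLAN_ACL = [authorised_rule(MAC, AUTH_VLAN)]    # behaviour the issue asks for
FRAME_AUTH_VLAN = {"eth_src": MAC, "vlan_vid": AUTH_VLAN}
FRAME_OTHER_VLAN = {"eth_src": MAC, "vlan_vid": OTHER_VLAN}

if __name__ == "__main__":
    for name, acl in (("mac-only", MAC_ONLY_ACL), ("mac+vlan", MAC_VLAN_ACL)):
        print(name,
              "auth vlan:", evaluate(acl, FRAME_AUTH_VLAN),
              "other vlan:", evaluate(acl, FRAME_OTHER_VLAN),
              "flagged rules:", len(audit(acl)))
```

Running `audit` over the rules generated for authenticated hosts gives a quick regression check that no allow rule is left with the VLAN wildcarded.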