While setting up firewall rules, make sure that you have a way to access the server other than through the network, because you can end up locking yourself out of the system. This solution does not work well - as in, it is not doing what it is supposed to. Kept here for a later date.

As previously introduced, the simple event correlator (SEC) is able to monitor log files and trigger an action on a regex match. The required SEC rule file is:

### IEEE 802.1X Portal
# Authenticated.
type=Single
ptype=RegExp
pattern=hostapd.*?STA (([0-9a-fA-F]{2}[:]){5}([0-9a-fA-F]{2})) IEEE 802.1X: authorizing port$
desc=$0
action=shellcmd /sbin/iptables -A INPUT -m mac --mac-source $1 -j ACCEPT -m comment --comment 'IEEE802.1X'
##

# Deauthenticated.
type=Single
ptype=RegExp
pattern=hostapd.*?STA (([0-9a-fA-F]{2}[:]){5}([0-9a-fA-F]{2})) IEEE 802.1X: unauthorizing port$
desc=$0
action=shellcmd /sbin/iptables -D INPUT -m mac --mac-source $1 -j ACCEPT -m comment --comment 'IEEE802.1X'
###

The two rules match hostapd's authorizing and unauthorizing events in the monitored log files. Since these are debug messages, hostapd has to be switched to debug logging by editing /etc/hostapd.conf:

# Debug level, required to capture the authorizing and unauthorizing messages.
logger_syslog_level=1
# Module bitmask: log just the IEEE 802.1X module.
logger_syslog=2

When a port is authorized, SEC adds an ACCEPT rule for the station's MAC address to the firewall and, when the port is deauthorized (including on system reboot, shutdown and manual deauthorization), the rule accepting traffic from that MAC address is removed again.
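A stand-alone Python equivalent of the two SEC rules, added here as an example (not the page's own code): it reuses the same regex over constructed hostapd syslog lines and tracks which MACs are currently authorized, so a repeated authorizing message cannot leave a duplicate ACCEPT rule behind and an unauthorizing message for a station that was never authorized does not issue a failing -D. Applying the commands through subprocess is opt-in (run=True) and is an assumption about how it would be wired up; by default the function only returns the iptables argument vectors.

```python
import re
import subprocess

# Same pattern as the SEC rules above; group 1 is the station MAC, group 4 the event.
STA_RE = re.compile(
    r"hostapd.*?STA (([0-9a-fA-F]{2}[:]){5}([0-9a-fA-F]{2})) "
    r"IEEE 802.1X: (authorizing|unauthorizing) port$"
)
IPTABLES = "/sbin/iptables"

# Constructed hostapd syslog lines (not a real capture): a repeated authorize,
# an unauthorize for a station that was never authorized, and an unrelated line.
SAMPLE_LOG = [
    "Apr 19 08:27:01 ap hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.1X: authorizing port",
    "Apr 19 08:27:02 ap hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.1X: authorizing port",
    "Apr 19 08:27:03 ap hostapd: wlan0: STA 02:00:00:00:00:02 IEEE 802.1X: authorizing port",
    "Apr 19 08:27:04 ap hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.1X: unauthorizing port",
    "Apr 19 08:27:05 ap hostapd: wlan0: STA 02:00:00:00:00:03 IEEE 802.1X: unauthorizing port",
    "Apr 19 08:27:06 ap hostapd: wlan0: STA 02:00:00:00:00:02 WPA: pairwise key handshake completed",
]

def rule(mac):
    """Rule specification shared by -A and -D, so the delete matches the insert exactly."""
    return ["INPUT", "-m", "mac", "--mac-source", mac, "-j", "ACCEPT",
            "-m", "comment", "--comment", "IEEE802.1X"]

def process(lines, authorized=None, run=False):
    """Return (iptables argument vectors, resulting set of authorized MACs).

    Adds only MACs not yet authorized and deletes only those that are, so a
    repeated log line cannot leave a duplicate ACCEPT rule or fail on -D."""
    authorized = set() if authorized is None else set(authorized)
    commands = []
    for line in lines:
        m = STA_RE.search(line.rstrip("\n"))
        if not m:
            continue
        mac, event = m.group(1).lower(), m.group(4)
        if event == "authorizing" and mac not in authorized:
            authorized.add(mac)
            commands.append([IPTABLES, "-A"] + rule(mac))
        elif event == "unauthorizing" and mac in authorized:
            authorized.discard(mac)
            commands.append([IPTABLES, "-D"] + rule(mac))
    if run:  # opt-in: actually apply the changes (needs root and iptables)
        for cmd in commands:
            subprocess.run(cmd, check=True)
    return commands, authorized
```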

This is perhaps the best solution given hostapd's lack of proper hooks.


networking/802.1x/captive_portals/simple_event_correlator.txt · Last modified: 2022/04/19 08:27 by 127.0.0.1
