wifi: Combining open non-encrypted AP and EAP-TLS in one

[Erik Norgaard]

Hi:

I have got the idea that I want to set up a hostap on my FBSD box.

My idea is that I want to allow strangers to associate and get their 
network configuration via dhcp. Any attempt to access the Internet will 
then be redirected to a web page explaining that they have to register 
first.

Once registered, the AP should support (or rather require) EAP-TLS and 
allow access to the Internet.

I know, this sounds very much like VPN. Indeed it is, (and I might fall 
back on this). But the difference is that it is bound to a particular 
wireless network. Users may connect to other networks where all this is 
not required. So for usability I think it is easier if the wifi 
controller takes care of connecting with the correct certificate.

So, my first question: Is it possible to configure a Wireless NIC in 
hostap mode to support both non-encrypted open association as well as 
EAP-TLS (or some other type of encryption/authentication scheme)?

Secondly, is it possible to make the firewall (on the the hostap box) 
aware of whether a client uses security and only allow access if the 
wireless connection is encrypted? I use packet filter, and this is 
somewhat like authpf w. ssh that can invoke rules, or it could be solved 
with the traditional VPN. But I would like to use the EAP-TLS scheme.

Thanks, Erik