802.1x PAE #303

@ccie57654

Description

Overview
The hostapd package included with Dent works in the sense that you can start the service and provide a configuration; however, what is missing from the public hostapd package is the Port Access Entity (PAE) component.

Use Case
When a device is attached via ethernet to a port, there should exist the capability to configure said port to only accept EAPoL frames or additional types defined in an ACL, and forward the frames to the RADIUS Server, or create a RADIUS Access Request message based on the source mac for MAB purposes.

Operation

  • To keep the operation description concise, I will simply link to a better published source of how 802.1x and MAB operate.
  • Operation
  • Ideally configuration would be a component of netplan or systemd-networking or interfaces, however if a separate tool is required initially similarly to poed that is fine.
  • By simply forwarding EAPoL frames to a defined RADIUS server(s) and implementing RFC 2868 capability to assign a vlan to a port based on radius responses we have 2/3 of the feature we need
  • To support MAB, a watcher would need to be running to listen to all frames initially received on a port and construct a RADIUS Access-Request message
  • Finally the ability to define not just EAPoL frames to accept on a port but also other types of frames (inbound or outbound) is important in the case of silent hosts that may not send anything until a broadcast is received.

Testing
Leveraging FreeRADIUS or similar to validate that a port can be moved from an unauthorized state (dropping all frames except those specified) to an authorized state with the received tunnel ID
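The RFC 2868 VLAN assignment from the Operation list and the unauthorized-to-authorized port transition described under Testing, as an added Python example that is not part of this issue, hostapd or Dent. It assumes the RADIUS response has already been received and its Response Authenticator checked elsewhere, uses a constructed Access-Accept with a zeroed authenticator, and all function and class names are the example's own.

```python
ACCESS_ACCEPT, EAPOL_ETHERTYPE = 2, 0x888E  # RADIUS Access-Accept code; EAPoL EtherType
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 attributes
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def parse_attributes(packet):
    """Yield (type, value) pairs from a RADIUS packet, validating every length field."""
    length = int.from_bytes(packet[2:4], "big")
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    offset = 20  # past code, id, length and the 16-byte authenticator (verified elsewhere)
    while offset < length:
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[offset + 2:offset + alen]
        offset += alen

def vlan_from_accept(packet):
    """Return the VLAN ID carried by an Access-Accept, or None when no VLAN is assigned."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    groups = {}  # tag -> {attribute type: value}; one tag groups one tunnel's attributes
    for atype, value in parse_attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            # RFC 2868: a leading octet <= 0x1F is the tag, otherwise it is part of the value
            tag, body = (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[atype] = body
    for g in groups.values():
        if (int.from_bytes(g.get(TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(g.get(TUNNEL_MEDIUM_TYPE, b""), "big") == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return int(g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
    return None

class Port:
    """PAE port state: unauthorized passes only EAPoL; Access-Accept authorizes it on its VLAN."""
    authorized, vlan = False, None
    def accepts(self, ethertype):
        return self.authorized or ethertype == EAPOL_ETHERTYPE
    def apply_radius(self, packet):
        self.authorized = packet[0] == ACCESS_ACCEPT
        self.vlan = vlan_from_accept(packet) if self.authorized else None

def build_accept(vlan_id, tag=1):
    """Constructed sample Access-Accept (zeroed authenticator) carrying a VLAN assignment."""
    attr = lambda t, v: bytes([t, len(v) + 2]) + v
    body = (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))
    return bytes([ACCESS_ACCEPT, 7]) + (20 + len(body)).to_bytes(2, "big") + bytes(16) + body
```

A real PAE must also verify the Response Authenticator against the shared secret before trusting the attributes, and an Access-Reject or timeout must leave the port in the unauthorized state.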
