We use the wired driver for wired port authentication with a slight extension
to add the port into a bridge upon successful authentication and to remove it
from the bridge when the session terminates.
Our expectation was that the Session-Timeout configuration at the RADIUS server
is respected, i.e. the session is terminated and would need re-authentication -
like it is working for WLAN sessions over the nl80211 driver. Alas it turned out
the session is not terminated with the wired driver.
Turned out when ap_handle_session_timer() is executed, the sta->flags of the
wired port has only the WLAN_STA_AUTHORIZED bit set. The WLAN_STA_AUTH bit,
which is used to check whether the STA needs to be de-authenticated, is missing.
Not sure if this is an issue with the wired driver (i.e. WLAN_STA_AUTHORIZED
can't exist without WLAN_STA_AUTH), or the Session-Timeout feature was not
considered for wired so far.
With extending the check for any of the WLAN_STA_(AUTH | ASSOC | AUTHORIZED)
bits our issue is resolved, but we are not aware whether this is a valid
workaround without potential side-effects.
---
When the wired driver is configured for RADIUS authentication,
upon successful connection establishment the sta->flags are
set to WLAN_STA_AUTHORIZED, i.e. without the WLAN_STA_AUTH or
WLAN_STA_ASSOC bits set.
As a result, when the RADIUS Session-Timeout expires and
ap_handle_session_timer() is executed, without the
WLAN_STA_AUTH bit being set, the STA is not being
deaunthenticated. As a result, the session stays alive.
This patch changes the sanity check so that STA is
deauthenticated when any of WLAN_STA_AUTH, WLAN_STA_ASSOC,
or WLAN_STA_AUTHORIZED bits are set.
Signed-off-by: Zefir Kurtisi <zefir.kurtisi@xxxxxxxxxxx>
---
src/ap/sta_info.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
index 4f9eae847..fab8fb3e9 100644
--- a/src/ap/sta_info.c
+++ b/src/ap/sta_info.c
@@ -589,7 +589,7 @@ static void ap_handle_session_timer(void *eloop_ctx, void *timeout_ctx)
wpa_printf(MSG_DEBUG, "%s: Session timer for STA " MACSTR,
hapd->conf->iface, MAC2STR(sta->addr));
- if (!(sta->flags & WLAN_STA_AUTH)) {
+ if (!(sta->flags & (WLAN_STA_AUTH | WLAN_STA_ASSOC | WLAN_STA_AUTHORIZED))) {
if (sta->flags & WLAN_STA_GAS) {
wpa_printf(MSG_DEBUG, "GAS: Remove temporary STA "
"entry " MACSTR, MAC2STR(sta->addr));
--
2.17.1
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
