Hello,

I'm trying to figure out how to force an EAP-FAIL to get sent back to a supplicant in src/ap/ieee802_1x.c:ieee802_1x_receive_auth(). We have freeradius sending a set of NAS-Filter-Rule attributes (92) in an Access-Accept RADIUS packet. The only problem is that we want to detect when the rules have invalid syntax (or there is a filter we cannot apply). We have other code we're testing to install the filters correctly if they are valid (to us).

Since the case here is RADIUS_CODE_ACCESS_ACCEPT, we add the following code to the top of this case statement in ieee802_1x_receive_auth():

	/* check for valid NAS-Filter-Rule */
	if (radius_check_invalid_filters()) {
		/* Nas-Filter-Rule was invalid or was something we cannot apply */
		sm->eap_if->aaaFail = TRUE;
		override_eapReq = 1;
		break;
	}

So with this extra code in the case for the Access-Accept, hostapd seems to not authorize the supplicant (we see these debugs):

-------------------
RADIUS server sent invalid NAS-Filter-Rule for 00:02:00:00:00:02
swp2: STA 00:02:00:00:00:02 IEEE 802.1X: decapsulated EAP packet (code=3 id=104 len=4) from RADIUS server: EAP Success
EAP: EAP entering state FAILURE2
swp2: CTRL-EVENT-EAP-FAILURE2 00:02:00:00:00:02
IEEE 802.1X: 00:02:00:00:00:02 BE_AUTH entering state FAIL
swp2: STA 00:02:00:00:00:02 IEEE 802.1X: Sending EAP Packet (identifier 104)
IEEE 802.1X: 00:02:00:00:00:02 AUTH_PAE entering state HELD
WIRED: set STA entry ifname=swp2 ifindex=4 NOT AUTHORIZED for 00:02:00:00:00:02
wired_set_sta_authorized: sta address=00:02:00:00:00:02 auth fail state 1
swp2: STA 00:02:00:00:00:02 IEEE 802.1X: unauthorizing port
swp2: STA 00:02:00:00:00:02 IEEE 802.1X: authentication failed - EAP type: 4 (MD5)
swp2: IEEE 802.1X: Force disconnection of 00:02:00:00:00:02 after EAP-Failure in 10 ms
IEEE 802.1X: 00:02:00:00:00:02 BE_AUTH entering state IDLE
swp2: IEEE 802.1X: Scheduled disconnection of 00:02:00:00:00:02 after EAP-Failure
swp2: ap_sta_disconnect STA 00:02:00:00:00:02 reason=23
WIRED: wired_sta_deauth called ifname=swp2 address=00:02:00:00:00:02
swp2: ap_sta_disconnect: reschedule ap_handle_timer timeout for 00:02:00:00:00:02 (5 seconds - AP_MAX_INACTIVITY_AFTER_DEAUTH)
IEEE 802.1X: 00:02:00:00:00:02 AUTH_PAE entering state INITIALIZE
EAP: EAP entering state DISABLED
swp2: Deauthentication callback for STA 00:02:00:00:00:02
swp2: Removing STA 00:02:00:00:00:02 from kernel driver
WIRED: wired_sta_remove called ifname=swp2 address=00:02:00:00:00:02

So even though hostapd sees the supplicant as deauthenticated, the supplicant doesn't know this and sees the following:

# wpa_supplicant -c /etc/wpa_supplicant.conf -D wired -i swp1
Successfully initialized wpa_supplicant
swp1: Associated with 01:80:c2:00:00:03
swp1: CTRL-EVENT-EAP-STARTED EAP authentication started
swp1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4
swp1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
swp1: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
swp1: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]

So my question is: how do we force hostapd to send a "CTRL-EVENT-EAP-FAILURE EAP authentication failed" to the supplicant so the user knows there was something wrong in the Access-Accept Nas-Filter-Rule attribute? hostapd knows this failed and logs messages on the hostapd syslog, but the client seems to think everything is fine.

Thanks for any pointers.

Sam Tannous

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
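An added example, not code from the poster or from hostapd, of the syntax check a routine like the poster's radius_check_invalid_filters() would have to perform before deciding to fail the session. It walks a reassembled NAS-Filter-Rule (attribute 92) payload, where RFC 4849 separates individual rules with NUL octets, and checks each rule against the IPFilterRule grammar (action dir proto from src [ports] to dst [ports] [options]). The grammar coverage is an assumption and a deliberate subset: IPv4 hosts only, the protocol names ip/tcp/udp/icmp or a protocol number, and only the frag, established and setup options. nas_filter_rules_check() and every helper name are mine, and the sample payloads are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TOKENS 16
#define MAX_RULE 255	/* assumption: one rule fits in a single attribute */

static int is_word(const char *t, const char *a, const char *b)
{
	return strcmp(t, a) == 0 || strcmp(t, b) == 0;
}

/* Decimal integer in [lo, hi] with nothing trailing. */
static int is_uint_in(const char *s, long lo, long hi)
{
	char *end;
	long v = strtol(s, &end, 10);
	return isdigit((unsigned char) *s) && *end == '\0' && v >= lo && v <= hi;
}

/* "any", "assigned" or a dotted-quad IPv4 address with an optional /prefix. */
static int is_host(const char *t)
{
	unsigned a, b, c, d;
	int n = 0;
	if (is_word(t, "any", "assigned"))
		return 1;
	if (sscanf(t, "%3u.%3u.%3u.%3u%n", &a, &b, &c, &d, &n) != 4 ||
	    a > 255 || b > 255 || c > 255 || d > 255)
		return 0;
	return t[n] == '\0' || (t[n] == '/' && is_uint_in(t + n + 1, 0, 32));
}

/* Port list such as "22", "1024-65535" or "80,443,8000-8080". */
static int is_ports(const char *t)
{
	char buf[MAX_RULE + 1], *item, *dash;
	int n = 0;
	if (*t == ',' || strlen(t) > MAX_RULE)
		return 0;
	strcpy(buf, t);
	for (item = strtok(buf, ","); item; item = strtok(NULL, ","), n++) {
		if ((dash = strchr(item, '-')) != NULL)
			*dash = '\0';
		if (!is_uint_in(item, 0, 65535))
			return 0;
		if (dash && (!is_uint_in(dash + 1, 0, 65535) ||
			     atol(item) > atol(dash + 1)))
			return 0;
	}
	return n > 0;
}

/* One rule: action dir proto from src [ports] to dst [ports] [options].
 * All tokens are collected before is_ports() reuses strtok(). */
static int rule_is_valid(const char *rule, size_t rlen)
{
	char buf[MAX_RULE + 1], *tok[MAX_TOKENS], *t;
	int n = 0, i = 5;
	if (rlen > MAX_RULE)
		return 0;
	memcpy(buf, rule, rlen);
	buf[rlen] = '\0';
	for (t = strtok(buf, " \t"); t && n < MAX_TOKENS; t = strtok(NULL, " \t"))
		tok[n++] = t;
	if (t || n < 7 || !is_word(tok[0], "permit", "deny") ||
	    !is_word(tok[1], "in", "out") ||
	    !(is_word(tok[2], "ip", "tcp") || is_word(tok[2], "udp", "icmp") ||
	      is_uint_in(tok[2], 0, 255)) ||
	    strcmp(tok[3], "from") != 0 || !is_host(tok[4]))
		return 0;
	if (strcmp(tok[i], "to") != 0 && !is_ports(tok[i++]))	/* src ports */
		return 0;
	if (i >= n || strcmp(tok[i++], "to") != 0 || i >= n || !is_host(tok[i++]))
		return 0;
	if (i < n && is_ports(tok[i]))				/* dst ports */
		i++;
	for (; i < n; i++)					/* option subset */
		if (!is_word(tok[i], "frag", "established") && strcmp(tok[i], "setup"))
			return 0;
	return 1;
}

/* Check a concatenated NAS-Filter-Rule payload (rules are NUL-separated).
 * Returns the rule count if every rule parses, or -1 at the first bad one. */
int nas_filter_rules_check(const unsigned char *data, size_t len)
{
	size_t pos = 0, rlen;
	int count = 0;
	while (pos < len) {
		for (rlen = 0; pos + rlen < len && data[pos + rlen]; rlen++)
			;
		if (rlen > 0 && !rule_is_valid((const char *) data + pos, rlen))
			return -1;
		count += rlen > 0;	/* an empty rule (e.g. trailing NUL) is skipped */
		pos += rlen + 1;
	}
	return count;
}
```

The caller passes the concatenated value of all NAS-Filter-Rule attributes in the Access-Accept and treats -1 as the "invalid or cannot apply" condition. A check like this only settles the decision, not what the supplicant then receives: the debug output above shows hostapd decapsulating the EAP-Success (code=3, id=104) carried in the Access-Accept and then sending an EAP packet with that same identifier, which appears to be why the supplicant still reports CTRL-EVENT-EAP-SUCCESS even though the authenticator side went to FAIL.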