On Thu, Feb 20, 2020 at 04:23:06PM -0500, Sam Tannous wrote:
> I'm trying to figure out how to force an EAP-FAIL to get sent back to
> a supplicant in src/ap/ieee802_1x.c:ieee802_1x_receive_auth().
> Since the case here is RADIUS_CODE_ACCESS_ACCEPT, when we add the following
> code to the top of this case statement in ieee802_1x_receive_auth():
>
>
>         /* check for valid NAS-Filter-Rule */
>         if (radius_check_invalid_filters()) {
>                 /* Nas-Filter-Rule was invalid or was something we cannot
>                    apply */
>                 sm->eap_if->aaaFail = TRUE;
>                 override_eapReq = 1;
>                 break;
>         }

The EAP and EAPOL authenticator state machines will send the EAP request
from the EAP server (i.e., what was received in that RADIUS
Access-Accept) even in the failure case. The easiest way to force
EAP-Failure to go out in this case is to force the port to be
unauthorized with the following:

        sm->portControl = ForceUnauthorized;

This will make the AUTH_PAE state machine go to the FORCE_UNAUTH state
and send out a canned EAP packet (EAP-Failure in this case) instead of
what the EAP server sent.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
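
The difference between the two approaches in the message above, as an added example that is not part of the original thread and is not hostapd code. It is a simplified model: `pae_step`, `reject_access_accept`, `last_tx` and `enum tx_packet` are hypothetical names, and only the AUTH_PAE global transition to FORCE_UNAUTH (as defined in IEEE 802.1X-2004) and the relay behaviour described in the reply are modelled.

```c
#include <stdbool.h>

/* Simplified model (assumption), not hostapd code: only the variables
 * needed to show the FORCE_UNAUTH path of the authenticator PAE. */
enum port_control { Auto, ForceAuthorized, ForceUnauthorized };
enum pae_state { AUTHENTICATING, AUTHENTICATED, HELD, FORCE_UNAUTH };
enum tx_packet { TX_NONE, TX_SERVER_EAP, TX_CANNED_FAIL };

struct port_sm {
    enum port_control portControl, portMode;
    enum pae_state state;
    bool initialize, portEnabled;
    bool aaaFail, authorized; /* aaaFail is set by the RADIUS handler */
    enum tx_packet last_tx;   /* what went out to the supplicant */
};

/* One pass of the model after the Access-Accept has been handled. */
void pae_step(struct port_sm *sm)
{
    /* Global transition, evaluated before any per-state transition. */
    if (sm->portControl == ForceUnauthorized &&
        sm->portMode != sm->portControl &&
        !(sm->initialize || !sm->portEnabled)) {
        sm->state = FORCE_UNAUTH;
        sm->authorized = false;
        sm->portMode = ForceUnauthorized;
        sm->last_tx = TX_CANNED_FAIL;   /* canned EAP-Failure */
        return;
    }
    if (sm->state == AUTHENTICATING) {
        /* aaaFail alone: the EAP packet from the server is still relayed. */
        sm->last_tx = TX_SERVER_EAP;
        sm->authorized = !sm->aaaFail;
        sm->state = sm->aaaFail ? HELD : AUTHENTICATED;
    }
}

/* Constructed scenario: handler rejects the Access-Accept mid-authentication. */
struct port_sm reject_access_accept(bool force_unauth)
{
    struct port_sm sm = { Auto, Auto, AUTHENTICATING, false, true,
                          true, false, TX_NONE };
    if (force_unauth)
        sm.portControl = ForceUnauthorized;
    pae_step(&sm);
    return sm;
}

int main(void) { return reject_access_accept(true).last_tx == TX_CANNED_FAIL ? 0 : 1; }
```

In both cases the port ends up unauthorized; what changes is whether the supplicant receives the server's EAP packet from the Access-Accept or the canned EAP-Failure.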