I've been reading the code and testing the PSK via RADIUS functionality in hostap and discovered what I believe to be a bug. When the RADIUS response includes a Session-Timeout and is otherwise valid (an Access-Accept with a valid Tunnel-Password) the association still fails due to the strict comparison of the accepted value with HOSTAPD_ACL_ACCEPT. Apparently this wasn't previously tested. The patch below allows a packet containing a valid Session-Timeout attribute to be accepted by extending the "success" comparison to include HOSTAPD_ACL_ACCEPT_TIMEOUT. Signed-off-by: Lee Harding <somerandomstring@xxxxxxxxx> Diff inline below: diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c index e723ae74b..7b3b0137f 100644 --- a/src/ap/ieee802_11_auth.c +++ b/src/ap/ieee802_11_auth.c @@ -596,7 +596,8 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, if (query->radius_psk) { struct sta_info *sta; - bool success = cache->accepted == HOSTAPD_ACL_ACCEPT; + bool success = cache->accepted == HOSTAPD_ACL_ACCEPT + || cache->accepted == HOSTAPD_ACL_ACCEPT_TIMEOUT; sta = ap_get_sta(hapd, query->addr); if (!sta || !sta->wpa_sm) { _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap