author | Jouni Malinen <j@w1.fi> | 2012-05-06 22:02:42 +0300 |
---|---|---|
committer | Jouni Malinen <j@w1.fi> | 2012-05-06 22:02:42 +0300 |
commit | b031338cf080a07e23ad5ca75e577b49a23b8093 (patch) | |
tree | 8331e43a3f08996225af8988ccc0cea9be45a082 /hostapd | |
parent | af35e7af7f8bb1ca9f0905b4074fb56a264aa12b (diff) | |
Add preliminary RADIUS dynamic authorization server (RFC 5176)
This adds the basic DAS mechanism to enable hostapd to be configured
to request dynamic authorization requests (Disconnect-Request and
CoA-Request). This commit does not add actual processing of the
requests, i.e., this will only receive and authenticate the requests
and NAK them regardless of what operation is requested.
Signed-hostap: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'hostapd')
-rw-r--r-- | hostapd/Makefile | 1 | ||||
-rw-r--r-- | hostapd/config_file.c | 36 | ||||
-rw-r--r-- | hostapd/hostapd.conf | 13 |
3 files changed, 50 insertions, 0 deletions
diff --git a/hostapd/Makefile b/hostapd/Makefile
index 05a363b..9e42d03 100644
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -110,6 +110,7 @@ CONFIG_NO_ACCOUNTING=y
 else
 OBJS += ../src/radius/radius.o
 OBJS += ../src/radius/radius_client.o
+OBJS += ../src/radius/radius_das.o
 endif
 ifdef CONFIG_NO_ACCOUNTING
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 5c8824c..eab8ad4 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -561,6 +561,34 @@ hostapd_parse_radius_attr(const char *value)
 return attr;
 }
+
+
+static int hostapd_parse_das_client(struct hostapd_bss_config *bss,
+ const char *val)
+{
+ char *secret;
+ size_t len;
+
+ secret = os_strchr(val, ' ');
+ if (secret == NULL)
+ return -1;
+
+ secret++;
+ len = os_strlen(secret);
+
+ if (hostapd_parse_ip_addr(val, &bss->radius_das_client_addr))
+ return -1;
+
+ os_free(bss->radius_das_shared_secret);
+ bss->radius_das_shared_secret = os_malloc(len);
+ if (bss->radius_das_shared_secret == NULL)
+ return -1;
+
+ os_memcpy(bss->radius_das_shared_secret, secret, len);
+ bss->radius_das_shared_secret_len = len;
+
+ return 0;
+}
 #endif /* CONFIG_NO_RADIUS */
@@ -1657,6 +1685,14 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 a = a->next;
 a->next = attr;
 }
+ } else if (os_strcmp(buf, "radius_das_port") == 0) {
+ bss->radius_das_port = atoi(pos);
+ } else if (os_strcmp(buf, "radius_das_client") == 0) {
+ if (hostapd_parse_das_client(bss, pos) < 0) {
+ wpa_printf(MSG_ERROR, "Line %d: invalid "
+ "DAS client", line);
+ errors++;
+ }
 #endif /* CONFIG_NO_RADIUS */
 } else if (os_strcmp(buf, "auth_algs") == 0) {
 bss->auth_algs = atoi(pos);
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 8890cd2..611ce95 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
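Review bot: hostapd_parse_das_client() accepts a zero-length shared secret: when nothing follows the first space, `len` is 0 and the function still returns 0, so the DAS would presumably authenticate Disconnect/CoA requests against an empty secret. Add `if (len == 0) return -1;` directly after `len = os_strlen(secret);`. Separately, `val` is `const` and is handed to hostapd_parse_ip_addr() with the space and the secret still attached; that helper is not visible in this hunk, so whether the trailing text is rejected or tolerated depends on its parser, and copying the address part into a bounded local buffer first would remove that dependency. On the os_malloc() failure path the pointer is left NULL while `radius_das_shared_secret_len` keeps its previous value; setting the length to 0 next to the os_free() call keeps the pair consistent.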
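Review bot: The `radius_das_port` branch in hostapd_config_fill() stores `atoi(pos)` with no range check, so a negative value or one above 65535 is accepted for what hostapd.conf documents as a UDP port number. Because a non-zero value enables the DAS, an out-of-range entry should fail config parsing with a line-numbered error, the way the `radius_das_client` branch already does. Note that atoi() also turns non-numeric text into 0, which the sample config describes as "disabled"; the sketch below keeps atoi() and therefore does not catch that case. hostapd_config_fill() starts and ends outside the hunk.

```c
	} else if (os_strcmp(buf, "radius_das_port") == 0) {
		int port = atoi(pos);
		if (port < 0 || port > 65535) {
			wpa_printf(MSG_ERROR, "Line %d: invalid "
				   "radius_das_port '%s'", line, pos);
			errors++;
		} else
			bss->radius_das_port = port;
	/* ... unchanged: radius_das_client branch ... */
```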
@@ -696,6 +696,19 @@ own_ip_addr=127.0.0.1
 # Operator-Name = "Operator"
 #radius_acct_req_attr=126:s:Operator
+# Dynamic Authorization Extensions (RFC 5176)
+# This mechanism can be used to allow dynamic changes to user session based on
+# commands from a RADIUS server (or some other disconnect client that has the
+# needed session information). For example, Disconnect message can be used to
+# request an associated station to be disconnected.
+#
+# This is disabled by default. Set radius_das_port to non-zero UDP port
+# number to enable.
+#radius_das_port=3799
+#
+# DAS client (the host that can send Disconnect/CoA requests) and shared secret
+#radius_das_client=192.168.1.123 shared secret here
+
 ##### RADIUS authentication server configuration ##############################
 # hostapd can be used as a RADIUS authentication server for other hosts. This |