From b031338cf080a07e23ad5ca75e577b49a23b8093 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 6 May 2012 22:02:42 +0300
Subject: Add preliminary RADIUS dynamic authorization server (RFC 5176)

This adds the basic DAS mechanism to enable hostapd to be configured to request dynamic authorization requests (Disconnect-Request and CoA-Request). This commit does not add actual processing of the requests, i.e., this will only receive and authenticate the requests and NAK them regardless of what operation is requested.

Signed-hostap: Jouni Malinen
---
 hostapd/Makefile | 1 +
 hostapd/config_file.c | 36 ++++++++++++++++++++++++++++++++++++
 hostapd/hostapd.conf | 13 +++++++++++++
 3 files changed, 50 insertions(+)
(limited to 'hostapd')

diff --git a/hostapd/Makefile b/hostapd/Makefile
index 05a363b..9e42d03 100644
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -110,6 +110,7 @@ CONFIG_NO_ACCOUNTING=y
 else
 OBJS += ../src/radius/radius.o
 OBJS += ../src/radius/radius_client.o
+OBJS += ../src/radius/radius_das.o
 endif
 
 ifdef CONFIG_NO_ACCOUNTING
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 5c8824c..eab8ad4 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -561,6 +561,34 @@ hostapd_parse_radius_attr(const char *value)
 return attr;
 }
+
+
+static int hostapd_parse_das_client(struct hostapd_bss_config *bss,
+ const char *val)
+{
+ char *secret;
+ size_t len;
+
+ secret = os_strchr(val, ' ');
+ if (secret == NULL)
+ return -1;
+
+ secret++;
+ len = os_strlen(secret);
+
+ if (hostapd_parse_ip_addr(val, &bss->radius_das_client_addr))
+ return -1;
+
+ os_free(bss->radius_das_shared_secret);
+ bss->radius_das_shared_secret = os_malloc(len);
+ if (bss->radius_das_shared_secret == NULL)
+ return -1;
+
+ os_memcpy(bss->radius_das_shared_secret, secret, len);
+ bss->radius_das_shared_secret_len = len;
+
+ return 0;
+}
 #endif /* CONFIG_NO_RADIUS */
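Review bot: An empty shared secret is accepted by hostapd_parse_das_client(): for a value such as `192.168.1.123 ` (address followed by a trailing space) `secret` points at the terminating NUL, `len` is 0 and `os_malloc(0)` is allocator-dependent, so whether the line is rejected is decided by the allocator rather than by a check; add `if (len == 0) return -1;` right after `len = os_strlen(secret);`. hostapd_parse_ip_addr() is handed `val` with the ` secret` suffix still attached, so acceptance of the address depends on how much trailing text that parser tolerates (it is outside this hunk); terminating the address first, `*secret++ = '\0';` with `val` taken as `char *` rather than `const char *` if the caller's buffer is writable, removes that dependency. On the os_malloc() failure path `bss->radius_das_shared_secret_len` keeps its previous value while the pointer is now NULL; setting it to 0 there keeps the pair consistent for whatever later reads it.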
@@ -1657,6 +1685,14 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 a = a->next;
 a->next = attr;
 }
+ } else if (os_strcmp(buf, "radius_das_port") == 0) {
+ bss->radius_das_port = atoi(pos);
+ } else if (os_strcmp(buf, "radius_das_client") == 0) {
+ if (hostapd_parse_das_client(bss, pos) < 0) {
+ wpa_printf(MSG_ERROR, "Line %d: invalid "
+ "DAS client", line);
+ errors++;
+ }
 #endif /* CONFIG_NO_RADIUS */
 } else if (os_strcmp(buf, "auth_algs") == 0) {
 bss->auth_algs = atoi(pos);
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 8890cd2..611ce95 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -696,6 +696,19 @@ own_ip_addr=127.0.0.1
 # Operator-Name = "Operator"
 #radius_acct_req_attr=126:s:Operator
 
+# Dynamic Authorization Extensions (RFC 5176)
+# This mechanism can be used to allow dynamic changes to user session based on
+# commands from a RADIUS server (or some other disconnect client that has the
+# needed session information). For example, Disconnect message can be used to
+# request an associated station to be disconnected.
+#
+# This is disabled by default. Set radius_das_port to non-zero UDP port
+# number to enable.
+#radius_das_port=3799
+#
+# DAS client (the host that can send Disconnect/CoA requests) and shared secret
+#radius_das_client=192.168.1.123 shared secret here
+
 ##### RADIUS authentication server configuration ##############################
 # hostapd can be used as a RADIUS authentication server for other hosts. This
-- 
cgit v1.1
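Review bot: `bss->radius_das_port = atoi(pos);` stores the value without any range check, so negative numbers or values above 65535 are accepted and a non-numeric value silently becomes 0, which the accompanying hostapd.conf text defines as disabled — a typo in the port therefore turns the DAS listener off without a diagnostic. Treat an out-of-range port as a configuration error the way the `radius_das_client` branch just below does (message plus `errors++`); the rewrite below keeps atoi(), so a non-numeric string still maps to 0 and would need an end-pointer check on top. hostapd_config_fill() begins and ends outside this hunk.
```c
} else if (os_strcmp(buf, "radius_das_port") == 0) {
	int port = atoi(pos);

	if (port < 0 || port > 65535) {
		wpa_printf(MSG_ERROR, "Line %d: invalid "
			   "radius_das_port", line);
		errors++;
	} else {
		bss->radius_das_port = port;
	}
} else if (os_strcmp(buf, "radius_das_client") == 0) {
	/* … unchanged: radius_das_client handling … */
```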