Add RADIUS Service-Type attribute with a value of Framed

[mech_eap.git] / src / ap / ieee802_1x.c

diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index d09267a..c774d5c 100644 (file)
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -222,7 +222,7 @@ static void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta)
                   MAC2STR(sta->addr));
 
 #ifndef CONFIG_NO_VLAN
-       if (sta->vlan_id > 0 && sta->vlan_id <= MAX_VLAN_ID) {
+       if (sta->vlan_id > 0) {
                wpa_printf(MSG_ERROR, "Using WEP with vlans is not supported.");
                return;
        }
@@ -405,6 +405,14 @@ static int add_common_radius_sta_attr(struct hostapd_data *hapd,
        char buf[128];
 
        if (!hostapd_config_get_radius_attr(req_attr,
+                                           RADIUS_ATTR_SERVICE_TYPE) &&
+           !radius_msg_add_attr_int32(msg, RADIUS_ATTR_SERVICE_TYPE,
+                                      RADIUS_SERVICE_TYPE_FRAMED)) {
+               wpa_printf(MSG_ERROR, "Could not add Service-Type");
+               return -1;
+       }
+
+       if (!hostapd_config_get_radius_attr(req_attr,
                                            RADIUS_ATTR_NAS_PORT) &&
            !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) {
                wpa_printf(MSG_ERROR, "Could not add NAS-Port");
@@ -438,9 +446,9 @@ static int add_common_radius_sta_attr(struct hostapd_data *hapd,
                return -1;
        }
 
-       if (sta->acct_session_id_hi || sta->acct_session_id_lo) {
-               os_snprintf(buf, sizeof(buf), "%08X-%08X",
-                           sta->acct_session_id_hi, sta->acct_session_id_lo);
+       if (sta->acct_session_id) {
+               os_snprintf(buf, sizeof(buf), "%016llX",
+                           (unsigned long long) sta->acct_session_id);
                if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID,
                                         (u8 *) buf, os_strlen(buf))) {
                        wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id");
@@ -448,6 +456,21 @@ static int add_common_radius_sta_attr(struct hostapd_data *hapd,
                }
        }
 
+       if ((hapd->conf->wpa & 2) &&
+           !hapd->conf->disable_pmksa_caching &&
+           sta->eapol_sm && sta->eapol_sm->acct_multi_session_id) {
+               os_snprintf(buf, sizeof(buf), "%016llX",
+                           (unsigned long long)
+                           sta->eapol_sm->acct_multi_session_id);
+               if (!radius_msg_add_attr(
+                           msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID,
+                           (u8 *) buf, os_strlen(buf))) {
+                       wpa_printf(MSG_INFO,
+                                  "Could not add Acct-Multi-Session-Id");
+                       return -1;
+               }
+       }
+
 #ifdef CONFIG_IEEE80211R
        if (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
            sta->wpa_sm &&
@@ -587,7 +610,10 @@ static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
                return;
        }
 
-       radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta));
+       if (radius_msg_make_authenticator(msg) < 0) {
+               wpa_printf(MSG_INFO, "Could not make Request Authenticator");
+               goto fail;
+       }
 
        if (sm->identity &&
            !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
@@ -1133,7 +1159,7 @@ void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta)
                sta->eapol_sm->authFail = FALSE;
                if (sta->eapol_sm->eap)
                        eap_sm_notify_cached(sta->eapol_sm->eap);
-               pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm);
+               pmksa_cache_to_eapol_data(hapd, pmksa, sta->eapol_sm);
                ap_sta_bind_vlan(hapd, sta);
        } else {
                if (reassoc) {
@@ -1599,10 +1625,16 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
        struct hostapd_data *hapd = data;
        struct sta_info *sta;
        u32 session_timeout = 0, termination_action, acct_interim_interval;
-       int session_timeout_set, vlan_id = 0;
+       int session_timeout_set;
        struct eapol_state_machine *sm;
        int override_eapReq = 0;
        struct radius_hdr *hdr = radius_msg_get_hdr(msg);
+       struct vlan_description vlan_desc;
+#ifndef CONFIG_NO_VLAN
+       int *untagged, *tagged, *notempty;
+#endif /* CONFIG_NO_VLAN */
+
+       os_memset(&vlan_desc, 0, sizeof(vlan_desc));
 
        sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier);
        if (sm == NULL) {
@@ -1666,27 +1698,32 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
 
        switch (hdr->code) {
        case RADIUS_CODE_ACCESS_ACCEPT:
-               if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_DISABLED)
-                       vlan_id = 0;
 #ifndef CONFIG_NO_VLAN
-               else
-                       vlan_id = radius_msg_get_vlanid(msg);
-               if (vlan_id > 0 &&
-                   hostapd_vlan_id_valid(hapd->conf->vlan, vlan_id)) {
-                       hostapd_logger(hapd, sta->addr,
-                                      HOSTAPD_MODULE_RADIUS,
-                                      HOSTAPD_LEVEL_INFO,
-                                      "VLAN ID %d", vlan_id);
-               } else if (vlan_id > 0) {
+               if (hapd->conf->ssid.dynamic_vlan != DYNAMIC_VLAN_DISABLED) {
+                       notempty = &vlan_desc.notempty;
+                       untagged = &vlan_desc.untagged;
+                       tagged = vlan_desc.tagged;
+                       *notempty = !!radius_msg_get_vlanid(msg, untagged,
+                                                           MAX_NUM_TAGGED_VLAN,
+                                                           tagged);
+               }
+
+               if (vlan_desc.notempty &&
+                   !hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) {
                        sta->eapol_sm->authFail = TRUE;
                        hostapd_logger(hapd, sta->addr,
                                       HOSTAPD_MODULE_RADIUS,
                                       HOSTAPD_LEVEL_INFO,
-                                      "Invalid VLAN ID %d received from RADIUS server",
-                                      vlan_id);
+                                      "Invalid VLAN %d%s received from RADIUS server",
+                                      vlan_desc.untagged,
+                                      vlan_desc.tagged[0] ? "+" : "");
+                       os_memset(&vlan_desc, 0, sizeof(vlan_desc));
+                       ap_sta_set_vlan(hapd, sta, &vlan_desc);
                        break;
-               } else if (hapd->conf->ssid.dynamic_vlan ==
-                          DYNAMIC_VLAN_REQUIRED) {
+               }
+
+               if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_REQUIRED &&
+                   !vlan_desc.notempty) {
                        sta->eapol_sm->authFail = TRUE;
                        hostapd_logger(hapd, sta->addr,
                                       HOSTAPD_MODULE_IEEE8021X,
@@ -1697,7 +1734,18 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
                }
 #endif /* CONFIG_NO_VLAN */
 
-               sta->vlan_id = vlan_id;
+               if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0)
+                       break;
+
+#ifndef CONFIG_NO_VLAN
+               if (sta->vlan_id > 0) {
+                       hostapd_logger(hapd, sta->addr,
+                                      HOSTAPD_MODULE_RADIUS,
+                                      HOSTAPD_LEVEL_INFO,
+                                      "VLAN ID %d", sta->vlan_id);
+               }
+#endif /* CONFIG_NO_VLAN */
+
                if ((sta->flags & WLAN_STA_ASSOC) &&
                    ap_sta_bind_vlan(hapd, sta) < 0)
                        break;
@@ -2493,12 +2541,12 @@ int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
                          /* TODO: dot1xAuthSessionOctetsTx */
                          /* TODO: dot1xAuthSessionFramesRx */
                          /* TODO: dot1xAuthSessionFramesTx */
-                         "dot1xAuthSessionId=%08X-%08X\n"
+                         "dot1xAuthSessionId=%016llX\n"
                          "dot1xAuthSessionAuthenticMethod=%d\n"
                          "dot1xAuthSessionTime=%u\n"
                          "dot1xAuthSessionTerminateCause=999\n"
                          "dot1xAuthSessionUserName=%s\n",
-                         sta->acct_session_id_hi, sta->acct_session_id_lo,
+                         (unsigned long long) sta->acct_session_id,
                          (wpa_key_mgmt_wpa_ieee8021x(
                                   wpa_auth_sta_key_mgmt(sta->wpa_sm))) ?
                          1 : 2,
@@ -2508,11 +2556,11 @@ int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta,
                return len;
        len += ret;
 
-       if (sm->acct_multi_session_id_hi) {
+       if (sm->acct_multi_session_id) {
                ret = os_snprintf(buf + len, buflen - len,
-                                 "authMultiSessionId=%08X+%08X\n",
-                                 sm->acct_multi_session_id_hi,
-                                 sm->acct_multi_session_id_lo);
+                                 "authMultiSessionId=%016llX\n",
+                                 (unsigned long long)
+                                 sm->acct_multi_session_id);
                if (os_snprintf_error(buflen - len, ret))
                        return len;
                len += ret;