HS 2.0: Deauthenticate STA on deauth-imminent more quickly if no URL
When the RADIUS server requests a STA to be deauthenticated imminently without providing a reason URL, there is no need to allow the STA to spend any additional time associated. Deauthenticate the STA immediately after it has ACK'ed the WNM-Notification frame indicating imminent deauthentication or at latest two seconds after having processed the Access-Accept message. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
parent
2e40f969b1
commit
34d93b0c9d
4 changed files with 39 additions and 7 deletions
|
@ -2799,7 +2799,12 @@ own_ip_addr=127.0.0.1
|
||||||
# If the RADIUS server indicates that the station is not allowed to connect to
|
# If the RADIUS server indicates that the station is not allowed to connect to
|
||||||
# the BSS/ESS, the AP can allow the station some time to download a
|
# the BSS/ESS, the AP can allow the station some time to download a
|
||||||
# notification page (URL included in the message). This parameter sets that
|
# notification page (URL included in the message). This parameter sets that
|
||||||
# timeout in seconds.
|
# timeout in seconds. If the RADIUS server provides no URL, this value is
|
||||||
|
# reduced to two seconds with an additional trigger for immediate
|
||||||
|
# deauthentication when the STA acknowledges reception of the deauthentication
|
||||||
|
# imminent indication. Note that setting this value to 0 will prevent delivery
|
||||||
|
# of the notification to the STA, so a value of at least 1 should be used here
|
||||||
|
# for normal use cases.
|
||||||
#hs20_deauth_req_timeout=60
|
#hs20_deauth_req_timeout=60
|
||||||
|
|
||||||
# Operator Friendly Name
|
# Operator Friendly Name
|
||||||
|
|
|
@ -5838,6 +5838,19 @@ static void handle_action_cb(struct hostapd_data *hapd,
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef CONFIG_HS20
|
||||||
|
if (ok && len >= IEEE80211_HDRLEN + 2 &&
|
||||||
|
mgmt->u.action.category == WLAN_ACTION_WNM &&
|
||||||
|
mgmt->u.action.u.vs_public_action.action == WNM_NOTIFICATION_REQ &&
|
||||||
|
sta->hs20_deauth_on_ack) {
|
||||||
|
wpa_printf(MSG_DEBUG, "HS 2.0: Deauthenticate STA " MACSTR
|
||||||
|
" on acknowledging the WNM-Notification",
|
||||||
|
MAC2STR(sta->addr));
|
||||||
|
ap_sta_session_timeout(hapd, sta, 0);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
#endif /* CONFIG_HS20 */
|
||||||
|
|
||||||
if (len < 24 + 5 + sizeof(*report))
|
if (len < 24 + 5 + sizeof(*report))
|
||||||
return;
|
return;
|
||||||
report = (const struct rrm_measurement_report_element *)
|
report = (const struct rrm_measurement_report_element *)
|
||||||
|
|
|
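Review bot: The new CONFIG_HS20 branch in handle_action_cb fires on the ACK of any WNM-Notification Request while `sta->hs20_deauth_on_ack` is set, not specifically the deauthentication-imminent notice, and it never clears the flag afterwards. If a different WNM-Notification (for example a subscription remediation notice, should the same Access-Accept carry both) is acknowledged first, the STA would presumably be dropped before the deauth-imminent frame is delivered. Consider consuming the flag when it triggers, `sta->hs20_deauth_on_ack = 0;` just before `ap_sta_session_timeout(hapd, sta, 0);`. A one-line comment would also help, saying that the action octet is read through the `vs_public_action` union member because it appears to share its offset with the WNM action field. The function body starts and ends outside the hunk.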
@ -1709,23 +1709,35 @@ static void ieee802_1x_hs20_sub_rem(struct sta_info *sta, u8 *pos, size_t len)
|
||||||
|
|
||||||
|
|
||||||
static void ieee802_1x_hs20_deauth_req(struct hostapd_data *hapd,
|
static void ieee802_1x_hs20_deauth_req(struct hostapd_data *hapd,
|
||||||
struct sta_info *sta, u8 *pos,
|
struct sta_info *sta, const u8 *pos,
|
||||||
size_t len)
|
size_t len)
|
||||||
{
|
{
|
||||||
|
size_t url_len;
|
||||||
|
unsigned int timeout;
|
||||||
|
|
||||||
if (len < 3)
|
if (len < 3)
|
||||||
return; /* Malformed information */
|
return; /* Malformed information */
|
||||||
|
url_len = len - 3;
|
||||||
sta->hs20_deauth_requested = 1;
|
sta->hs20_deauth_requested = 1;
|
||||||
|
sta->hs20_deauth_on_ack = url_len == 0;
|
||||||
wpa_printf(MSG_DEBUG,
|
wpa_printf(MSG_DEBUG,
|
||||||
"HS 2.0: Deauthentication request - Code %u Re-auth Delay %u",
|
"HS 2.0: Deauthentication request - Code %u Re-auth Delay %u URL length %zu",
|
||||||
*pos, WPA_GET_LE16(pos + 1));
|
*pos, WPA_GET_LE16(pos + 1), url_len);
|
||||||
wpabuf_free(sta->hs20_deauth_req);
|
wpabuf_free(sta->hs20_deauth_req);
|
||||||
sta->hs20_deauth_req = wpabuf_alloc(len + 1);
|
sta->hs20_deauth_req = wpabuf_alloc(len + 1);
|
||||||
if (sta->hs20_deauth_req) {
|
if (sta->hs20_deauth_req) {
|
||||||
wpabuf_put_data(sta->hs20_deauth_req, pos, 3);
|
wpabuf_put_data(sta->hs20_deauth_req, pos, 3);
|
||||||
wpabuf_put_u8(sta->hs20_deauth_req, len - 3);
|
wpabuf_put_u8(sta->hs20_deauth_req, url_len);
|
||||||
wpabuf_put_data(sta->hs20_deauth_req, pos + 3, len - 3);
|
wpabuf_put_data(sta->hs20_deauth_req, pos + 3, url_len);
|
||||||
}
|
}
|
||||||
ap_sta_session_timeout(hapd, sta, hapd->conf->hs20_deauth_req_timeout);
|
timeout = hapd->conf->hs20_deauth_req_timeout;
|
||||||
|
/* If there is no URL, no need to provide time to fetch it. Use a short
|
||||||
|
* timeout here to allow maximum time for completing 4-way handshake and
|
||||||
|
* WNM-Notification delivery. Acknowledgement of the frame will result
|
||||||
|
* in cutting this wait further. */
|
||||||
|
if (!url_len && timeout > 2)
|
||||||
|
timeout = 2;
|
||||||
|
ap_sta_session_timeout(hapd, sta, timeout);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -1813,6 +1825,7 @@ static void ieee802_1x_check_hs20(struct hostapd_data *hapd,
|
||||||
buf = NULL;
|
buf = NULL;
|
||||||
sta->remediation = 0;
|
sta->remediation = 0;
|
||||||
sta->hs20_deauth_requested = 0;
|
sta->hs20_deauth_requested = 0;
|
||||||
|
sta->hs20_deauth_on_ack = 0;
|
||||||
|
|
||||||
for (;;) {
|
for (;;) {
|
||||||
if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC,
|
if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC,
|
||||||
|
|
|
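Review bot: In ieee802_1x_hs20_deauth_req, `url_len` is a `size_t` but is emitted as a single octet by `wpabuf_put_u8(sta->hs20_deauth_req, url_len)`, while the next line copies the full `url_len` bytes with `wpabuf_put_data()`. Nothing in the visible hunk bounds `len` from above; the RADIUS attribute size limit presumably keeps it below 256, but that assumption lives in the caller. If it were ever violated, the length octet would silently truncate and disagree with the URL data placed in the WNM-Notification. Making the bound explicit at the existing malformed-input check keeps the length field and payload consistent: `if (len < 3 || len - 3 > 255) return; /* Malformed information */`.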
@ -118,6 +118,7 @@ struct sta_info {
|
||||||
unsigned int qos_map_enabled:1;
|
unsigned int qos_map_enabled:1;
|
||||||
unsigned int remediation:1;
|
unsigned int remediation:1;
|
||||||
unsigned int hs20_deauth_requested:1;
|
unsigned int hs20_deauth_requested:1;
|
||||||
|
unsigned int hs20_deauth_on_ack:1;
|
||||||
unsigned int session_timeout_set:1;
|
unsigned int session_timeout_set:1;
|
||||||
unsigned int radius_das_match:1;
|
unsigned int radius_das_match:1;
|
||||||
unsigned int ecsa_supported:1;
|
unsigned int ecsa_supported:1;
|
||||||
|
|