RADIUS: Require Message-Authenticator attribute in MAC ACL cases

hostapd required Message-Authenticator attribute to be included in EAP authentication cases, but that requirement was not in place for MAC ACL cases. Start requiring Message-Authenticator attribute for MAC ACL by default. Unlike the EAP case, this can still be disabled with radius_require_message_authenticator=1 to maintain compatibility with some RADIUS servers when used in a network where the connection to such a server is secure. Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-17 10:42:56 +02:00 · 2024-03-17 10:42:56 +02:00 · 58097123ec
commit 58097123ec
parent 934b0c3a45
5 changed files with 19 additions and 1 deletions
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@ -2988,6 +2988,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 #endif /* CONFIG_RADIUS_TLS */
 	} else if (os_strcmp(buf, "radius_retry_primary_interval") == 0) {
 		bss->radius->retry_primary_interval = atoi(pos);
+	} else if (os_strcmp(buf,
+			     "radius_require_message_authenticator") == 0) {
+		bss->radius_require_message_authenticator = atoi(pos);
 	} else if (os_strcmp(buf, "radius_acct_interim_interval") == 0) {
 		bss->acct_interim_interval = atoi(pos);
 	} else if (os_strcmp(buf, "radius_request_cui") == 0) {
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@ -1620,6 +1620,17 @@ own_ip_addr=127.0.0.1
 # currently used secondary server is still working.
 #radius_retry_primary_interval=600

+# Message-Authenticator attribute requirement for non-EAP cases
+# hostapd requires Message-Authenticator attribute to be included in all cases
+# where RADIUS is used for EAP authentication. This is also required for cases
+# where RADIUS is used for MAC ACL (macaddr_acl=2) by default, but that case
+# can be configured to not require this for compatibility with RADIUS servers
+# that do not include the attribute. This is not recommended due to potential
+# security concerns, but can be used as a temporary workaround in networks where
+# the connection to the RADIUS server is secure.
+# 0 = Do not require Message-Authenticator in MAC ACL response
+# 1 = Require Message-Authenticator in all authentication cases (default)
+#radius_require_message_authenticator=1

 # Interim accounting update interval
 # If this is set (larger than 0) and acct_server is configured, hostapd will
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@ -122,6 +122,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
 #endif /* CONFIG_IEEE80211R_AP */

 	bss->radius_das_time_window = 300;
+	bss->radius_require_message_authenticator = 1;

 	bss->anti_clogging_threshold = 5;
 	bss->sae_sync = 5;
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@ -309,6 +309,7 @@ struct hostapd_bss_config {
 	struct hostapd_ip_addr own_ip_addr;
 	char *nas_identifier;
 	struct hostapd_radius_servers *radius;
+	int radius_require_message_authenticator;
 	int acct_interim_interval;
 	int radius_request_cui;
 	struct hostapd_radius_attr *radius_auth_req_attr;
--- a/src/ap/ieee802_11_auth.c
+++ b/src/ap/ieee802_11_auth.c
@ -508,7 +508,9 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
 		   "Found matching Access-Request for RADIUS message (id=%d)",
 		   query->radius_id);

-	if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) {
+	if (radius_msg_verify(
+		    msg, shared_secret, shared_secret_len, req,
+		    hapd->conf->radius_require_message_authenticator)) {
 		wpa_printf(MSG_INFO,
 			   "Incoming RADIUS packet did not have correct authenticator - dropped");
 		return RADIUS_RX_INVALID_AUTHENTICATOR;