From 58097123ec5ea6f8276b38cb9b07669ec368a6c1 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sun, 17 Mar 2024 10:42:56 +0200 Subject: [PATCH] RADIUS: Require Message-Authenticator attribute in MAC ACL cases hostapd required Message-Authenticator attribute to be included in EAP authentication cases, but that requirement was not in place for MAC ACL cases. Start requiring Message-Authenticator attribute for MAC ACL by default. Unlike the EAP case, this can still be disabled with radius_require_message_authenticator=1 to maintain compatibility with some RADIUS servers when used in a network where the connection to such a server is secure. Signed-off-by: Jouni Malinen --- hostapd/config_file.c | 3 +++ hostapd/hostapd.conf | 11 +++++++++++ src/ap/ap_config.c | 1 + src/ap/ap_config.h | 1 + src/ap/ieee802_11_auth.c | 4 +++- 5 files changed, 19 insertions(+), 1 deletion(-) diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 96c28aea2..3fb059770 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -2988,6 +2988,9 @@ static int hostapd_config_fill(struct hostapd_config *conf, #endif /* CONFIG_RADIUS_TLS */ } else if (os_strcmp(buf, "radius_retry_primary_interval") == 0) { bss->radius->retry_primary_interval = atoi(pos); + } else if (os_strcmp(buf, + "radius_require_message_authenticator") == 0) { + bss->radius_require_message_authenticator = atoi(pos); } else if (os_strcmp(buf, "radius_acct_interim_interval") == 0) { bss->acct_interim_interval = atoi(pos); } else if (os_strcmp(buf, "radius_request_cui") == 0) { diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf index e3367b708..3f0e66beb 100644 --- a/hostapd/hostapd.conf +++ b/hostapd/hostapd.conf @@ -1620,6 +1620,17 @@ own_ip_addr=127.0.0.1 # currently used secondary server is still working. #radius_retry_primary_interval=600 +# Message-Authenticator attribute requirement for non-EAP cases +# hostapd requires Message-Authenticator attribute to be included in all cases +# where RADIUS is used for EAP authentication. This is also required for cases +# where RADIUS is used for MAC ACL (macaddr_acl=2) by default, but that case +# can be configured to not require this for compatibility with RADIUS servers +# that do not include the attribute. This is not recommended due to potential +# security concerns, but can be used as a temporary workaround in networks where +# the connection to the RADIUS server is secure. +# 0 = Do not require Message-Authenticator in MAC ACL response +# 1 = Require Message-Authenticator in all authentication cases (default) +#radius_require_message_authenticator=1 # Interim accounting update interval # If this is set (larger than 0) and acct_server is configured, hostapd will diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index 32b04ab35..0b5a16ef9 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -122,6 +122,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) #endif /* CONFIG_IEEE80211R_AP */ bss->radius_das_time_window = 300; + bss->radius_require_message_authenticator = 1; bss->anti_clogging_threshold = 5; bss->sae_sync = 5; diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index fda937ecf..ced2181ab 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -309,6 +309,7 @@ struct hostapd_bss_config { struct hostapd_ip_addr own_ip_addr; char *nas_identifier; struct hostapd_radius_servers *radius; + int radius_require_message_authenticator; int acct_interim_interval; int radius_request_cui; struct hostapd_radius_attr *radius_auth_req_attr; diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c index cc38044d8..913a99597 100644 --- a/src/ap/ieee802_11_auth.c +++ b/src/ap/ieee802_11_auth.c @@ -508,7 +508,9 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, "Found matching Access-Request for RADIUS message (id=%d)", query->radius_id); - if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) { + if (radius_msg_verify( + msg, shared_secret, shared_secret_len, req, + hapd->conf->radius_require_message_authenticator)) { wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have correct authenticator - dropped"); return RADIUS_RX_INVALID_AUTHENTICATOR;