DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Add RADIUS server support for identity selection hint (RFC 4284)

Browse source 
Previously, only the delivery option 1 from RFC 4284
(EAP-Request/Identity from the AP) was supported. Now option 3
(subsequent EAP-Request/Identity from RADIUS server) can also be used
when hostapd is used as a RADIUS server. The eap_user file will need to
have a Phase 1 user entry pointing to Identity method in order for this
to happen (e.g., "* Identity" in the end of the file). The identity hint
is configured in the same was as for AP/Authenticator case (eap_message
in hostapd.conf).
This commit is contained in:
Jouni Malinen 2008-12-26 20:22:12 +02:00
parent d9f5626293
commit 65d50f0ac6
5 changed files with 46 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

19
src/eap_server/eap.c
View file

@ -1051,11 +1051,30 @@ static int eap_sm_Policy_getDecision(struct eap_sm *sm)
}
if ((sm->user == NULL || sm->update_user) && sm->identity) {
/*
* Allow Identity method to be started once to allow identity
* selection hint to be sent from the authentication server,
* but prevent a loop of Identity requests by only allowing
* this to happen once.
*/
int id_req = 0;
if (sm->user && sm->currentMethod == EAP_TYPE_IDENTITY &&
sm->user->methods[0].vendor == EAP_VENDOR_IETF &&
sm->user->methods[0].method == EAP_TYPE_IDENTITY)
id_req = 1;
if (eap_user_get(sm, sm->identity, sm->identity_len, 0) != 0) {
wpa_printf(MSG_DEBUG, "EAP: getDecision: user not "
"found from database -> FAILURE");
return DECISION_FAILURE;
}
if (id_req && sm->user &&
sm->user->methods[0].vendor == EAP_VENDOR_IETF &&
sm->user->methods[0].method == EAP_TYPE_IDENTITY) {
wpa_printf(MSG_DEBUG, "EAP: getDecision: stop "
"identity request loop -> FAILURE");
sm->update_user = TRUE;
return DECISION_FAILURE;
}
sm->update_user = FALSE;
}

2
src/eap_server/eap_identity.c
View file

@ -125,6 +125,8 @@ static void eap_identity_process(struct eap_sm *sm, void *priv,
return; /* Should not happen - frame already validated */
wpa_hexdump_ascii(MSG_DEBUG, "EAP-Identity: Peer identity", pos, len);
if (sm->identity)
sm->update_user = TRUE;
os_free(sm->identity);
sm->identity = os_malloc(len ? len : 1);
if (sm->identity == NULL) {