Support for RADIUS ACLs with drivers that do not use hostapd MLME

Sam Leffler <sam@errno.com>:
Attached are changes from Chris Zimmerman (cc'd) to allow drivers to handle
radius ACL's.  The patch is against 0.5.10 but I suspect will also apply to
your latest code.  These mods enable radius acl support in freebsd w/ my
vap code.

You may want to do the changes to ieee802_11_auth.c differently as they
currently require all participating drivers to work the same.  You might be
able to check the return value from hostapd_set_radius_acl_auth and use
that to decide whether the alternate code should be run so you can have 1
driver using this stuff while the other does not.

(jm: Added without more dynamic check for now; in addition, none of the
current in-tree driver wrappers actually implement these handlers, so this
is in preparation for future changes)
This commit is contained in:
Chris Zimmermann 2008-03-12 11:43:55 +02:00 committed by Jouni Malinen
parent b6745143e8
commit 6affdaee6b
4 changed files with 40 additions and 1 deletions

View file

@ -454,6 +454,10 @@ ifdef CONFIG_IPV6
CFLAGS += -DCONFIG_IPV6 CFLAGS += -DCONFIG_IPV6
endif endif
ifdef CONFIG_DRIVER_RADIUS_ACL
CFLAGS += -DCONFIG_DRIVER_RADIUS_ACL
endif
ifdef CONFIG_FULL_DYNAMIC_VLAN ifdef CONFIG_FULL_DYNAMIC_VLAN
# define CONFIG_FULL_DYNAMIC_VLAN to have hostapd manipulate bridges # define CONFIG_FULL_DYNAMIC_VLAN to have hostapd manipulate bridges
# and vlan interfaces for the vlan feature. # and vlan interfaces for the vlan feature.

View file

@ -120,3 +120,7 @@ CONFIG_IPV6=y
# IEEE 802.11r. This draft is still subject to change, so it should be noted # IEEE 802.11r. This draft is still subject to change, so it should be noted
# that this version may not comply with the final standard. # that this version may not comply with the final standard.
#CONFIG_IEEE80211R=y #CONFIG_IEEE80211R=y
# Use the hostapd's IEEE 802.11 authentication (ACL), but without
# the IEEE 802.11 Management capability (e.g., madwifi or FreeBSD/net80211)
#CONFIG_DRIVER_RADIUS_ACL=y

View file

@ -159,6 +159,10 @@ struct wpa_driver_ops {
int (*send_ether)(void *priv, const u8 *dst, const u8 *src, u16 proto, int (*send_ether)(void *priv, const u8 *dst, const u8 *src, u16 proto,
const u8 *data, size_t data_len); const u8 *data, size_t data_len);
int (*set_radius_acl_auth)(void *priv, const u8 *mac, int accepted,
u32 session_timeout);
int (*set_radius_acl_expire)(void *priv, const u8 *mac);
}; };
static inline void * static inline void *
@ -678,4 +682,23 @@ hostapd_driver_commit(struct hostapd_data *hapd)
return hapd->driver->commit(hapd->drv_priv); return hapd->driver->commit(hapd->drv_priv);
} }
static inline int
hostapd_set_radius_acl_auth(struct hostapd_data *hapd, const u8 *mac,
int accepted, u32 session_timeout)
{
if (hapd->driver == NULL || hapd->driver->set_radius_acl_auth == NULL)
return 0;
return hapd->driver->set_radius_acl_auth(hapd->drv_priv, mac, accepted,
session_timeout);
}
static inline int
hostapd_set_radius_acl_expire(struct hostapd_data *hapd, const u8 *mac)
{
if (hapd->driver == NULL ||
hapd->driver->set_radius_acl_expire == NULL)
return 0;
return hapd->driver->set_radius_acl_expire(hapd->drv_priv, mac);
}
#endif /* DRIVER_H */ #endif /* DRIVER_H */

View file

@ -22,6 +22,7 @@
#include "radius/radius.h" #include "radius/radius.h"
#include "radius/radius_client.h" #include "radius/radius_client.h"
#include "eloop.h" #include "eloop.h"
#include "driver.h"
#define RADIUS_ACL_TIMEOUT 30 #define RADIUS_ACL_TIMEOUT 30
@ -293,7 +294,9 @@ static void hostapd_acl_expire_cache(struct hostapd_data *hapd, time_t now)
prev->next = entry->next; prev->next = entry->next;
else else
hapd->acl_cache = entry->next; hapd->acl_cache = entry->next;
#ifdef CONFIG_DRIVER_RADIUS_ACL
hostapd_set_radius_acl_expire(hapd, entry->addr);
#endif /* CONFIG_DRIVER_RADIUS_ACL */
tmp = entry; tmp = entry;
entry = entry->next; entry = entry->next;
os_free(tmp); os_free(tmp);
@ -417,11 +420,16 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
cache->next = hapd->acl_cache; cache->next = hapd->acl_cache;
hapd->acl_cache = cache; hapd->acl_cache = cache;
#ifdef CONFIG_DRIVER_RADIUS_ACL
hostapd_set_radius_acl_auth(hapd, query->addr, cache->accepted,
cache->session_timeout);
#else /* CONFIG_DRIVER_RADIUS_ACL */
/* Re-send original authentication frame for 802.11 processing */ /* Re-send original authentication frame for 802.11 processing */
wpa_printf(MSG_DEBUG, "Re-sending authentication frame after " wpa_printf(MSG_DEBUG, "Re-sending authentication frame after "
"successful RADIUS ACL query"); "successful RADIUS ACL query");
ieee802_11_mgmt(hapd, query->auth_msg, query->auth_msg_len, ieee802_11_mgmt(hapd, query->auth_msg, query->auth_msg_len,
WLAN_FC_STYPE_AUTH, NULL); WLAN_FC_STYPE_AUTH, NULL);
#endif /* CONFIG_DRIVER_RADIUS_ACL */
done: done:
if (prev == NULL) if (prev == NULL)