Allow arbitrary RADIUS attributes to be added into Access-Accept
This extends the design already available for Access-Request packets to the RADIUS server and Access-Accept messages. Each user entry can be configured to add arbitrary RADIUS attributes. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
parent
0ac3876627
commit
d0ee16edc8
7 changed files with 68 additions and 9 deletions
|
@ -13,6 +13,7 @@
|
|||
#include "radius.h"
|
||||
#include "eloop.h"
|
||||
#include "eap_server/eap.h"
|
||||
#include "ap/ap_config.h"
|
||||
#include "radius_server.h"
|
||||
|
||||
/**
|
||||
|
@ -79,6 +80,8 @@ struct radius_session {
|
|||
u8 last_authenticator[16];
|
||||
|
||||
unsigned int remediation:1;
|
||||
|
||||
struct hostapd_radius_attr *accept_attr;
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -483,6 +486,7 @@ radius_server_get_new_session(struct radius_server_data *data,
|
|||
int res;
|
||||
struct radius_session *sess;
|
||||
struct eap_config eap_conf;
|
||||
struct eap_user tmp;
|
||||
|
||||
RADIUS_DEBUG("Creating a new session");
|
||||
|
||||
|
@ -499,7 +503,9 @@ radius_server_get_new_session(struct radius_server_data *data,
|
|||
user_len = res;
|
||||
RADIUS_DUMP_ASCII("User-Name", user, user_len);
|
||||
|
||||
res = data->get_eap_user(data->conf_ctx, user, user_len, 0, NULL);
|
||||
os_memset(&tmp, 0, sizeof(tmp));
|
||||
res = data->get_eap_user(data->conf_ctx, user, user_len, 0, &tmp);
|
||||
os_free(tmp.password);
|
||||
os_free(user);
|
||||
|
||||
if (res == 0) {
|
||||
|
@ -509,6 +515,7 @@ radius_server_get_new_session(struct radius_server_data *data,
|
|||
RADIUS_DEBUG("Failed to create a new session");
|
||||
return NULL;
|
||||
}
|
||||
sess->accept_attr = tmp.accept_attr;
|
||||
} else {
|
||||
RADIUS_DEBUG("User-Name not found from user database");
|
||||
return NULL;
|
||||
|
@ -661,6 +668,19 @@ radius_server_encapsulate_eap(struct radius_server_data *data,
|
|||
return NULL;
|
||||
}
|
||||
|
||||
if (code == RADIUS_CODE_ACCESS_ACCEPT) {
|
||||
struct hostapd_radius_attr *attr;
|
||||
for (attr = sess->accept_attr; attr; attr = attr->next) {
|
||||
if (!radius_msg_add_attr(msg, attr->type,
|
||||
wpabuf_head(attr->val),
|
||||
wpabuf_len(attr->val))) {
|
||||
wpa_printf(MSG_ERROR, "Could not add RADIUS attribute");
|
||||
radius_msg_free(msg);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (radius_msg_finish_srv(msg, (u8 *) client->shared_secret,
|
||||
client->shared_secret_len,
|
||||
hdr->authenticator) < 0) {
|
||||
|
@ -1725,8 +1745,10 @@ static int radius_server_get_eap_user(void *ctx, const u8 *identity,
|
|||
|
||||
ret = data->get_eap_user(data->conf_ctx, identity, identity_len,
|
||||
phase2, user);
|
||||
if (ret == 0 && user)
|
||||
if (ret == 0 && user) {
|
||||
sess->accept_attr = user->accept_attr;
|
||||
sess->remediation = user->remediation;
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
|
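Review bot: `sess->accept_attr = tmp.accept_attr;` stores a raw pointer into the user entry that `get_eap_user` filled, while the very same hunk frees the entry's other heap member with `os_free(tmp.password)`, so nothing on the page says who owns the `hostapd_radius_attr` list or how long it lives; the same applies to `sess->accept_attr = user->accept_attr;` in the last hunk. If the user database can be reloaded while a RADIUS session is still open, the list the session walks in `radius_server_encapsulate_eap` may have been freed under it — worth confirming against the configuration-reload path, which is outside this diff. At minimum the new field deserves a one-line contract: `struct hostapd_radius_attr *accept_attr; /* not owned by the session; points into the user entry and must outlive it */`. The loop in `radius_server_encapsulate_eap` also dereferences `attr->val` unconditionally; if an attribute may be configured without a value, a `attr->val == NULL` guard (or a comment stating the config parser guarantees one) would make that explicit. All three enclosing functions start and end outside their hunks.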