From f75ed556c8d7d41447b87045211e3a75fa00577f Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 12 Jan 2018 20:45:12 +0200
Subject: [PATCH] RADIUS: Add WLAN-Reason-Code attribute to Access-Reject

Make the RADIUS server in hostapd add WLAN-Reason-Code attribute to all Access-Reject messages generated based on EAP-Failure from the EAP server. For now, the reason code value is set to 23 (IEEE 802.1X authentication failed). This can be extending in future commits to cover addition failure reasons.

Signed-off-by: Jouni Malinen
---
 src/radius/radius.c | 2 ++
 src/radius/radius.h | 1 +
 src/radius/radius_server.c | 10 ++++++++++
 3 files changed, 13 insertions(+)

diff --git a/src/radius/radius.c b/src/radius/radius.c
index fc98ad69f..07240ea22 100644
--- a/src/radius/radius.c
+++ b/src/radius/radius.c
@@ -250,6 +250,8 @@ static const struct radius_attr_type radius_attrs[] =
 { RADIUS_ATTR_MOBILITY_DOMAIN_ID, "Mobility-Domain-Id", RADIUS_ATTR_INT32 },
 { RADIUS_ATTR_WLAN_HESSID, "WLAN-HESSID", RADIUS_ATTR_TEXT },
+ { RADIUS_ATTR_WLAN_REASON_CODE, "WLAN-Reason-Code",
+ RADIUS_ATTR_INT32 },
 { RADIUS_ATTR_WLAN_PAIRWISE_CIPHER, "WLAN-Pairwise-Cipher", RADIUS_ATTR_HEXDUMP },
 { RADIUS_ATTR_WLAN_GROUP_CIPHER, "WLAN-Group-Cipher",
diff --git a/src/radius/radius.h b/src/radius/radius.h
index cd510d2c8..96551c62e 100644
--- a/src/radius/radius.h
+++ b/src/radius/radius.h
@@ -104,6 +104,7 @@ enum { RADIUS_ATTR_USER_NAME = 1,
 RADIUS_ATTR_REQUESTED_LOCATION_INFO = 132,
 RADIUS_ATTR_MOBILITY_DOMAIN_ID = 177,
 RADIUS_ATTR_WLAN_HESSID = 181,
+ RADIUS_ATTR_WLAN_REASON_CODE = 185,
 RADIUS_ATTR_WLAN_PAIRWISE_CIPHER = 186,
 RADIUS_ATTR_WLAN_GROUP_CIPHER = 187,
 RADIUS_ATTR_WLAN_AKM_SUITE = 188,
diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
index c76bb2226..0a8f448e7 100644
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@@ -728,6 +728,7 @@ radius_server_encapsulate_eap(struct radius_server_data *data,
 int code;
 unsigned int sess_id;
 struct radius_hdr *hdr = radius_msg_get_hdr(request);
+ u16 reason = WLAN_REASON_IEEE_802_1X_AUTH_FAILED;
 if (sess->eap_if->eapFail) {
 sess->eap_if->eapFail = FALSE;
@@ -841,6 +842,15 @@ radius_server_encapsulate_eap(struct radius_server_data *data,
 }
 }
+ if (code == RADIUS_CODE_ACCESS_REJECT) {
+ if (radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_REASON_CODE,
+ reason) < 0) {
+ RADIUS_DEBUG("Failed to add WLAN-Reason-Code attribute");
+ radius_msg_free(msg);
+ return NULL;
+ }
+ }
+
 if (radius_msg_finish_srv(msg, (u8 *) client->shared_secret, client->shared_secret_len, hdr->authenticator) < 0) {
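Review bot: The new `reason` local declared in the `@@ -728` hunk has no comment saying that its value leaves the server in every Access-Reject built by this function, and the commit description already plans further values. A comment such as `/* Sent to the NAS in WLAN-Reason-Code; keep values coarse so a reject does not reveal which credential check failed */` would record that constraint before finer-grained codes are added. In the `@@ -841` hunk the attribute is appended before `radius_msg_finish_srv()`, which is presumably what brings it under the response integrity computation, so a short `/* must be added before radius_msg_finish_srv() */` on the new block would keep later edits from moving it below that call. The body of radius_server_encapsulate_eap starts and ends outside both hunks.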