RADIUS: Add WLAN-Reason-Code attribute to Access-Reject

Make the RADIUS server in hostapd add WLAN-Reason-Code attribute to all Access-Reject messages generated based on EAP-Failure from the EAP server. For now, the reason code value is set to 23 (IEEE 802.1X authentication failed). This can be extending in future commits to cover addition failure reasons. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-01-12 20:45:12 +02:00 · 2018-01-12 20:45:12 +02:00 · f75ed556c8
commit f75ed556c8
parent 9ec824b9c1
3 changed files with 13 additions and 0 deletions
--- a/src/radius/radius.c
+++ b/src/radius/radius.c
@ -250,6 +250,8 @@ static const struct radius_attr_type radius_attrs[] =
 	{ RADIUS_ATTR_MOBILITY_DOMAIN_ID, "Mobility-Domain-Id",
 	  RADIUS_ATTR_INT32 },
 	{ RADIUS_ATTR_WLAN_HESSID, "WLAN-HESSID", RADIUS_ATTR_TEXT },
+	{ RADIUS_ATTR_WLAN_REASON_CODE, "WLAN-Reason-Code",
+	  RADIUS_ATTR_INT32 },
 	{ RADIUS_ATTR_WLAN_PAIRWISE_CIPHER, "WLAN-Pairwise-Cipher",
 	  RADIUS_ATTR_HEXDUMP },
 	{ RADIUS_ATTR_WLAN_GROUP_CIPHER, "WLAN-Group-Cipher",
--- a/src/radius/radius.h
+++ b/src/radius/radius.h
@ -104,6 +104,7 @@ enum { RADIUS_ATTR_USER_NAME = 1,
       RADIUS_ATTR_REQUESTED_LOCATION_INFO = 132,
       RADIUS_ATTR_MOBILITY_DOMAIN_ID = 177,
       RADIUS_ATTR_WLAN_HESSID = 181,
+       RADIUS_ATTR_WLAN_REASON_CODE = 185,
       RADIUS_ATTR_WLAN_PAIRWISE_CIPHER = 186,
       RADIUS_ATTR_WLAN_GROUP_CIPHER = 187,
       RADIUS_ATTR_WLAN_AKM_SUITE = 188,
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@ -728,6 +728,7 @@ radius_server_encapsulate_eap(struct radius_server_data *data,
 	int code;
 	unsigned int sess_id;
 	struct radius_hdr *hdr = radius_msg_get_hdr(request);
+	u16 reason = WLAN_REASON_IEEE_802_1X_AUTH_FAILED;

 	if (sess->eap_if->eapFail) {
 		sess->eap_if->eapFail = FALSE;
@ -841,6 +842,15 @@ radius_server_encapsulate_eap(struct radius_server_data *data,
 		}
 	}

+	if (code == RADIUS_CODE_ACCESS_REJECT) {
+		if (radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_REASON_CODE,
+					      reason) < 0) {
+			RADIUS_DEBUG("Failed to add WLAN-Reason-Code attribute");
+			radius_msg_free(msg);
+			return NULL;
+		}
+	}
+
 	if (radius_msg_finish_srv(msg, (u8 *) client->shared_secret,
 				  client->shared_secret_len,
 				  hdr->authenticator) < 0) {