Rework the Acct-Session-Id and Acct-Multi-Session-Id implementation to
give better global and temporal uniqueness. Previously, only 32-bits of
the Acct-Session-Id would contain random data, the other 32-bits would
be incremented. Previously, the Acct-Multi-Session-Id would not use
random data. Switch from two u32 variables to a single u64 for the
Acct-Session-Id and Acct-Multi-Session-Id. Do not increment, this serves
no legitimate purpose. Exclusively use os_get_random() to get quality
random numbers, do not use or mix in the time. Inherently take a
dependency on /dev/urandom working properly therefore. Remove the global
Acct-Session-Id and Acct-Multi-Session-Id values that serve no
legitimate purpose.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Event-Timestamp should be sent for all Accounting-Request packets and
only after the system clock has a sane value, not where there's a value
close to the Unix time epoch.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Acct-Authentic is used to indicate how the user was authenticated and as
such, should not be sent in Accounting-On and Accounting-Off.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Per RFC 2866, 5.10, it is invalid to send Acct-Terminate-Cause in
Accounting-On and Accounting-Off (this is included only when
Acct-Status-Type is set to Stop).
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
The recently added ProxyARP support (proxy_arp=1) in hostapd allows a
STA IPv4 address to be learned from DHCP or ARP messages. If that
information is available, add it to Account-Request messages in
Framed-IP-Address attribute.
Signed-off-by: Jouni Malinen <j@w1.fi>
So that systems with bad clocks will send random session IDs,
instead of always ones starting at the same second.
If os_get_random() isn't available, use os_get_time(). But also
mix in now.tv_usec, so that the accounting session ID is more
likely to be globally and temporally unique.
Signed-off-by: Alan DeKok <aland@freeradius.org>
This allows multiple sessions using the same PMKSA cache entry to be
combined more easily at the server side. Acct-Session-Id is still a
unique identifier for each association, while Acct-Multi-Session-Id will
maintain its value for all associations that use the same PMKSA.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 8b24861154 ('Add Acct-Session-Id
into Access-Request messages') added Acct-Session-Id building into the
helper function shared between authentication and accounting messages.
However, it forgot to remove the same code from the generation of
accounting messages and as such, ended up with Accounting-Request
messages containing two copies of this attribute. Fix this by removing
the addition of this attribute from the accounting specific function.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows use of structs (and not only pointers) defined in drivers.h.
Remove also some not needed forward declarations and redundant includes.
Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
For type-safety, make sta->acct_session_start a struct os_reltime
and then use monotonic time for accounting. For RADIUS reporting,
continue to use wall clock time as specified by RFC 2869, but for
the session time use monotonic time.
Interestingly, RFC 2869 doesn't specify a timezone, so the value
is somewhat arbitrary.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
This optional attribute may make it easier to bind together the
Access-Request and Accounting-Request messages. The accounting session
identifier is now generated when the STA associates instead of waiting
for the actual session to start after successfull authentication.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows User-Name and Chargeable-User-Identity attributes to be
passed from Access-Accept into Accounting messages even when IEEE 802.1X
is not used.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
New configuration parameters radius_auth_req_attr and
radius_acct_req_attr can now be used to add (or override) RADIUS
attributes in Access-Request and Accounting-Request packets.
Signed-hostap: Jouni Malinen <j@w1.fi>
If Access-Accept packet includes the Chargeable-User-Identity attribute,
copy this attribute as-is into accounting messages.
Signed-hostap: Jouni Malinen <j@w1.fi>
send_eapol, set_key, read_sta_data, sta_clear_stats,
set_radius_acl_auth, set_radius_acl_expire, and set_beacon
to use inline functions instead of extra abstraction.
Doxygen and some build tools may get a bit confused about same file
name being used in different directories. Clean this up a bit by
renaming some of the duplicated file names in src/ap.
This code can be shared by both hostapd and wpa_supplicant and this
is an initial step in getting the generic code moved to be under the
src directories. Couple of generic files still remain under the
hostapd directory due to direct dependencies to files there. Once the
dependencies have been removed, they will also be moved to the src/ap
directory to allow wpa_supplicant to be built without requiring anything
from the hostapd directory.
Nick Lowe
Jouni Malinen
Jouni Malinen
Alan T. DeKok
Andrei Otcheretianski
Johannes Berg
Michael Braun
Baruch Siach
Per Ekman
Jouni Malinen