From patchwork Sun Dec 11 11:13:18 2011
X-Patchwork-Submitter: Jouni Malinen
X-Patchwork-Id: 130600
Date: Sun, 11 Dec 2011 13:13:18 +0200
From: Jouni Malinen
To: hostap@lists.shmoo.com
Subject: Re: [PATCHv10] Use radius supplied Passphrase for WPA-PSK
Message-ID: <20111211111318.GB4567@w1.fi>
References: <20111208100432.GA3700@dynamic.fami-braun.de>
In-Reply-To: <20111208100432.GA3700@dynamic.fami-braun.de>
User-Agent: Mutt/1.5.21 (2010-09-15)

On Thu, Dec 08, 2011 at 11:04:32AM +0100, michael-dev@fami-braun.de wrote:
> please find attached a new revision of the patch. I made the radius function that reads the tunneled password
> respect the tag attribute and return the tunneled password with the lowest tag just as get_vlanid does.

Thanks. I applied the Tunnel-Password/PSK parts, but left the Service-Type addition out for now (see below for the part that did not get committed). Could you please clarify the need for this? It looks a bit odd to use different service types for EAP and MAC ACL since both of these are for the same purpose of getting connectivity to the network. Is Service-Type = Outgoing really used in IEEE 802.1X/IEEE 802.11 use cases? Or could it cause problems if the RADIUS server validates this somehow? It should be possible to distinguish the different RADIUS use cases already by checking whether the EAP-Message attribute is included.

diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c index f3f313d..0c03bbb 100644 --- a/src/ap/ieee802_11_auth.c
+++ b/src/ap/ieee802_11_auth.c @@ -192,6 +192,12 @@ static int hostapd_radius_acl_query(struct hostapd_data *hapd, const u8 *addr, goto fail; } + if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_SERVICE_TYPE, + RADIUS_SERVICE_TYPE_OUTBOUND)) { + wpa_printf(MSG_DEBUG, "Could not add Service-Type"); + goto fail; + } + os_snprintf(buf, sizeof(buf), "CONNECT 11Mbps 802.11b"); if (!radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, (u8 *) buf, os_strlen(buf))) { diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index 153b271..0f3b716 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -509,6 +509,12 @@ static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, goto fail; } + if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_SERVICE_TYPE, + RADIUS_SERVICE_TYPE_FRAMED)) { + printf("Could not add Service-Type\n"); + goto fail; + } + if (sta->flags & WLAN_STA_PREAUTH) { os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", sizeof(buf)); diff --git a/src/radius/radius.c b/src/radius/radius.c index 3ead847..651b76f 100644 --- a/src/radius/radius.c +++ b/src/radius/radius.c @@ -173,6 +173,7 @@ static struct radius_attr_type radius_attrs[] = { RADIUS_ATTR_USER_PASSWORD, "User-Password", RADIUS_ATTR_UNDIST }, { RADIUS_ATTR_NAS_IP_ADDRESS, "NAS-IP-Address", RADIUS_ATTR_IP }, { RADIUS_ATTR_NAS_PORT, "NAS-Port", RADIUS_ATTR_INT32 }, + { RADIUS_ATTR_SERVICE_TYPE, "Service-Type", RADIUS_ATTR_INT32 }, { RADIUS_ATTR_FRAMED_MTU, "Framed-MTU", RADIUS_ATTR_INT32 }, { RADIUS_ATTR_REPLY_MESSAGE, "Reply-Message", RADIUS_ATTR_TEXT }, { RADIUS_ATTR_STATE, "State", RADIUS_ATTR_UNDIST }, diff --git a/src/radius/radius.h b/src/radius/radius.h index e69a047..ec688ea 100644 --- a/src/radius/radius.h +++ b/src/radius/radius.h @@ -52,6 +52,7 @@ enum { RADIUS_ATTR_USER_NAME = 1, RADIUS_ATTR_USER_PASSWORD = 2, RADIUS_ATTR_NAS_IP_ADDRESS = 4, RADIUS_ATTR_NAS_PORT = 5, + RADIUS_ATTR_SERVICE_TYPE = 6, RADIUS_ATTR_FRAMED_MTU = 12, RADIUS_ATTR_REPLY_MESSAGE = 18, RADIUS_ATTR_STATE = 24, 
@@ -146,6 +147,19 @@ enum { RADIUS_ATTR_USER_NAME = 1, #define RADIUS_TUNNEL_MEDIUM_TYPE_IPV6 2 #define RADIUS_TUNNEL_MEDIUM_TYPE_802 6 +/* Service-Type */ +#define RADIUS_SERVICE_TYPE_LOGIN 1 +#define RADIUS_SERVICE_TYPE_FRAMED 2 +#define RADIUS_SERVICE_TYPE_CALLBACK_LOGIN 3 +#define RADIUS_SERVICE_TYPE_CALLBACK_FRAMED 4 +#define RADIUS_SERVICE_TYPE_OUTBOUND 5 +#define RADIUS_SERVICE_TYPE_ADMINISTRATIVE 6 +#define RADIUS_SERVICE_TYPE_NAS_PROMPT 7 +#define RADIUS_SERVICE_TYPE_AUTHENTICATE_ONLY 8 +#define RADIUS_SERVICE_TYPE_CALLBACK_NAS_PROMPT 9 +#define RADIUS_SERVICE_TYPE_CALL_CHECK 10 +#define RADIUS_SERVICE_TYPE_CALLBACK ADMINISTRATIVE 11 + struct radius_attr_vendor { u8 vendor_type;
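Review bot: in the ieee802_11_auth.c hunk, Service-Type = Outbound (RADIUS_SERVICE_TYPE_OUTBOUND, 5) is a questionable value for the MAC ACL Access-Request built in hostapd_radius_acl_query(), because that request is an authorization lookup keyed on the station's MAC address; the define list added in the radius.h hunk already carries RADIUS_SERVICE_TYPE_CALL_CHECK (10), which is the RFC 2865 value for a decision made on Calling-Station-Id/Called-Station-Id and the one RADIUS servers conventionally key MAC-based policies on. Either send Call-Check here or leave the attribute out of this request, and state in the commit message which server-side behaviour the attribute is meant to trigger, since a server that validates Service-Type may reject Outbound from an 802.11 NAS.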
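Review bot: in the ieee802_1x.c hunk, the error path uses printf("Could not add Service-Type\n") while the matching hunk in ieee802_11_auth.c uses wpa_printf(MSG_DEBUG, ...); switch this to wpa_printf(MSG_DEBUG, "Could not add Service-Type") so the message goes through hostapd's logging rather than to stdout. The Framed (2) value for EAP next to Outbound (5) for MAC ACL also means the same NAS reports two different service types for the same network-access purpose, so the commit message should justify the split.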
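Review bot: in the second radius.h hunk, `#define RADIUS_SERVICE_TYPE_CALLBACK ADMINISTRATIVE 11` has a space where the underscore belongs, so it defines a macro named RADIUS_SERVICE_TYPE_CALLBACK that expands to `ADMINISTRATIVE 11`; it should read `#define RADIUS_SERVICE_TYPE_CALLBACK_ADMINISTRATIVE 11`. It compiles silently only because nothing references it yet. The `/* Service-Type */` comment should also cite RFC 2865 section 5.6 as the source of the values 1 through 11, since only Framed and Outbound are actually used by this patch.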