Radius server reject invaild request from authenticator

Jouni Malinen j at w1.fi
Sun Jan 30 14:00:24 EST 2011


On Sun, Jan 30, 2011 at 06:21:36AM +0000, 彦 张 wrote:
> But now I have aquestion:  If hostapd as radius server has some requirements for authenticator?

Well, it assumes that the authenticator/RADIUS client actually complies
with the RADIUS specification..

> I tried two authenticators, one is ok, but radius server received the
> first message from another authenticator, I attached the log:

> RADIUS message: code=1 (Access-Request) identifier=0 length=141

>    Attribute 12 (Framed-MTU) length=4
>       Invalid INT32 length 2

That RADIUS client is quite broken... Framed-MTU is defined to use a
32-bit field, but it tries to use a 16-bit value.

>    Attribute 24 (State) length=18
>       Value: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

And where did it get this State variable from? hostapd as RADIUS
authentication server is using a 32-bit State value and the RADIUS
client should not send any random value it feels like here..

> RADIUS SRV: State attribute included but no session found
> RADIUS SRV: Reject invalid request from 192.168.3.99:1024
> RADIUS message: code=3 (Access-Reject) identifier=0 length=44

This happens because of that unexpected State variable. In theory, that
could be assumed to be something bogus and the AS could force a new
session, but the current approach in hostapd AS is to refuse to continue
the authentication if an unrecognized State attribute is received since
that would normally indicate something having gone quite wrong.

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list