Radius DAS won't work

Jouni Malinen j at w1.fi
Wed Feb 19 06:58:29 EST 2014


On Fri, Feb 07, 2014 at 12:44:34PM +0100, Robert Plestenjak wrote:
> DAS: Received 52 bytes from 172.16.93.117:41409
> RADIUS message: code=40 (Disconnect-Request) identifier=40 length=52
>    Attribute 44 (Acct-Session-Id) length=19
>       Value: '52F4B5D1-00000000'
>    Attribute 1 (User-Name) length=7
>       Value: 'janez'
>    Attribute 4 (NAS-IP-Address) length=6
>       Value: 172.16.117.235
> DAS: Unsupported attribute 4 in Disconnect-Request from 172.16.93.117:41409


> Now, if I get this right, NAS receives Disconnect-Request and it complains that it doesn't support attribute 4 (Accounting-Request). Then it sends response NAK and error, attribute 101 with value 401 (unsupported attribute).

That's an attribute, not code. In other words, attribute 4 is
NAS-IP-Address. hostapd does not currently support identification of the
NAS based on attributes (it doesn't make much sense to do that since
hostapd is not a proxy and Disconnect-Request sent to its IP address is
already identifying the target). Based on RFC 5176, any unsupported
attribute in the request will result in Disconnect-NAK with error code
401. In other words, you would need to drop that NAS-IP-Address from the
Disconnect-Request for now.

I understand that the RADIUS proxy would likely end up forwarding all
the attributes, so it would make sense to add support in hostapd at
least for NAS-IP-Address (and NAS-IPv6-Address) and maybe NAS-Identifier
as well, since it is also mentioned in the RFC, so that the proxy case
would work as well.

> rad_verify: Received packet from 172.16.117.235 with invalid Message-Authenticator!  (Shared secret is incorrect.)
> radclient: no response from server for ID 40 socket 3
> 
> 
> On the FreeRADIUS side we see that the disconnect request was sent, NAK received, and after that it fails verifying the Message-Authenticator response.

I don't remember in which version this was fixed, but I'd assume you'll
see this go away by updating to the latest FreeRADIUS release.

-- 
Jouni Malinen                                            PGP id EFC895FA
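
The behaviour described in the reply above, as an added sketch that is not hostapd or FreeRADIUS code: a DAS that answers a Disconnect-Request carrying an attribute outside its supported set with Disconnect-NAK and Error-Cause 401, and the sender-side workaround of dropping NAS-IP-Address and re-signing the request. The shared secret, the SUPPORTED set and all function names are assumptions; Message-Authenticator is not modelled.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-secret"   # constructed sample shared secret
SUPPORTED = {1, 44}   # assumption: DAS handles only User-Name, Acct-Session-Id

def build(code, ident, attrs, req_auth=b"\x00" * 16):
    """RFC 5176 authenticator: MD5(code|id|len|auth field|attrs|secret).
    Requests hash 16 zero octets, responses hash the Request Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + req_auth + body + SECRET).digest() + body

def parse_attrs(pkt):
    length = struct.unpack("!H", pkt[2:4])[0] if len(pkt) >= 20 else 0
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length")
    pos, out = 20, []
    while pos < length:
        alen = pkt[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        out.append((pkt[pos], pkt[pos + 2:pos + alen]))
        pos += alen
    return out

def request_auth_ok(pkt):
    """Recompute the Request Authenticator; compare in constant time."""
    expect = build(pkt[0], pkt[1], parse_attrs(pkt))[4:20]
    return hmac.compare_digest(expect, pkt[4:20])

def das_handle(pkt):
    """Disconnect-NAK (42) with Error-Cause (101) = 401 on the first
    unsupported attribute; None means the request passed this check."""
    if pkt[:1] != bytes([40]) or not request_auth_ok(pkt):
        raise ValueError("not a valid Disconnect-Request")
    for atype, _ in parse_attrs(pkt):
        if atype not in SUPPORTED:
            return build(42, pkt[1], [(101, struct.pack("!I", 401))], pkt[4:20])
    return None  # session lookup and Disconnect-ACK are not modelled here

def strip_attr(pkt, drop):
    """Sender-side workaround: re-sign the request without one attribute type."""
    return build(pkt[0], pkt[1], [a for a in parse_attrs(pkt) if a[0] != drop])

# Constructed copy of the request in the log: identifier 40, 52 bytes.
REQUEST = build(40, 40, [(44, b"52F4B5D1-00000000"), (1, b"janez"),
                         (4, socket.inet_aton("172.16.117.235"))])
```

`das_handle(REQUEST)` returns the 26-byte NAK, while `das_handle(strip_attr(REQUEST, 4))` returns `None` because the remaining attributes are in the supported set.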

