Radius DAS won't work
robert.plestenjak at xlab.si
Thu Feb 20 02:43:53 EST 2014
Yes! That was it, I had to remove 'NAS-IP-Address = 172.16.117.235' from disconnect request.
Proper Disconnect-Request packet (packet.txt):
Acct-Session-Id = "5305B0C7-00000001"
User-Name = "janez"
And you send it like:
cat ~/packet.txt | radclient -r 1 -x 172.16.117.235:3799 disconnect supersecret
Thanks for the help.
----- Original Message -----
From: "Jouni Malinen" <j at w1.fi>
To: hostap at lists.shmoo.com
Sent: Wednesday, February 19, 2014 12:58:29 PM
Subject: Re: Radius DAS won't work
On Fri, Feb 07, 2014 at 12:44:34PM +0100, Robert Plestenjak wrote:
> DAS: Received 52 bytes from 172.16.93.117:41409
> RADIUS message: code=40 (Disconnect-Request) identifier=40 length=52
> Attribute 44 (Acct-Session-Id) length=19
> Value: '52F4B5D1-00000000'
> Attribute 1 (User-Name) length=7
> Value: 'janez'
> Attribute 4 (NAS-IP-Address) length=6
> Value: 172.16.117.235
> DAS: Unsupported attribute 4 in Disconnect-Request from 172.16.93.117:41409
> Now, if I get this right, the NAS receives the Disconnect-Request and complains that it doesn't support attribute 4 (Accounting-Request). Then it sends a NAK response and an error, attribute 101 with value 401 (unsupported attribute).
That's an attribute, not code.. In other words, attribute 4 is
NAS-IP-Address. hostapd does not currently support identification of the
NAS based on attributes (it doesn't make much sense to do that since
hostapd is not a proxy and Disconnect-Request sent to its IP address is
already identifying the target). Based on RFC 5176, any unsupported
attribute in the request will result in Disconnect-NAK with error code
401. In other words, you would need to drop that NAS-IP-Address from the
Disconnect-Request for now.
I understand that the RADIUS proxy would likely end up forwarding all
the attributes, so it would make sense to add support in hostapd at
least for NAS-IP-Address (and NAS-IPv6-Address) and maybe NAS-Identifier
as well, since it is also mentioned in the RFC, so that the proxy case
would work as well.
> rad_verify: Received packet from 172.16.117.235 with invalid Message-Authenticator! (Shared secret is incorrect.)
> radclient: no response from server for ID 40 socket 3
> On the FreeRADIUS side we see that the disconnect request was sent, a NAK was received and after that it fails verifying the Message-Authenticator of the response.
I don't remember in which version this was fixed, but I'd assume you'll
see this go away by updating to the latest FreeRADIUS release.
Jouni Malinen PGP id EFC895FA
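The exchange the thread is debugging, as an added example that is not part of the original mail and not hostapd or FreeRADIUS code: a Disconnect-Request built the way radclient would (RFC 5176 section 2.3 Request Authenticator, optional Message-Authenticator), a toy NAS that authenticates it and answers Disconnect-NAK with Error-Cause 401 when it sees an attribute type it does not support, and the client-side verification that FreeRADIUS's rad_verify performs on the reply. Assumptions: the NAS's supported-attribute set (session identification only, mirroring the thread, not hostapd's actual list), the shared secret and identifiers reused from the posts, and the convention of computing the request's Message-Authenticator over a zeroed authenticator field before the Request Authenticator is filled in. The 52-byte request with attribute lengths 19, 7 and 6 matches what hostapd logged for the packet that carried NAS-IP-Address.

```python
"""Constructed example (not hostapd or FreeRADIUS code): an RFC 5176 Disconnect-Request
exchange between a DAC (radclient side) and a NAS/DAS (hostapd side), pure Python."""
import hashlib
import hmac
import struct

# Packet codes and attribute types (RFC 2865, RFC 3579, RFC 5176).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 44
MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 80, 101
ERR_UNSUPPORTED_ATTRIBUTE = 401           # Error-Cause value, RFC 5176 section 3.5
ZERO16 = b"\x00" * 16
# Attribute types the toy NAS accepts (assumption chosen to reproduce the thread:
# session identification only, no NAS identification such as NAS-IP-Address).
NAS_SUPPORTED = {USER_NAME, ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR}

def encode_attrs(attrs):
    """(type, value) pairs -> RFC 2865 TLVs; Length counts the two header octets."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value longer than 253 octets")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    """Parse the attribute area, rejecting truncated or zero-length TLVs."""
    attrs, off = [], 0
    while off < len(data):
        ln = data[off + 1] if off + 1 < len(data) else 0
        if ln < 2 or off + ln > len(data):
            raise ValueError("malformed attribute at offset %d" % off)
        attrs.append((data[off], data[off + 2:off + ln]))
        off += ln
    return attrs

def _msg_auth(pkt, header_auth, secret):
    """RFC 3579 3.2 HMAC-MD5 over a validated packet with the authenticator field set to
    header_auth and the MA value zeroed. Returns (offset of MA value, expected MAC) or None."""
    off = 20
    while off < len(pkt):
        if pkt[off] == MESSAGE_AUTHENTICATOR and pkt[off + 1] == 18:
            work = pkt[:4] + header_auth + pkt[20:off + 2] + ZERO16 + pkt[off + 18:]
            return off + 2, hmac.new(secret, work, hashlib.md5).digest()
        off += pkt[off + 1]
    return None

def build_disconnect_request(ident, attrs, secret, msg_auth=True):
    """DAC side. Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)."""
    body = encode_attrs(attrs + ([(MESSAGE_AUTHENTICATOR, ZERO16)] if msg_auth else []))
    hdr = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    pkt = hdr + ZERO16 + body
    if msg_auth:                              # MA is the last attribute we appended
        pkt = pkt[:-16] + _msg_auth(pkt, ZERO16, secret)[1]
    return hdr + hashlib.md5(hdr + ZERO16 + pkt[20:] + secret).digest() + pkt[20:]

def build_response(code, ident, req_auth, attrs, secret):
    """NAS side. Response Authenticator per RFC 2865 section 3 (covers the Request Authenticator)."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, ZERO16)])
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    pkt = hdr + req_auth + body
    pkt = pkt[:-16] + _msg_auth(pkt, req_auth, secret)[1]
    return hdr + hashlib.md5(hdr + req_auth + pkt[20:] + secret).digest() + pkt[20:]

def nas_handle(pkt, secret):
    """NAS side: silently discard unauthenticated requests (RFC 5176 2.3), then ACK, or
    NAK with Error-Cause 401 if any attribute type is unsupported (RFC 5176 3.5)."""
    if len(pkt) < 20 or pkt[0] != DISCONNECT_REQUEST:
        return None
    if struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    try:
        attrs = decode_attrs(pkt[20:])
    except ValueError:
        return None
    ma = _msg_auth(pkt, ZERO16, secret)       # MA is optional in the request, checked if present
    if ma and not hmac.compare_digest(ma[1], pkt[ma[0]:ma[0] + 16]):
        return None
    expect = hashlib.md5(pkt[:4] + ZERO16 + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expect, pkt[4:20]):
        return None
    if {t for t, _ in attrs} - NAS_SUPPORTED:
        cause = [(ERROR_CAUSE, struct.pack("!I", ERR_UNSUPPORTED_ATTRIBUTE))]
        return build_response(DISCONNECT_NAK, pkt[1], pkt[4:20], cause, secret)
    return build_response(DISCONNECT_ACK, pkt[1], pkt[4:20], [], secret)

def dac_check_response(resp, req, secret):
    """DAC side, the checks rad_verify does: returns (code, Error-Cause or None) or raises."""
    if len(resp) < 20 or resp[1] != req[1] or struct.unpack("!H", resp[2:4])[0] != len(resp):
        raise ValueError("identifier or length mismatch")
    attrs, req_auth = decode_attrs(resp[20:]), req[4:20]
    ma = _msg_auth(resp, req_auth, secret)
    if ma is None or not hmac.compare_digest(ma[1], resp[ma[0]:ma[0] + 16]):
        raise ValueError("invalid Message-Authenticator (shared secret is incorrect?)")
    expect = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expect, resp[4:20]):
        raise ValueError("invalid Response Authenticator")
    cause = [struct.unpack("!I", v)[0] for t, v in attrs if t == ERROR_CAUSE and len(v) == 4]
    return resp[0], (cause[0] if cause else None)

if __name__ == "__main__":
    secret = b"supersecret"                    # the secret from the radclient command above
    session = [(ACCT_SESSION_ID, b"5305B0C7-00000001"), (USER_NAME, b"janez")]
    nas_ip = [(NAS_IP_ADDRESS, bytes([172, 16, 117, 235]))]
    req = build_disconnect_request(40, session + nas_ip, secret, msg_auth=False)
    print(len(req), dac_check_response(nas_handle(req, secret), req, secret))
    req = build_disconnect_request(41, session, secret)
    print(dac_check_response(nas_handle(req, secret), req, secret))
```

Run stand-alone, the first exchange is the failing one from the thread (Disconnect-NAK, Error-Cause 401) and the second, with NAS-IP-Address dropped, is the working one (Disconnect-ACK). Verifying the NAK with a wrong secret raises the Message-Authenticator error, which is the condition the FreeRADIUS log line reports; a DAC whose secret the NAS does not share gets no reply at all, so radclient's "no response from server" is the expected symptom for that case too.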