Radius DAS won't work

Robert Plestenjak robert.plestenjak at xlab.si
Thu Feb 20 02:43:53 EST 2014


Yes! That was it, I had to remove 'NAS-IP-Address = 172.16.117.235' from disconnect request.

Proper Disconnect-Request packet (package.txt):

Acct-Session-Id = "5305B0C7-00000001"
User-Name = "janez"


And you send it like:

cat ~/packet.txt | radclient -r 1 -x 172.16.117.235:3799 disconnect supersecret


Thanks for help.

- Robert


----- Original Message -----
From: "Jouni Malinen" <j at w1.fi>
To: hostap at lists.shmoo.com
Sent: Wednesday, February 19, 2014 12:58:29 PM
Subject: Re: Radius DAS won't work

On Fri, Feb 07, 2014 at 12:44:34PM +0100, Robert Plestenjak wrote:
> DAS: Received 52 bytes from 172.16.93.117:41409
> RADIUS message: code=40 (Disconnect-Request) identifier=40 length=52
>    Attribute 44 (Acct-Session-Id) length=19
>       Value: '52F4B5D1-00000000'
>    Attribute 1 (User-Name) length=7
>       Value: 'janez'
>    Attribute 4 (NAS-IP-Address) length=6
>       Value: 172.16.117.235
> DAS: Unsupported attribute 4 in Disconnect-Request from 172.16.93.117:41409


> Now, if I get this right, the NAS receives the Disconnect-Request and complains that it doesn't support attribute 4 (Accounting-Request). Then it sends a NAK response and an error, attribute 101 with value 401 (unsupported attribute).

That's an attribute, not a code. In other words, attribute 4 is
NAS-IP-Address. hostapd does not currently support identification of the
NAS based on attributes (it doesn't make much sense to do that since
hostapd is not a proxy and Disconnect-Request sent to its IP address is
already identifying the target). Based on RFC 5176, any unsupported
attribute in the request will result in Disconnect-NAK with error code
401. In other words, you would need to drop that NAS-IP-Address from the
Disconnect-Request for now.

I understand that the RADIUS proxy would likely end up forwarding all
the attributes, so it would make sense to add support in hostapd at
least for NAS-IP-Address (and NAS-IPv6-Address) and maybe NAS-Identifier
as well, since it is also mentioned in the RFC, so that the proxy case
would work as well.

> rad_verify: Received packet from 172.16.117.235 with invalid Message-Authenticator!  (Shared secret is incorrect.)
> radclient: no response from server for ID 40 socket 3
> 
> 
> On the FreeRADIUS side we see that the Disconnect-Request was sent, a NAK was received, and after that it fails verifying the Message-Authenticator of the response.

I don't remember in which version this was fixed, but I'd assume you'll
see this go away by updating to the latest FreeRADIUS release.

-- 
Jouni Malinen                                            PGP id EFC895FA
_______________________________________________
HostAP mailing list
HostAP at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/hostap
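The exchange Jouni describes, as an added example that is not from this thread nor from hostapd or FreeRADIUS: a Disconnect-Request (code 40) assembled from the attributes in the quoted DAS log, and a minimal DAS that checks the RFC 5176 Request Authenticator and answers with Disconnect-NAK plus Error-Cause 401 whenever it sees an attribute it does not support. The shared secret is the one from the radclient command above; the Message-Authenticator attribute that FreeRADIUS complains about is not modelled.

```python
import hashlib
import struct
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID, ERROR_CAUSE = 1, 4, 44, 101
UNSUPPORTED_ATTRIBUTE = 401  # RFC 5176 Error-Cause "Unsupported Attribute"
SECRET = b"supersecret"      # shared secret from the thread's radclient command

def attr(atype, value):
    """Encode one attribute as Type, Length (counting the 2-byte header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def parse_attrs(body):
    """Yield (type, value) pairs; reject a length that runs past the buffer."""
    i = 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        yield atype, body[i + 2:i + alen]
        i += alen

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def disconnect_request(ident, secret, attrs):
    """RFC 5176 Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    auth = hashlib.md5(packet(DISCONNECT_REQUEST, ident, bytes(16), attrs) + secret).digest()
    return packet(DISCONNECT_REQUEST, ident, auth, attrs)

def das_handle(request, secret, supported=frozenset({USER_NAME, ACCT_SESSION_ID})):
    """Minimal DAS: verify the authenticator, then NAK with Error-Cause 401 on any unsupported attribute."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, body = request[4:20], request[20:length]
    if code != DISCONNECT_REQUEST or hashlib.md5(packet(code, ident, bytes(16), body) + secret).digest() != req_auth:
        raise ValueError("not a Disconnect-Request signed with this shared secret")
    if any(t not in supported for t, _ in parse_attrs(body)):
        rcode, rattrs = DISCONNECT_NAK, attr(ERROR_CAUSE, struct.pack("!I", UNSUPPORTED_ATTRIBUTE))
    else:
        rcode, rattrs = DISCONNECT_ACK, b""
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+ResponseAttrs+Secret)
    resp_auth = hashlib.md5(packet(rcode, ident, req_auth, rattrs) + secret).digest()
    return packet(rcode, ident, resp_auth, rattrs)

def error_cause(response):
    return next((struct.unpack("!I", v)[0] for t, v in parse_attrs(response[20:]) if t == ERROR_CAUSE), None)

# Constructed from the quoted hostapd log: identifier 40, three attributes, 52 bytes on the wire.
SESSION = attr(ACCT_SESSION_ID, b"52F4B5D1-00000000") + attr(USER_NAME, b"janez")
WITH_NAS_IP = disconnect_request(40, SECRET, SESSION + attr(NAS_IP_ADDRESS, bytes([172, 16, 117, 235])))
WITHOUT_NAS_IP = disconnect_request(40, SECRET, SESSION)  # the fix from the thread: drop NAS-IP-Address
```

Feeding WITH_NAS_IP to das_handle reproduces the NAK with Error-Cause 401 from the log; WITHOUT_NAS_IP gets a Disconnect-ACK.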

