Radius DAS won't work

Robert Plestenjak robert.plestenjak at xlab.si
Thu Feb 20 04:43:29 EST 2014


The PMKSA cache may not be acting properly. After it receives a Disconnect-Message, the connection is broken, but then it accepts the client by authenticating it with data from the cache.


wlan0: AP-STA-DISCONNECTED 20:64:32:52:53:bb
wlan0: STA 20:64:32:52:53:bb RADIUS: stopped accounting session 5305C7A0-00000002
wlan0: STA 20:64:32:52:53:bb IEEE 802.11: authenticated
wlan0: STA 20:64:32:52:53:bb IEEE 802.11: associated (aid 1)
wlan0: STA 20:64:32:52:53:bb WPA: pairwise key handshake completed (RSN)
wlan0: AP-STA-CONNECTED 20:64:32:52:53:bb
wlan0: STA 20:64:32:52:53:bb RADIUS: starting accounting session 5305C7A0-00000002
wlan0: STA 20:64:32:52:53:bb IEEE 802.1X: authenticated - EAP type: 25 (PEAP) (PMKSA cache)


You can disable the PMKSA cache with 'disable_pmksa_caching=1'; then access will be properly denied to the client (if the account is disabled on the RADIUS server).


wlan0: AP-STA-DISCONNECTED 20:64:32:52:53:bb
wlan0: STA 20:64:32:52:53:bb RADIUS: stopped accounting session 5305C89C-00000003
wlan0: STA 20:64:32:52:53:bb IEEE 802.11: authenticated
wlan0: STA 20:64:32:52:53:bb IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED 20:64:32:52:53:bb
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: STA 20:64:32:52:53:bb IEEE 802.1X: could not extract EAP-Message from RADIUS message
wlan0: STA 20:64:32:52:53:bb IEEE 802.1X: authentication failed - EAP type: 0 ((null))
wlan0: STA 20:64:32:52:53:bb IEEE 802.1X: Supplicant used different EAP type: 1 (Identity)
wlan0: STA 20:64:32:52:53:bb IEEE 802.11: deauthenticated due to local deauth request


Should hostapd perhaps ignore cached identity data in the case of a Disconnect-Message?

- Robert
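The behaviour reported above, replayed as an added example (not hostapd code, not part of the original post): a minimal model of an AP with a PMKSA cache, a RADIUS stand-in, and a Disconnect-Request handler. The PMKID derivation is the real RSN one (HMAC-SHA1-128 over "PMK Name" || AA || SPA); the AP MAC `AA`, the in-memory `Radius` class, and the `flush_pmksa_on_das` option (the hypothetical behaviour the question asks about) are constructed for the illustration. The STA MAC is the one from the log.

```python
import hashlib
import hmac
import os

# Constructed addresses: AA is a made-up AP MAC, SPA is the STA MAC from the log above.
AA = bytes.fromhex("001122334455")
SPA = bytes.fromhex("2064325253bb")


def pmkid(pmk, aa, spa):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), the RSN PMKSA identifier."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class Radius:
    """Stand-in for the RADIUS server: EAP succeeds only for enabled accounts."""
    def __init__(self, enabled):
        self.enabled = set(enabled)

    def eap(self, user):
        return user in self.enabled


class AccessPoint:
    def __init__(self, radius, disable_pmksa_caching=False, flush_pmksa_on_das=False):
        self.radius = radius
        self.disable_pmksa_caching = disable_pmksa_caching   # hostapd's disable_pmksa_caching=1
        self.flush_pmksa_on_das = flush_pmksa_on_das         # hypothetical: evict PMKSA on Disconnect-Request
        self.pmksa = {}      # PMKID -> (SPA, user)
        self.sessions = {}   # SPA -> user (accounting session)
        self.log = []

    def associate(self, spa, user, offered_pmkid=None):
        """Returns ('pmksa'|'eap'|'denied', PMKID the STA may offer next time)."""
        entry = self.pmksa.get(offered_pmkid)
        if entry is not None and entry[0] == spa:
            # hostapd log line "IEEE 802.1X: authenticated - ... (PMKSA cache)": no EAP, no RADIUS round trip
            self.sessions[spa] = entry[1]
            self.log.append("authenticated (PMKSA cache)")
            return "pmksa", offered_pmkid
        if not self.radius.eap(user):
            self.log.append("authentication failed")
            return "denied", None
        pmk = os.urandom(32)          # a fresh EAP run yields a fresh PMK; modelled as random bytes
        pid = pmkid(pmk, AA, spa)
        if not self.disable_pmksa_caching:
            self.pmksa[pid] = (spa, user)
        self.sessions[spa] = user
        self.log.append("authenticated - EAP")
        return "eap", pid

    def das_disconnect(self, user):
        """Disconnect-Request: tear down the session; PMKSA entries survive unless explicitly flushed."""
        for spa, u in list(self.sessions.items()):
            if u == user:
                del self.sessions[spa]
                self.log.append("AP-STA-DISCONNECTED")
        if self.flush_pmksa_on_das:
            self.pmksa = {k: v for k, v in self.pmksa.items() if v[1] != user}


def scenario(disable_pmksa_caching=False, flush_pmksa_on_das=False):
    """Replays the thread: connect, disable the account, Disconnect-Request, STA reconnects with its PMKID."""
    radius = Radius(["janez"])
    ap = AccessPoint(radius, disable_pmksa_caching, flush_pmksa_on_das)
    first, cached_pmkid = ap.associate(SPA, "janez")
    assert first == "eap"
    radius.enabled.discard("janez")     # account disabled on the RADIUS server
    ap.das_disconnect("janez")
    second, _ = ap.associate(SPA, "janez", cached_pmkid)
    return second


if __name__ == "__main__":
    print("default:", scenario())                                            # pmksa (what the log shows)
    print("disable_pmksa_caching=1:", scenario(disable_pmksa_caching=True))  # denied
    print("flush PMKSA on DAS:", scenario(flush_pmksa_on_das=True))          # denied
```

The point the model makes explicit: a Disconnect-Request ends the accounting session, but a STA that still holds a valid PMKID can re-associate without any EAP exchange, so the RADIUS server never gets to say no. Either not caching at all or evicting the user's PMKSA entries when the Disconnect-Request arrives forces the full EAP run, which then fails for the disabled account.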


----- Original Message -----
From: "Robert Plestenjak" <robert.plestenjak at xlab.si>
To: "Jouni Malinen" <j at w1.fi>
Cc: hostap at lists.shmoo.com
Sent: Thursday, February 20, 2014 8:43:53 AM
Subject: Re: Radius DAS won't work

Yes! That was it; I had to remove 'NAS-IP-Address = 172.16.117.235' from the Disconnect-Request.

Proper Disconnect-Request packet (packet.txt):

Acct-Session-Id = "5305B0C7-00000001"
User-Name = "janez"


And you send it like:

cat ~/packet.txt | radclient -r 1 -x 172.16.117.235:3799 disconnect supersecret


Thanks for help.

- Robert


----- Original Message -----
From: "Jouni Malinen" <j at w1.fi>
To: hostap at lists.shmoo.com
Sent: Wednesday, February 19, 2014 12:58:29 PM
Subject: Re: Radius DAS won't work

On Fri, Feb 07, 2014 at 12:44:34PM +0100, Robert Plestenjak wrote:
> DAS: Received 52 bytes from 172.16.93.117:41409
> RADIUS message: code=40 (Disconnect-Request) identifier=40 length=52
>    Attribute 44 (Acct-Session-Id) length=19
>       Value: '52F4B5D1-00000000'
>    Attribute 1 (User-Name) length=7
>       Value: 'janez'
>    Attribute 4 (NAS-IP-Address) length=6
>       Value: 172.16.117.235
> DAS: Unsupported attribute 4 in Disconnect-Request from 172.16.93.117:41409


> Now, if I get this right, the NAS receives the Disconnect-Request and it complains that it doesn't support attribute 4 (Accounting-Request). Then it sends a response NAK and error, attribute 101 with value 401 (unsupported attribute).

That's an attribute, not a code. In other words, attribute 4 is
NAS-IP-Address. hostapd does not currently support identification of the
NAS based on attributes (it doesn't make much sense to do that since
hostapd is not a proxy and Disconnect-Request sent to its IP address is
already identifying the target). Based on RFC 5176, any unsupported
attribute in the request will result in Disconnect-NAK with error code
401. In other words, you would need to drop that NAS-IP-Address from the
Disconnect-Request for now.

I understand that the RADIUS proxy would likely end up forwarding all
the attributes, so it would make sense to add support in hostapd at
least for NAS-IP-Address (and NAS-IPv6-Address) and maybe NAS-Identifier
as well, since it is also mentioned in the RFC, so that the proxy case
would work as well.

> rad_verify: Received packet from 172.16.117.235 with invalid Message-Authenticator!  (Shared secret is incorrect.)
> radclient: no response from server for ID 40 socket 3
> 
> 
> On the FreeRADIUS side we see that the disconnect request was sent, a NAK was received, and after that it fails verifying the Message-Authenticator of the response.

I don't remember in which version this was fixed, but I'd assume you'll
see this go away by updating to the latest FreeRADIUS release.

-- 
Jouni Malinen                                            PGP id EFC895FA
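The exchange discussed in this thread, as an added example that is neither hostapd's nor FreeRADIUS's code: a small RFC 5176 Disconnect-Request client and a NAS-side DAS handler, so that the NAK with Error-Cause 401 for the unsupported NAS-IP-Address, the ACK once it is dropped, and the silent discard on a wrong shared secret (which radclient reports as "no response") can all be run offline. Authenticator handling follows RFC 5176 section 3.3 and RFC 3579 section 3.2; my assumption, matching how FreeRADIUS and hostapd do it, is that the Message-Authenticator of a request is computed with the Request Authenticator field zeroed. The session table, the identifiers and the secret are constructed from the values in the thread.

```python
import hashlib
import hmac
import struct

# RFC 5176 codes and the attributes that appear in the thread
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 44
MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 80, 101
ERR_UNSUPPORTED_ATTRIBUTE, ERR_MISSING_ATTRIBUTE, ERR_SESSION_NOT_FOUND = 401, 402, 503
HDR = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def parse(packet):
    code, ident, length = HDR.unpack_from(packet)
    if not 20 <= length <= len(packet):
        raise ValueError("bad length")
    return code, ident, packet[4:20], decode_attrs(packet[20:length])


def message_authenticator(code, ident, auth_field, attrs, secret):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed (RFC 3579 3.2)."""
    body = encode_attrs([(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    return hmac.new(secret, HDR.pack(code, ident, 20 + len(body)) + auth_field + body, hashlib.md5).digest()


def sign(code, ident, auth_field, attrs, secret):
    """Append Message-Authenticator, then Authenticator = MD5(Code+ID+Length+auth_field+Attrs+Secret).
    auth_field is 16 zero octets for a Disconnect-Request (RFC 5176 3.3) and the
    Request Authenticator for a Disconnect-ACK/NAK."""
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    mac = message_authenticator(code, ident, auth_field, attrs, secret)
    body = encode_attrs(attrs[:-1] + [(MESSAGE_AUTHENTICATOR, mac)])
    hdr = HDR.pack(code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + auth_field + body + secret).digest() + body


def verify(packet, auth_field, secret):
    """Check both authenticators; returns (ok, code, ident, authenticator, attrs)."""
    code, ident, authenticator, attrs = parse(packet)
    length = HDR.unpack_from(packet)[2]
    expected = hashlib.md5(packet[:4] + auth_field + packet[20:length] + secret).digest()
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    ok = (hmac.compare_digest(expected, authenticator) and len(macs) == 1
          and hmac.compare_digest(macs[0], message_authenticator(code, ident, auth_field, attrs, secret)))
    return ok, code, ident, authenticator, attrs


class DasServer:
    """NAS-side DAS modelled on RFC 5176: identifies sessions by Acct-Session-Id/User-Name only."""
    SUPPORTED = {USER_NAME, ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR}

    def __init__(self, secret, sessions):
        self.secret = secret
        self.sessions = dict(sessions)   # Acct-Session-Id -> User-Name (constructed table)

    def handle(self, packet):
        try:
            ok, code, ident, req_auth, attrs = verify(packet, bytes(16), self.secret)
        except ValueError:
            return None
        if code != DISCONNECT_REQUEST or not ok:
            return None   # bad secret/authenticator: silently discarded, the client only sees a timeout

        def nak(cause):
            return sign(DISCONNECT_NAK, ident, req_auth, [(ERROR_CAUSE, struct.pack("!I", cause))], self.secret)

        if any(t not in self.SUPPORTED for t, _ in attrs):
            return nak(ERR_UNSUPPORTED_ATTRIBUTE)   # e.g. NAS-IP-Address -> Error-Cause 401
        wanted = {t: v for t, v in attrs if t in (USER_NAME, ACCT_SESSION_ID)}
        if not wanted:
            return nak(ERR_MISSING_ATTRIBUTE)
        hits = [sid for sid, user in self.sessions.items()
                if wanted.get(ACCT_SESSION_ID, sid.encode()) == sid.encode()
                and wanted.get(USER_NAME, user.encode()) == user.encode()]
        if not hits:
            return nak(ERR_SESSION_NOT_FOUND)
        for sid in hits:
            del self.sessions[sid]
        return sign(DISCONNECT_ACK, ident, req_auth, [], self.secret)


def disconnect(nas, secret, attrs, ident=40):
    """radclient-style exchange: returns (reply code, Error-Cause or None)."""
    request = sign(DISCONNECT_REQUEST, ident, bytes(16), attrs, secret)
    reply = nas.handle(request)
    if reply is None:
        raise TimeoutError("no response from server")
    ok, code, rid, _, rattrs = verify(reply, request[4:20], secret)
    if not ok or rid != ident:
        raise ValueError("invalid Message-Authenticator or Response Authenticator (shared secret?)")
    causes = [struct.unpack("!I", v)[0] for t, v in rattrs if t == ERROR_CAUSE]
    return code, (causes[0] if causes else None)


if __name__ == "__main__":
    secret = b"supersecret"
    nas = DasServer(secret, {"5305B0C7-00000001": "janez"})
    ident = [(ACCT_SESSION_ID, b"5305B0C7-00000001"), (USER_NAME, b"janez")]
    print(disconnect(nas, secret, ident + [(NAS_IP_ADDRESS, bytes([172, 16, 117, 235]))]))  # (42, 401)
    print(disconnect(nas, secret, ident), nas.sessions)                                     # (41, None) {}
```

The server checks the authenticators before looking at any attribute, so a wrong secret never produces a NAK, only silence; the attribute check comes next, which is why the request carrying NAS-IP-Address is refused with 401 even though its session identifiers are correct.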
_______________________________________________
HostAP mailing list
HostAP at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/hostap