Copy WLAN-Reason-Code value from Access-Reject to Deauthentication

This makes hostapd use the WLAN-Reason-Code value from Access-Reject
when disconnecting a station due to IEEE 802.1X authentication failure.
If the RADIUS server does not include this attribute, the default value
23 (IEEE 802.1X authentication failed) is used. That value was the
previously hardcoded reason code.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index 793d381ed8075f783164690dc6f2f94229ade534..961ed92207dee70c234f4ad961b363fa50da0794 100644 (file)
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -1691,6 +1691,7 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
        struct sta_info *sta;
        u32 session_timeout = 0, termination_action, acct_interim_interval;
        int session_timeout_set;
+       u32 reason_code;
        struct eapol_state_machine *sm;
        int override_eapReq = 0;
        struct radius_hdr *hdr = radius_msg_get_hdr(msg);
@@ -1839,6 +1840,13 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
        case RADIUS_CODE_ACCESS_REJECT:
                sm->eap_if->aaaFail = TRUE;
                override_eapReq = 1;
+               if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_WLAN_REASON_CODE,
+                                             &reason_code) == 0) {
+                       wpa_printf(MSG_DEBUG,
+                                  "RADIUS server indicated WLAN-Reason-Code %u in Access-Reject for "
+                                  MACSTR, reason_code, MAC2STR(sta->addr));
+                       sta->disconnect_reason_code = reason_code;
+               }
                break;
        case RADIUS_CODE_ACCESS_CHALLENGE:
                sm->eap_if->aaaEapReq = TRUE;

diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
index d4f00d1f9ae835e0cff169f614896503cb86c724..49a0dbe852f51600b3c56c1ee686a6cf5775897a 100644 (file)
--- a/src/ap/sta_info.c
+++ b/src/ap/sta_info.c
@@ -1379,13 +1379,16 @@ static void ap_sta_delayed_1x_auth_fail_cb(void *eloop_ctx, void *timeout_ctx)
 {
        struct hostapd_data *hapd = eloop_ctx;
        struct sta_info *sta = timeout_ctx;
+       u16 reason;
 
        wpa_dbg(hapd->msg_ctx, MSG_DEBUG,
                "IEEE 802.1X: Scheduled disconnection of " MACSTR
                " after EAP-Failure", MAC2STR(sta->addr));
 
-       ap_sta_disconnect(hapd, sta, sta->addr,
-                         WLAN_REASON_IEEE_802_1X_AUTH_FAILED);
+       reason = sta->disconnect_reason_code;
+       if (!reason)
+               reason = WLAN_REASON_IEEE_802_1X_AUTH_FAILED;
+       ap_sta_disconnect(hapd, sta, sta->addr, reason);
        if (sta->flags & WLAN_STA_WPS)
                hostapd_wps_eap_completed(hapd);
 }

diff --git a/src/ap/sta_info.h b/src/ap/sta_info.h
index 614d3f448d20157f3f21979cd8e2e56d2f88c52d..b4e7806db1e6adf4bd14a69d4ac3c2eb82ad5dad 100644 (file)
--- a/src/ap/sta_info.h
+++ b/src/ap/sta_info.h
@@ -67,6 +67,7 @@ struct sta_info {
        be32 ipaddr;
        struct dl_list ip6addr; /* list head for struct ip6addr */
        u16 aid; /* STA's unique AID (1 .. 2007) or 0 if not yet assigned */
+       u16 disconnect_reason_code; /* RADIUS server override */
        u32 flags; /* Bitfield of WLAN_STA_* */
        u16 capability;
        u16 listen_interval; /* or beacon_int for APs */