RADIUS: Add WLAN-Reason-Code attribute to Access-Reject
authorJouni Malinen <jouni@codeaurora.org>
Fri, 12 Jan 2018 18:45:12 +0000 (20:45 +0200)
committerJouni Malinen <jouni@codeaurora.org>
Fri, 12 Jan 2018 18:45:12 +0000 (20:45 +0200)
Make the RADIUS server in hostapd add WLAN-Reason-Code attribute to all
Access-Reject messages generated based on EAP-Failure from the EAP
server. For now, the reason code value is set to 23 (IEEE 802.1X
authentication failed). This can be extended in future commits to cover
additional failure reasons.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/radius/radius.c
src/radius/radius.h
src/radius/radius_server.c

index fc98ad69fdf3be67c9a9a3bf887c868a959b78c7..07240ea2243d926f025a610ff06a9adb41ecfc1f 100644 (file)
@@ -250,6 +250,8 @@ static const struct radius_attr_type radius_attrs[] =
        { RADIUS_ATTR_MOBILITY_DOMAIN_ID, "Mobility-Domain-Id",
          RADIUS_ATTR_INT32 },
        { RADIUS_ATTR_WLAN_HESSID, "WLAN-HESSID", RADIUS_ATTR_TEXT },
+       { RADIUS_ATTR_WLAN_REASON_CODE, "WLAN-Reason-Code",
+         RADIUS_ATTR_INT32 },
        { RADIUS_ATTR_WLAN_PAIRWISE_CIPHER, "WLAN-Pairwise-Cipher",
          RADIUS_ATTR_HEXDUMP },
        { RADIUS_ATTR_WLAN_GROUP_CIPHER, "WLAN-Group-Cipher",
index cd510d2c88e22a3b7a84f421982adb52f1d2014f..96551c62e4de4376a22b33574acdb58c11b82cc4 100644 (file)
@@ -104,6 +104,7 @@ enum { RADIUS_ATTR_USER_NAME = 1,
        RADIUS_ATTR_REQUESTED_LOCATION_INFO = 132,
        RADIUS_ATTR_MOBILITY_DOMAIN_ID = 177,
        RADIUS_ATTR_WLAN_HESSID = 181,
+       RADIUS_ATTR_WLAN_REASON_CODE = 185,
        RADIUS_ATTR_WLAN_PAIRWISE_CIPHER = 186,
        RADIUS_ATTR_WLAN_GROUP_CIPHER = 187,
        RADIUS_ATTR_WLAN_AKM_SUITE = 188,
index c76bb222651f137f0b3077380af7b87a55e215ce..0a8f448e7558e20387817aaaede9661bb8b97cd0 100644 (file)
@@ -728,6 +728,7 @@ radius_server_encapsulate_eap(struct radius_server_data *data,
        int code;
        unsigned int sess_id;
        struct radius_hdr *hdr = radius_msg_get_hdr(request);
+       u16 reason = WLAN_REASON_IEEE_802_1X_AUTH_FAILED;
 
        if (sess->eap_if->eapFail) {
                sess->eap_if->eapFail = FALSE;
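Review bot: `reason` is initialised at its declaration and, in the hunks shown on this page, never reassigned before it is read at the Access-Reject check further down, so it currently behaves as a constant. A short comment on the declaration, for example `/* default reason; refined per failure cause in later changes */`, would tell a reader that the fixed value is a placeholder and not the result of inspecting the EAP outcome. The body of radius_server_encapsulate_eap starts and ends outside this hunk.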
@@ -841,6 +842,15 @@ radius_server_encapsulate_eap(struct radius_server_data *data,
                }
        }
 
+       if (code == RADIUS_CODE_ACCESS_REJECT) {
+               if (radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_REASON_CODE,
+                                             reason) < 0) {
+                       RADIUS_DEBUG("Failed to add WLAN-Reason-Code attribute");
+                       radius_msg_free(msg);
+                       return NULL;
+               }
+       }
+
        if (radius_msg_finish_srv(msg, (u8 *) client->shared_secret,
                                  client->shared_secret_len,
                                  hdr->authenticator) < 0) {
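Review bot: When radius_msg_add_attr_int32() fails in the new `code == RADIUS_CODE_ACCESS_REJECT` block, the message is freed and NULL is returned, so the client receives no Access-Reject at all because an informational attribute could not be attached. No access is granted on that path, but the NAS presumably sees a timeout and retransmits, and that is harder to tell apart from packet loss in logs. If dropping the reply is deliberate, a comment such as `/* drop the reply rather than send a reject without WLAN-Reason-Code */` would record it. The condition also covers every Access-Reject built here, while the commit message scopes the attribute to EAP-Failure; where `code` is set is outside this hunk, so it is worth confirming that no other reject path would be labelled with reason 23. The function body continues past the end of the hunk.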