]> git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_radius.py
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tests: RADIUS server connect() failing during startup
[thirdparty/hostap.git] / tests / hwsim / test_radius.py
1 # RADIUS tests
2 # Copyright (c) 2013-2014, Jouni Malinen <j@w1.fi>
3 #
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
6
7 import hashlib
8 import hmac
9 import logging
10 logger = logging.getLogger()
11 import select
12 import struct
13 import subprocess
14 import threading
15 import time
16
17 import hostapd
18 from utils import HwsimSkip
19
20 def connect(dev, ssid, wait_connect=True):
21 dev.connect(ssid, key_mgmt="WPA-EAP", scan_freq="2412",
22 eap="PSK", identity="psk.user@example.com",
23 password_hex="0123456789abcdef0123456789abcdef",
24 wait_connect=wait_connect)
25
26 def test_radius_auth_unreachable(dev, apdev):
27 """RADIUS Authentication server unreachable"""
28 params = hostapd.wpa2_eap_params(ssid="radius-auth")
29 params['auth_server_port'] = "18139"
30 hostapd.add_ap(apdev[0]['ifname'], params)
31 hapd = hostapd.Hostapd(apdev[0]['ifname'])
32 connect(dev[0], "radius-auth", wait_connect=False)
33 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"])
34 if ev is None:
35 raise Exception("Timeout on EAP start")
36 logger.info("Checking for RADIUS retries")
37 time.sleep(4)
38 mib = hapd.get_mib()
39 if "radiusAuthClientAccessRequests" not in mib:
40 raise Exception("Missing MIB fields")
41 if int(mib["radiusAuthClientAccessRetransmissions"]) < 1:
42 raise Exception("Missing RADIUS Authentication retransmission")
43 if int(mib["radiusAuthClientPendingRequests"]) < 1:
44 raise Exception("Missing pending RADIUS Authentication request")
45
46 def test_radius_auth_unreachable2(dev, apdev):
47 """RADIUS Authentication server unreachable (2)"""
48 subprocess.call(['ip', 'ro', 'replace', '192.168.213.17', 'dev', 'lo'])
49 params = hostapd.wpa2_eap_params(ssid="radius-auth")
50 params['auth_server_addr'] = "192.168.213.17"
51 params['auth_server_port'] = "18139"
52 hostapd.add_ap(apdev[0]['ifname'], params)
53 hapd = hostapd.Hostapd(apdev[0]['ifname'])
54 subprocess.call(['ip', 'ro', 'del', '192.168.213.17', 'dev', 'lo'])
55 connect(dev[0], "radius-auth", wait_connect=False)
56 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"])
57 if ev is None:
58 raise Exception("Timeout on EAP start")
59 logger.info("Checking for RADIUS retries")
60 time.sleep(4)
61 mib = hapd.get_mib()
62 if "radiusAuthClientAccessRequests" not in mib:
63 raise Exception("Missing MIB fields")
64 if int(mib["radiusAuthClientAccessRetransmissions"]) < 1:
65 raise Exception("Missing RADIUS Authentication retransmission")
66
67 def test_radius_auth_unreachable3(dev, apdev):
68 """RADIUS Authentication server initially unreachable, but then available"""
69 subprocess.call(['ip', 'ro', 'replace', 'blackhole', '192.168.213.18'])
70 params = hostapd.wpa2_eap_params(ssid="radius-auth")
71 params['auth_server_addr'] = "192.168.213.18"
72 hostapd.add_ap(apdev[0]['ifname'], params)
73 hapd = hostapd.Hostapd(apdev[0]['ifname'])
74 connect(dev[0], "radius-auth", wait_connect=False)
75 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"])
76 if ev is None:
77 raise Exception("Timeout on EAP start")
78 subprocess.call(['ip', 'ro', 'del', 'blackhole', '192.168.213.18'])
79 time.sleep(0.1)
80 dev[0].request("DISCONNECT")
81 hapd.set('auth_server_addr_replace', '127.0.0.1')
82 dev[0].request("RECONNECT")
83
84 dev[0].wait_connected()
85
86 def test_radius_acct_unreachable(dev, apdev):
87 """RADIUS Accounting server unreachable"""
88 params = hostapd.wpa2_eap_params(ssid="radius-acct")
89 params['acct_server_addr'] = "127.0.0.1"
90 params['acct_server_port'] = "18139"
91 params['acct_server_shared_secret'] = "radius"
92 hostapd.add_ap(apdev[0]['ifname'], params)
93 hapd = hostapd.Hostapd(apdev[0]['ifname'])
94 connect(dev[0], "radius-acct")
95 logger.info("Checking for RADIUS retries")
96 time.sleep(4)
97 mib = hapd.get_mib()
98 if "radiusAccClientRetransmissions" not in mib:
99 raise Exception("Missing MIB fields")
100 if int(mib["radiusAccClientRetransmissions"]) < 2:
101 raise Exception("Missing RADIUS Accounting retransmissions")
102 if int(mib["radiusAccClientPendingRequests"]) < 2:
103 raise Exception("Missing pending RADIUS Accounting requests")
104
105 def test_radius_acct_unreachable2(dev, apdev):
106 """RADIUS Accounting server unreachable(2)"""
107 subprocess.call(['ip', 'ro', 'replace', '192.168.213.17', 'dev', 'lo'])
108 params = hostapd.wpa2_eap_params(ssid="radius-acct")
109 params['acct_server_addr'] = "192.168.213.17"
110 params['acct_server_port'] = "18139"
111 params['acct_server_shared_secret'] = "radius"
112 hostapd.add_ap(apdev[0]['ifname'], params)
113 hapd = hostapd.Hostapd(apdev[0]['ifname'])
114 subprocess.call(['ip', 'ro', 'del', '192.168.213.17', 'dev', 'lo'])
115 connect(dev[0], "radius-acct")
116 logger.info("Checking for RADIUS retries")
117 time.sleep(4)
118 mib = hapd.get_mib()
119 if "radiusAccClientRetransmissions" not in mib:
120 raise Exception("Missing MIB fields")
121 if int(mib["radiusAccClientRetransmissions"]) < 1 and int(mib["radiusAccClientPendingRequests"]) < 1:
122 raise Exception("Missing pending or retransmitted RADIUS Accounting requests")
123
124 def test_radius_acct(dev, apdev):
125 """RADIUS Accounting"""
126 as_hapd = hostapd.Hostapd("as")
127 as_mib_start = as_hapd.get_mib(param="radius_server")
128 params = hostapd.wpa2_eap_params(ssid="radius-acct")
129 params['acct_server_addr'] = "127.0.0.1"
130 params['acct_server_port'] = "1813"
131 params['acct_server_shared_secret'] = "radius"
132 params['radius_auth_req_attr'] = [ "126:s:Operator", "77:s:testing" ]
133 params['radius_acct_req_attr'] = [ "126:s:Operator", "77:s:testing" ]
134 hostapd.add_ap(apdev[0]['ifname'], params)
135 hapd = hostapd.Hostapd(apdev[0]['ifname'])
136 connect(dev[0], "radius-acct")
137 dev[1].connect("radius-acct", key_mgmt="WPA-EAP", scan_freq="2412",
138 eap="PAX", identity="test-class",
139 password_hex="0123456789abcdef0123456789abcdef")
140 dev[2].connect("radius-acct", key_mgmt="WPA-EAP",
141 eap="GPSK", identity="gpsk-cui",
142 password="abcdefghijklmnop0123456789abcdef",
143 scan_freq="2412")
144 logger.info("Checking for RADIUS counters")
145 count = 0
146 while True:
147 mib = hapd.get_mib()
148 if int(mib['radiusAccClientResponses']) >= 3:
149 break
150 time.sleep(0.1)
151 count += 1
152 if count > 10:
153 raise Exception("Did not receive Accounting-Response packets")
154
155 if int(mib['radiusAccClientRetransmissions']) > 0:
156 raise Exception("Unexpected Accounting-Request retransmission")
157
158 as_mib_end = as_hapd.get_mib(param="radius_server")
159
160 req_s = int(as_mib_start['radiusAccServTotalRequests'])
161 req_e = int(as_mib_end['radiusAccServTotalRequests'])
162 if req_e < req_s + 2:
163 raise Exception("Unexpected RADIUS server acct MIB value")
164
165 acc_s = int(as_mib_start['radiusAuthServAccessAccepts'])
166 acc_e = int(as_mib_end['radiusAuthServAccessAccepts'])
167 if acc_e < acc_s + 1:
168 raise Exception("Unexpected RADIUS server auth MIB value")
169
170 def test_radius_acct_pmksa_caching(dev, apdev):
171 """RADIUS Accounting with PMKSA caching"""
172 as_hapd = hostapd.Hostapd("as")
173 as_mib_start = as_hapd.get_mib(param="radius_server")
174 params = hostapd.wpa2_eap_params(ssid="radius-acct")
175 params['acct_server_addr'] = "127.0.0.1"
176 params['acct_server_port'] = "1813"
177 params['acct_server_shared_secret'] = "radius"
178 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
179 connect(dev[0], "radius-acct")
180 dev[1].connect("radius-acct", key_mgmt="WPA-EAP", scan_freq="2412",
181 eap="PAX", identity="test-class",
182 password_hex="0123456789abcdef0123456789abcdef")
183 for d in [ dev[0], dev[1] ]:
184 d.request("REASSOCIATE")
185 d.wait_connected(timeout=15, error="Reassociation timed out")
186
187 count = 0
188 while True:
189 mib = hapd.get_mib()
190 if int(mib['radiusAccClientResponses']) >= 4:
191 break
192 time.sleep(0.1)
193 count += 1
194 if count > 10:
195 raise Exception("Did not receive Accounting-Response packets")
196
197 if int(mib['radiusAccClientRetransmissions']) > 0:
198 raise Exception("Unexpected Accounting-Request retransmission")
199
200 as_mib_end = as_hapd.get_mib(param="radius_server")
201
202 req_s = int(as_mib_start['radiusAccServTotalRequests'])
203 req_e = int(as_mib_end['radiusAccServTotalRequests'])
204 if req_e < req_s + 2:
205 raise Exception("Unexpected RADIUS server acct MIB value")
206
207 acc_s = int(as_mib_start['radiusAuthServAccessAccepts'])
208 acc_e = int(as_mib_end['radiusAuthServAccessAccepts'])
209 if acc_e < acc_s + 1:
210 raise Exception("Unexpected RADIUS server auth MIB value")
211
212 def test_radius_acct_interim(dev, apdev):
213 """RADIUS Accounting interim update"""
214 as_hapd = hostapd.Hostapd("as")
215 params = hostapd.wpa2_eap_params(ssid="radius-acct")
216 params['acct_server_addr'] = "127.0.0.1"
217 params['acct_server_port'] = "1813"
218 params['acct_server_shared_secret'] = "radius"
219 params['radius_acct_interim_interval'] = "1"
220 hostapd.add_ap(apdev[0]['ifname'], params)
221 hapd = hostapd.Hostapd(apdev[0]['ifname'])
222 connect(dev[0], "radius-acct")
223 logger.info("Checking for RADIUS counters")
224 as_mib_start = as_hapd.get_mib(param="radius_server")
225 time.sleep(3.1)
226 as_mib_end = as_hapd.get_mib(param="radius_server")
227 req_s = int(as_mib_start['radiusAccServTotalRequests'])
228 req_e = int(as_mib_end['radiusAccServTotalRequests'])
229 if req_e < req_s + 3:
230 raise Exception("Unexpected RADIUS server acct MIB value")
231
232 def test_radius_acct_interim_unreachable(dev, apdev):
233 """RADIUS Accounting interim update with unreachable server"""
234 params = hostapd.wpa2_eap_params(ssid="radius-acct")
235 params['acct_server_addr'] = "127.0.0.1"
236 params['acct_server_port'] = "18139"
237 params['acct_server_shared_secret'] = "radius"
238 params['radius_acct_interim_interval'] = "1"
239 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
240 start = hapd.get_mib()
241 connect(dev[0], "radius-acct")
242 logger.info("Waiting for interium accounting updates")
243 time.sleep(3.1)
244 end = hapd.get_mib()
245 req_s = int(start['radiusAccClientTimeouts'])
246 req_e = int(end['radiusAccClientTimeouts'])
247 if req_e < req_s + 2:
248 raise Exception("Unexpected RADIUS server acct MIB value")
249
250 def send_and_check_reply(srv, req, code, error_cause=0):
251 reply = srv.SendPacket(req)
252 logger.debug("RADIUS response from hostapd")
253 for i in reply.keys():
254 logger.debug("%s: %s" % (i, reply[i]))
255 if reply.code != code:
256 raise Exception("Unexpected response code")
257 if error_cause:
258 if 'Error-Cause' not in reply:
259 raise Exception("Missing Error-Cause")
260 if reply['Error-Cause'][0] != error_cause:
261 raise Exception("Unexpected Error-Cause: {}".format(reply['Error-Cause']))
262
263 def test_radius_das_disconnect(dev, apdev):
264 """RADIUS Dynamic Authorization Extensions - Disconnect"""
265 try:
266 import pyrad.client
267 import pyrad.packet
268 import pyrad.dictionary
269 import radius_das
270 except ImportError:
271 raise HwsimSkip("No pyrad modules available")
272
273 params = hostapd.wpa2_eap_params(ssid="radius-das")
274 params['radius_das_port'] = "3799"
275 params['radius_das_client'] = "127.0.0.1 secret"
276 params['radius_das_require_event_timestamp'] = "1"
277 params['own_ip_addr'] = "127.0.0.1"
278 params['nas_identifier'] = "nas.example.com"
279 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
280 connect(dev[0], "radius-das")
281 addr = dev[0].p2p_interface_addr()
282 sta = hapd.get_sta(addr)
283 id = sta['dot1xAuthSessionId']
284
285 dict = pyrad.dictionary.Dictionary("dictionary.radius")
286
287 srv = pyrad.client.Client(server="127.0.0.1", acctport=3799,
288 secret="secret", dict=dict)
289 srv.retries = 1
290 srv.timeout = 1
291
292 logger.info("Disconnect-Request with incorrect secret")
293 req = radius_das.DisconnectPacket(dict=dict, secret="incorrect",
294 User_Name="foo",
295 NAS_Identifier="localhost",
296 Event_Timestamp=int(time.time()))
297 logger.debug(req)
298 try:
299 reply = srv.SendPacket(req)
300 raise Exception("Unexpected response to Disconnect-Request")
301 except pyrad.client.Timeout:
302 logger.info("Disconnect-Request with incorrect secret properly ignored")
303
304 logger.info("Disconnect-Request without Event-Timestamp")
305 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
306 User_Name="psk.user@example.com")
307 logger.debug(req)
308 try:
309 reply = srv.SendPacket(req)
310 raise Exception("Unexpected response to Disconnect-Request")
311 except pyrad.client.Timeout:
312 logger.info("Disconnect-Request without Event-Timestamp properly ignored")
313
314 logger.info("Disconnect-Request with non-matching Event-Timestamp")
315 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
316 User_Name="psk.user@example.com",
317 Event_Timestamp=123456789)
318 logger.debug(req)
319 try:
320 reply = srv.SendPacket(req)
321 raise Exception("Unexpected response to Disconnect-Request")
322 except pyrad.client.Timeout:
323 logger.info("Disconnect-Request with non-matching Event-Timestamp properly ignored")
324
325 logger.info("Disconnect-Request with unsupported attribute")
326 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
327 User_Name="foo",
328 User_Password="foo",
329 Event_Timestamp=int(time.time()))
330 send_and_check_reply(srv, req, pyrad.packet.DisconnectNAK, 401)
331
332 logger.info("Disconnect-Request with invalid Calling-Station-Id")
333 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
334 User_Name="foo",
335 Calling_Station_Id="foo",
336 Event_Timestamp=int(time.time()))
337 send_and_check_reply(srv, req, pyrad.packet.DisconnectNAK, 407)
338
339 logger.info("Disconnect-Request with mismatching User-Name")
340 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
341 User_Name="foo",
342 Event_Timestamp=int(time.time()))
343 send_and_check_reply(srv, req, pyrad.packet.DisconnectNAK, 503)
344
345 logger.info("Disconnect-Request with mismatching Calling-Station-Id")
346 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
347 Calling_Station_Id="12:34:56:78:90:aa",
348 Event_Timestamp=int(time.time()))
349 send_and_check_reply(srv, req, pyrad.packet.DisconnectNAK, 503)
350
351 logger.info("Disconnect-Request with mismatching Acct-Session-Id")
352 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
353 Acct_Session_Id="12345678-87654321",
354 Event_Timestamp=int(time.time()))
355 send_and_check_reply(srv, req, pyrad.packet.DisconnectNAK, 503)
356
357 logger.info("Disconnect-Request with mismatching Acct-Session-Id (len)")
358 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
359 Acct_Session_Id="12345678",
360 Event_Timestamp=int(time.time()))
361 send_and_check_reply(srv, req, pyrad.packet.DisconnectNAK, 503)
362
363 logger.info("Disconnect-Request with mismatching Acct-Multi-Session-Id")
364 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
365 Acct_Multi_Session_Id="12345678+87654321",
366 Event_Timestamp=int(time.time()))
367 send_and_check_reply(srv, req, pyrad.packet.DisconnectNAK, 503)
368
369 logger.info("Disconnect-Request with mismatching Acct-Multi-Session-Id (len)")
370 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
371 Acct_Multi_Session_Id="12345678",
372 Event_Timestamp=int(time.time()))
373 send_and_check_reply(srv, req, pyrad.packet.DisconnectNAK, 503)
374
375 logger.info("Disconnect-Request with no session identification attributes")
376 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
377 Event_Timestamp=int(time.time()))
378 send_and_check_reply(srv, req, pyrad.packet.DisconnectNAK, 503)
379
380 ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=1)
381 if ev is not None:
382 raise Exception("Unexpected disconnection")
383
384 logger.info("Disconnect-Request with mismatching NAS-IP-Address")
385 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
386 NAS_IP_Address="192.168.3.4",
387 Acct_Session_Id=id,
388 Event_Timestamp=int(time.time()))
389 send_and_check_reply(srv, req, pyrad.packet.DisconnectNAK, 403)
390
391 logger.info("Disconnect-Request with mismatching NAS-Identifier")
392 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
393 NAS_Identifier="unknown.example.com",
394 Acct_Session_Id=id,
395 Event_Timestamp=int(time.time()))
396 send_and_check_reply(srv, req, pyrad.packet.DisconnectNAK, 403)
397
398 ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=1)
399 if ev is not None:
400 raise Exception("Unexpected disconnection")
401
402 logger.info("Disconnect-Request with matching Acct-Session-Id")
403 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
404 NAS_IP_Address="127.0.0.1",
405 NAS_Identifier="nas.example.com",
406 Acct_Session_Id=id,
407 Event_Timestamp=int(time.time()))
408 send_and_check_reply(srv, req, pyrad.packet.DisconnectACK)
409
410 dev[0].wait_disconnected(timeout=10)
411 dev[0].wait_connected(timeout=10, error="Re-connection timed out")
412
413 logger.info("Disconnect-Request with matching Acct-Multi-Session-Id")
414 sta = hapd.get_sta(addr)
415 multi_sess_id = sta['authMultiSessionId']
416 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
417 NAS_IP_Address="127.0.0.1",
418 NAS_Identifier="nas.example.com",
419 Acct_Multi_Session_Id=multi_sess_id,
420 Event_Timestamp=int(time.time()))
421 send_and_check_reply(srv, req, pyrad.packet.DisconnectACK)
422
423 dev[0].wait_disconnected(timeout=10)
424 dev[0].wait_connected(timeout=10, error="Re-connection timed out")
425
426 logger.info("Disconnect-Request with matching User-Name")
427 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
428 NAS_Identifier="nas.example.com",
429 User_Name="psk.user@example.com",
430 Event_Timestamp=int(time.time()))
431 send_and_check_reply(srv, req, pyrad.packet.DisconnectACK)
432
433 dev[0].wait_disconnected(timeout=10)
434 dev[0].wait_connected(timeout=10, error="Re-connection timed out")
435
436 logger.info("Disconnect-Request with matching Calling-Station-Id")
437 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
438 NAS_IP_Address="127.0.0.1",
439 Calling_Station_Id=addr,
440 Event_Timestamp=int(time.time()))
441 send_and_check_reply(srv, req, pyrad.packet.DisconnectACK)
442
443 dev[0].wait_disconnected(timeout=10)
444 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-CONNECTED"])
445 if ev is None:
446 raise Exception("Timeout while waiting for re-connection")
447 if "CTRL-EVENT-EAP-STARTED" not in ev:
448 raise Exception("Unexpected skipping of EAP authentication in reconnection")
449 dev[0].wait_connected(timeout=10, error="Re-connection timed out")
450
451 logger.info("Disconnect-Request with matching Calling-Station-Id and non-matching CUI")
452 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
453 Calling_Station_Id=addr,
454 Chargeable_User_Identity="foo@example.com",
455 Event_Timestamp=int(time.time()))
456 send_and_check_reply(srv, req, pyrad.packet.DisconnectNAK, error_cause=503)
457
458 logger.info("Disconnect-Request with matching CUI")
459 dev[1].connect("radius-das", key_mgmt="WPA-EAP",
460 eap="GPSK", identity="gpsk-cui",
461 password="abcdefghijklmnop0123456789abcdef",
462 scan_freq="2412")
463 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
464 Chargeable_User_Identity="gpsk-chargeable-user-identity",
465 Event_Timestamp=int(time.time()))
466 send_and_check_reply(srv, req, pyrad.packet.DisconnectACK)
467
468 dev[1].wait_disconnected(timeout=10)
469 dev[1].wait_connected(timeout=10, error="Re-connection timed out")
470
471 ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=1)
472 if ev is not None:
473 raise Exception("Unexpected disconnection")
474
475 connect(dev[2], "radius-das")
476
477 logger.info("Disconnect-Request with matching User-Name - multiple sessions matching")
478 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
479 NAS_Identifier="nas.example.com",
480 User_Name="psk.user@example.com",
481 Event_Timestamp=int(time.time()))
482 send_and_check_reply(srv, req, pyrad.packet.DisconnectNAK, error_cause=508)
483
484 logger.info("Disconnect-Request with User-Name matching multiple sessions, Calling-Station-Id only one")
485 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
486 NAS_Identifier="nas.example.com",
487 Calling_Station_Id=addr,
488 User_Name="psk.user@example.com",
489 Event_Timestamp=int(time.time()))
490 send_and_check_reply(srv, req, pyrad.packet.DisconnectACK)
491
492 dev[0].wait_disconnected(timeout=10)
493 dev[0].wait_connected(timeout=10, error="Re-connection timed out")
494
495 ev = dev[2].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=1)
496 if ev is not None:
497 raise Exception("Unexpected disconnection")
498
499 logger.info("Disconnect-Request with matching Acct-Multi-Session-Id after disassociation")
500 sta = hapd.get_sta(addr)
501 multi_sess_id = sta['authMultiSessionId']
502 dev[0].request("DISCONNECT")
503 dev[0].wait_disconnected(timeout=10)
504 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
505 NAS_IP_Address="127.0.0.1",
506 NAS_Identifier="nas.example.com",
507 Acct_Multi_Session_Id=multi_sess_id,
508 Event_Timestamp=int(time.time()))
509 send_and_check_reply(srv, req, pyrad.packet.DisconnectACK)
510
511 dev[0].request("RECONNECT")
512 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=15)
513 if ev is None:
514 raise Exception("Timeout on EAP start")
515 dev[0].wait_connected(timeout=15)
516
517 logger.info("Disconnect-Request with matching User-Name after disassociation")
518 dev[0].request("DISCONNECT")
519 dev[0].wait_disconnected(timeout=10)
520 dev[2].request("DISCONNECT")
521 dev[2].wait_disconnected(timeout=10)
522 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
523 NAS_IP_Address="127.0.0.1",
524 NAS_Identifier="nas.example.com",
525 User_Name="psk.user@example.com",
526 Event_Timestamp=int(time.time()))
527 send_and_check_reply(srv, req, pyrad.packet.DisconnectACK)
528
529 logger.info("Disconnect-Request with matching CUI after disassociation")
530 dev[1].request("DISCONNECT")
531 dev[1].wait_disconnected(timeout=10)
532 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
533 NAS_IP_Address="127.0.0.1",
534 NAS_Identifier="nas.example.com",
535 Chargeable_User_Identity="gpsk-chargeable-user-identity",
536 Event_Timestamp=int(time.time()))
537 send_and_check_reply(srv, req, pyrad.packet.DisconnectACK)
538
539 logger.info("Disconnect-Request with matching Calling-Station-Id after disassociation")
540 dev[0].request("RECONNECT")
541 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=15)
542 if ev is None:
543 raise Exception("Timeout on EAP start")
544 dev[0].wait_connected(timeout=15)
545 dev[0].request("DISCONNECT")
546 dev[0].wait_disconnected(timeout=10)
547 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
548 NAS_IP_Address="127.0.0.1",
549 NAS_Identifier="nas.example.com",
550 Calling_Station_Id=addr,
551 Event_Timestamp=int(time.time()))
552 send_and_check_reply(srv, req, pyrad.packet.DisconnectACK)
553
554 logger.info("Disconnect-Request with mismatching Calling-Station-Id after disassociation")
555 req = radius_das.DisconnectPacket(dict=dict, secret="secret",
556 NAS_IP_Address="127.0.0.1",
557 NAS_Identifier="nas.example.com",
558 Calling_Station_Id=addr,
559 Event_Timestamp=int(time.time()))
560 send_and_check_reply(srv, req, pyrad.packet.DisconnectNAK, error_cause=503)
561
562 def test_radius_das_coa(dev, apdev):
563 """RADIUS Dynamic Authorization Extensions - CoA"""
564 try:
565 import pyrad.client
566 import pyrad.packet
567 import pyrad.dictionary
568 import radius_das
569 except ImportError:
570 raise HwsimSkip("No pyrad modules available")
571
572 params = hostapd.wpa2_eap_params(ssid="radius-das")
573 params['radius_das_port'] = "3799"
574 params['radius_das_client'] = "127.0.0.1 secret"
575 params['radius_das_require_event_timestamp'] = "1"
576 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
577 connect(dev[0], "radius-das")
578 addr = dev[0].p2p_interface_addr()
579 sta = hapd.get_sta(addr)
580 id = sta['dot1xAuthSessionId']
581
582 dict = pyrad.dictionary.Dictionary("dictionary.radius")
583
584 srv = pyrad.client.Client(server="127.0.0.1", acctport=3799,
585 secret="secret", dict=dict)
586 srv.retries = 1
587 srv.timeout = 1
588
589 # hostapd does not currently support CoA-Request, so NAK is expected
590 logger.info("CoA-Request with matching Acct-Session-Id")
591 req = radius_das.CoAPacket(dict=dict, secret="secret",
592 Acct_Session_Id=id,
593 Event_Timestamp=int(time.time()))
594 send_and_check_reply(srv, req, pyrad.packet.CoANAK, error_cause=405)
595
596 def test_radius_ipv6(dev, apdev):
597 """RADIUS connection over IPv6"""
598 params = {}
599 params['ssid'] = 'as'
600 params['beacon_int'] = '2000'
601 params['radius_server_clients'] = 'auth_serv/radius_clients_ipv6.conf'
602 params['radius_server_ipv6'] = '1'
603 params['radius_server_auth_port'] = '18129'
604 params['radius_server_acct_port'] = '18139'
605 params['eap_server'] = '1'
606 params['eap_user_file'] = 'auth_serv/eap_user.conf'
607 params['ca_cert'] = 'auth_serv/ca.pem'
608 params['server_cert'] = 'auth_serv/server.pem'
609 params['private_key'] = 'auth_serv/server.key'
610 hostapd.add_ap(apdev[1]['ifname'], params)
611
612 params = hostapd.wpa2_eap_params(ssid="radius-ipv6")
613 params['auth_server_addr'] = "::0"
614 params['auth_server_port'] = "18129"
615 params['acct_server_addr'] = "::0"
616 params['acct_server_port'] = "18139"
617 params['acct_server_shared_secret'] = "radius"
618 params['own_ip_addr'] = "::0"
619 hostapd.add_ap(apdev[0]['ifname'], params)
620 connect(dev[0], "radius-ipv6")
621
622 def test_radius_macacl(dev, apdev):
623 """RADIUS MAC ACL"""
624 params = hostapd.radius_params()
625 params["ssid"] = "radius"
626 params["macaddr_acl"] = "2"
627 hostapd.add_ap(apdev[0]['ifname'], params)
628 dev[0].connect("radius", key_mgmt="NONE", scan_freq="2412")
629
630 def test_radius_macacl_acct(dev, apdev):
631 """RADIUS MAC ACL and accounting enabled"""
632 params = hostapd.radius_params()
633 params["ssid"] = "radius"
634 params["macaddr_acl"] = "2"
635 params['acct_server_addr'] = "127.0.0.1"
636 params['acct_server_port'] = "1813"
637 params['acct_server_shared_secret'] = "radius"
638 hostapd.add_ap(apdev[0]['ifname'], params)
639 dev[0].connect("radius", key_mgmt="NONE", scan_freq="2412")
640 dev[1].connect("radius", key_mgmt="NONE", scan_freq="2412")
641 dev[1].request("DISCONNECT")
642 dev[1].wait_disconnected()
643 dev[1].request("RECONNECT")
644
645 def test_radius_failover(dev, apdev):
646 """RADIUS Authentication and Accounting server failover"""
647 subprocess.call(['ip', 'ro', 'replace', '192.168.213.17', 'dev', 'lo'])
648 as_hapd = hostapd.Hostapd("as")
649 as_mib_start = as_hapd.get_mib(param="radius_server")
650 params = hostapd.wpa2_eap_params(ssid="radius-failover")
651 params["auth_server_addr"] = "192.168.213.17"
652 params["auth_server_port"] = "1812"
653 params["auth_server_shared_secret"] = "testing"
654 params['acct_server_addr'] = "192.168.213.17"
655 params['acct_server_port'] = "1813"
656 params['acct_server_shared_secret'] = "testing"
657 hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
658 hapd.set("auth_server_addr", "127.0.0.1")
659 hapd.set("auth_server_port", "1812")
660 hapd.set("auth_server_shared_secret", "radius")
661 hapd.set('acct_server_addr', "127.0.0.1")
662 hapd.set('acct_server_port', "1813")
663 hapd.set('acct_server_shared_secret', "radius")
664 hapd.enable()
665 ev = hapd.wait_event(["AP-ENABLED", "AP-DISABLED"], timeout=30)
666 if ev is None:
667 raise Exception("AP startup timed out")
668 if "AP-ENABLED" not in ev:
669 raise Exception("AP startup failed")
670
671 try:
672 subprocess.call(['ip', 'ro', 'replace', 'prohibit', '192.168.213.17'])
673 dev[0].request("SET EAPOL::authPeriod 5")
674 connect(dev[0], "radius-failover", wait_connect=False)
675 dev[0].wait_connected(timeout=60)
676 finally:
677 dev[0].request("SET EAPOL::authPeriod 30")
678 subprocess.call(['ip', 'ro', 'del', '192.168.213.17'])
679
680 as_mib_end = as_hapd.get_mib(param="radius_server")
681 req_s = int(as_mib_start['radiusAccServTotalRequests'])
682 req_e = int(as_mib_end['radiusAccServTotalRequests'])
683 if req_e <= req_s:
684 raise Exception("Unexpected RADIUS server acct MIB value")
685
686 def run_pyrad_server(srv, t_events):
687 srv.RunWithStop(t_events)
688
689 def test_radius_protocol(dev, apdev):
690 """RADIUS Authentication protocol tests with a fake server"""
691 try:
692 import pyrad.server
693 import pyrad.packet
694 import pyrad.dictionary
695 except ImportError:
696 raise HwsimSkip("No pyrad modules available")
697
698 class TestServer(pyrad.server.Server):
699 def _HandleAuthPacket(self, pkt):
700 pyrad.server.Server._HandleAuthPacket(self, pkt)
701 logger.info("Received authentication request")
702 reply = self.CreateReplyPacket(pkt)
703 reply.code = pyrad.packet.AccessAccept
704 if self.t_events['msg_auth'].is_set():
705 logger.info("Add Message-Authenticator")
706 if self.t_events['wrong_secret'].is_set():
707 logger.info("Use incorrect RADIUS shared secret")
708 pw = "incorrect"
709 else:
710 pw = reply.secret
711 hmac_obj = hmac.new(pw)
712 hmac_obj.update(struct.pack("B", reply.code))
713 hmac_obj.update(struct.pack("B", reply.id))
714
715 # reply attributes
716 reply.AddAttribute("Message-Authenticator",
717 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
718 attrs = reply._PktEncodeAttributes()
719
720 # Length
721 flen = 4 + 16 + len(attrs)
722 hmac_obj.update(struct.pack(">H", flen))
723 hmac_obj.update(pkt.authenticator)
724 hmac_obj.update(attrs)
725 if self.t_events['double_msg_auth'].is_set():
726 logger.info("Include two Message-Authenticator attributes")
727 else:
728 del reply[80]
729 reply.AddAttribute("Message-Authenticator", hmac_obj.digest())
730 self.SendReplyPacket(pkt.fd, reply)
731
732 def RunWithStop(self, t_events):
733 self._poll = select.poll()
734 self._fdmap = {}
735 self._PrepareSockets()
736 self.t_events = t_events
737
738 while not t_events['stop'].is_set():
739 for (fd, event) in self._poll.poll(1000):
740 if event == select.POLLIN:
741 try:
742 fdo = self._fdmap[fd]
743 self._ProcessInput(fdo)
744 except ServerPacketError as err:
745 logger.info("pyrad server dropping packet: " + str(err))
746 except pyrad.packet.PacketError as err:
747 logger.info("pyrad server received invalid packet: " + str(err))
748 else:
749 logger.error("Unexpected event in pyrad server main loop")
750
751 srv = TestServer(dict=pyrad.dictionary.Dictionary("dictionary.radius"),
752 authport=18138, acctport=18139)
753 srv.hosts["127.0.0.1"] = pyrad.server.RemoteHost("127.0.0.1",
754 "radius",
755 "localhost")
756 srv.BindToAddress("")
757 t_events = {}
758 t_events['stop'] = threading.Event()
759 t_events['msg_auth'] = threading.Event()
760 t_events['wrong_secret'] = threading.Event()
761 t_events['double_msg_auth'] = threading.Event()
762 t = threading.Thread(target=run_pyrad_server, args=(srv, t_events))
763 t.start()
764
765 try:
766 params = hostapd.wpa2_eap_params(ssid="radius-test")
767 params['auth_server_port'] = "18138"
768 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
769 connect(dev[0], "radius-test", wait_connect=False)
770 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=15)
771 if ev is None:
772 raise Exception("Timeout on EAP start")
773 time.sleep(1)
774 dev[0].request("REMOVE_NETWORK all")
775 time.sleep(0.1)
776 dev[0].dump_monitor()
777 t_events['msg_auth'].set()
778 t_events['wrong_secret'].set()
779 connect(dev[0], "radius-test", wait_connect=False)
780 time.sleep(1)
781 dev[0].request("REMOVE_NETWORK all")
782 time.sleep(0.1)
783 dev[0].dump_monitor()
784 t_events['wrong_secret'].clear()
785 connect(dev[0], "radius-test", wait_connect=False)
786 time.sleep(1)
787 dev[0].request("REMOVE_NETWORK all")
788 time.sleep(0.1)
789 dev[0].dump_monitor()
790 t_events['double_msg_auth'].set()
791 connect(dev[0], "radius-test", wait_connect=False)
792 time.sleep(1)
793 finally:
794 t_events['stop'].set()
795 t.join()
796
797 def test_radius_psk(dev, apdev):
798 """WPA2 with PSK from RADIUS"""
799 try:
800 import pyrad.server
801 import pyrad.packet
802 import pyrad.dictionary
803 except ImportError:
804 raise HwsimSkip("No pyrad modules available")
805
806 class TestServer(pyrad.server.Server):
807 def _HandleAuthPacket(self, pkt):
808 pyrad.server.Server._HandleAuthPacket(self, pkt)
809 logger.info("Received authentication request")
810 reply = self.CreateReplyPacket(pkt)
811 reply.code = pyrad.packet.AccessAccept
812 a = "\xab\xcd"
813 secret = reply.secret
814 if self.t_events['long'].is_set():
815 p = b'\x10' + "0123456789abcdef" + 15 * b'\x00'
816 b = hashlib.md5(secret + pkt.authenticator + a).digest()
817 pp = bytearray(p[0:16])
818 bb = bytearray(b)
819 cc = bytearray(pp[i] ^ bb[i] for i in range(len(bb)))
820
821 b = hashlib.md5(reply.secret + bytes(cc)).digest()
822 pp = bytearray(p[16:32])
823 bb = bytearray(b)
824 cc += bytearray(pp[i] ^ bb[i] for i in range(len(bb)))
825
826 data = '\x00' + a + bytes(cc)
827 else:
828 p = b'\x08' + "12345678" + 7 * b'\x00'
829 b = hashlib.md5(secret + pkt.authenticator + a).digest()
830 pp = bytearray(p)
831 bb = bytearray(b)
832 cc = bytearray(pp[i] ^ bb[i] for i in range(len(bb)))
833 data = '\x00' + a + bytes(cc)
834 reply.AddAttribute("Tunnel-Password", data)
835 self.SendReplyPacket(pkt.fd, reply)
836
837 def RunWithStop(self, t_events):
838 self._poll = select.poll()
839 self._fdmap = {}
840 self._PrepareSockets()
841 self.t_events = t_events
842
843 while not t_events['stop'].is_set():
844 for (fd, event) in self._poll.poll(1000):
845 if event == select.POLLIN:
846 try:
847 fdo = self._fdmap[fd]
848 self._ProcessInput(fdo)
849 except ServerPacketError as err:
850 logger.info("pyrad server dropping packet: " + str(err))
851 except pyrad.packet.PacketError as err:
852 logger.info("pyrad server received invalid packet: " + str(err))
853 else:
854 logger.error("Unexpected event in pyrad server main loop")
855
856 srv = TestServer(dict=pyrad.dictionary.Dictionary("dictionary.radius"),
857 authport=18138, acctport=18139)
858 srv.hosts["127.0.0.1"] = pyrad.server.RemoteHost("127.0.0.1",
859 "radius",
860 "localhost")
861 srv.BindToAddress("")
862 t_events = {}
863 t_events['stop'] = threading.Event()
864 t_events['long'] = threading.Event()
865 t = threading.Thread(target=run_pyrad_server, args=(srv, t_events))
866 t.start()
867
868 try:
869 ssid = "test-wpa2-psk"
870 params = hostapd.radius_params()
871 params['ssid'] = ssid
872 params["wpa"] = "2"
873 params["wpa_key_mgmt"] = "WPA-PSK"
874 params["rsn_pairwise"] = "CCMP"
875 params['macaddr_acl'] = '2'
876 params['wpa_psk_radius'] = '2'
877 params['auth_server_port'] = "18138"
878 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
879 dev[0].connect(ssid, psk="12345678", scan_freq="2412")
880 t_events['long'].set()
881 dev[1].connect(ssid, psk="0123456789abcdef", scan_freq="2412")
882 finally:
883 t_events['stop'].set()
884 t.join()
Unnamed repository; edit this file 'description' to name the repository.