RADIUS: Require Message-Authenticator attribute in MAC ACL cases

hostapd required Message-Authenticator attribute to be included in EAP
authentication cases, but that requirement was not in place for MAC ACL
cases. Start requiring Message-Authenticator attribute for MAC ACL by
default. Unlike the EAP case, this can still be disabled with
radius_require_message_authenticator=1 to maintain compatibility with
some RADIUS servers when used in a network where the connection to such
a server is secure.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 96c28aea277c9ea9f25906cc7919f12aea95bd27..3fb059770d49fd3d3867cd53014aa9258479e1b7 100644 (file)
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2988,6 +2988,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 #endif /* CONFIG_RADIUS_TLS */
        } else if (os_strcmp(buf, "radius_retry_primary_interval") == 0) {
                bss->radius->retry_primary_interval = atoi(pos);
+       } else if (os_strcmp(buf,
+                            "radius_require_message_authenticator") == 0) {
+               bss->radius_require_message_authenticator = atoi(pos);
        } else if (os_strcmp(buf, "radius_acct_interim_interval") == 0) {
                bss->acct_interim_interval = atoi(pos);
        } else if (os_strcmp(buf, "radius_request_cui") == 0) {

diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index e3367b708ecbc6d38cffe31cff50961538ab22b3..3f0e66beb566c6f64a8cc0c2cebde5833d311bf0 100644 (file)
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1620,6 +1620,17 @@ own_ip_addr=127.0.0.1
 # currently used secondary server is still working.
 #radius_retry_primary_interval=600
 
+# Message-Authenticator attribute requirement for non-EAP cases
+# hostapd requires Message-Authenticator attribute to be included in all cases
+# where RADIUS is used for EAP authentication. This is also required for cases
+# where RADIUS is used for MAC ACL (macaddr_acl=2) by default, but that case
+# can be configured to not require this for compatibility with RADIUS servers
+# that do not include the attribute. This is not recommended due to potential
+# security concerns, but can be used as a temporary workaround in networks where
+# the connection to the RADIUS server is secure.
+# 0 = Do not require Message-Authenticator in MAC ACL response
+# 1 = Require Message-Authenticator in all authentication cases (default)
+#radius_require_message_authenticator=1
 
 # Interim accounting update interval
 # If this is set (larger than 0) and acct_server is configured, hostapd will

diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 32b04ab353c4174b715896f7c9d2ebf5a534eb23..0b5a16ef9f82763ada8b2143c57e5e3c59f83539 100644 (file)
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -122,6 +122,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
 #endif /* CONFIG_IEEE80211R_AP */
 
        bss->radius_das_time_window = 300;
+       bss->radius_require_message_authenticator = 1;
 
        bss->anti_clogging_threshold = 5;
        bss->sae_sync = 5;

diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index fda937ecf534692e525f55d2614ca5e08753449a..ced2181ab8aebb846a79bab352a636157cdf7426 100644 (file)
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -309,6 +309,7 @@ struct hostapd_bss_config {
        struct hostapd_ip_addr own_ip_addr;
        char *nas_identifier;
        struct hostapd_radius_servers *radius;
+       int radius_require_message_authenticator;
        int acct_interim_interval;
        int radius_request_cui;
        struct hostapd_radius_attr *radius_auth_req_attr;

diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
index cc38044d8952f4884c956d163a630123e973fa72..913a995978a04abf747c774cf024d2382be631d0 100644 (file)
--- a/src/ap/ieee802_11_auth.c
+++ b/src/ap/ieee802_11_auth.c
@@ -508,7 +508,9 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
                   "Found matching Access-Request for RADIUS message (id=%d)",
                   query->radius_id);
 
-       if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) {
+       if (radius_msg_verify(
+                   msg, shared_secret, shared_secret_len, req,
+                   hapd->conf->radius_require_message_authenticator)) {
                wpa_printf(MSG_INFO,
                           "Incoming RADIUS packet did not have correct authenticator - dropped");
                return RADIUS_RX_INVALID_AUTHENTICATOR;