[patch] bind to own_ip_addr for RADIUS communications
Jouni Malinen
jkmaline
Sat Dec 30 19:54:53 PST 2006
On Tue, Dec 19, 2006 at 03:55:54PM +1300, Matt Brown wrote:
> The attached patch forces hostapd to bind to the own_ip_addr specified
> in the configuration file for all RADIUS auth and acct traffic. This is
> desirable as many RADIUS servers authenticate clients based on an (ip,
> shared secret) tuple. If the hostapd machine has multiple interfaces
> with redundant connections to the RADIUS server it is possible that
> source IP address that the RADIUS server sees will not be consistent.
Hmm.. own_ip_addr has potentially been used with incorrect values (e.g.,
127.0.0.1 if the AS is remote) and this change would break this kind of
(admittedly incorrect) configuration..
Do you happen to know how different RADIUS servers select which shared
secret to use? Based on the source IP address or would NAS-IP-Address
override this?
I like the possibility of binding the sockets into a specific address,
but I'm not sure I would like to do this unconditionally..
> The patch also fixes what appeared to be a minor bug with v6 in
> radius_client_init_acct. The v6 socket was never opened, but code later
> in the function tried to use it regardless.
Thanks! It looks like I just forgot to copy the socket opening and error
checking code from the authentication case. My testing for the IPv6
version has been very limited and likely only for authentication, since
hostapd-as-radius-server does not support accounting.
> I had to rearrange where the own_ip_addr parameter is stored in the
> config structures so that it was available to the radius_init routines.
That's ok. It would also be worth considering to move the code that is
adding NAS-IP-Address attribute into the RADIUS client code with this
kind of change in where the IP address is stored (and same for
NAS-Identifier for that matter).. That would remove some duplicated code
since this is done in three different files at the moment.
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list