RADIUS based station reauth request

Jouni Malinen j
Sun Jun 17 09:59:53 PDT 2012


On Sun, May 06, 2012 at 06:16:27PM +0400, newuse at qip.ru wrote:
> Thanks, but is there any way to force given station reauth by its MAC? Maybe via CLI?
> I need to be able to block authorized station at any time (not by max Session-Timeout), is it possible?

"hostapd_cli deauthenticate <addr>" command can be used to do this
through the control interface. In addition, there is now support for
Disconnect-Request (RFC 5176 - Dynamic Authorization Extensions to
RADIUS) in hostapd, so this can also be initiated by the RADIUS server.
For example, radclient from FreeRADIUS can be used for this:

(echo Calling-Station-Id=<STA MAC address>
echo Event-Timestamp=`date +%s`
echo Message-Authenticator=00) |
radclient -x <NAS/AP IP addr> disconnect secret

This goes a bit further than just forcing reauthentication, i.e., the
station is first disconnected. If you want to trigger reauthentication
without disconnection, CoA-Request with small Session-Timeout value
could be added for such operation (hostapd does not yet support
CoA-Request).

-- 
Jouni Malinen                                            PGP id EFC895FA
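
Added example, not part of the original message and not hostapd or FreeRADIUS code: a Python sketch of the RFC 5176 Disconnect-Request described above, with the three attributes from the radclient input, and of the integrity and freshness checks a receiver can apply before acting on it. The function names, the 300 second freshness window and the MAC string format are assumptions made for illustration.

```python
import hashlib, hmac, struct, time

DISCONNECT_REQUEST = 40  # RFC 5176 packet code
CALLING_STATION_ID, EVENT_TIMESTAMP, MESSAGE_AUTHENTICATOR = 31, 55, 80
ZERO16 = bytes(16)

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect_request(sta_mac, secret, ident=1, now=None):
    """Return the UDP payload of a Disconnect-Request for one station."""
    ts = int(time.time() if now is None else now)
    attrs = (_attr(CALLING_STATION_ID, sta_mac.encode())
             + _attr(EVENT_TIMESTAMP, struct.pack("!I", ts))
             + _attr(MESSAGE_AUTHENTICATOR, ZERO16))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Message-Authenticator: HMAC-MD5 with authenticator field and own value zeroed
    mac = hmac.new(secret, header + ZERO16 + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    # Request Authenticator: MD5(header + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + ZERO16 + attrs + secret).digest()
    return header + auth + attrs

def verify_disconnect_request(packet, secret, now=None, window=300):
    """Receiver-side checks; return the station MAC or raise ValueError."""
    if (len(packet) < 20 or packet[0] != DISCONNECT_REQUEST
            or struct.unpack("!H", packet[2:4])[0] != len(packet)):
        raise ValueError("not a well-formed Disconnect-Request")
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + ZERO16 + body + secret).digest()
    if not hmac.compare_digest(expected, auth):
        raise ValueError("bad Request Authenticator")
    found, zeroed, pos = {}, bytearray(body), 0
    while pos < len(body):
        alen = body[pos + 1] if pos + 1 < len(body) else 0
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute")
        found[body[pos]] = body[pos + 2:pos + alen]
        if body[pos] == MESSAGE_AUTHENTICATOR:
            zeroed[pos + 2:pos + alen] = bytes(alen - 2)
        pos += alen
    mac = hmac.new(secret, header + ZERO16 + bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(mac, found.get(MESSAGE_AUTHENTICATOR, b"")):
        raise ValueError("bad or missing Message-Authenticator")
    ts = found.get(EVENT_TIMESTAMP, b"")
    now = time.time() if now is None else now
    if len(ts) != 4 or abs(now - struct.unpack("!I", ts)[0]) > window:
        raise ValueError("missing or stale Event-Timestamp")
    return found.get(CALLING_STATION_ID, b"").decode()
```

Both authenticators depend on the shared secret, and the Event-Timestamp check is what stops a captured request from being replayed later.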


