Adding VSA to hostapd AAA server

Jouni Malinen j at
Fri Jun 17 13:36:21 PDT 2016

On Fri, Jun 17, 2016 at 06:33:04PM +0000, Rajesh K wrote:
>     I am using hostapd as a AAA server in my lab. I want to add some additional RADIUS attributes in the RADIUS Access Accept. Can anyone point me on how to do the same?

See hostapd/hostapd.eap_user and hostapd/hostapd.conf for

# Arbitrary RADIUS attributes can be added into Access-Accept packets similarly
# to the way radius_auth_req_attr is used for Access-Request packet in
# hostapd.conf. For EAP server, this is configured separately for each user
# entry with radius_accept_attr=<value> line(s) following the main user entry
# line.

# Arbitrary RADIUS attributes can be added into Access-Request and
# Accounting-Request packets by specifying the contents of the attributes with
# the following configuration parameters. There can be multiple of these to
# add multiple attributes. These parameters can also be used to override some
# of the attributes added automatically by hostapd.
# Format: <attr_id>[:<syntax:value>]
# attr_id: RADIUS attribute type (e.g., 26 = Vendor-Specific)
# syntax: s = string (UTF-8), d = integer, x = octet string
# value: attribute value in format indicated by the syntax
# If syntax and value parts are omitted, a null value (single 0x00 octet) is
# used.
# Additional Access-Request attributes
# radius_auth_req_attr=<attr_id>[:<syntax:value>]
# Examples:
# Operator-Name = "Operator"
# Service-Type = Framed (2)
# Connect-Info = "testing" (this overrides the automatically generated value)
# Same Connect-Info value set as a hexdump

In other words, you could use something like this in the eap_user_file
to add a VSA:

"hs20-deauth-test"	TTLS-MSCHAPV2	"password"	[2]

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list