Re: [PATCH] ap/drv_callbacks: in hostapd_notif_assoc, !ACCEPT ≠ REJECT

michael-dev michael-dev at fami-braun.de
Wed Nov 2 13:36:25 PDT 2016


Hi,

> This commit fixes the issue in our automated
> test, for both the positive case and the negative case.

Could you share what is needed to reproduce these?

Thanks,
M. Braun

> On Tue, Oct 25, 2016 at 8:20 AM, M. Braun <mbrrc at fami-braun.de> wrote:
>> Hi,
>> 
>> hostapd_check_acl can only return PENDING if macaddr_acl ==
>> USE_EXTERNAL_RADIUS_AUTH.
>> 
>> In that case, either
>> a) hostapd_allowed_address is used before and so the RADIUS reply came in
>>    before association is completed and hostapd_notif_assoc is called or
>> b) hostapd_allowed_address is not called (e.g. SME in driver) and so
>>    macaddr_acl == USE_EXTERNAL_RADIUS_AUTH is not implemented.
>> 
>> In case b) this change would accept a station bypassing RADIUS, while
>> currently admin would need to choose a different macaddr_acl value to
>> disable RADIUS with macaddr_acl when using SME in driver.
>> 
>> Right?
>> 
>> Regards,
>> M. Braun
>> 
>> 
>> 
>> On 25.10.2016 02:05, Derrick Pallas wrote:
>>> 
>>> The commit
>>> 
>>>         hostapd: Process MAC ACLs on a station association event (SME in driver)
>>> 
>>> added a MAC ACL check to hostapd_notif_assoc.  This check disconnects the
>>> client if the response is not ACCEPT, but the function can actually return
>>> PENDING too, as in the case of 802.1x MAC-based auth.  It feels like the
>>> author probably meant to disconnect the client if the response is REJECT,
>>> but not ACCEPT or PENDING instead.
>>> 
>>> Signed-off-by: Derrick Pallas <pallas at meraki.com>
>>> ---
>>>  src/ap/drv_callbacks.c | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>> 
>>> diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
>>> index 3552b3e..f065995 100644
>>> --- a/src/ap/drv_callbacks.c
>>> +++ b/src/ap/drv_callbacks.c
>>> @@ -124,7 +124,7 @@ int hostapd_notif_assoc(struct hostapd_data 
>>> *hapd,
>>> const u8 *addr,
>>>          * conflicting ACL rules.
>>>          */
>>>         if (hapd->iface->drv_max_acl_mac_addrs == 0 &&
>>> -           hostapd_check_acl(hapd, addr, NULL) != 
>>> HOSTAPD_ACL_ACCEPT) {
>>> +           hostapd_check_acl(hapd, addr, NULL) == 
>>> HOSTAPD_ACL_REJECT) {
>>>                 wpa_printf(MSG_INFO, "STA " MACSTR " not allowed to
>>> connect",
>>>                            MAC2STR(addr));
>>>                 reason = WLAN_REASON_UNSPECIFIED;
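
Review bot: In the rewritten condition, comparing hostapd_check_acl(hapd, addr, NULL) against HOSTAPD_ACL_REJECT only, a HOSTAPD_ACL_PENDING result now takes the same path as ACCEPT with no handling of its own, so the check fails open for every value other than REJECT. As raised in the reply above, PENDING is tied to macaddr_acl == USE_EXTERNAL_RADIUS_AUTH, and on this SME-in-driver path nothing visible in the hunk waits for or consults a RADIUS result before the association continues. I would store the return value in a local variable and treat the three outcomes separately: disconnect on REJECT, continue on ACCEPT, and for PENDING either keep disconnecting or proceed only when an earlier RADIUS decision for this address is known. Whichever is chosen, the comment above the condition should say what PENDING means here and why the chosen behaviour is safe, so the ACL cannot be silently bypassed by a later refactor.
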