Re: [PATCH] ap/drv_callbacks: in hostapd_notif_assoc, !ACCEPT ≠ REJECT

M. Braun mbrrc at fami-braun.de
Tue Oct 25 08:20:17 PDT 2016


Hi,

hostapd_check_acl can only return PENDING if macaddr_acl ==
USE_EXTERNAL_RADIUS_AUTH.

In that case, either
a) hostapd_allowed_address is used before and so the RADIUS reply came in
   before association is completed and hostapd_notif_assoc is called, or
b) hostapd_allowed_address is not called (e.g. SME in driver) and so
   macaddr_acl == USE_EXTERNAL_RADIUS_AUTH is not implemented.

In case b) this change would accept a station bypassing RADIUS, while
currently the admin would need to choose a different macaddr_acl value to
disable RADIUS with macaddr_acl when using SME in driver.

Right?

Regards,
M. Braun


On 25.10.2016 02:05, Derrick Pallas wrote:
> The commit
> 
> 	hostapd: Process MAC ACLs on a station association event (SME in driver)
> 
> added a MAC ACL check to hostapd_notif_assoc.  This check disconnects the
> client if the response is not ACCEPT, but the function can actually return
> PENDING too, as in the case of 802.1x MAC-based auth.  It feels like the
> author probably meant to disconnect the client if the response is REJECT,
> but not ACCEPT or PENDING instead.
> 
> Signed-off-by: Derrick Pallas <pallas at meraki.com>
> ---
>  src/ap/drv_callbacks.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
> index 3552b3e..f065995 100644
> --- a/src/ap/drv_callbacks.c
> +++ b/src/ap/drv_callbacks.c
> @@ -124,7 +124,7 @@ int hostapd_notif_assoc(struct hostapd_data *hapd,
> const u8 *addr,
>  	 * conflicting ACL rules.
>  	 */
>  	if (hapd->iface->drv_max_acl_mac_addrs == 0 &&
> -	    hostapd_check_acl(hapd, addr, NULL) != HOSTAPD_ACL_ACCEPT) {
> +	    hostapd_check_acl(hapd, addr, NULL) == HOSTAPD_ACL_REJECT) {
>  		wpa_printf(MSG_INFO, "STA " MACSTR " not allowed to connect",
>  			   MAC2STR(addr));
>  		reason = WLAN_REASON_UNSPECIFIED;
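
Review bot: The `== HOSTAPD_ACL_REJECT` comparison on the changed line makes this check fail open: every result other than REJECT, including the PENDING case the commit message names, now skips the "not allowed to connect" branch, and nothing in the hunk shows where a pending decision is enforced later. Because the condition is guarded by `drv_max_acl_mac_addrs == 0` and sits in the association notification path, a station whose ACL result is still PENDING would proceed as if accepted. Consider handling PENDING explicitly (either keep rejecting it here or defer the association until the result is known) rather than folding it into the accept path, and extend the comment above the condition to say which return values are expected at this point and why each is treated as it is.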


