[PATCH] Allow Session-Timeout with PSK RADIUS during 4 Way Handshake

Lee Harding somerandomstring at gmail.com
Tue Apr 9 15:06:38 PDT 2024

I've been reading the code and testing the PSK via RADIUS
functionality in hostap and discovered what I believe to be a bug.
When the RADIUS response includes a Session-Timeout and is otherwise
valid (an Access-Accept with a valid Tunnel-Password) the association
still fails due to the strict comparison of the accepted value with
HOSTAPD_ACL_ACCEPT.  Apparently this wasn't previously tested.

The patch below allows a packet containing a valid Session-Timeout
attribute to be accepted by extending the "success" comparison to

Signed-off-by: Lee Harding <somerandomstring at gmail.com>

Diff inline below:

diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
index e723ae74b..7b3b0137f 100644
--- a/src/ap/ieee802_11_auth.c
+++ b/src/ap/ieee802_11_auth.c
@@ -596,7 +596,8 @@ hostapd_acl_recv_radius(struct radius_msg *msg,
struct radius_msg *req,

        if (query->radius_psk) {
                struct sta_info *sta;
-               bool success = cache->accepted == HOSTAPD_ACL_ACCEPT;
+               bool success = cache->accepted == HOSTAPD_ACL_ACCEPT
+                       || cache->accepted == HOSTAPD_ACL_ACCEPT_TIMEOUT;

                sta = ap_get_sta(hapd, query->addr);
                if (!sta || !sta->wpa_sm) {

More information about the Hostap mailing list