[patch] bind to own_ip_addr for RADIUS communications

Chris Zimmermann cbzimmermann
Sun Dec 31 14:25:53 PST 2006


While it's true that most times a machine acting as a wireless access point would either use static addressing or get a DHCP address from a DHCP server based on its MAC, own_ip_address is a potential problem for RADIUS server communication. Some RADIUS servers, such as Elektron, allow any machine with a valid shared secret to communicate with it. I ran into a problem where the machine running hostapd was using DHCP, got a different address, and hostapd did not know about the change to own_ip_address, causing RADIUS to no longer work. It may be worthwhile to configure hostapd's RADIUS server communications via a specific interface and address types (a combination of one or more of the following: IPv4 routable, IPv4 link local, IPv6 routable, IPv6 link local, etc.) and use routing socket notifications (or the equivalent on the OS) to enable hostapd to be aware of changes to the interface's address(es) and not require a SIGHUP when the situation occurs.

On Dec 30, 2006, at 7:54 PM, Jouni Malinen wrote:

> On Tue, Dec 19, 2006 at 03:55:54PM +1300, Matt Brown wrote:
>
>> The attached patch forces hostapd to bind to the own_ip_addr specified in the configuration file for all RADIUS auth and acct traffic. This is desirable as many RADIUS servers authenticate clients based on an (ip, shared secret) tuple. If the hostapd machine has multiple interfaces with redundant connections to the RADIUS server it is possible that the source IP address that the RADIUS server sees will not be consistent.
>
> Hmm.. own_ip_addr has potentially been used with incorrect values (e.g., 127.0.0.1 if the AS is remote) and this change would break this kind of (admittedly incorrect) configuration..
>
> Do you happen to know how different RADIUS servers select which shared secret to use? Based on the source IP address or would NAS-IP-Address override this?
>
> I like the possibility of binding the sockets into a specific address, but I'm not sure I would like to do this unconditionally..
>
>> The patch also fixes what appeared to be a minor bug with v6 in radius_client_init_acct. The v6 socket was never opened, but code later in the function tried to use it regardless.
>
> Thanks! It looks like I just forgot to copy the socket opening and error checking code from the authentication case. My testing for the IPv6 version has been very limited and likely only for authentication, since hostapd-as-radius-server does not support accounting.
>
>> I had to rearrange where the own_ip_addr parameter is stored in the config structures so that it was available to the radius_init routines.
>
> That's ok. It would also be worth considering to move the code that is adding NAS-IP-Address attribute into the RADIUS client code with this kind of change in where the IP address is stored (and same for NAS-Identifier for that matter).. That would remove some duplicated code since this is done in three different files at the moment.
>
> -- 
> Jouni Malinen                                            PGP id EFC895FA

Thanks,
Chris

-- 
Chris Zimmermann
cbzimmermann at mac.com
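The bind-before-connect approach Matt's patch takes, and the failure mode Chris describes when the configured address is no longer held by the host, as an added IPv4 example (not hostapd code; the function names and the RADIUS server at 127.0.0.1:1812 are hypothetical):

```c
/* Added example, not hostapd's own code: open a UDP socket for RADIUS
 * traffic bound to the configured own_ip_addr, so the server always sees
 * the same (source IP, shared secret) pair. Names are hypothetical. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns a connected UDP fd bound to own_ip, or -1 with errno set. */
int radius_open_bound_socket(const char *own_ip, const char *server_ip,
                             unsigned short server_port)
{
    struct sockaddr_in local, remote;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    memset(&local, 0, sizeof(local));
    local.sin_family = AF_INET;
    local.sin_port = 0;                 /* any ephemeral source port */
    if (inet_pton(AF_INET, own_ip, &local.sin_addr) != 1) {
        close(fd); errno = EINVAL; return -1;
    }
    /* bind() fails with EADDRNOTAVAIL when the host no longer holds
     * own_ip (e.g. DHCP handed out a new lease): the point at which
     * hostapd would need to notice the change instead of silently
     * sending from whatever address the routing table picks. */
    if (bind(fd, (struct sockaddr *) &local, sizeof(local)) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }

    memset(&remote, 0, sizeof(remote));
    remote.sin_family = AF_INET;
    remote.sin_port = htons(server_port);
    if (inet_pton(AF_INET, server_ip, &remote.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *) &remote, sizeof(remote)) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return fd;
}

/* 1 if the kernel's chosen source address for fd equals own_ip. */
int radius_source_matches(int fd, const char *own_ip)
{
    struct sockaddr_in sa; socklen_t len = sizeof(sa);
    char buf[INET_ADDRSTRLEN];
    if (getsockname(fd, (struct sockaddr *) &sa, &len) < 0)
        return 0;
    return inet_ntop(AF_INET, &sa.sin_addr, buf, sizeof(buf)) != NULL &&
           strcmp(buf, own_ip) == 0;
}
```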


