[PATCH 39/44] start radius accounting after FT and PREauth

Jouni Malinen j at w1.fi
Sun Feb 28 10:02:42 PST 2016


On Wed, Feb 24, 2016 at 12:53:45PM +0100, michael-dev at fami-braun.de wrote:
> eapol_sm_set_port_authorized is not called as eapol state machine
> is set directly to authorized. Thus accounting was not started.

Would you be able to share a hostapd debug log showing such cases (both
FT and PMKSA caching)? I cannot reproduce this at least with the PMKSA
caching case.

> diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
> @@ -1139,7 +1139,8 @@ void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta)
> -		/* TODO: get vlan_id from R0KH using RRB message */
> +		ap_sta_bind_vlan(hapd, sta);
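
Review bot: The TODO removed in ieee802_1x_new_station() recorded that vlan_id still has to be obtained from the R0KH over RRB, and nothing in the visible lines does that before ap_sta_bind_vlan(hapd, sta) is called, so the call binds whatever VLAN the station entry already holds. Keep the TODO next to the new call until the VLAN is actually supplied, or say in the commit message where vlan_id is set for FT stations. The commit message only talks about accounting and does not mention this VLAN change at all.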

This looks like an independent change and should be in a separate commit. In any
case, I could not apply that part before the open items in RRB message
extensions have been resolved.

> @@ -1161,6 +1162,7 @@ void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta)
>  			eap_sm_notify_cached(sta->eapol_sm->eap);
>  		pmksa_cache_to_eapol_data(hapd, pmksa, sta->eapol_sm);
>  		ap_sta_bind_vlan(hapd, sta);
> +		ieee802_1x_set_sta_authorized(hapd, sta, 1);
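
Review bot: The added ieee802_1x_set_sta_authorized(hapd, sta, 1) at the end of the PMKSA cache branch marks the station authorized, which is a wider effect than the commit message describes (it only says accounting was not started). If authorizing the station at this point in ieee802_1x_new_station() is intended, add a comment explaining why it is safe to do so here; otherwise limit the change to starting accounting. The commit message should also say which of the two cases in the subject (FT, pre-authentication) this call site covers.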

This does not look correct. ieee802_1x_new_station() is called before
the 4-way handshake has completed. The port should not be marked
authorized before that. And in any case, the accounting session is already
starting at that point without this patch, so I'm not sure why this
change would be needed here.

The FT case may be more applicable since the FT protocol does not include
a 4-way handshake. That said, maybe it would be better to replace the
ap_sta_set_authorized() call in handle_assoc_cb() with
ieee802_1x_set_sta_authorized() for this case to have a single place to
take all the needed steps.

-- 
Jouni Malinen                                            PGP id EFC895FA


