Message ID | CAGnO3drEM10Z=nF-J_TFT387-SazBjrYgj3fvhEDURvxfUiDYg@mail.gmail.com
---|---
State | Accepted
On Sat, Feb 13, 2016 at 12:26:30PM +0000, Nick Lowe wrote:
> Define and make use of the Service-Type RADIUS attribute with a value of Framed.
Is this the correct value to use for the RSN pre-authentication case? What will the authentication server do with this?
Hi Jouni,

The Service-Type attribute allows differentiation when handling auth to occur at a RADIUS server.

In most Enterprise-class APs, for 802.1X, a service type of Framed is typically used. For MAC address authentication on those NASes, a service type of Call-Check is typically used.

Yes, it is the correct value to use in the RSN pre-authentication case as subsequent service to a client is Framed. We observe other commercial APs using this Service-Type in this case. I did consider this.

Regards,

Nick
On Feb 18, 2016, at 2:11 PM, Nick Lowe <nick.lowe@lugatech.com> wrote:
>
> Hi Jouni,
>
> The Service-Type attribute allows differentiation when handling auth
> to occur at a RADIUS server.
>
> In most Enterprise-class APs, for 802.1X, a service type of Framed is
> typically used.

Ugh. Framed is supposed to be for PPP. See RFC 2865 Section 5.6.

> Yes, it is the correct value to use in the RSN pre-authentication case
> as subsequent service to a client is Framed. We observe other
> commercial APs using this Service-Type in this case. I did consider
> this.

The values for Service-Type are assigned by expert review IIRC. That means vendors could have asked for a sane value, and gotten it.

Instead, they just picked something random...

Alan DeKok.
It's already established precedent in the majority of Enterprise class APs.

Also, see RFC 3580:

3.5. Service-Type

For use with IEEE 802.1X, the Framed (2), Authenticate Only (8), and Call Check (10) values are most commonly used.

Nick
Sorry, in full:

3.5. Service-Type

For use with IEEE 802.1X, the Framed (2), Authenticate Only (8), and Call Check (10) values are most commonly used. A Service-Type of Framed indicates that appropriate 802 framing should be used for the connection. A Service-Type of Authenticate Only (8) indicates that no authorization information needs to be returned in the Access-Accept. As described in [RFC2865], a Service-Type of Call Check is included in an Access-Request packet to request that the RADIUS server accept or reject the connection attempt, typically based on the Called-Station-ID (set to the bridge or Access Point MAC address) or Calling-Station-ID attributes (set to the Supplicant MAC address). As noted in [RFC2865], it is recommended that in this case, the User-Name attribute be given the value of Calling-Station-Id.
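To make the RFC 3580 distinction quoted above concrete, here is an added example (my own, not hostapd code and not from this thread) of how a RADIUS server side can encode Access-Request attributes and triage them by Service-Type: Framed for 802.1X, Call-Check for MAC address authentication with the User-Name equals Calling-Station-Id check RFC 3580 recommends, and a length-checked TLV walk so a malformed attribute list is rejected rather than over-read. The enum names, the helper functions and the sample MAC address are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* Numbers from RFC 2865 / RFC 3580; the names are this example's own, not hostapd's radius.h. */
enum { ATTR_USER_NAME = 1, ATTR_SERVICE_TYPE = 6, ATTR_CALLING_STATION_ID = 31 };
enum { SERVICE_TYPE_FRAMED = 2, SERVICE_TYPE_CALL_CHECK = 10 };
/* Append an integer attribute: Type(1), Length(1) = 6, Value(4) in network byte order. */
static size_t add_int_attr(uint8_t *b, size_t n, uint8_t type, uint32_t v) {
    b[n] = type; b[n + 1] = 6;
    b[n + 2] = v >> 24; b[n + 3] = v >> 16; b[n + 4] = v >> 8; b[n + 5] = v;
    return n + 6;
}
/* Append a string attribute; RADIUS strings carry no NUL terminator. */
static size_t add_str_attr(uint8_t *b, size_t n, uint8_t type, const char *s) {
    size_t l = strlen(s);
    b[n] = type; b[n + 1] = (uint8_t)(2 + l);
    memcpy(b + n + 2, s, l);
    return n + 2 + l;
}
/* Walk the TLV list, refusing a Length under 2 or one that runs past the buffer. */
static const uint8_t *find_attr(const uint8_t *a, size_t n, uint8_t type, size_t *vlen) {
    for (size_t p = 0; p + 2 <= n; p += a[p + 1]) {
        if (a[p + 1] < 2 || p + a[p + 1] > n) return NULL;
        if (a[p] == type) { *vlen = a[p + 1] - 2; return a + p + 2; }
    }
    return NULL;
}
/* Server-side triage per RFC 3580 3.5: 1 = 802.1X (Framed), 2 = MAC address authentication
 * (Call-Check with User-Name equal to Calling-Station-Id), 0 = neither / malformed. */
int classify_request(const uint8_t *a, size_t n) {
    size_t sl, ul, cl;
    const uint8_t *st = find_attr(a, n, ATTR_SERVICE_TYPE, &sl);
    if (!st || sl != 4) return 0;
    uint32_t v = ((uint32_t)st[0] << 24) | (st[1] << 16) | (st[2] << 8) | st[3];
    if (v == SERVICE_TYPE_FRAMED) return 1;
    if (v != SERVICE_TYPE_CALL_CHECK) return 0;
    const uint8_t *un = find_attr(a, n, ATTR_USER_NAME, &ul);
    const uint8_t *cs = find_attr(a, n, ATTR_CALLING_STATION_ID, &cl);
    return (un && cs && ul == cl && memcmp(un, cs, ul) == 0) ? 2 : 0;
}

/* Constructed samples (MAC address made up): mode 0 = 802.1X with Framed; 1 = MAC auth with
 * Call-Check and matching User-Name; 2 = Call-Check whose User-Name does not match. */
int sample_request(int mode) {
    uint8_t b[64]; size_t n = 0;
    n = add_int_attr(b, n, ATTR_SERVICE_TYPE, mode ? SERVICE_TYPE_CALL_CHECK : SERVICE_TYPE_FRAMED);
    n = add_str_attr(b, n, ATTR_CALLING_STATION_ID, "00-11-22-33-44-55");
    n = add_str_attr(b, n, ATTR_USER_NAME, mode == 2 ? "alice" : "00-11-22-33-44-55");
    return classify_request(b, n);
}
```

A request carrying Authenticate Only (8) falls through to 0 here; a real server would treat it as a third policy branch rather than rejecting it.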
On Thu, Feb 18, 2016 at 07:11:27PM +0000, Nick Lowe wrote:
> The Service-Type attribute allows differentiation when handling auth
> to occur at a RADIUS server.
>
> In most Enterprise-class APs, for 802.1X, a service type of Framed is
> typically used.
>
> For MAC address authentication on those NASes, a service type of
> Call-Check is typically used.
>
> Yes, it is the correct value to use in the RSN pre-authentication case
> as subsequent service to a client is Framed. We observe other
> commercial APs using this Service-Type in this case. I did consider
> this.

Thanks, applied.
From db38d26fb771a2d68a2992ad9ee2e9fd3ed32b5f Mon Sep 17 00:00:00 2001 From: Nick Lowe <nick.lowe@lugatech.com> Date: Sat, 13 Feb 2016 12:20:12 +0000 Subject: [PATCH] Define and make use of the Service-Type RADIUS attribute with a value of Framed. Signed-off-by: Nick Lowe <nick.lowe@lugatech.com> --- src/ap/ieee802_1x.c | 7 +++++++ src/radius/radius.h | 4 ++++ wpa_supplicant/eapol_test.c | 7 +++++++ 3 files changed, 18 insertions(+) diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index d399b1e..7e99684 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -405,6 +405,13 @@ static int add_common_radius_sta_attr(struct hostapd_data *hapd, char buf[128]; if (!hostapd_config_get_radius_attr(req_attr, + RADIUS_ATTR_SERVICE_TYPE) && + !radius_msg_add_attr_int32(msg, RADIUS_ATTR_SERVICE_TYPE, RADIUS_SERVICE_TYPE_FRAMED)) { + wpa_printf(MSG_ERROR, "Could not add Service-Type"); + return -1; + } + + if (!hostapd_config_get_radius_attr(req_attr, RADIUS_ATTR_NAS_PORT) && !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { wpa_printf(MSG_ERROR, "Could not add NAS-Port"); diff --git a/src/radius/radius.h b/src/radius/radius.h index 313fc65..e641cfc 100644 --- a/src/radius/radius.h +++ b/src/radius/radius.h @@ -52,6 +52,7 @@ enum { RADIUS_ATTR_USER_NAME = 1, RADIUS_ATTR_USER_PASSWORD = 2, RADIUS_ATTR_NAS_IP_ADDRESS = 4, RADIUS_ATTR_NAS_PORT = 5, + RADIUS_ATTR_SERVICE_TYPE = 6, RADIUS_ATTR_FRAMED_IP_ADDRESS = 8, RADIUS_ATTR_FRAMED_MTU = 12, RADIUS_ATTR_REPLY_MESSAGE = 18, @@ -109,6 +110,9 @@ enum { RADIUS_ATTR_USER_NAME = 1, }; +/* Service-Type */ +#define RADIUS_SERVICE_TYPE_FRAMED 2 + /* Termination-Action */ #define RADIUS_TERMINATION_ACTION_DEFAULT 0 #define RADIUS_TERMINATION_ACTION_RADIUS_REQUEST 1 diff --git a/wpa_supplicant/eapol_test.c b/wpa_supplicant/eapol_test.c index 1aede79..6548bd1 100644 --- a/wpa_supplicant/eapol_test.c +++ b/wpa_supplicant/eapol_test.c 
@@ -258,6 +258,13 @@ static void ieee802_1x_encapsulate_radius(struct eapol_test_data *e, goto fail; } + if (!find_extra_attr(e->extra_attrs, RADIUS_ATTR_SERVICE_TYPE) && + !radius_msg_add_attr_int32(msg, RADIUS_ATTR_SERVICE_TYPE, + RADIUS_SERVICE_TYPE_FRAMED)) { + printf("Could not add Service-Type\n"); + goto fail; + } + os_snprintf(buf, sizeof(buf), "%s", e->connect_info); if (!find_extra_attr(e->extra_attrs, RADIUS_ATTR_CONNECT_INFO) && !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, -- 2.5.0
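Review bot: in the src/ap/ieee802_1x.c hunk, Service-Type = Framed is now added to every Access-Request built by add_common_radius_sta_attr unless the configured request attributes (req_attr) already carry one, yet the reason for picking Framed lives only in this thread. A one-line comment above the new block citing RFC 3580 section 3.5 (Framed being the value most commonly used with IEEE 802.1X) would spare the next reader the detour through RFC 2865 section 5.6, where Framed is described for PPP, and the override via req_attr deserves a sentence in the option documentation so deployments that need a different Service-Type know they can supply their own.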
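Review bot: the second src/radius/radius.h hunk adds `#define RADIUS_SERVICE_TYPE_FRAMED 2` as the only Service-Type value, while the thread itself cites Authenticate Only (8) and Call Check (10) from RFC 3580 as the other values commonly used with 802.1X. Defining those two alongside Framed, with a comment naming the RFC, would let a later MAC-address-authentication path choose Call-Check without re-deriving the numbers and would match the neighbouring Termination-Action block, which defines both of its values.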
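Review bot: the wpa_supplicant/eapol_test.c hunk carries its own copy of the hostapd default (Service-Type = Framed unless an extra attribute overrides it) together with its own error path. Since eapol_test exists to reproduce what hostapd sends, the two copies have to stay in step; a cross-referencing comment, or a shared helper in src/radius that both callers use, would keep the defaults from drifting apart in a later change. The `find_extra_attr` guard does mirror the Connect-Info handling immediately below, which is the right precedent to follow.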