
[STDS-802-11-TGBH] access control implementation in wpa_supplicant



Hi Jarkko, Jouni,

 

If I remember correctly, you said you are not clear on how the access control use case works based on the STA’s MAC address. There is an open source code website: https://w1.fi/wpa_supplicant/, and Jouni is the main contributor and the author of this website.

The following highlighted source code describes very clearly how the AP decides whether to allow STA access or not based on the specified STA’s MAC address.

If the STA uses an RMA in each authentication, the following code will be broken as well. If so, it will be tricky, as wpa_supplicant is already widely used in the Wi-Fi industry.

Maybe I’m totally wrong; I hope the author, Jouni, can help clarify.

 

 

static void handle_auth(struct hostapd_data *hapd,
			const struct ieee80211_mgmt *mgmt, size_t len,
			int rssi, int from_queue)
{
	res = ieee802_11_allowed_address(hapd, mgmt->sa, (const u8 *) mgmt, len,
					 &rad_info);
	if (res == HOSTAPD_ACL_REJECT) {
		wpa_msg(hapd->msg_ctx, MSG_DEBUG,
			"Ignore Authentication frame from " MACSTR
			" due to ACL reject", MAC2STR(mgmt->sa));
		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
		goto fail;
	}
}

/**
 * hostapd_allowed_address - Check whether a specified STA can be authenticated
 * @hapd: hostapd BSS data
 * @addr: MAC address of the STA
 * @msg: Authentication message
 * @len: Length of msg in octets
 * @out.session_timeout: Buffer for returning session timeout (from RADIUS)
 * @out.acct_interim_interval: Buffer for returning account interval (from
 *	RADIUS)
 * @out.vlan_id: Buffer for returning VLAN ID
 * @out.psk: Linked list buffer for returning WPA PSK
 * @out.identity: Buffer for returning identity (from RADIUS)
 * @out.radius_cui: Buffer for returning CUI (from RADIUS)
 * @is_probe_req: Whether this query for a Probe Request frame
 * Returns: HOSTAPD_ACL_ACCEPT, HOSTAPD_ACL_REJECT, or HOSTAPD_ACL_PENDING
 *
 * The caller is responsible for properly cloning the returned out->identity and
 * out->radius_cui and out->psk values.
 */
int hostapd_allowed_address(struct hostapd_data *hapd, const u8 *addr,
			    const u8 *msg, size_t len, struct radius_sta *out,
			    int is_probe_req)
{

}

 

Thanks

Best Regards

Jay Yang
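
Added example (not part of the original message and not hostapd code): a minimal model of an allow-list decision keyed only on the frame's source address, showing that a STA enrolled under its global MAC address is rejected once it presents a randomized address, and how the locally administered bit lets the AP distinguish that case when logging rejects. The names parse_mac and acl_check, the ACL_* codes and every MAC address here are constructed for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETH_ALEN 6
/* Hypothetical result codes; ACL_REJECT_RANDOMIZED is not a hostapd value. */
enum acl_result { ACL_ACCEPT, ACL_REJECT, ACL_REJECT_RANDOMIZED, ACL_BAD_INPUT };

/* Constructed allow list: the address the STA was enrolled with. */
static const uint8_t allow_list[][ETH_ALEN] = { { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 } };

/* Parse strict "aa:bb:cc:dd:ee:ff"; returns 0 on success, -1 otherwise. */
static int parse_mac(const char *txt, uint8_t mac[ETH_ALEN])
{
	int i;
	if (strlen(txt) != 17)
		return -1;
	for (i = 0; i < ETH_ALEN; i++) {
		const char *p = txt + 3 * i;
		if (!isxdigit((unsigned char) p[0]) || !isxdigit((unsigned char) p[1]) ||
		    (i < ETH_ALEN - 1 && p[2] != ':'))
			return -1;
		mac[i] = (uint8_t) strtoul(p, NULL, 16);
	}
	return 0;
}

/* Allow-list decision keyed only on the source address (SA) of the frame. */
static enum acl_result acl_check(const char *sa_txt)
{
	uint8_t sa[ETH_ALEN];
	size_t i;
	if (parse_mac(sa_txt, sa) < 0)
		return ACL_BAD_INPUT;
	for (i = 0; i < sizeof(allow_list) / sizeof(allow_list[0]); i++)
		if (memcmp(allow_list[i], sa, ETH_ALEN) == 0)
			return ACL_ACCEPT;
	/* Bit 0x02 of octet 0 = locally administered, as set on randomized MACs. */
	return (sa[0] & 0x02) ? ACL_REJECT_RANDOMIZED : ACL_REJECT;
}

int main(void)
{
	/* Same device twice: first with its enrolled MAC, then a constructed RMA. */
	printf("enrolled=%d randomized=%d unknown=%d\n", acl_check("00:11:22:33:44:55"),
	       acl_check("da:a1:19:4c:7e:03"), acl_check("00:aa:bb:cc:dd:ee"));
	return 0;
}
```

Logging the randomized-address reject separately lets an operator tell a known device that rotated its address apart from an unknown globally addressed device.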

 

