Lines Matching refs:radius
2 * RADIUS client
12 #include "radius.h"
16 /* Defaults for RADIUS retransmit values (exponential backoff) */
19 * RADIUS_CLIENT_FIRST_WAIT - RADIUS client timeout for first retry in seconds
24 * RADIUS_CLIENT_MAX_WAIT - RADIUS client maximum retry timeout in seconds
29 * RADIUS_CLIENT_MAX_RETRIES - RADIUS client maximum retries
37 * RADIUS_CLIENT_MAX_ENTRIES - RADIUS client maximum pending messages
45 * RADIUS_CLIENT_NUM_FAILOVER - RADIUS client failover point
47 * The number of failed retry attempts after which the RADIUS server will be
54 * struct radius_rx_handler - RADIUS client RX handler
56 * This data structure is used internally inside the RADIUS client module to
58 * radius_client_register() and unregistered when the RADIUS client is
63 * handler - Received RADIUS message handler
79 * struct radius_msg_list - RADIUS client message retransmit list
81 * This data structure is used internally inside the RADIUS client module to
82 * store pending RADIUS requests that may still need to be retransmitted.
88 * This is used to find RADIUS messages for the same STA.
93 * msg - RADIUS message
128 * shared_secret - Shared secret with the target RADIUS server
147 * struct radius_client_data - Internal RADIUS client data
149 * This data structure is used internally inside the RADIUS client module.
152 * calls to other functions as an identifier for the RADIUS client instance.
161 * conf - RADIUS client configuration (list of RADIUS servers to use)
166 * auth_serv_sock - IPv4 socket for RADIUS authentication messages
171 * acct_serv_sock - IPv4 socket for RADIUS accounting messages
176 * auth_serv_sock6 - IPv6 socket for RADIUS authentication messages
181 * acct_serv_sock6 - IPv6 socket for RADIUS accounting messages
186 * auth_sock - Currently used socket for RADIUS authentication server
191 * acct_sock - Currently used socket for RADIUS accounting server
216 * msgs - Pending outgoing RADIUS messages
226 * next_radius_identifier - Next RADIUS message identifier to use
243 radius_change_server(struct radius_client_data *radius,
247 static int radius_client_init_acct(struct radius_client_data *radius);
248 static int radius_client_init_auth(struct radius_client_data *radius);
249 static void radius_client_auth_failover(struct radius_client_data *radius);
250 static void radius_client_acct_failover(struct radius_client_data *radius);
261 * radius_client_register - Register a RADIUS client RX handler
262 * @radius: RADIUS client context from radius_client_init()
263 * @msg_type: RADIUS client type (RADIUS_AUTH or RADIUS_ACCT)
264 * @handler: Handler for received RADIUS messages
268 * This function is used to register a handler for processing received RADIUS
270 * be called whenever a RADIUS message is received from the active server.
272 * There can be multiple registered RADIUS message handlers. The handlers will
276 int radius_client_register(struct radius_client_data *radius,
289 handlers = &radius->acct_handlers;
290 num = &radius->num_acct_handlers;
292 handlers = &radius->auth_handlers;
293 num = &radius->num_auth_handlers;
312 * @radius: RADIUS client context from radius_client_init()
320 void radius_client_set_interim_error_cb(struct radius_client_data *radius,
324 radius->interim_error_cb = cb;
325 radius->interim_error_cb_ctx = ctx;
333 static int radius_client_handle_send_error(struct radius_client_data *radius,
338 wpa_printf(MSG_INFO, "send[RADIUS,s=%d]: %s", s, strerror(errno));
341 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
347 radius_client_init_acct(radius);
350 radius_client_init_auth(radius);
360 static int radius_client_retransmit(struct radius_client_data *radius,
364 struct hostapd_radius_servers *conf = radius->conf;
373 if (radius->acct_sock < 0)
374 radius_client_init_acct(radius);
375 if (radius->acct_sock < 0 && conf->num_acct_servers > 1) {
376 prev_num_msgs = radius->num_msgs;
377 radius_client_acct_failover(radius);
378 if (prev_num_msgs != radius->num_msgs)
381 s = radius->acct_sock;
389 if (radius->auth_sock < 0)
390 radius_client_init_auth(radius);
391 if (radius->auth_sock < 0 && conf->num_auth_servers > 1) {
392 prev_num_msgs = radius->num_msgs;
393 radius_client_auth_failover(radius);
394 if (prev_num_msgs != radius->num_msgs)
397 s = radius->auth_sock;
408 "RADIUS: Failed to transmit interim accounting update to "
411 if (radius->interim_error_cb)
412 radius->interim_error_cb(entry->addr,
413 radius->interim_error_cb_ctx);
419 "RADIUS: No valid socket for retransmission");
436 hdr->identifier = radius_client_get_id(radius);
443 "RADIUS: Updated Acct-Delay-Time to %u for retransmission",
447 if (radius->conf->msg_dumps)
453 hostapd_logger(radius->ctx, entry->addr, HOSTAPD_MODULE_RADIUS,
454 HOSTAPD_LEVEL_DEBUG, "Resending RADIUS message (id=%d)",
460 if (radius_client_handle_send_error(radius, s, entry->msg_type)
470 wpa_printf(MSG_INFO, "RADIUS: Removing un-ACKed message due to too many failed retransmit attempts");
480 struct radius_client_data *radius = eloop_ctx;
488 entry = radius->msgs;
497 prev_num_msgs = radius->num_msgs;
499 radius_client_retransmit(radius, entry, now.sec)) {
503 radius->msgs = entry->next;
508 radius->num_msgs--;
512 if (prev_num_msgs != radius->num_msgs) {
514 "RADIUS: Message removed from queue - restart from beginning");
515 entry = radius->msgs;
520 s = entry->msg_type == RADIUS_AUTH ? radius->auth_sock :
521 radius->acct_sock;
538 if (radius->msgs) {
542 radius_client_timer, radius, NULL);
543 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
544 HOSTAPD_LEVEL_DEBUG, "Next RADIUS client "
550 radius_client_auth_failover(radius);
553 radius_client_acct_failover(radius);
557 static void radius_client_auth_failover(struct radius_client_data *radius)
559 struct hostapd_radius_servers *conf = radius->conf;
565 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
571 for (entry = radius->msgs; entry; entry = entry->next) {
580 radius_change_server(radius, next, old,
581 radius->auth_serv_sock,
582 radius->auth_serv_sock6, 1);
586 static void radius_client_acct_failover(struct radius_client_data *radius)
588 struct hostapd_radius_servers *conf = radius->conf;
594 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
600 for (entry = radius->msgs; entry; entry = entry->next) {
610 radius_change_server(radius, next, old,
611 radius->acct_serv_sock,
612 radius->acct_serv_sock6, 0);
616 static void radius_client_update_timeout(struct radius_client_data *radius)
622 eloop_cancel_timeout(radius_client_timer, radius, NULL);
624 if (radius->msgs == NULL) {
629 for (entry = radius->msgs; entry; entry = entry->next) {
637 eloop_register_timeout(first - now.sec, 0, radius_client_timer, radius,
639 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
640 HOSTAPD_LEVEL_DEBUG, "Next RADIUS client retransmit in"
645 static void radius_client_list_add(struct radius_client_data *radius,
662 wpa_printf(MSG_INFO, "RADIUS: Failed to add packet into retransmit list");
678 entry->next = radius->msgs;
679 radius->msgs = entry;
680 radius_client_update_timeout(radius);
682 if (radius->num_msgs >= RADIUS_CLIENT_MAX_ENTRIES) {
683 wpa_printf(MSG_INFO, "RADIUS: Removing the oldest un-ACKed packet due to retransmit list limits");
694 radius->num_msgs++;
699 * radius_client_send - Send a RADIUS request
700 * @radius: RADIUS client context from radius_client_init()
701 * @msg: RADIUS message to be sent
706 * This function is used to transmit a RADIUS authentication (RADIUS_AUTH) or
723 int radius_client_send(struct radius_client_data *radius,
727 struct hostapd_radius_servers *conf = radius->conf;
735 if (conf->acct_server && radius->acct_sock < 0)
736 radius_client_init_acct(radius);
738 if (conf->acct_server == NULL || radius->acct_sock < 0 ||
740 hostapd_logger(radius->ctx, NULL,
750 s = radius->acct_sock;
753 if (conf->auth_server && radius->auth_sock < 0)
754 radius_client_init_auth(radius);
756 if (conf->auth_server == NULL || radius->auth_sock < 0 ||
758 hostapd_logger(radius->ctx, NULL,
768 s = radius->auth_sock;
772 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
773 HOSTAPD_LEVEL_DEBUG, "Sending RADIUS message to %s "
781 radius_client_handle_send_error(radius, s, msg_type);
783 radius_client_list_add(radius, msg, msg_type, shared_secret,
792 struct radius_client_data *radius = eloop_ctx;
793 struct hostapd_radius_servers *conf = radius->conf;
807 handlers = radius->acct_handlers;
808 num_handlers = radius->num_acct_handlers;
811 handlers = radius->auth_handlers;
812 num_handlers = radius->num_auth_handlers;
818 wpa_printf(MSG_INFO, "recv[RADIUS]: %s", strerror(errno));
821 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
822 HOSTAPD_LEVEL_DEBUG, "Received %d bytes from RADIUS "
825 wpa_printf(MSG_INFO, "RADIUS: Possibly too long UDP frame for our buffer - dropping it");
831 wpa_printf(MSG_INFO, "RADIUS: Parsing incoming frame failed");
837 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
838 HOSTAPD_LEVEL_DEBUG, "Received RADIUS message");
858 req = radius->msgs;
861 * alternative RADIUS servers (?) */
874 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
876 "No matching RADIUS request found (type=%d "
885 hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS,
887 "Received RADIUS packet matched with a pending "
892 /* Remove ACKed RADIUS packet from retransmit list */
896 radius->msgs = req->next;
897 radius->num_msgs--;
924 hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS,
925 HOSTAPD_LEVEL_DEBUG, "No RADIUS RX handler found "
938 * radius_client_get_id - Get an identifier for a new RADIUS message
939 * @radius: RADIUS client context from radius_client_init()
943 * for a new RADIUS message.
945 u8 radius_client_get_id(struct radius_client_data *radius)
948 u8 id = radius->next_radius_identifier++;
951 * using new reply from the RADIUS server with an old request */
952 entry = radius->msgs;
956 hostapd_logger(radius->ctx, entry->addr,
959 "Removing pending RADIUS message, "
964 radius->msgs = entry->next;
981 * radius_client_flush - Flush all pending RADIUS client messages
982 * @radius: RADIUS client context from radius_client_init()
985 void radius_client_flush(struct radius_client_data *radius, int only_auth)
989 if (!radius)
993 entry = radius->msgs;
1000 radius->msgs = entry->next;
1005 radius->num_msgs--;
1012 if (radius->msgs == NULL)
1013 eloop_cancel_timeout(radius_client_timer, radius, NULL);
1017 static void radius_client_update_acct_msgs(struct radius_client_data *radius,
1023 if (!radius)
1026 for (entry = radius->msgs; entry; entry = entry->next) {
1038 radius_change_server(struct radius_client_data *radius,
1052 struct hostapd_radius_servers *conf = radius->conf;
1057 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
1067 radius_client_flush(radius, 1);
1074 /* Pending RADIUS packets used different shared secret, so
1077 * since they would require more changes and the new RADIUS
1082 radius_client_flush(radius, 1);
1085 radius, nserv->shared_secret,
1091 for (entry = radius->msgs; oserv && oserv != nserv && entry;
1101 if (radius->msgs) {
1102 eloop_cancel_timeout(radius_client_timer, radius, NULL);
1104 radius_client_timer, radius, NULL);
1135 "RADIUS: No server socket available (af=%d sock=%d sock6=%d auth=%d",
1166 wpa_printf(MSG_INFO, "bind[radius]: %s",
1175 wpa_printf(MSG_INFO, "disconnect[radius]: %s", strerror(errno));
1178 wpa_printf(MSG_INFO, "connect[radius]: %s", strerror(errno));
1188 wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u",
1198 wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u",
1210 radius->auth_sock = sel_sock;
1212 radius->acct_sock = sel_sock;
1220 struct radius_client_data *radius = eloop_ctx;
1221 struct hostapd_radius_servers *conf = radius->conf;
1224 if (radius->auth_sock >= 0 && conf->auth_servers &&
1228 if (radius_change_server(radius, conf->auth_server, oserv,
1229 radius->auth_serv_sock,
1230 radius->auth_serv_sock6, 1) < 0) {
1232 radius_change_server(radius, oserv, conf->auth_server,
1233 radius->auth_serv_sock,
1234 radius->auth_serv_sock6, 1);
1238 if (radius->acct_sock >= 0 && conf->acct_servers &&
1242 if (radius_change_server(radius, conf->acct_server, oserv,
1243 radius->acct_serv_sock,
1244 radius->acct_serv_sock6, 0) < 0) {
1246 radius_change_server(radius, oserv, conf->acct_server,
1247 radius->acct_serv_sock,
1248 radius->acct_serv_sock6, 0);
1254 radius_retry_primary_timer, radius,
1268 wpa_printf(MSG_ERROR, "RADIUS: Failed to set IP_MTU_DISCOVER: %s",
1275 static void radius_close_auth_sockets(struct radius_client_data *radius)
1277 radius->auth_sock = -1;
1279 if (radius->auth_serv_sock >= 0) {
1280 eloop_unregister_read_sock(radius->auth_serv_sock);
1281 close(radius->auth_serv_sock);
1282 radius->auth_serv_sock = -1;
1285 if (radius->auth_serv_sock6 >= 0) {
1286 eloop_unregister_read_sock(radius->auth_serv_sock6);
1287 close(radius->auth_serv_sock6);
1288 radius->auth_serv_sock6 = -1;
1294 static void radius_close_acct_sockets(struct radius_client_data *radius)
1296 radius->acct_sock = -1;
1298 if (radius->acct_serv_sock >= 0) {
1299 eloop_unregister_read_sock(radius->acct_serv_sock);
1300 close(radius->acct_serv_sock);
1301 radius->acct_serv_sock = -1;
1304 if (radius->acct_serv_sock6 >= 0) {
1305 eloop_unregister_read_sock(radius->acct_serv_sock6);
1306 close(radius->acct_serv_sock6);
1307 radius->acct_serv_sock6 = -1;
1313 static int radius_client_init_auth(struct radius_client_data *radius)
1315 struct hostapd_radius_servers *conf = radius->conf;
1318 radius_close_auth_sockets(radius);
1320 radius->auth_serv_sock = socket(PF_INET, SOCK_DGRAM, 0);
1321 if (radius->auth_serv_sock < 0)
1322 wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET,SOCK_DGRAM]: %s",
1325 radius_client_disable_pmtu_discovery(radius->auth_serv_sock);
1330 radius->auth_serv_sock6 = socket(PF_INET6, SOCK_DGRAM, 0);
1331 if (radius->auth_serv_sock6 < 0)
1332 wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET6,SOCK_DGRAM]: %s",
1341 radius_change_server(radius, conf->auth_server, NULL,
1342 radius->auth_serv_sock, radius->auth_serv_sock6,
1345 if (radius->auth_serv_sock >= 0 &&
1346 eloop_register_read_sock(radius->auth_serv_sock,
1347 radius_client_receive, radius,
1349 wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for authentication server");
1350 radius_close_auth_sockets(radius);
1355 if (radius->auth_serv_sock6 >= 0 &&
1356 eloop_register_read_sock(radius->auth_serv_sock6,
1357 radius_client_receive, radius,
1359 wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for authentication server");
1360 radius_close_auth_sockets(radius);
1369 static int radius_client_init_acct(struct radius_client_data *radius)
1371 struct hostapd_radius_servers *conf = radius->conf;
1374 radius_close_acct_sockets(radius);
1376 radius->acct_serv_sock = socket(PF_INET, SOCK_DGRAM, 0);
1377 if (radius->acct_serv_sock < 0)
1378 wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET,SOCK_DGRAM]: %s",
1381 radius_client_disable_pmtu_discovery(radius->acct_serv_sock);
1386 radius->acct_serv_sock6 = socket(PF_INET6, SOCK_DGRAM, 0);
1387 if (radius->acct_serv_sock6 < 0)
1388 wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET6,SOCK_DGRAM]: %s",
1397 radius_change_server(radius, conf->acct_server, NULL,
1398 radius->acct_serv_sock, radius->acct_serv_sock6,
1401 if (radius->acct_serv_sock >= 0 &&
1402 eloop_register_read_sock(radius->acct_serv_sock,
1403 radius_client_receive, radius,
1405 wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for accounting server");
1406 radius_close_acct_sockets(radius);
1411 if (radius->acct_serv_sock6 >= 0 &&
1412 eloop_register_read_sock(radius->acct_serv_sock6,
1413 radius_client_receive, radius,
1415 wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for accounting server");
1416 radius_close_acct_sockets(radius);
1426 * radius_client_init - Initialize RADIUS client
1428 * @conf: RADIUS client configuration (RADIUS servers)
1429 * Returns: Pointer to private RADIUS client context or %NULL on failure
1432 * the lifetime of the RADIUS client, i.e., until radius_client_deinit() is
1438 struct radius_client_data *radius;
1440 radius = os_zalloc(sizeof(struct radius_client_data));
1441 if (radius == NULL)
1444 radius->ctx = ctx;
1445 radius->conf = conf;
1446 radius->auth_serv_sock = radius->acct_serv_sock =
1447 radius->auth_serv_sock6 = radius->acct_serv_sock6 =
1448 radius->auth_sock = radius->acct_sock = -1;
1450 if (conf->auth_server && radius_client_init_auth(radius)) {
1451 radius_client_deinit(radius);
1455 if (conf->acct_server && radius_client_init_acct(radius)) {
1456 radius_client_deinit(radius);
1462 radius_retry_primary_timer, radius,
1465 return radius;
1470 * radius_client_deinit - Deinitialize RADIUS client
1471 * @radius: RADIUS client context from radius_client_init()
1473 void radius_client_deinit(struct radius_client_data *radius)
1475 if (!radius)
1478 radius_close_auth_sockets(radius);
1479 radius_close_acct_sockets(radius);
1481 eloop_cancel_timeout(radius_retry_primary_timer, radius, NULL);
1483 radius_client_flush(radius, 0);
1484 os_free(radius->auth_handlers);
1485 os_free(radius->acct_handlers);
1486 os_free(radius);
1491 * radius_client_flush_auth - Flush pending RADIUS messages for an address
1492 * @radius: RADIUS client context from radius_client_init()
1495 * This function can be used to remove pending RADIUS authentication messages
1500 void radius_client_flush_auth(struct radius_client_data *radius,
1506 entry = radius->msgs;
1510 hostapd_logger(radius->ctx, addr,
1513 "Removing pending RADIUS authentication"
1519 radius->msgs = entry->next;
1524 radius->num_msgs--;
1630 * radius_client_get_mib - Get RADIUS client MIB information
1631 * @radius: RADIUS client context from radius_client_init()
1636 int radius_client_get_mib(struct radius_client_data *radius, char *buf,
1644 if (!radius)
1647 conf = radius->conf;
1655 radius : NULL);
1665 radius : NULL);
1673 void radius_client_reconfig(struct radius_client_data *radius,
1676 if (radius)
1677 radius->conf = conf;
