authorJouni Malinen <j@w1.fi>2008-12-26 18:22:12 (GMT)
committerJouni Malinen <j@w1.fi>2008-12-26 18:22:12 (GMT)
commit65d50f0ac63b6c7831cc0b04bbd476dd48b0991b (patch)
treeab84a109e64d312e5363fb4b8a3c4c8ca1c63a44 /src/eap_server/eap.c
parentd9f56262938e155cd1f13da485e83ef6a23751f5 (diff)
Add RADIUS server support for identity selection hint (RFC 4284)
Previously, only the delivery option 1 from RFC 4284 (EAP-Request/Identity from the AP) was supported. Now option 3 (subsequent EAP-Request/Identity from RADIUS server) can also be used when hostapd is used as a RADIUS server. The eap_user file will need to have a Phase 1 user entry pointing to Identity method in order for this to happen (e.g., "* Identity" at the end of the file). The identity hint is configured in the same way as for AP/Authenticator case (eap_message in hostapd.conf).
Diffstat (limited to 'src/eap_server/eap.c')
-rw-r--r--src/eap_server/eap.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/src/eap_server/eap.c b/src/eap_server/eap.c
index f3f81f3..289337f 100644
--- a/src/eap_server/eap.c
+++ b/src/eap_server/eap.c
@@ -1051,11 +1051,30 @@ static int eap_sm_Policy_getDecision(struct eap_sm *sm)
}
if ((sm->user == NULL || sm->update_user) && sm->identity) {
+ /*
+ * Allow Identity method to be started once to allow identity
+ * selection hint to be sent from the authentication server,
+ * but prevent a loop of Identity requests by only allowing
+ * this to happen once.
+ */
+ int id_req = 0;
+ if (sm->user && sm->currentMethod == EAP_TYPE_IDENTITY &&
+ sm->user->methods[0].vendor == EAP_VENDOR_IETF &&
+ sm->user->methods[0].method == EAP_TYPE_IDENTITY)
+ id_req = 1;
if (eap_user_get(sm, sm->identity, sm->identity_len, 0) != 0) {
wpa_printf(MSG_DEBUG, "EAP: getDecision: user not "
"found from database -> FAILURE");
return DECISION_FAILURE;
}
+ if (id_req && sm->user &&
+ sm->user->methods[0].vendor == EAP_VENDOR_IETF &&
+ sm->user->methods[0].method == EAP_TYPE_IDENTITY) {
+ wpa_printf(MSG_DEBUG, "EAP: getDecision: stop "
+ "identity request loop -> FAILURE");
+ sm->update_user = TRUE;
+ return DECISION_FAILURE;
+ }
sm->update_user = FALSE;
}
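Review bot: The loop guard tests only `sm->user->methods[0]`, both before and after `eap_user_get()`, so it stops a repeated Identity round only when Identity is the first method of the matched eap_user entry; an entry that lists Identity in a later slot is not covered, and whether that can still re-request the identity depends on the method-selection code outside this hunk. Since the peer-supplied identity selects the entry, I would state the assumption next to the check, e.g. `/* Guard assumes Identity is methods[0] of the matched entry; later slots are not checked */`. The same three-line condition appears twice and could move into a small static helper so the pre- and post-lookup tests cannot drift apart, and the `sm->update_user = TRUE` on the failure path deserves a one-line comment saying why the user entry is marked for re-lookup. The body of eap_sm_Policy_getDecision starts and ends outside the hunk.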