1 /* 2 * RADIUS client 3 * Copyright (c) 2002-2024, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #ifndef RADIUS_CLIENT_H 10 #define RADIUS_CLIENT_H 11 12 #include "ip_addr.h" 13 14 struct radius_msg; 15 16 /** 17 * struct hostapd_radius_server - RADIUS server information for RADIUS client 18 * 19 * This structure contains information about a RADIUS server. The values are 20 * mainly for MIB information. The MIB variable prefix (radiusAuth or 21 * radiusAcc) depends on whether this is an authentication or accounting 22 * server. 23 * 24 * radiusAuthClientPendingRequests (or radiusAccClientPendingRequests) is the 25 * number struct radius_client_data::msgs for matching msg_type. 26 */ 27 struct hostapd_radius_server { 28 /** 29 * addr - radiusAuthServerAddress or radiusAccServerAddress 30 */ 31 struct hostapd_ip_addr addr; 32 33 /** 34 * port - radiusAuthClientServerPortNumber or radiusAccClientServerPortNumber 35 */ 36 int port; 37 38 /** 39 * tls - Whether to use RADIUS/TLS instead of RADIUS/UDP 40 */ 41 bool tls; 42 43 /** 44 * shared_secret - Shared secret for authenticating RADIUS messages 45 */ 46 u8 *shared_secret; 47 48 /** 49 * shared_secret_len - Length of shared_secret in octets 50 */ 51 size_t shared_secret_len; 52 53 /** 54 * ca_cert - Path to trusted CA certificate(s) for RADIUS/TLS 55 */ 56 char *ca_cert; 57 58 /** 59 * client_cert - Path to client certificate for RADIUS/TLS 60 */ 61 char *client_cert; 62 63 /** 64 * private_key - Path to clienbt private key for RADIUS/TLS 65 */ 66 char *private_key; 67 68 /** 69 * private_key_passwd - Password for the private key for RADIUS/TLS 70 */ 71 char *private_key_passwd; 72 73 /* Dynamic (not from configuration file) MIB data */ 74 75 /** 76 * index - radiusAuthServerIndex or radiusAccServerIndex 77 */ 78 int index; 79 80 /** 81 * round_trip_time - radiusAuthClientRoundTripTime or radiusAccClientRoundTripTime 82 * Round-trip time in hundredths of a second. 83 */ 84 int round_trip_time; 85 86 /** 87 * requests - radiusAuthClientAccessRequests or radiusAccClientRequests 88 */ 89 u32 requests; 90 91 /** 92 * retransmissions - radiusAuthClientAccessRetransmissions or radiusAccClientRetransmissions 93 */ 94 u32 retransmissions; 95 96 /** 97 * access_accepts - radiusAuthClientAccessAccepts 98 */ 99 u32 access_accepts; 100 101 /** 102 * access_rejects - radiusAuthClientAccessRejects 103 */ 104 u32 access_rejects; 105 106 /** 107 * access_challenges - radiusAuthClientAccessChallenges 108 */ 109 u32 access_challenges; 110 111 /** 112 * responses - radiusAccClientResponses 113 */ 114 u32 responses; 115 116 /** 117 * malformed_responses - radiusAuthClientMalformedAccessResponses or radiusAccClientMalformedResponses 118 */ 119 u32 malformed_responses; 120 121 /** 122 * bad_authenticators - radiusAuthClientBadAuthenticators or radiusAccClientBadAuthenticators 123 */ 124 u32 bad_authenticators; 125 126 /** 127 * timeouts - radiusAuthClientTimeouts or radiusAccClientTimeouts 128 */ 129 u32 timeouts; 130 131 /** 132 * unknown_types - radiusAuthClientUnknownTypes or radiusAccClientUnknownTypes 133 */ 134 u32 unknown_types; 135 136 /** 137 * packets_dropped - radiusAuthClientPacketsDropped or radiusAccClientPacketsDropped 138 */ 139 u32 packets_dropped; 140 }; 141 142 /** 143 * struct hostapd_radius_servers - RADIUS servers for RADIUS client 144 */ 145 struct hostapd_radius_servers { 146 /** 147 * auth_servers - RADIUS Authentication servers in priority order 148 */ 149 struct hostapd_radius_server *auth_servers; 150 151 /** 152 * num_auth_servers - Number of auth_servers entries 153 */ 154 int num_auth_servers; 155 156 /** 157 * auth_server - The current Authentication server 158 */ 159 struct hostapd_radius_server *auth_server; 160 161 /** 162 * acct_servers - RADIUS Accounting servers in priority order 163 */ 164 struct hostapd_radius_server *acct_servers; 165 166 /** 167 * num_acct_servers - Number of acct_servers entries 168 */ 169 int num_acct_servers; 170 171 /** 172 * acct_server - The current Accounting server 173 */ 174 struct hostapd_radius_server *acct_server; 175 176 /** 177 * retry_primary_interval - Retry interval for trying primary server 178 * 179 * This specifies a retry interval in sexconds for trying to return to 180 * the primary RADIUS server. RADIUS client code will automatically try 181 * to use the next server when the current server is not replying to 182 * requests. If this interval is set (non-zero), the primary server 183 * will be retried after the specified number of seconds has passed 184 * even if the current used secondary server is still working. 185 */ 186 int retry_primary_interval; 187 188 /** 189 * msg_dumps - Whether RADIUS message details are shown in stdout 190 */ 191 int msg_dumps; 192 193 /** 194 * client_addr - Client (local) address to use if force_client_addr 195 */ 196 struct hostapd_ip_addr client_addr; 197 198 /** 199 * force_client_addr - Whether to force client (local) address 200 */ 201 int force_client_addr; 202 203 /** 204 * force_client_dev - Bind the socket to a specified interface, if set 205 */ 206 char *force_client_dev; 207 }; 208 209 210 /** 211 * RadiusType - RADIUS server type for RADIUS client 212 */ 213 typedef enum { 214 /** 215 * RADIUS authentication 216 */ 217 RADIUS_AUTH, 218 219 /** 220 * RADIUS_ACCT - RADIUS accounting 221 */ 222 RADIUS_ACCT, 223 224 /** 225 * RADIUS_ACCT_INTERIM - RADIUS interim accounting message 226 * 227 * Used only with radius_client_send(). This behaves just like 228 * RADIUS_ACCT, but removes any pending interim RADIUS Accounting 229 * messages for the same STA before sending the new interim update. 230 */ 231 RADIUS_ACCT_INTERIM 232 } RadiusType; 233 234 /** 235 * RadiusRxResult - RADIUS client RX handler result 236 */ 237 typedef enum { 238 /** 239 * RADIUS_RX_PROCESSED - Message processed 240 * 241 * This stops handler calls and frees the message. 242 */ 243 RADIUS_RX_PROCESSED, 244 245 /** 246 * RADIUS_RX_QUEUED - Message has been queued 247 * 248 * This stops handler calls, but does not free the message; the handler 249 * that returned this is responsible for eventually freeing the 250 * message. 251 */ 252 RADIUS_RX_QUEUED, 253 254 /** 255 * RADIUS_RX_UNKNOWN - Message is not for this handler 256 */ 257 RADIUS_RX_UNKNOWN, 258 259 /** 260 * RADIUS_RX_INVALID_AUTHENTICATOR - Message has invalid Authenticator 261 */ 262 RADIUS_RX_INVALID_AUTHENTICATOR 263 } RadiusRxResult; 264 265 struct radius_client_data; 266 267 int radius_client_register(struct radius_client_data *radius, 268 RadiusType msg_type, 269 RadiusRxResult (*handler) 270 (struct radius_msg *msg, struct radius_msg *req, 271 const u8 *shared_secret, size_t shared_secret_len, 272 void *data), 273 void *data); 274 void radius_client_set_interim_error_cb(struct radius_client_data *radius, 275 void (*cb)(const u8 *addr, void *ctx), 276 void *ctx); 277 int radius_client_send(struct radius_client_data *radius, 278 struct radius_msg *msg, 279 RadiusType msg_type, const u8 *addr); 280 u8 radius_client_get_id(struct radius_client_data *radius); 281 void radius_client_flush(struct radius_client_data *radius, int only_auth); 282 struct radius_client_data * 283 radius_client_init(void *ctx, struct hostapd_radius_servers *conf); 284 void radius_client_deinit(struct radius_client_data *radius); 285 void radius_client_flush_auth(struct radius_client_data *radius, 286 const u8 *addr); 287 int radius_client_get_mib(struct radius_client_data *radius, char *buf, 288 size_t buflen); 289 void radius_client_reconfig(struct radius_client_data *radius, 290 struct hostapd_radius_servers *conf); 291 292 #endif /* RADIUS_CLIENT_H */ 293