Problem with reauthentication

Jouni Malinen jkmaline at cc.hut.fi
Fri Apr 4 23:20:09 EST 2003 

On Sat, Mar 22, 2003 at 08:44:49PM -0000, Ken Wolstencroft wrote:

> On the station side I am using windows XP with a Dlink DWL-520+.

> The problem occurs every hour during the "REAUTH_TIMER entering state
> REAUTHENTICATE" process. This process seems to break the network connection
> and then takes a long time to reauthenticate, occasionally reauthentication
> does not occur.

I tried to duplicate the same problem, but wasn't able to. I was using
Lucent WaveLAN card as the client. In addition, I modified 802.1X reauth
timer to be 30 seconds instead of 3600 seconds to save time in testing
this.

> Can anyone give any pointers to what might be causing this problem, or how
> to disable reauthentication.

You can disable IEEE 802.1X reauthentication by changing definition of
REAUTH_TIMER_DEFAULT_reAuthEnabled from TRUE to FALSE in eapol_sm.h.

> IEEE 802.1X: 00:40:05:c7:73:06 REAUTH_TIMER entering state REAUTHENTICATE
> IEEE 802.1X: 00:40:05:c7:73:06 AUTH_PAE entering state CONNECTING
> IEEE 802.1X: Sending EAP Request-Identity to 00:40:05:c7:73:06 (identifier
> 16)

This packet is send unencrypted. It might be possible that your client
is dropping unencrypted frames at this point even though they are EAPOL
frames.

> IEEE 802.1X: 00:40:05:c7:73:06 REAUTH_TIMER entering state INITIALIZE
> DATA (TX callback) ACK

At least the client ACKed that frame; but anyway, it could have dropped
it at higher layer. In my tests with Lucent card as station, I do
receive an EAP Response-Identity from the client for this message and
reauthentication is completed successfully without breaking the
connection.

> IEEE 802.1X: 00:40:05:c7:73:06 AUTH_PAE entering state CONNECTING
> IEEE 802.1X: Sending EAP Request-Identity to 00:40:05:c7:73:06 (identifier
> 16)
> DATA (TX callback) ACK
> IEEE 802.1X: 00:40:05:c7:73:06 AUTH_PAE entering state CONNECTING
> IEEE 802.1X: Sending EAP Request-Identity to 00:40:05:c7:73:06 (identifier
> 16)
> DATA (TX callback) ACK
> IEEE 802.1X: 00:40:05:c7:73:06 AUTH_PAE entering state DISCONNECTED
> IEEE 802.1X: Unauthorizing station 00:40:05:c7:73:06
> IEEE 802.1X: Sending canned EAP packet FAILURE to 00:40:05:c7:73:06
> (identifier 16)

After few more failed retries, state machine unauthorizes this
connection and notifies station about this with an EAP failure. I would
guess that in your case even that frame is dropped at the client.
Current version of the hostapd does not disassociate/deauthenticate
(802.11 mgmt) station at this point, but maybe it could try this. It
should be enough to cause complete reauthentication and at least the
connection could be automatically recovered after short break.

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list