Backend Authentication SM problem?

Jouni Malinen jkmaline at cc.hut.fi
Mon Apr 7 22:54:01 EDT 2003


On Tue, Apr 08, 2003 at 09:34:07AM +0800, Teresa wrote:

> According to the Backend Authentication state machine,
> An "Access-Reject" packet received from Authentication server,
> so the state machine should jump to "FAIL" status....

Yes, that is correct.

> Here is a problem.....once I input the wrong identity (wrong user name or
> password),
> the state machine jumps to "TIMEOUT" instead of "FAIL"...which is odd.
> AP did receive reject packet from RADIUS, how come enter into TIMEOUT
> stage????
> 
> Here is the debug message:
> Incoming RADIUS packet did not have correct Message-Authenticator - dropped

hostapd received the frame, but decided to drop it since there was no
way of verifying the authenticity of the packet. Which RADIUS server are
you using? Can you configure it to send Message-Authenticator attribute
in all packets, even Access-Rejects? I think I have seen Access-Rejects
with Message-Authenticator attribute at least from FreeRADIUS and
Microsoft IAS. If

Another alternative would be to change hostapd to allow Access-Rejects
without authentication. However, this would allow a number of
denial-of-service attacks if the AP(Authenticator) <-> Authentication
Server connection is not protected by an external mechanism, like IPSec.
I would rather not make this default behavior, but I could consider
making it a configurable option that could then be used if IPSec is used
between Authenticator and Authentication Server.

-- 
Jouni Malinen                                            PGP id EFC895FA
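
The check discussed in this message, as an added example that is not part of the original post and is not hostapd's code: verifying the Message-Authenticator attribute (type 80, HMAC-MD5 as defined in RFC 2869) on an Access-Reject, and dropping the reply when the attribute is missing or wrong, which leaves the state machine waiting until it times out. The function names, shared secret and Request Authenticator are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3
MESSAGE_AUTHENTICATOR = 80  # attribute type from RFC 2869

def find_message_authenticator(packet):
    """Return the offset of the 16-byte Message-Authenticator value, or None."""
    pos = 20  # attributes start after the 20-byte RADIUS header
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return None  # malformed attribute: treat the packet as unverifiable
        if attr_type == MESSAGE_AUTHENTICATOR:
            return pos + 2 if attr_len == 18 else None
        pos += attr_len
    return None

def verify_reply(packet, request_authenticator, secret):
    """Decide whether a reply may be handed to the authentication state machine."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "dropped: bad length"
    off = find_message_authenticator(packet)
    if off is None:
        return "dropped: no Message-Authenticator"
    # HMAC-MD5 over the packet with the Request Authenticator in the header
    # and the attribute value replaced by 16 zero octets.
    zeroed = packet[:4] + request_authenticator + packet[20:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[off:off + 16]):
        return "dropped: Message-Authenticator mismatch"
    return "accepted"

def build_reject(identifier, request_authenticator, secret, with_ma):
    """Construct a sample Access-Reject as a server would (test data only)."""
    attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) if with_ma else b""
    header = struct.pack("!BBH", ACCESS_REJECT, identifier, 20 + len(attrs))
    if with_ma:
        mac = hmac.new(secret, header + request_authenticator + attrs, hashlib.md5).digest()
        attrs = attrs[:2] + mac
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs

SECRET = b"constructed-shared-secret"  # constructed sample value
REQ_AUTH = bytes(range(16))            # constructed Request Authenticator
```

A reject built without the attribute, or signed with a different secret, is dropped rather than treated as a failure, so the supplicant sees no FAIL transition from it.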


