WPA-Enterprise and wpa_supplicant/hostapd

Jouni Malinen jkmaline at cc.hut.fi
Mon Sep 19 23:27:03 EDT 2005


On Mon, Sep 19, 2005 at 08:22:20PM +0200, Cristian Ionescu-Idbohrn wrote:

> I noticed a similar problem with the wired driver.  The scenario is like
> this:
> 
> * the wired supplicant connected to a cisco switch
> * wpa_supplicant is started and authenticates

Actually, I would guess that it did not complete authentication.. You
can check this with, e.g., 'wpa_cli sta'.

> * the switch opens the port
> * now I take the supplicant plug out from the switch port
> * wait a second and plug it back in
> * the switch sends an EAP-Request (as it is supposed to)

This part can be replaced with anything that triggers re-authentication
(for people like me who do not happen to have an 802.1X enabled wired
switch at home ;-).

> * the supplicant can't manage to reauthenticate

I saw this in my own test setup with driver_wired and was somewhat
surprised since re-authentication has worked fine before. This ended up
being a configuration error, though, and taken into account that I
needed to look at the source code to figure this out, I would guess that
this is not very well documented and you are likely to have the same reason
for the re-authentication failing..

I would guess that you are leaving eapol_flags at its default value,
which is 3, i.e., require that EAPOL-Key packets are used to send keying
material.. This is not usually used with wired networks and as such,
wpa_supplicant just gets stuck waiting for EAPOL-Key packets. This is
otherwise valid behavior, but I would agree that it is a bug if there is
no timeout on that state..

And to fix this, just set eapol_flags=0 in the network block and
re-authentication should work even with the wired driver.

-- 
Jouni Malinen                                            PGP id EFC895FA
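
Added example, not part of the original message: a small checker that parses a wpa_supplicant configuration and reports IEEE 802.1X network blocks whose effective eapol_flags is non-zero, which is the condition described above for a wired port. The sample configuration, identities and function names are constructed for illustration; the default of 3 is the value stated in the message.

```python
import re

# Constructed sample config for a wired interface (not from the original message).
SAMPLE_CONF = """
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
# block 0: eapol_flags omitted, so the default (3) applies
network={
    key_mgmt=IEEE8021X
    identity="user@example.org"
}
# block 1: the fix from the message
network={
    key_mgmt=IEEE8021X
    identity="user@example.org"
    eapol_flags=0
}
"""

def parse_network_blocks(text):
    """Return one dict of key -> raw value per network={...} block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:
            if re.fullmatch(r"network\s*=\s*\{", line):
                current = {}
        elif line == "}":
            blocks.append(current)
            current = None
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return blocks

def blocks_waiting_for_eapol_key(text):
    """List (block index, flags) for 802.1X blocks with non-zero eapol_flags."""
    hits = []
    for i, block in enumerate(parse_network_blocks(text)):
        if "IEEE8021X" not in block.get("key_mgmt", "").upper().split():
            continue
        flags = int(block.get("eapol_flags", "3"))  # 3 = default per the message
        if flags != 0:
            hits.append((i, flags))
    return hits

if __name__ == "__main__":
    for index, flags in blocks_waiting_for_eapol_key(SAMPLE_CONF):
        print(f"network block {index}: eapol_flags={flags}, expects EAPOL-Key")
```

A non-zero eapol_flags is valid on wireless networks that use dynamic keys, so a hit only indicates a problem for configurations used with the wired driver.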


