WFA SC PlugFest 1 Results

Jouni Malinen jkmaline at cc.hut.fi
Wed May 3 21:54:05 EDT 2006


On Wed, May 03, 2006 at 10:34:27AM -0700, Wang, Zhu L wrote:
> The images can't be sent. Please respond if you need the pictures.

They would probably help in understanding some of the points here, but
since I've actually seen them, I'll answer anyway and include some
comments on what actually would be visible from the screen snapshots.

> 	Some problems were reported when using Intel's SDK. After
> discussion with peers, it seems like a HostApd problem.

Well, looks like I would need to disagree with that statement..

> 	I summarize my questions about EAP-Request/Identity frame in
> Intel SDK:
> 	Q1. The AP always sends EAP-Request/Identity frame twice with
> different values for the Identifier field(attached file Q1.jpg #Q1).

The attached (well, not this time) file shows following messages:

13.096 AP->STA: 802.11 Assoc Rsp
13.096 AP->STA: 802.1x (EAP-Request/Identity, Id 103)
18.096 STA->AP: EAPOL-Start
18.096 AP->STA: 802.1x (EAP-Request/Identity, Id 198)
18.100 STA->AP: EAPOL-Start
18.103 STA->AP: EAP-Response (likely identity)
18.107 STA->AP: EAP-Response (likely identity)

The first EAP-Request/Identity is triggered by association. However, it
looks like the client does not reply to this for some reason. After five
seconds, client is sending out EAPOL-Start and that triggers the
authenticator to send another EAP-Request/Identity. This is normal and
expected behavior from an IEEE 802.1X authenticator.

The identifier field changes because this is not a retransmission of the
same EAP-Request/Identity packet. EAPOL-Start is forcing the
authenticator to restart EAP authentication.

> 	Q2. The Protocol Version value of 802.1x Authentication always
> is '2' in EAP-Request/Identity(attached file Q2_4.jpg #Q2).

hostapd follows IEEE Std 802.1X-2004 standard and it defines EAPOL
version number as 2. The older version of the standard (-2001) used
version 1. All clients implementing only the older version are required
to interpret the message based on version 1, so the version 2 here is
fine as long as the supplicant implementation is compliant to IEEE
802.1X standard. There are known supplicant implementations that do not
process the version field correctly, though, and they may end up
dropping this frame. If a workaround is needed, hostapd can be
configured (starting with v0.5.3) to use EAPOL version 1.

> 	Q3. The Identifier value of Extensible Authentication Protocol
> always is started from a large number. It is okay, and I just think that
> the value usual is started from 1(attached file Q2_4.jpg #Q3).

It is not always started from a _large_ number, it is started from a
_random_ number as recommended by RFC 3748 section 4.1.

> 	Q4. The Type-Data field of  Extensible Authentication Protocol
> always shows "hello". I think it should be
> "WFA-SimpleConfig-Enrollee-1-0" (attached file Q2_4.jpg #Q3).

Answering this question would require having public access to the
protocol specification, so I'm just quessing that the
WFA-SimpleConfig-Enrollee-1-0 string is not actually used in
EAP-Request/Identity, but in EAP-Response/Identity and the contents of
the extra data in EAP-Response/Identity is not really used in the SC
protocol. If it were, I would suggest the protocol to be modified not to
require this string to be included in EAP-Request/Identity since I don't
think the authenticator should be required to know about SC at this
point of the negotiation. Anyway, this string can be set with
eap_message parameter in hostapd configuration file and based on the
capture log, someone seem to have set it to "hello".

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the HostAP mailing list