EAP-TLS works but is reset by Hostap

Atif Ikram Atif.Ikram at jdsu.com
Mon Sep 11 15:58:18 EDT 2006


Hello Jouni,

Thanks for your response and good to hear back from you !

Here is the log. I couldn't get the entire log in this email, hopefully
you can find out the issue.  Basically, the xsupplicant is running on a
machine with MAC=00:40:4d:d0:9f:71.  Hostap and freeRADIUS are running
on machine with MAC=00:14:22:43:42:2F

You can check hostap is receiving DHCP broadcast packet from some other
machine with MAC=00:08:e5:11:32:33 which doesn't have any supplicant
running but this causes xsupplicant at MAC=00:40:4d:d0:9f:71 to restart.
Also, you can notice hostap not processing xsupplicant's messages
because of a mismatch of Response-Identity with xsupplicant.

>From now on xsupplicant never gets autheniticated.

Regards,


IEEE 802.1X: 515 bytes from 00:40:4d:d0:9f:71
   IEEE 802.1X: version=2 type=0 length=511
   EAP: code=2 identifier=5 length=511 (response)
eth0: STA 00:40:4d:d0:9f:71 IEEE 802.1X: received EAP packet (code=2
id=5 len=511) from STA: EAP Response-TLS (13)
IEEE 802.1X: 00:40:4d:d0:9f:71 BE_AUTH entering state RESPONSE
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
eth0: RADIUS Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=5 length=686
   Attribute 1 (User-Name) length=10
      Value: 'testuser'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 32 (NAS-Identifier) length=16
      Value: 'ap.example.com'
   Attribute 5 (NAS-Port) length=6
      Value: 0
   Attribute 30 (Called-Station-Id) length=20
      Value: '00-14-22-43-42-2F:'
   Attribute 31 (Calling-Station-Id) length=19
      Value: '00-40-4D-D0-9F-71'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=255
      Value: 02 05 01 ff 0d 00 d4 2e b7 e7 de a1 7d 30 0c 06 03 55 1d 13
04 05 30 03 01 01 ff 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81
81 00 38 c2 34 a6 6c 92 01 4b e2 8c 6a b9 eb 62 e4 5c 44 6e 10 9e f8 0d
df 3d f1 eb a8 16 83 7c 01 2a b1 0c 12 5c d2 4b 12 64 1a 25 01 27 d8 bf
e1 f9 f2 e2 a4 a1 e0 47 ee 5b b2 c9 17 c5 c4 d2 71 04 bf 4b 6e e1 e6 ef
d0 41 f3 7f 39 d4 85 8a 3d 1c 8b d5 18 52 55 75 67 05 fa dd 79 64 3d 6e
c6 dd f4 c7 ee 09 cb 81 fe 03 38 2d dd 11 b1 24 f5 24 76 0c 96 af 00 5b
bd 95 56 12 34 c4 d6 0a f0 20 16 03 01 00 86 10 00 00 82 00 80 14 26 ba
67 4d 9e 0a af e1 58 19 6f a5 9e 75 cb b4 bd 85 42 ed 2c 59 74 a9 c5 88
e9 0a 5b 52 dd f3 d1 32 e9 43 c3 1f 5c ff ae 2a 5f 97 19 8d e3 35 86 04
4d 2b c7 fe 09 39 62 f3 af fc 79 8f bf 33 b1 33 fd
   Attribute 79 (EAP-Message) length=255
      Value: 63 5b d1 d7 a8 bc 47 0e a4 26 f8 bd d4 5a d5 4a f3 35 2a 22
fe 0c c0 3d 60 8c 79 6c d5 68 f2 d5 0e 16 e7 0e 6e 6c 6c da 71 a4 24 01
7e 30 22 a5 8a b2 45 68 82 80 6f d5 0c aa 41 95 16 03 01 00 86 0f 00 00
82 00 80 52 a1 83 e3 38 b0 ed 16 08 32 f2 3c 0c 7b b5 01 78 33 4b ef 93
b9 4e 67 fd 4b a9 59 71 cb d8 02 c0 7b 18 23 f9 70 ee 67 1f 6d 4d 76 6f
85 7b 10 9c 22 c0 0c a3 78 fe 94 ec 3b d4 95 99 11 8b 3b e0 5e f8 a3 92
41 c9 c6 1c 6d ab cc 90 0b 08 ca 14 a5 ed 62 cd 03 d5 3c b8 33 c2 34 0d
bd 27 05 03 9e a2 73 45 34 ed 6a 4b f6 90 ab 13 fc 20 5f 91 db 83 f7 e3
f6 e2 78 dd 75 c4 65 01 c9 7a 4e 14 03 01 00 01 01 16 03 01 00 30 26 84
be a1 c9 d5 5e b0 cf b5 44 dd 07 4b 19 cb df 52 c8 09 a0 30 53 ab 5c 06
23 7f 73 57 9c b7 39 07 9d ae d2 38 37 ea 7a b3 e8
   Attribute 79 (EAP-Message) length=7
      Value: 8a a4 98 13 8d
   Attribute 24 (State) length=18
      Value: a8 0f 6e 0f 24 3f fe 74 4e 12 91 ab 2c 9e 0a 22
   Attribute 80 (Message-Authenticator) length=18
      Value: a0 97 1b 69 49 31 5b 70 d5 61 79 fc 61 02 b0 28
eth0: RADIUS Next RADIUS client retransmit in 3 seconds
IEEE 802.1X: 00:40:4d:d0:9f:71 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:4d:d0:9f:71 REAUTH_TIMER entering state INITIALIZE
eth0: RADIUS Received 127 bytes from RADIUS server
eth0: RADIUS Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=5 length=127
   Attribute 79 (EAP-Message) length=71
      Value: 01 06 00 45 0d 80 00 00 00 3b 14 03 01 00 01 01 16 03 01 00
30 e2 7f 1c d9 0e 2c ca 5c 15 07 b3 f8 3a 2d 43 a2 e7 6b 32 a4 4f 8f 1f
13 af 80 42 d3 d9 61 c9 20 a1 d7 1c d7 ff ad 06 b4 31 02 b0 4c d9 b9 75
3d
   Attribute 80 (Message-Authenticator) length=18
      Value: 58 47 b7 ac b3 6c d5 94 ab 2c d1 c8 f1 76 5f d6
   Attribute 24 (State) length=18
      Value: e0 bd 99 d4 ac c5 3f 2e c8 5f aa 15 69 e5 f6 ec
eth0: STA 00:40:4d:d0:9f:71 RADIUS: Received RADIUS packet matched with
a pending request, round trip time 0.16 sec
RADIUS packet matching with station 00:40:4d:d0:9f:71
eth0: STA 00:40:4d:d0:9f:71 IEEE 802.1X: using EAP timeout of 30 seconds
eth0: STA 00:40:4d:d0:9f:71 IEEE 802.1X: decapsulated EAP packet (code=1
id=6 len=69) from RADIUS server: EAP-Request-TLS (13)
IEEE 802.1X: 00:40:4d:d0:9f:71 BE_AUTH entering state REQUEST
IEEE 802.1X: Sending EAP Packet to 00:40:4d:d0:9f:71 (identifier 6)
IEEE 802.1X: 00:40:4d:d0:9f:71 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:4d:d0:9f:71 REAUTH_TIMER entering state INITIALIZE
Received EAPOL packet
IEEE 802.1X: 46 bytes from 00:40:4d:d0:9f:71
   IEEE 802.1X: version=2 type=0 length=6
   ignoring 36 extra octets after IEEE 802.1X packet
   EAP: code=2 identifier=6 length=6 (response)
eth0: STA 00:40:4d:d0:9f:71 IEEE 802.1X: received EAP packet (code=2
id=6 len=6) from STA: EAP Response-TLS (13)
IEEE 802.1X: 00:40:4d:d0:9f:71 BE_AUTH entering state RESPONSE
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
eth0: RADIUS Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=6 length=177
   Attribute 1 (User-Name) length=10
      Value: 'testuser'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 32 (NAS-Identifier) length=16
      Value: 'ap.example.com'
   Attribute 5 (NAS-Port) length=6
      Value: 0
   Attribute 30 (Called-Station-Id) length=20
      Value: '00-14-22-43-42-2F:'
   Attribute 31 (Calling-Station-Id) length=19
      Value: '00-40-4D-D0-9F-71'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=8
      Value: 02 06 00 06 0d 00
   Attribute 24 (State) length=18
      Value: e0 bd 99 d4 ac c5 3f 2e c8 5f aa 15 69 e5 f6 ec
   Attribute 80 (Message-Authenticator) length=18
      Value: b4 9e aa 43 1f c9 28 86 07 05 d0 39 46 a3 c8 f2
eth0: RADIUS Next RADIUS client retransmit in 3 seconds
IEEE 802.1X: 00:40:4d:d0:9f:71 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:4d:d0:9f:71 REAUTH_TIMER entering state INITIALIZE
eth0: RADIUS Received 170 bytes from RADIUS server
eth0: RADIUS Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=6 length=170
   Attribute 26 (Vendor-Specific) length=58
      Value: 00 00 01 37 11 34 87 6a b7 a0 8b 22 78 ea bd 18 d7 72 16 e6
56 9d d8 50 24 93 20 cf a5 f1 39 e3 ba 66 6c b5 35 53 21 a6 be 5c f1 5e
41 6b f9 05 57 dd e9 f1 7d cd 28 e8
   Attribute 26 (Vendor-Specific) length=58
      Value: 00 00 01 37 10 34 8b 49 db 4b bc 6b 4a 95 8d 71 90 df ae 88
92 a9 32 0c 57 4c 6a 88 7f 4c 06 f7 5b df 62 95 16 5f f3 61 35 fb 4b 73
45 d8 aa 77 1a f9 5a 2e 82 9c 57 8e
   Attribute 79 (EAP-Message) length=6
      Value: 03 06 00 04
   Attribute 80 (Message-Authenticator) length=18
      Value: 74 12 ab 6d 51 a1 71 07 24 c4 2b b0 5e a2 63 c5
   Attribute 1 (User-Name) length=10
      Value: 'testuser'
eth0: STA 00:40:4d:d0:9f:71 RADIUS: Received RADIUS packet matched with
a pending request, round trip time 0.18 sec
RADIUS packet matching with station 00:40:4d:d0:9f:71
MS-MPPE-Send-Key (len=32): 61 7f 8c de 6a f5 2c 6c 80 e7 a7 fd d1 ad 2c
b8 58 3c b1 bd 6c 9b c7 f2 fa 43 46 54 6c 13 22 8a
MS-MPPE-Recv-Key (len=32): e7 7e fe 45 71 25 9c 0e b0 7f b5 65 6d 70 90
e2 7c 0f f9 45 e1 0d 6d 2c 5e f0 a6 82 98 08 68 34
eth0: STA 00:40:4d:d0:9f:71 IEEE 802.1X: old identity 'testuser' updated
with User-Name from Access-Accept 'testuser'
eth0: STA 00:40:4d:d0:9f:71 IEEE 802.1X: decapsulated EAP packet (code=3
id=6 len=4) from RADIUS server: EAP Success
IEEE 802.1X: 00:40:4d:d0:9f:71 BE_AUTH entering state SUCCESS
IEEE 802.1X: Sending EAP Packet to 00:40:4d:d0:9f:71 (identifier 6)
IEEE 802.1X: 00:40:4d:d0:9f:71 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:4d:d0:9f:71 AUTH_PAE entering state AUTHENTICATED
eth0: STA 00:40:4d:d0:9f:71 IEEE 802.1X: authorizing port
eth0: RADIUS Sending RADIUS message to accounting server
RADIUS message: code=4 (Accounting-Request) identifier=7 length=158
   Attribute 44 (Acct-Session-Id) length=19
      Value: '4505BA0A-00000000'
   Attribute 40 (Acct-Status-Type) length=6
      Value: 1
   Attribute 45 (Acct-Authentic) length=6
      Value: 1
   Attribute 1 (User-Name) length=10
      Value: 'testuser'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 32 (NAS-Identifier) length=16
      Value: 'ap.example.com'
   Attribute 5 (NAS-Port) length=6
      Value: 0
   Attribute 30 (Called-Station-Id) length=20
      Value: '00-14-22-43-42-2F:'
   Attribute 31 (Calling-Station-Id) length=19
      Value: '00-40-4D-D0-9F-71'
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
eth0: RADIUS Next RADIUS client retransmit in 3 seconds
eth0: STA 00:40:4d:d0:9f:71 IEEE 802.1X: authenticated
IEEE 802.1X: 00:40:4d:d0:9f:71 BE_AUTH entering state IDLE
IEEE 802.1X: 00:40:4d:d0:9f:71 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:4d:d0:9f:71 REAUTH_TIMER entering state INITIALIZE
eth0: RADIUS Received 20 bytes from RADIUS server
eth0: RADIUS Received RADIUS message
RADIUS message: code=5 (Accounting-Response) identifier=7 length=20
eth0: STA 00:40:4d:d0:9f:71 RADIUS: Received RADIUS packet matched with
a pending request, round trip time 0.01 sec
IEEE 802.1X: 00:40:4d:d0:9f:71 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:4d:d0:9f:71 REAUTH_TIMER entering state INITIALIZE
........
...........
******UP UNTIL HERE THE SUPPLICANT WAS AUTHENTICATED *******
***********HERE IS THE START OF ISSUE*******************

Got DHCP broadcast packet from 00:08:e5:11:32:33
Data frame from unknown STA 00:08:e5:11:32:33 - adding a new STA
  New STA
eth0: STA 00:08:e5:11:32:33 IEEE 802.1X: start authentication
IEEE 802.1X: 00:08:e5:11:32:33 AUTH_PAE entering state INITIALIZE
IEEE 802.1X: 00:08:e5:11:32:33 BE_AUTH entering state INITIALIZE
IEEE 802.1X: 00:08:e5:11:32:33 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:08:e5:11:32:33 AUTH_KEY_TX entering state
NO_KEY_TRANSMIT
IEEE 802.1X: 00:08:e5:11:32:33 KEY_RX entering state NO_KEY_RECEIVE
IEEE 802.1X: 00:08:e5:11:32:33 CTRL_DIR entering state IN_OR_BOTH
IEEE 802.1X: 00:08:e5:11:32:33 AUTH_PAE entering state INITIALIZE
IEEE 802.1X: 00:08:e5:11:32:33 BE_AUTH entering state IDLE
IEEE 802.1X: 00:08:e5:11:32:33 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:08:e5:11:32:33 KEY_RX entering state NO_KEY_RECEIVE
IEEE 802.1X: 00:08:e5:11:32:33 CTRL_DIR entering state FORCE_BOTH
IEEE 802.1X: 00:08:e5:11:32:33 AUTH_PAE entering state INITIALIZE
IEEE 802.1X: 00:08:e5:11:32:33 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:08:e5:11:32:33 KEY_RX entering state NO_KEY_RECEIVE
IEEE 802.1X: 00:08:e5:11:32:33 AUTH_PAE entering state DISCONNECTED
eth0: STA 00:08:e5:11:32:33 IEEE 802.1X: unauthorizing port
IEEE 802.1X: 00:08:e5:11:32:33 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:08:e5:11:32:33 AUTH_PAE entering state RESTART
IEEE 802.1X: station 00:08:e5:11:32:33 - new auth session, clearing
State
IEEE 802.1X: Generated EAP Request-Identity for 00:08:e5:11:32:33
(identifier 0, timeout 30)
IEEE 802.1X: 00:08:e5:11:32:33 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:08:e5:11:32:33 AUTH_PAE entering state CONNECTING
IEEE 802.1X: 00:08:e5:11:32:33 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:08:e5:11:32:33 AUTH_PAE entering state AUTHENTICATING
IEEE 802.1X: 00:08:e5:11:32:33 BE_AUTH entering state REQUEST
IEEE 802.1X: Sending EAP Packet to 00:08:e5:11:32:33 (identifier 0)
IEEE 802.1X: 00:08:e5:11:32:33 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:08:e5:11:32:33 REAUTH_TIMER entering state INITIALIZE
Got DHCP broadcast packet from 00:08:e5:11:32:33
Received EAPOL packet
IEEE 802.1X: 46 bytes from 00:40:4d:d0:9f:71
   IEEE 802.1X: version=2 type=0 length=13
   ignoring 29 extra octets after IEEE 802.1X packet
   EAP: code=2 identifier=0 length=13 (response)
eth0: STA 00:40:4d:d0:9f:71 IEEE 802.1X: EAP Identifier of the
Response-Identity does not match (was 0, expected 6) - ignored
IEEE 802.1X: 00:40:4d:d0:9f:71 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:08:e5:11:32:33 REAUTH_TIMER entering state INITIALIZE
....
.......
Signal 2 received - terminating
Removing station 00:08:e5:11:32:33
Removing station 00:40:4d:d0:9f:71
eth0: RADIUS Sending RADIUS message to accounting server
RADIUS message: code=4 (Accounting-Request) identifier=8 length=176
   Attribute 44 (Acct-Session-Id) length=19
      Value: '4505BA0A-00000000'
   Attribute 40 (Acct-Status-Type) length=6
      Value: 2
   Attribute 45 (Acct-Authentic) length=6
      Value: 1
   Attribute 1 (User-Name) length=10
      Value: 'testuser'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 32 (NAS-Identifier) length=16
      Value: 'ap.example.com'
   Attribute 5 (NAS-Port) length=6
      Value: 0
   Attribute 30 (Called-Station-Id) length=20
      Value: '00-14-22-43-42-2F:'
   Attribute 31 (Calling-Station-Id) length=19
      Value: '00-40-4D-D0-9F-71'
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 46 (Acct-Session-Time) length=6
      Value: 80
   Attribute 55 (Event-Timestamp) length=6
      Value: 1158003321
   Attribute 49 (Acct-Terminate-Cause) length=6
      Value: 7
Flushing old station entries
Deauthenticate all stations
eth0: RADIUS Sending RADIUS message to accounting server
RADIUS message: code=4 (Accounting-Request) identifier=9 length=80
   Attribute 40 (Acct-Status-Type) length=6
      Value: 8
   Attribute 45 (Acct-Authentic) length=6
      Value: 1
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 32 (NAS-Identifier) length=16
      Value: 'ap.example.com'
   Attribute 30 (Called-Station-Id) length=20
      Value: '00-14-22-43-42-2F:'
   Attribute 49 (Acct-Terminate-Cause) length=6
      Value: 11
]0;ikr46256 at sal-ikr46256-linux-1:~/hostapd/hostapd-0.4.9
[ikr46256 at sal-ikr46256-linux-1 hostapd-0.4.9]$ exit
exit
Script done on Mon 11 Sep 2006 03:35:30 PM EDT

-----Original Message-----
From: hostap-bounces+atif.ikram=jdsu.com at shmoo.com
[mailto:hostap-bounces+atif.ikram=jdsu.com at shmoo.com] On Behalf Of Jouni
Malinen
Sent: Sunday, September 10, 2006 11:03 PM
To: hostap at shmoo.com
Subject: Re: EAP-TLS works but is reset by Hostap

On Wed, Sep 06, 2006 at 12:26:47PM -0700, Atif Ikram wrote:
> I have gotten xsupplicant to work with hostap using EAP-TLS, however,
> after 10 to 15 seconds (on average) it receives
> EAP-Request-Identification from hostap which causes the xsupplicant to
> restart.  From the logs of Hostap it looks like that it is sending id
> request messages (to authenticated ports) when it receives a broadcast
> message from other MAC address.  My question is it is true and why.
> Also, how can I stop HostAp to re-request the Id request message to
> authenticated client(s).

Can you please send a hostapd debug log showing this behavior and more
details on your configuration? You can control re-authentication with
eap_reauth_period parameter.

-- 
Jouni Malinen                                            PGP id EFC895FA
_______________________________________________
HostAP mailing list
HostAP at shmoo.com
http://lists.shmoo.com/mailman/listinfo/hostap



More information about the HostAP mailing list