EAP-TLS works but is reset by Hostap

Atif Ikram Atif.Ikram at jdsu.com
Tue Sep 12 11:09:51 EDT 2006


Yes, the setting of use_pae_group_addr=1 was the issue.  I have commented
that out from the configuration and now xsupplicant is not going through
restart.  Thanks!


-----Original Message-----
From: hostap-bounces+atif.ikram=jdsu.com at shmoo.com
[mailto:hostap-bounces+atif.ikram=jdsu.com at shmoo.com] On Behalf Of Jouni
Malinen
Sent: Monday, September 11, 2006 10:48 PM
To: hostap at shmoo.com
Subject: Re: EAP-TLS works but is reset by Hostap

On Mon, Sep 11, 2006 at 12:58:18PM -0700, Atif Ikram wrote:

> Here is the log. I couldn't get the entire log in this email, hopefully
> you can find out the issue.  Basically, the xsupplicant is running on a
> machine with MAC=00:40:4d:d0:9f:71.  Hostap and freeRADIUS are running
> on machine with MAC=00:14:22:43:42:2F
> 
> You can check hostap is receiving DHCP broadcast packet from some other
> machine with MAC=00:08:e5:11:32:33 which doesn't have any supplicant
> running but this causes xsupplicant at MAC=00:40:4d:d0:9f:71 to restart.
> Also, you can notice hostap not processing xsupplicant's messages
> because of a mismatch of Response-Identity with xsupplicant.

Do you use use_pae_group_addr=1 in hostapd.conf? If yes, that would be
enough to explain this issue. The group PAE address can only be used if
there is only going to be one device behind the ethernet port (e.g., a
switch using IEEE 802.1X to authenticate each port separately). If not,
it would sound like xsupplicant would be ignoring the target address of
the EAPOL frame. Taken into account that IEEE 802.1X could be
interpreted to require group PAE address to be used for wired ethernet,
this kind of case where multiple wired clients are using the same port
is not really very well supported.

Could you please capture the frames exchanged during such an
authentication (e.g., with tcpdump or wireshark) and verify that hostapd
is indeed sending out the frames into two different MAC addresses?

-- 
Jouni Malinen                                            PGP id EFC895FA
_______________________________________________
HostAP mailing list
HostAP at shmoo.com
http://lists.shmoo.com/mailman/listinfo/hostap
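
The capture check requested in the thread, as an added example that is not part of the original messages or of hostapd: it takes raw Ethernet frames and reports which destination MACs the authenticator's EAPOL frames were sent to, so a capture taken with use_pae_group_addr=1 can be told apart from one using unicast. The function names are hypothetical and the frames are constructed samples; only the MAC addresses come from the thread.

```python
import struct
from collections import Counter

ETH_P_PAE = 0x888E                    # EtherType carried by EAPOL frames
PAE_GROUP_ADDR = "01:80:c2:00:00:03"  # IEEE 802.1X PAE group address

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_raw(text):
    return bytes.fromhex(text.replace(":", ""))

def eapol_destinations(frames, authenticator):
    """Count the destination MACs of EAPOL frames sent by the authenticator."""
    dests = Counter()
    for frame in frames:
        if len(frame) < 18:           # 14-byte Ethernet + 4-byte EAPOL header
            continue
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == ETH_P_PAE and mac_str(frame[6:12]) == authenticator.lower():
            dests[mac_str(frame[0:6])] += 1
    return dests

def sent_to_group(dests):
    """True if any authenticator EAPOL frame went to the PAE group address."""
    return dests[PAE_GROUP_ADDR] > 0

def eapol_frame(dst, src, body):
    """Constructed frame: Ethernet header, EAPOL v1 EAP-Packet header, body."""
    return (mac_raw(dst) + mac_raw(src) + struct.pack("!H", ETH_P_PAE)
            + struct.pack("!BBH", 1, 0, len(body)) + body)

# Constructed sample data; the MAC addresses are the ones quoted in the thread.
AUTH, SUPP, OTHER = "00:14:22:43:42:2f", "00:40:4d:d0:9f:71", "00:08:e5:11:32:33"
REQ_ID = bytes([1, 1, 0, 5, 1])       # EAP-Request/Identity, id=1, length=5
RESP_ID = bytes([2, 1, 0, 5, 1])      # EAP-Response/Identity with empty identity
DHCP_LIKE = mac_raw("ff:ff:ff:ff:ff:ff") + mac_raw(OTHER) + b"\x08\x00" + bytes(20)

# Capture as it would look with use_pae_group_addr=1 (supplicant frame is ignored).
GROUP_CAPTURE = [DHCP_LIKE, eapol_frame(PAE_GROUP_ADDR, AUTH, REQ_ID),
                 eapol_frame(PAE_GROUP_ADDR, SUPP, RESP_ID),
                 eapol_frame(PAE_GROUP_ADDR, AUTH, REQ_ID)]
# Capture as it would look with the option commented out.
UNICAST_CAPTURE = [DHCP_LIKE, eapol_frame(SUPP, AUTH, REQ_ID),
                   eapol_frame(OTHER, AUTH, REQ_ID)]

if __name__ == "__main__":
    for name, cap in (("group", GROUP_CAPTURE), ("unicast", UNICAST_CAPTURE)):
        d = eapol_destinations(cap, AUTH)
        print(name, dict(d), "group address used:", sent_to_group(d))
```

With a real capture, the frame bytes would come from the packets recorded by tcpdump or wireshark instead of the constructed lists.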