Possible EAP bugs
Matt.Caron at sixnet.com
Fri Oct 1 08:28:00 EDT 2010
I'm a bit new to hostapd/EAP/802.1X/etc. to please bear with me. I'm
asking the list because I'm not certain if these are *actually* bugs or
of I'm wrong. If these are bug, I'm happy to add them, and I have patches.
Most of what I'm speaking about here is in eap_server.c.
This is in a passthrough configuration (authenticator using a separate
(1) I believe that the identity is not being correctly cleared.
Firstly, if you successfully authenticate, but then reject the
certificate, then attempt to reauthenticate, you go into the INITIALIZE
state, sm->currentId is set to -1 (NONE), but sm->identity is left
alone. When getDecision then fires, it leads to a bad decision in a
PASSTHROUGH case, where it should CONTINUE (send an identity request
packet, etc.) rather than just drop to INITIALIZE_PASSTHROUGH. If it
goes to INITIALIZE_PASSTHROUGH, since currentId is NONE (because that
WAS cleared in INITIALIZE), it then goes to AAA_IDLE, but will never get
a response from the AAA sever, because it never saw a packet.
Secondly, if you fail authentication, the same thing happens. You try to
reauthenticate, hit INITIALIZE, sm->currentId is cleared but
sm->identity is left alone, and so you never ask for credentials.
Proposed fix: Clear sm->identity along with sm->currentId in INITIALIZE
(2) Given the above, you can never get out of AAA_IDLE, because
aaaTimeout is never set.
I presume this is a "to be implemented", correct? As in, we need to add
a configuration parameter for timeout values talking to the AAA server,
Sixnet | www.sixnet.com
O +1 518 877 5173 Ext. 138
F +1 518 602 9209
matt.caron at sixnet.com
More information about the HostAP