Hostapd didn't ACK fragmented EAP-TLS frame

Jouni Malinen j at w1.fi
Wed Jan 21 10:15:17 EST 2015


On Wed, Jan 21, 2015 at 03:36:28PM +0100, Olivier Cochard-Labbé wrote:
> I've uploaded the log here:
> http://dev.bsdrp.net/FreeBSD/logs/hostapd.log

hostapd is not used as the EAP server in this case, i.e., the code you
were looking at does not get executed. You'll need to check the RADIUS
server (10.239.142.33) to see why it does not reply to the messages:

wlan0: STA 20:10:7a:35:8c:70 IEEE 802.1X: received EAP packet (code=2 id=230 len=1492) from STA: EAP Response-TLS (13)
IEEE 802.1X: 20:10:7a:35:8c:70 BE_AUTH entering state RESPONSE
EAP: EAP entering state RECEIVED2
EAP: parseEapResp: rxResp=1 respId=230 respMethod=13 respVendor=0 respVendorMethod=0
EAP: EAP entering state AAA_REQUEST
EAP: EAP entering state AAA_IDLE
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
wlan0: RADIUS Sending RADIUS message to authentication server
wlan0: RADIUS Next RADIUS client retransmit in 3 seconds
wlan0: STA 20:10:7a:35:8c:70 RADIUS: Resending RADIUS message (id=6)
wlan0: RADIUS Next RADIUS client retransmit in 6 seconds
wlan0: STA 20:10:7a:35:8c:70 RADIUS: Resending RADIUS message (id=6)
wlan0: RADIUS Next RADIUS client retransmit in 12 seconds


Please note that this EAP message is quite long (1492 octets) and the
resulting RADIUS message will exceed 1500 octets which may be the MTU
used on the connection with the RADIUS server. If that is the case,
there better be functional UDP fragmentation between the AP and RADIUS
server or that message may not get through.

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list