Hello,

My apologies if this is the wrong place for this topic. If the correct forum is somewhere else please let me know so I don't waste anyone's time. If this is the correct forum then please continue, thanks...

I am looking for some guidance on either the ability of wpa_supplicant to authenticate in my dot1x configuration ("multi auth"), or where in the code I should look to change the wpa_supplicant behavior to accept unicast responses. I think it is somewhere in "iapp.c" and "driver_wired.c" but since I am new to this code, and don't have any C coding experience, I may be way off. It is also possible that wpa_supplicant can already do what I need and my configuration is lacking the correct settings, so please advise if this is the case.

I am using wpa_supplicant on a Linux PC to authenticate on a NAC (Network Access Control) wired ethernet port running dot1x protocol. When I use wpa_supplicant to authenticate on a "single host" or "multi host" ethernet port where the Id Request from the dot1x AP is sent on a multicast address (nearest host mcast address), wpa_supplicant continues with the authentication process to success. However, when I have a "multi auth" ethernet port on the dot1x AP and the response's destination unicast address is my host's ethernet port, the message is ignored and authentication halts (never proceeds to RX EAPOL step).

Maybe this topic has been touched on before; any links to this information would also be helpful.

Thanks in advance.

Definitions:
"single host" AP: A single client machine can authenticate against the AP and only traffic from this client can pass through the port.
"multi host" AP: A single client machine can authenticate against the AP but traffic from multiple clients on this port may pass through the port.
"multi auth" AP: Multiple client machines can authenticate against the AP and only traffic from these clients can pass through the port.

Below is my wpa_supplicant configuration file; a debug trace from a failed attempt against a "multi auth" configured AP and a packet capture of the IdRequest; and a debug trace from a successful attempt against a "single host" configured AP and a packet capture of the IdRequest.

I am running wpa_supplicant version 0.6.10

:START Contents of wpa_supplicant.conf:
#All contents were created using examples and information from 'man wpa_supplicant.conf'
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
 key_mgmt=IEEE8021X
 eap=MD5
 identity="andy"
 password="andy"
 eapol_flags=0
}
:END Content

:START Authentication Failure
root# wpa_supplicant -c wpa_supplicant.conf -i eth1 -Dwired -dd
Initializing interface 'eth1' conf 'wpa_supplicant.conf' driver 'wired' ctrl_interface 'N/A' bridge 'N/A'
Configuration file 'wpa_supplicant.conf' -> '/home/andy/wpa_supplicant.conf'
Reading configuration file '/home/andy/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ap_scan=0
Line: 6 - start of a new network block
key_mgmt: 0x8
eap methods - hexdump(len=16): 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00
identity - hexdump_ascii(len=4):
 61 6e 64 79 andy
password - hexdump_ascii(len=4): [REMOVED]
eapol_flags=0 (0x0)
Priority group 0
 id=0 ssid=''
Initializing interface (2) 'eth1'
wpa_driver_wired_init: Added multicast membership with packet socket
Own MAC address: 00:d0:b7:25:89:28
RSN: flushing PMKID list in the driver
Setting scan request: 0 sec 100000 usec
WPS: UUID based on MAC address - hexdump(len=16): 2e e1 c8 ed 86 72 5f 83 97 69 13 a2 ef fa 8d be
WPS: Build Beacon and Probe Response IEs
WPS: * Version
WPS: * Wi-Fi Protected Setup State (0)
WPS: * Version
WPS: * Wi-Fi Protected Setup State (0)
WPS: * Response Type (2)
WPS: * UUID-E
WPS: * Manufacturer
WPS: * Model Name
WPS: * Model Number
WPS: * Serial Number
WPS: * Primary Device Type
WPS: * Device Name
WPS: * Config Methods (0)
WPS: * RF Bands (3)
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
Added interface eth1
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=Auto
Already associated with a configured network - generating associated event
Association info event
State: DISCONNECTED -> ASSOCIATED
Associated to a new BSS: BSSID=01:80:c2:00:00:03
No keys have been configured - skip key clearing
Select network based on association information
Network configuration found for the current AP
WPA: clearing AP WPA IE
WPA: clearing AP RSN IE
WPA: clearing own WPA/RSN IE
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=Auto
Associated with 01:80:c2:00:00:03
WPA: Association event - clear replay counter
WPA: Clear old PTK
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Cancelling scan request
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 01 01 00 00
:END Authentication Failure

:START ucast IdRequest
No. Time Source Destination Protocol Info
 1 0.000000 00:90:db:2d:64:86 Intel_25:89:28 EAP Request, Identity [RFC3748]

Frame 1 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src:(00:90:db:2d:64:86), Dst: Intel_25:89:28 (00:d0:b7:25:89:28)
802.1X Authentication

0000  00 d0 b7 25 89 28 00 90 db 2d 64 86 88 8e 01 00  ...%.(...-d.....
0010  00 05 01 12 00 05 01 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 00 00 00 00              ............
:END ucast IdRequest

:START Authentication Success
root# wpa_supplicant -c wpa_supplicant.conf -i eth1 -Dwired -dd
Initializing interface 'eth1' conf 'wpa_supplicant.conf' driver 'wired' ctrl_interface 'N/A' bridge 'N/A'
Configuration file 'wpa_supplicant.conf' -> '/home/andy/wpa_supplicant.conf'
Reading configuration file '/home/andy/wpa_supplicant.conf'
[Skipped section for size requirement... Same as above...]
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 01 01 00 00
RX EAPOL from 00:90:db:2d:64:86
RX EAPOL - hexdump(len=46): 01 00 00 05 01 01 00 05 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=4):
 61 6e 64 79 andy
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=13): 01 00 00 09 02 01 00 09 01 61 6e 64 79
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:90:db:2d:64:86
RX EAPOL - hexdump(len=46): 01 00 00 16 01 02 00 16 04 10 f3 97 25 ca f9 ee 2b 67 49 3c 4d 02 c3 24 11 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=2 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: Initialize selected EAP method: vendor 0 method 4 (MD5)
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
EAP: EAP entering state METHOD
EAP-MD5: Challenge - hexdump(len=16): f3 97 25 ca f9 ee 2b 67 49 3c 4d 02 c3 24 11 86
EAP-MD5: Generating Challenge Response
EAP-MD5: Response - hexdump(len=16): e1 c5 3d 96 b0 a0 4f e7 9e e6 24 b6 ab 7f 7a 18
EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=26): 01 00 00 16 02 02 00 16 04 10 e1 c5 3d 96 b0 a0 4f e7 9e e6 24 b6 ab 7f 7a 18
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:90:db:2d:64:86
RX EAPOL - hexdump(len=46): 01 00 00 04 03 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
Cancelling authentication timeout
State: ASSOCIATED -> COMPLETED
CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed (auth) [id=0 id_str=]
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
EAPOL authentication completed successfully
:END Authentication Success

:START mcast IdRequest
No. Time Source Destination Protocol Info
 2 0.038832 00:90:db:2d:64:86 Nearest EAP Request, Identity [RFC3748]

Frame 2 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:90:db:2d:64:86, Dst: Nearest (01:80:c2:00:00:03)
802.1X Authentication

0000  01 80 c2 00 00 03 00 90 db 2d 64 86 88 8e 01 00  .........-d.....
0010  00 05 01 03 00 05 01 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 00 00 00 00              ............
:END mcast IdRequest
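
Added example, not part of the original post: a small Python decoder run over the two Identity Request frames captured above, to confirm that at the Ethernet, EAPOL and EAP header level they differ only in destination MAC address and EAP identifier. The function names and dictionary keys are assumptions of this example, not wpa_supplicant code.

```python
import struct

# Values taken from the post's trace and captures.
OWN_MAC = bytes.fromhex("00d0b7258928")         # "Own MAC address" in the trace
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # "Nearest" group address
ETHERTYPE_EAPOL = 0x888E
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}

# The two 60-byte frames from the post: 23 meaningful bytes plus zero padding.
UCAST_FRAME = bytes.fromhex("00d0b7258928 0090db2d6486 888e 01000005 0112000501") + bytes(37)
MCAST_FRAME = bytes.fromhex("0180c2000003 0090db2d6486 888e 01000005 0103000501") + bytes(37)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def classify_dst(dst, own_mac=OWN_MAC):
    """Label the destination address the way a receive filter would see it."""
    if dst == PAE_GROUP_ADDR:
        return "pae-group"
    if dst == own_mac:
        return "unicast-to-host"
    return "other-multicast" if dst[0] & 1 else "unicast-other"

def parse_eapol_frame(frame, own_mac=OWN_MAC):
    """Decode Ethernet + EAPOL + EAP headers; raise ValueError on malformed input."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    ethertype, version, ptype, body_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    body = frame[18:18 + body_len]          # length field excludes Ethernet padding
    if len(body) < body_len:
        raise ValueError("EAPOL body shorter than its length field")
    info = {"dst": mac(frame[:6]), "src": mac(frame[6:12]),
            "dst_class": classify_dst(frame[:6], own_mac),
            "eapol_version": version, "eapol_type": ptype}
    if ptype == 0 and body_len >= 4:        # EAPOL type 0 = EAP-Packet
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info.update(eap_code=EAP_CODES.get(code, code), eap_id=ident, eap_len=eap_len)
        if code in (1, 2) and eap_len >= 5:
            info["eap_type"] = EAP_TYPES.get(body[4], body[4])
    return info

def differing_fields(a, b):
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

if __name__ == "__main__":
    u, m = parse_eapol_frame(UCAST_FRAME), parse_eapol_frame(MCAST_FRAME)
    print(u, m, differing_fields(u, m), sep="\n")
```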