[PATCH] Set supplicant port unauthorized during EAP reauthentication
Jouni Malinen
j
Thu Apr 9 13:59:24 PDT 2015
On Thu, Apr 09, 2015 at 01:50:16PM +0200, Mikael Kanstrup wrote:
> When authenticator initiates an EAP reauthentication port should be
> set unauthorized until EAP negotiation completes. This prevents
> sending data frames when not being authenticated.
Why? The device is authenticated (the old authentication is still valid)
during reauthentication.
> The patch solves the following scenario:
> - STA connected to AP with EAP based authentication
> - iperf (or other traffic) active
> - AP (authenticator) initiates EAP reauthentication
> (eap_reauth_period times out)
> - During EAP negotiation data continue to flow
That all sounds correct to me..
> - AP deauthenticates STA with reason 2 "Previous authentication
> no longer valid" or reason 7 "Class 3 frame received
> from nonassociated station"
But this does not. Which AP shows such behavior?
> diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c
> @@ -312,6 +312,7 @@ SM_STATE(SUPP_PAE, AUTHENTICATED)
> SM_STATE(SUPP_PAE, RESTART)
> {
> SM_ENTRY(SUPP_PAE, RESTART);
> + eapol_sm_set_port_unauthorized(sm);
> sm->eapRestart = TRUE;
This looks quite undesirable. The existing connection is supposed to
remain usable during reauthentication. That's the main point for an AP
to trigger reauthentication in time to complete this before the previous
session times out.
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list