[PATCH] Set supplicant port unauthorized during EAP reauthentication

Mikael Kanstrup mikael.kanstrup
Fri Apr 10 00:50:55 PDT 2015 

Hi Jouni,

Thanks for your review! I agree with the comments you gave and realize
that this patch just cure the symptoms.
These setups we've experienced this with:

Setup 1
AP runs latest hostapd from master
STA runs latest wpa_supplicant from master
Both ends use D-Link DWA-160 USB dongle (rt2800usb driver)

Setup 2
AP runs latest hostapd from master
STA runs latest wpa_supplicant from master
STA use D-Link DWA-160 USB dongle
AP use Intel Wireless 7260

With both setups I get deauth with reason 2.

My hostapd test configuration looks like this:
eap_server=1
eap_user_file=peap-mschapv2.eap_user
eap_reauth_period=60
interface=wlan8
driver=nl80211
ssid=Kanstrups AP
hw_mode=g
channel=1
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
wpa_gmk_rekey=600
wpa_group_rekey=300
ieee8021x=1
server_cert=server.pem
private_key=server.key

Hostapd logs shows this
...
wlan8: CTRL-EVENT-EAP-SUCCESS 9c:d6:43:e7:bb:65
wlan8: STA 9c:d6:43:e7:bb:65 RADIUS: starting accounting session
55277781-00000001
wlan8: STA 9c:d6:43:e7:bb:65 IEEE 802.1X: authenticated - EAP type: 0
(unknown) (PMKSA cache)
wlan8: AP-STA-DISCONNECTED 9c:d6:43:e7:bb:65
WPA: wpa_sm_step() called recursively
wlan8: STA 9c:d6:43:e7:bb:65 IEEE 802.11: deauthenticated due to local
deauth request


wpa_supplicant logs shows this
...
wlan5: WPA: Key negotiation completed with 9c:d6:43:e7:bb:a4 [PTK=CCMP GTK=CCMP]
CTRL_IFACE monitor sent successfully to /tmp/wpa_ctrl_17034-2\x00
wlan5: Cancelling authentication timeout
wlan5: State: GROUP_HANDSHAKE -> COMPLETED
EAPOL: External notification - portValid=1
RTM_NEWLINK: ifi_index=5 ifname=wlan5 operstate=2 linkmode=1
ifi_family=0 ifi_flags=0x1003 ([UP])
nl80211: Drv Event 20 (NL80211_CMD_DEL_STATION) received for wlan5
nl80211: Delete station 9c:d6:43:e7:bb:a4
nl80211: Drv Event 39 (NL80211_CMD_DEAUTHENTICATE) received for wlan5
nl80211: Deauthenticate event
wlan5: Event DEAUTH (12) received
wlan5: Deauthentication notification
wlan5:  * reason 2
wlan5:  * address 9c:d6:43:e7:bb:a4
Deauthentication frame IE(s) - hexdump(len=0): [NULL]
wlan5: CTRL-EVENT-DISCONNECTED bssid=9c:d6:43:e7:bb:a4 reason=2

/Mikael

2015-04-09 22:59 GMT+02:00 Jouni Malinen <j at w1.fi>:
> On Thu, Apr 09, 2015 at 01:50:16PM +0200, Mikael Kanstrup wrote:
>> When authenticator initiates an EAP reauthentication port should be
>> set unauthorized until EAP negotiation completes. This prevents
>> sending data frames when not being authenticated.
>
> Why? The device is authenticated (the old authentication is still valid)
> during reauthentication.
>
>> The patch solves the following scenario:
>> - STA connected to AP with EAP based authentication
>> - iperf (or other traffic) active
>> - AP (authenticator) initiates EAP reauthentication
>>   (eap_reauth_period times out)
>> - During EAP negotiation data continue to flow
>
> That all sounds correct to me..
>
>> - AP deauthenticates STA with reason 2 "Previous authentication
>>   no longer valid" or reason 7 "Class 3 frame received
>>   from nonassociated station"
>
> But this does not. Which AP shows such behavior?
>
>> diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c
>> @@ -312,6 +312,7 @@ SM_STATE(SUPP_PAE, AUTHENTICATED)
>>  SM_STATE(SUPP_PAE, RESTART)
>>  {
>>       SM_ENTRY(SUPP_PAE, RESTART);
>> +     eapol_sm_set_port_unauthorized(sm);
>>       sm->eapRestart = TRUE;
>
> This looks quite undesirable. The existing connection is supposed to
> remain usable during reauthentication. That's the main point for an AP
> to trigger reauthentication in time to complete this before the previous
> session times out.
>
> --
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap

More information about the Hostap mailing list