Issues with long connection time with 802.1x on cable
dennis.knorr at gmx.net
Sat Jan 14 16:14:04 PST 2017
I work for a city administration in the south of Germany and we want to
migrate to 802.1x for client authentication via cable and wireless LAN.
Therefore we created a NetworkManager profile with 802.1x with
certificates to authenticate to the switch (we use a different profile
for wireless LAN). So far so good.

Now we noticed that if the switch is not already set for 802.1x client
authentication, wpa_supplicant tries for over a minute to establish the
connection (3 tries); after that, it stops and NetworkManager falls back
to a non-802.1x connection. (802.1x authentication and fallback to
MacByPass with ACLs if there's no certificate, at least during the
migration time). It is even worse because of the PXE delay, since we
provision clients via PXE.

This looks quite bad in comparison to Windows. First, the retries occur
much faster and there are fewer of them. Secondly, even with the
EAPOL request, there is already a DHCP request to the network if there's
a link, resulting in a quicker network connection, even if there's
no valid 802.1x connection.

So I looked in NetworkManager and wpa_supplicant to see if I could configure
the timeout and retries, and did not find anything where I could
configure EAPOL timeouts and retries. Is it possible that this would be
implemented? Should I open a ticket? I will ask the NetworkManager devs,
too, but I thought asking would not hurt.

Any opinions or information on the matter? The Linux client guys from
Munich would be glad :-)