FILS reassociation duplicate sequence number

James Prestwood prestwoj at gmail.com
Thu Aug 5 08:01:04 PDT 2021 

Hi,

I am running into a problem where the radius server thinks there was a
duplicate access request during FILS reassocation. I have two EAP/FILS
enabled APs. Here is the sequence of events:

 - Authenicate over EAP to AP1
 - Disconnect from AP1 and authenticate using FILS to AP1
 - Reassociate to AP2 using FILS

Everything appears to be working fine initially (my identity is found)
but then the radius server throws the message away claiming the
sequence number is a duplicate:

RADIUS SRV: Creating a new session
RADIUS SRV: User-Name - hexdump_ascii(len=28):
     35 37 30 66 64 33 34 37 63 33 36 35 61 65 30 31   570fd347c365ae01
     40 65 78 61 6d 70 6c 65 2e 63 6f 6d               @example.com    
hostapd_radius_get_eap_user: Failed to find user
RADIUS SRV: Matching user entry found
RADIUS SRV: Calling-Station-Id: 02:00:00:00:02:00
RADIUS SRV: [0x6 127.0.0.1] New session created
EAP: Server state machine created
RADIUS SRV: New session 0x6 initialized
RADIUS SRV: Received EAP data - hexdump(len=55): 05 00 00 37 02 00 00
00 01 1c 35 37 30 66 64 33 34 37 63 33 36 35 61 65 30 31 40 65 78 61 6d
70 6c 65 2e 63 6f 6d 02 a7 b6 c0 eb 19 80 b7 24 82 1a a2 d4 44 a7 09 27
EAP: EAP entering state INITIALIZE
EAP: parseEapResp: rxResp=0 rxInitiate=1 respId=0 respMethod=2
respVendor=0 respVendorMethod=0
: CTRL-EVENT-EAP-STARTED 00:00:00:00:00:00
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: no identity known yet -> CONTINUE
EAP: EAP entering state INITIATE_RECEIVED
EAP: EAP-Initiate/Re-Auth - hexdump(len=50): 00 00 00 01 1c 35 37 30 66
64 33 34 37 63 33 36 35 61 65 30 31 40 65 78 61 6d 70 6c 65 2e 63 6f 6d
02 a7 b6 c0 eb 19 80 b7 24 82 1a a2 d4 44 a7 09 27
EAP: Flags=0x0 SEQ=0
EAP: EAP-Initiate/Re-auth - keyName-NAI - hexdump_ascii(len=28):
     35 37 30 66 64 33 34 37 63 33 36 35 61 65 30 31   570fd347c365ae01
     40 65 78 61 6d 70 6c 65 2e 63 6f 6d               @example.com    
EAP: SEQ=0 replayed (already received SEQ=0)
RADIUS SRV: No EAP data from the state machine - ignore this Access-
Request silently (assuming it was a duplicate)

And sure enough, if I remove the sequence number check it all works as
expected and I am able to reassociate:

diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c
index 0b7a5b98c..e0f4259bb 100644
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@@ -886,13 +886,6 @@ SM_STATE(EAP, INITIATE_RECEIVED)
                goto report_error;
        }
 
-       if (erp->recv_seq != (u32) -1 && erp->recv_seq >= seq) {
-               wpa_printf(MSG_DEBUG,
-                          "EAP: SEQ=%u replayed (already received
SEQ=%u)",
-                          seq, erp->recv_seq);
-               goto fail;
-       }
-
        /* Is there enough room for Cryptosuite and Authentication Tag?
*/
        start = parse.keyname + parse.keyname_len;
        max_len = end - start;

Thanks,
James

More information about the Hostap mailing list