[PATCH] EAPOL_SUPP: ignore Response at CONNECTING state

Jouni Malinen j at w1.fi
Mon Apr 18 07:49:04 PDT 2022


On Thu, Jan 06, 2022 at 09:47:27AM +0800, xinpeng wang wrote:
> When using PEAP certification, the server may use Identity's Request message
> as a heartbeat; there will be many clients on the Internet to send address
> 01:80:C2:00:03 Identity's Response message as a heartbeat; at this time,
> when a client is broken and reconnects, it is easy to receive this message,
> resulting in triggering restart of EAPOL authentication, resulting in a slow
> authentication. So ignore the response message in the Connecting state.

This sounds really confusing.. Why would a Supplicant process an EAP
response message in any state (well, with the exception of the quite
unfortunate LEAP design)? What is special about the CONNECTING state in
this context? That said, it is quite inconvenient if the EAPOL state
machine needs to peek into the EAP header for something like this..

How commonly does this happen? Based on that address, I'd assume
this is about use of EAPOL/IEEE 802.1X on a wired Ethernet interface
rather than anything with Wi-Fi. Though, that should have been with one
more zero octet: 01:80:C2:00:00:03, i.e., the PAE group address. Would
you be able to share some debug logs showing the undesired behavior?

-- 
Jouni Malinen                                            PGP id EFC895FA
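
The frame-level check under discussion, as an added example that is not part of the original message and is not hostap code: it peeks into the EAP header of a frame and tells a Supplicant to ignore EAP-Response packets, such as another station's Response/Identity sent to the PAE group address. All identifiers and both sample frames are constructed for illustration, and the LEAP exception mentioned in the reply is not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not hostap code; all identifiers are hypothetical. */
enum verdict { NOT_EAPOL, MALFORMED, NON_EAP, PROCESS, IGNORE_RESPONSE };
const uint8_t PAE_GROUP[6] = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 };
/* Constructed sample: another station's EAP-Response/Identity ("user"). */
const uint8_t SAMPLE_RESPONSE[] = {
    0x01, 0x80, 0xC2, 0x00, 0x00, 0x03,  0x02, 0, 0, 0, 0, 0x01,  0x88, 0x8E,
    0x01, 0x00, 0x00, 0x09,              /* EAPOL v1, EAP-Packet, length 9 */
    0x02, 0x01, 0x00, 0x09, 0x01, 'u', 's', 'e', 'r' };
/* Constructed sample: an Authenticator's EAP-Request/Identity. */
const uint8_t SAMPLE_REQUEST[] = {
    0x01, 0x80, 0xC2, 0x00, 0x00, 0x03,  0x02, 0, 0, 0, 0, 0x02,  0x88, 0x8E,
    0x01, 0x00, 0x00, 0x05,              /* EAPOL v1, EAP-Packet, length 5 */
    0x01, 0x02, 0x00, 0x05, 0x01 };

/* 1 when the frame was sent to the PAE group address. */
int to_pae_group(const uint8_t *f, size_t len)
{
    return len >= 6 && memcmp(f, PAE_GROUP, sizeof(PAE_GROUP)) == 0;
}

/* Classify a raw Ethernet frame from the Supplicant's point of view. */
enum verdict classify(const uint8_t *f, size_t len)
{
    if (len < 14 || f[12] != 0x88 || f[13] != 0x8E)
        return NOT_EAPOL;                 /* EtherType is not 0x888E */
    if (len < 18)
        return MALFORMED;                 /* truncated EAPOL header */
    size_t body = ((size_t)f[16] << 8) | f[17];
    if (body > len - 18)
        return MALFORMED;                 /* body longer than the frame */
    if (f[15] != 0)
        return NON_EAP;                   /* Start, Logoff, Key, ... */
    size_t eap_len = body >= 4 ? ((size_t)f[20] << 8) | f[21] : 0;
    if (eap_len < 4 || eap_len > body)
        return MALFORMED;                 /* EAP header is 4 octets */
    if (f[18] == 2)
        return IGNORE_RESPONSE;           /* Response: peer-to-server only */
    return (f[18] == 1 || f[18] == 3 || f[18] == 4) ? PROCESS : MALFORMED;
}

int main(void)
{
    printf("%d %d\n", classify(SAMPLE_RESPONSE, sizeof(SAMPLE_RESPONSE)),
           classify(SAMPLE_REQUEST, sizeof(SAMPLE_REQUEST)));
}
```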


