Implementation of Initial EAP Request/Identity with driver = wired, question.

Mariusz Plata mariuszplata at gmail.com
Mon May 30 07:21:36 PDT 2022


Hi,

I have a question on how hostapd works when it comes to sending very initial
Request/Identity once a port becomes up.


A little bit of background - looking into the spec: IEEE Std 802.1X™-2004:

I see the following:
6.6.1
An Authenticator PAE is responsible for enforcing the authentication of a
Supplicant PAE that attaches to its controlled Port

8.1.2.1
The Authenticator PAE will typically initiate the conversation when it receives
an indication that the Port has become operable.

Also in chapter 8.1.8 where example exchanges are depicted, I see figure 8-6
with periodic EAP-Request/Identity.


In my implementation I expect just one supplicant (driver = wired). So what I
would expect is that these initial periodic EAP-Request/Identity are being sent
once the port is up (sending ENABLE via ctrl interface) and hostapd is running.


However this is not true, and the question is: did I miss something? Am I
misusing hostapd? Is there any way to make hostapd send these
EAP-Request/Identity continuously and expect/handle single supplicant/station
in case of wired driver?


The workaround that I made (but I am not happy about it) is to send a NEW_STA
request via ctrl interface (this NEW_STA makes hostapd send
EAP-Request/Identity). But as this is the very initial state (port just became
up) I have no idea about the supplicant's MAC address. So I used a dummy MAC
00:00:00:00:00:01. Of course this is a hack, and I simply (re)add this NEW_STA
every 60s, and then immediately DEAUTHENTICATE it (I don't want hostapd to keep
doing retransmissions in case a supplicant with some real MAC connects with
EAPOL-Start).

Later, once the supplicant sends EAPOL-Start, I can discover its MAC and then add
NEW_STA with the proper MAC (after being disconnected etc), then hostapd does rtx
a few times (and will properly stop it on EAPOL-Start from the supplicant with that
particular MAC - will have just one STA), but still, after a few attempts it
gives up, so I still need to keep a timer to add NEW_STA (with the proper MAC) via
ctrl interface again...

Is there any way to implement it easier/properly when just one supplicant is
expected?


BTW: this is an example of my conf file:
##### hostapd configuration file ##########
driver=wired
ctrl_interface=/var/run/hostapd
ieee8021x=1
eap_reauth_period=300
use_pae_group_addr=1
logger_stdout=1
logger_stdout_level=2
radius_retry_primary_interval=600
#[1] RADIUS authentication server
auth_server_addr=<someIP>
auth_server_port=1812
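
The NEW_STA / DEAUTHENTICATE workaround described in the message above, written as a small client for hostapd's UNIX datagram control socket. This is an added example, not part of the original post and not hostapd's own code; the interface name eth0 in the socket path and the names HostapdCtrl and poke_identity_request are assumptions.

```python
import os
import socket
import tempfile
import time

DUMMY_MAC = "00:00:00:00:00:01"        # placeholder MAC used in the post
CTRL_PATH = "/var/run/hostapd/eth0"    # assumption: ctrl_interface dir + interface name


class HostapdCtrl:
    """Minimal client for hostapd's UNIX datagram control socket."""

    def __init__(self, ctrl_path, timeout=2.0):
        # hostapd replies to the sender's address, so the client must bind one.
        self.local = os.path.join(tempfile.mkdtemp(prefix="hapd_"), "client")
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        self.sock.settimeout(timeout)
        self.sock.bind(self.local)
        self.sock.connect(ctrl_path)

    def request(self, cmd):
        self.sock.send(cmd.encode())
        return self.sock.recv(4096).decode().strip()

    def close(self):
        self.sock.close()
        os.unlink(self.local)
        os.rmdir(os.path.dirname(self.local))


def poke_identity_request(ctrl, mac=DUMMY_MAC):
    """One round of the workaround; returns True only if both commands got OK."""
    # NEW_STA makes hostapd start EAPOL for this address (EAP-Request/Identity).
    added = ctrl.request(f"NEW_STA {mac}")
    # DEAUTHENTICATE removes the entry again so retransmissions stop.
    removed = ctrl.request(f"DEAUTHENTICATE {mac}")
    return added == "OK" and removed == "OK"


if __name__ == "__main__":
    ctrl = HostapdCtrl(CTRL_PATH)
    try:
        while True:                     # re-add every 60 s, as in the post
            if not poke_identity_request(ctrl):
                print("hostapd rejected NEW_STA/DEAUTHENTICATE")
            time.sleep(60)
    finally:
        ctrl.close()
```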


