Issue with Enterprise authentication due to ap_sta_delayed_1x_auth_fail_cb

kiran k ikirank at gmail.com
Thu Apr 24 02:57:17 PDT 2025 

Hi,
Removing the call to ap_sta_delayed_1x_auth_fail_cb on logoff would
this code work.

Index: /components/opensource/router_tools/hostapd/trunk/hostapd-2.10/src/ap/ieee802_1x.c
===================================================================
--- /components/opensource/router_tools/hostapd/trunk/hostapd-2.10/src/ap/ieee802_1x.c
(revision 854914)
+++ /components/opensource/router_tools/hostapd/trunk/hostapd-2.10/src/ap/ieee802_1x.c
(working copy)
@@ -3133,6 +3133,11 @@
  * EAP-FAST with anonymous provisioning, may require another
  * EAPOL authentication to be started to complete connection.
  */
+#ifdef CONFIG_DRIVER_BRCM
+ if (sta->eapol_sm->eapolLogoffauthenticatingState) {
+ sta->eapol_sm->eapolLogoffauthenticatingState = false;
+ } else
+#endif /* CONFIG_DRIVER_BRCM */
  ap_sta_delayed_1x_auth_fail_disconnect(hapd, sta);
  }
 }
Index: /components/opensource/router_tools/hostapd/trunk/hostapd-2.10/src/eapol_auth/eapol_auth_sm.c
===================================================================
--- /components/opensource/router_tools/hostapd/trunk/hostapd-2.10/src/eapol_auth/eapol_auth_sm.c
(revision 854914)
+++ /components/opensource/router_tools/hostapd/trunk/hostapd-2.10/src/eapol_auth/eapol_auth_sm.c
(working copy)
@@ -428,8 +428,13 @@
  (sm->keyDone && !sm->portValid))
  SM_ENTER(AUTH_PAE, HELD);
  else if (sm->eapolStart || sm->eapolLogoff ||
- sm->authTimeout)
+ sm->authTimeout) {
+#ifdef CONFIG_DRIVER_BRCM
+ if (sm->eapolLogoff)
+ sm->eapolLogoffauthenticatingState = true;
+#endif /* CONFIG_DRIVER_BRCM */
  SM_ENTER(AUTH_PAE, ABORTING);
+ }
  break;
  case AUTH_PAE_ABORTING:
  if (sm->eapolLogoff && !sm->authAbort)
Index: /components/opensource/router_tools/hostapd/trunk/hostapd-2.10/src/eapol_auth/eapol_auth_sm_i.h
===================================================================
--- /components/opensource/router_tools/hostapd/trunk/hostapd-2.10/src/eapol_auth/eapol_auth_sm_i.h
(revision 854914)
+++ /components/opensource/router_tools/hostapd/trunk/hostapd-2.10/src/eapol_auth/eapol_auth_sm_i.h
(working copy)
@@ -68,6 +68,9 @@
         AUTH_PAE_FORCE_UNAUTH, AUTH_PAE_RESTART } auth_pae_state;
  /* variables */
  bool eapolLogoff;
+#ifdef CONFIG_DRIVER_BRCM
+ bool eapolLogoffauthenticatingState;
+#endif /* CONFIG_DRIVER_BRCM */
  bool eapolStart;
  PortTypes portMode;
  unsigned int reAuthCount;


Thanks,
Kiran

On Mon, Apr 21, 2025 at 11:57 AM kiran k <ikirank at gmail.com> wrote:
>
> Hi,
> I am running into an issue with Enterprise authentication with a STA
> using hostapd. There is a 20 to 40 second delay because the timer
> ap_sta_delayed_1x_auth_fail_cb is being called in the middle of EAP
> exchange. I am attaching a log with a sequence of steps.
> The sequence of steps are as follows:
> 1) The STA does an association and the 4 way handshake is successfully
> completed. Now the station goes out of AP coverage.
> 2) STA again associates back to AP and AP sends an EAP Request Id with
> ID 116 in line  160 in the attached log.
> 3) The  sends a EAP logoff instead of responding with an EAP response
> in line 172. Not sure if this is expected.
> 4) Hostapd starts a timer ap_sta_delayed_1x_auth_fail_cb for 10ms on
> receiving EAP-Logoff in line 179
> 5)  AP sends a new EAP Request ID message with ID 209 line 190
> 6)  Then STA sends EAP Response ID message with ID 116 (previous EAP
> exchange before logoff) in line number 202
> 7)  AP discards this EAP Response with ID 116.
> 8)  STA responds with EAP Response ID 209 in line 209
> 9)  AP sends a RADIUS access request to the RADIUS server in line 233
> 10) AP receives Access Challenge from RADIUS server 269
> 11) Now in middle of this   ap_sta_delayed_1x_auth_fail_cb timer is
> triggered at line 286 causing Disconnection of STA
> 12) Then association is retriggered after deauth.
> 13) This is causing a delay of 20 to 40 seconds to authenticate.
>
> The timer ap_sta_delayed_1x_auth_fail_cb should be cancelled for the
> EAP exchange to go through. This is causing a 20 to 40 second delay in
> association.  If a new association happens we clear all the disconnect
> timers.
> Where do we cancel the timer if no new association happens as
> explained above. Can you please provide some insights as to where to
> call the cancellation of ap_sta_delayed_1x_auth_fail_cb timer.
>
> Thanks & Regards,
> Kiran
> 949428EAP_64B_WLINTERNAL_WL26D1_WLMLO_OT

More information about the Hostap mailing list