[PATCH] EAP: Avoid incrementing round counter for non-initial Identity Requests

Jouni Malinen j at w1.fi
Sat Apr 4 01:39:24 PDT 2026


On Wed, Dec 17, 2025 at 11:57:32AM +0800, xinpeng wang wrote:
> In various network environments, particularly after successful authentication, the
> Authenticator may periodically send EAP Identity Requests as a non-standard Keep-Alive
> or probing mechanism.

Would you have examples of specific cases where this is used? Are those
in wired or Wi-Fi networks?

> Modify the round-trip counting logic in SM_STATE(EAP, RECEIVED) to only increment the
> counters if:
> 1. The received message is NOT an EAP Identity Request, OR
> 2. The Supplicant has not yet selected an EAP method (i.e., it is the genuine initial
> Identity Request initiating a new session).

> diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
> @@ -313,11 +313,13 @@ SM_STATE(EAP, RECEIVED)
>  	eapReqData = eapol_get_eapReqData(sm);
>  	/* parse rxReq, rxSuccess, rxFailure, reqId, reqMethod */
>  	eap_sm_parseEapReq(sm, eapReqData);
> -	sm->num_rounds++;
> -	if (!eapReqData || wpabuf_len(eapReqData) < 20)
> -		sm->num_rounds_short++;
> -	else
> -		sm->num_rounds_short = 0;
> +	if (sm->selectedMethod != EAP_TYPE_NONE || sm->reqMethod != EAP_TYPE_IDENTITY) {
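
Review bot: On the added `if` line, the test is true whenever `sm->selectedMethod != EAP_TYPE_NONE`, so an EAP-Request/Identity received after a method has been selected still satisfies it. Assuming the counter updates now sit inside this block (the rest of the hunk is not quoted here), the only request that skips them is an Identity Request received while no method is selected. That is the inverse of the two conditions in the commit message, which count the initial Identity Request and skip later ones. If the commit message states the intent, the test would be `sm->reqMethod != EAP_TYPE_IDENTITY || sm->selectedMethod == EAP_TYPE_NONE`. The line is also much longer than its neighbours and would read better wrapped after the `||`.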

The commit message had two conditions: (1) not EAP-Request/Identity and
(2) EAP client has not yet selected an EAP method. That "sm->reqMethod !=
EAP_TYPE_IDENTITY" is that condition (1), but how would
"sm->selectedMethod != EAP_TYPE_NONE" indicate that the EAP client has
_not_ yet selected an EAP method?

> @@ -1499,7 +1501,7 @@ static void eap_sm_processIdentity(struct eap_sm *sm, const struct wpabuf *req)
> -	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_STARTED
> +	wpa_msg(sm->msg_ctx, MSG_DEBUG, WPA_EVENT_EAP_STARTED
>  		"EAP authentication started");
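
Review bot: The `wpa_msg()` level change from `MSG_INFO` to `MSG_DEBUG` on `WPA_EVENT_EAP_STARTED` is not mentioned in the commit message and has nothing to do with round counting. Anything that consumes this event at the INFO level would stop seeing it. If the goal is to quiet the log when repeated Identity Requests arrive, submit that as a separate patch with its own justification.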

This is a completely independent change and should not be here.

-- 
Jouni Malinen                                            PGP id EFC895FA


