[PATCH v2] eap_peer: Ignore Identity heartbeats in round counting
xinpeng wang
wangxinpeng at uniontech.com
Tue Apr 14 02:54:46 PDT 2026
In many wired 802.1X network environments, the Authenticator sends
periodic EAP-Request/Identity messages as a non-standard keep-alive
mechanism after a successful authentication.
Since these Identity Requests are often short messages (< 20 bytes),
they consistently increment 'num_rounds_short' without being reset
by any interleaved long messages. This eventually causes the EAP state
machine to exceed EAP_MAX_AUTH_ROUNDS_SHORT and transition to the
FAILURE state. While the network may remain connected, this leads to
spurious EAP failure logs and unnecessary state transitions.
Modify the round-trip counting logic in SM_STATE(EAP, RECEIVED) to
exclude Identity Requests when no EAP method is currently selected.
This prevents the counter from overflowing due to network probing
or keep-alive messages, while still maintaining protection against
protocol loops during active EAP method negotiation.
Signed-off-by: xinpeng wang <wangxinpeng at uniontech.com>
---
Thanks for your review, Jouni. Here is the v2 addressing your comments.
Changes since v1:
- Updated the commit message to accurately describe the logic.
- Answered Jouni's questions: This is for wired PEAP environments where
switches use Identity Requests as keep-alives.
- Removed the unrelated change to log levels.
src/eap_peer/eap.c | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index 935286242..9453a051e 100644
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -313,11 +313,25 @@ SM_STATE(EAP, RECEIVED)
eapReqData = eapol_get_eapReqData(sm);
/* parse rxReq, rxSuccess, rxFailure, reqId, reqMethod */
eap_sm_parseEapReq(sm, eapReqData);
- sm->num_rounds++;
- if (!eapReqData || wpabuf_len(eapReqData) < 20)
- sm->num_rounds_short++;
- else
- sm->num_rounds_short = 0;
+
+ /*
+ * Only increment the round counters if:
+ * 1. The request is not an EAP-Identity (i.e., it's a specific EAP method).
+ * 2. Or, an EAP method has already been selected (i.e., we are in the
+ * middle of a negotiation session).
+ *
+ * This avoids incrementing counters for periodic Identity Requests used
+ * as keep-alive mechanisms in some wired 802.1X networks. Without this,
+ * repeated short Identity heartbeats would eventually trigger a spurious
+ * EAP failure after exceeding EAP_MAX_AUTH_ROUNDS_SHORT.
+ */
+ if (sm->selectedMethod != EAP_TYPE_NONE || sm->reqMethod != EAP_TYPE_IDENTITY) {
+ sm->num_rounds++;
+ if (!eapReqData || wpabuf_len(eapReqData) < 20)
+ sm->num_rounds_short++;
+ else
+ sm->num_rounds_short = 0;
+ }
}
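Review bot: the new guard `if (sm->selectedMethod != EAP_TYPE_NONE || sm->reqMethod != EAP_TYPE_IDENTITY)` only exempts the post-authentication keep-alives described in the commit message if selectedMethod has been cleared back to EAP_TYPE_NONE by the time those EAP-Request/Identity frames arrive; nothing in this hunk resets it after EAP-Success, so please say in the comment (or the commit message) where that reset happens, otherwise a peer that just completed PEAP would still count them. Two more points: with `sm->num_rounds++` now inside the same condition, neither EAP_MAX_AUTH_ROUNDS nor EAP_MAX_AUTH_ROUNDS_SHORT bounds an Identity-only exchange before a method is selected, so an authenticator, or anything able to inject EAPOL frames on the wire, can keep the peer answering Identity requests indefinitely; a separate, larger cap for Identity-only rounds would keep the loop protection the comment claims is preserved. Finally, the `if` line exceeds the 79-character line limit used in hostap; wrap it as `if (sm->selectedMethod != EAP_TYPE_NONE ||` / `    sm->reqMethod != EAP_TYPE_IDENTITY) {`.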
--
2.50.1