[PATCH] Set supplicant port unauthorized during EAP reauthentication

Jouni Malinen j
Thu Apr 9 13:59:24 PDT 2015


On Thu, Apr 09, 2015 at 01:50:16PM +0200, Mikael Kanstrup wrote:
> When the authenticator initiates an EAP reauthentication, the port should be
> set unauthorized until the EAP negotiation completes. This prevents
> sending data frames while not authenticated.

Why? The device is authenticated (the old authentication is still valid)
during reauthentication.

> The patch solves the following scenario:
> - STA connected to AP with EAP based authentication
> - iperf (or other traffic) active
> - AP (authenticator) initiates EAP reauthentication
>   (eap_reauth_period times out)
> - During EAP negotiation data continue to flow

That all sounds correct to me.

> - AP deauthenticates STA with reason 2 "Previous authentication
>   no longer valid" or reason 7 "Class 3 frame received
>   from nonassociated station"

But this does not. Which AP shows such behavior?

> diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c
> @@ -312,6 +312,7 @@ SM_STATE(SUPP_PAE, AUTHENTICATED)
>  SM_STATE(SUPP_PAE, RESTART)
>  {
>  	SM_ENTRY(SUPP_PAE, RESTART);
> +	eapol_sm_set_port_unauthorized(sm);
>  	sm->eapRestart = TRUE;
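Review bot: the call to eapol_sm_set_port_unauthorized(sm) added on entry to SM_STATE(SUPP_PAE, RESTART) is unconditional, so it drops the port to unauthorized every time the state machine restarts, including a reauthentication started while the previous EAP session is still valid; that tears down a working connection rather than protecting it. The hunk carries no check that distinguishes an initial authentication (port not yet authorized) from a reauthentication of an already authorized port, and the commit message does not say which AP implementation sends the reason 2 / reason 7 deauthentication that motivates the change. Before this can go in, the change needs either a condition that leaves an already-authorized port untouched until the reauthentication actually fails, or evidence that the deauthentication comes from the supplicant rather than from the AP.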

This looks quite undesirable. The existing connection is supposed to
remain usable during reauthentication. That's the main point for an AP
to trigger reauthentication in time to complete this before the previous
session times out.
 
-- 
Jouni Malinen                                            PGP id EFC895FA