wpa_supplicant - client station disconnects after a few minutes

clement_ml_hostap at guivy.fr clement_ml_hostap at guivy.fr
Fri Jun 2 07:03:10 PDT 2017


Hello,

I am working on deploying 802.1x (EAP-TLS) over wired ethernet, using
Microsoft NPS as radius server, HPE (comware) switches, and different types
of clients. While for Windows clients it’s working fine, I can’t get the
Ubuntu 16.04 LTS (wpasupplicant 2.4-0ubuntu6) to function properly. At first
it connects to the network, but then it keeps reconnecting every 1-2 minutes
(while Windows clients reauth every 20 minutes as per switches config), but
my main problem is that after a while (usually a few minutes, sometimes a
bit longer) the reconnection process doesn’t work anymore. If I unplug /
replug the Ethernet cable from the client PC it works again for a few
minutes, then drops connection again.
On the server side I can see in the logs that after some time the client is
denied (couldn’t manage to get a more verbose error unfortunately). I
enabled the verbose mode on the client side, and noticed several instances
of the following message:

EAP: EAP-Success Id mismatch - reqId=103 lastId=-1

I am by no means a developer person, but I tracked that message into the
source and found it in eap.c:

########################## START QUOTE
static int eap_success_workaround(struct eap_sm *sm, int reqId, int lastId)
{
	/*
	 * At least Microsoft IAS and Meetinghouse Aegis seem to be sending
	 * EAP-Success/Failure with lastId + 1 even though RFC 3748 and
	 * RFC 4137 require that reqId == lastId. In addition, it looks like
	 * Ringmaster v2.1.2.0 would be using lastId + 2 in EAP-Success.
	 *
	 * Accept this kind of Id if EAP workarounds are enabled. These are
	 * unauthenticated plaintext messages, so this should have minimal
	 * security implications (bit easier to fake EAP-Success/Failure).
	 */
	if (sm->workaround && (reqId == ((lastId + 1) & 0xff) ||
			       reqId == ((lastId + 2) & 0xff))) {
		wpa_printf(MSG_DEBUG, "EAP: Workaround for unexpected "
			   "identifier field in EAP Success: "
			   "reqId=%d lastId=%d (these are supposed to be "
			   "same)", reqId, lastId);
		return 1;
	}
	wpa_printf(MSG_DEBUG, "EAP: EAP-Success Id mismatch - reqId=%d "
		   "lastId=%d", reqId, lastId);
	return 0;
}
########################## END QUOTE

Is it correct to say that if I get to this point, it means that the
workaround mechanism is disabled on my system? (which confuses me since my
Ubuntu installation is quite a default one so I would expect this setting to
be on its default value, i.e. enabled if I read well).
Is there a way to check in realtime whether or not this feature is enabled?
Anything else to look for, given my problem?
Any help is appreciated.

Regards,

Clément Guivy
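Added example, not part of the post above and not hostap project code: a Python port of the quoted eap_success_workaround() check, with a small classifier that reads the "EAP-Success Id mismatch" debug line and says whether the eap_workaround setting could have changed the verdict. It assumes the usual meaning of the two symbols in the C code: reqId is the Identifier of the received EAP-Success, lastId is the Identifier of the last EAP-Request processed in the session, and -1 is the initial value before any request has been seen (that is my reading of the surrounding eap.c state machine, which the post does not quote). The per-network eap_workaround option in wpa_supplicant.conf (default 1) is the knob that sets sm->workaround. The first sample log line is the one from the post; the other two are constructed.

```python
import re

# Initial value of lastId in a fresh EAP session (assumption about eap.c code
# not quoted in the post): nothing can match it before the first EAP-Request.
NO_REQUEST_SEEN = -1


def eap_success_workaround(workaround: bool, req_id: int, last_id: int) -> bool:
    """Port of the quoted C function.

    True only when the workaround is enabled AND the Identifier is off by
    one or two (modulo 256, which is what the & 0xff does). An exact match
    is not this function's job; the caller tests that first.
    """
    if workaround and (req_id == ((last_id + 1) & 0xFF) or
                       req_id == ((last_id + 2) & 0xFF)):
        return True
    return False


def classify_success(workaround: bool, req_id: int, last_id: int) -> str:
    """How a received EAP-Success is treated for the given workaround setting.

    "strict"     - reqId == lastId, the RFC 3748 / RFC 4137 requirement
    "workaround" - accepted only because eap_workaround is enabled
    "mismatch"   - rejected; this is when the quoted debug line is printed
    """
    if req_id == last_id:
        return "strict"
    if eap_success_workaround(workaround, req_id, last_id):
        return "workaround"
    return "mismatch"


def workaround_would_help(req_id: int, last_id: int) -> bool:
    """True when toggling eap_workaround changes the verdict for this pair."""
    return (classify_success(True, req_id, last_id)
            != classify_success(False, req_id, last_id))


# The debug line from the post, with the two integers captured.
_MISMATCH_RE = re.compile(
    r"EAP-Success Id mismatch - reqId=(?P<req>-?\d+) lastId=(?P<last>-?\d+)")


def parse_mismatch_line(line: str):
    """Extract (reqId, lastId) from a wpa_supplicant debug line, or None."""
    m = _MISMATCH_RE.search(line)
    if m is None:
        return None
    return int(m.group("req")), int(m.group("last"))


def diagnose(line: str) -> str:
    """What one printed mismatch line implies about the workaround setting."""
    ids = parse_mismatch_line(line)
    if ids is None:
        return "not an EAP-Success Id mismatch line"
    req_id, last_id = ids
    delta = (req_id - last_id) & 0xFF
    # The line is only printed when the function returned 0, so if the
    # workaround would have accepted this pair it must have been disabled.
    if workaround_would_help(req_id, last_id):
        return (f"reqId={req_id} lastId={last_id} (off by {delta}): "
                "would be accepted with eap_workaround=1, so the workaround is off")
    if last_id == NO_REQUEST_SEEN:
        return (f"reqId={req_id} lastId={last_id}: no EAP-Request was processed "
                "in this session before the EAP-Success; rejected regardless "
                "of the workaround setting")
    return (f"reqId={req_id} lastId={last_id} (off by {delta}): "
            "rejected regardless of the workaround setting")


if __name__ == "__main__":
    sample_log = [
        "EAP: EAP-Success Id mismatch - reqId=103 lastId=-1",   # from the post
        "EAP: EAP-Success Id mismatch - reqId=7 lastId=6",      # constructed
        "EAP: EAP-Success Id mismatch - reqId=0 lastId=255",    # constructed, wraps
    ]
    for entry in sample_log:
        print(diagnose(entry))
```

Run as a script it prints one verdict per line. The pair from the post, reqId=103 with lastId=-1, can only match Identifiers 0 or 1 even with the workaround on, so that line on its own does not show the workaround is disabled; it shows the EAP-Success arrived in a session where no EAP-Request had been matched yet. The constructed pairs show the two cases where the line does mean the workaround is off, including the 255 to 0 wraparound.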
