wpa_supplicant: multiple supplicants on the same switch port

Ralf Wenk iz-wpas2017 at hs-karlsruhe.de
Wed Jan 17 05:34:06 PST 2018

	Multiple wpa_supplicants on the same switch port are triggering
	each others EAP state machine.


is there a way to tell wpa_supplicant, when called with the -Dwired option,
to use the switch port MAC address as ethernet destination address?

We have a scenario here where several users could be authenticated via 
802.1x by one switch port.
E.g. by using an EAP-pass-through switch connected to a 802.1x enabled port
of an other switch.

If we use more than one "wpa_supplicant -Dwired" on such a port, they get
the EAP messages of the other wpa_supplicant(s) because the destination
address of wpa_supplicant's EAP messages is always set to the ethernet
multicast address.
Those EAP messages trigger the local wpa_supplicant's EAP state machine
which in turn reauthenticates after 30 seconds. Which triggers the EAP
state machine of the other wpa_supplicants and in 30 seconds ...
You get the picture.

By comparing with the Windows 10 802.1x supplicant implementation,
we found that this supplicant uses the switch port MAC address as
ethernet destination address after its initial EAPOL Start package to
the ethernet multicast address. So it does not trigger wpa_supplicant's
EAP state machine.

According to IEEE Std 802.1X-2010 11.1.1 the destination address could
either the group destination address or the peer PAE.

If it is not possible to change the behavior via a configuration option,
may be it is possible to change the default in the source code?

-- Ralf

More information about the Hostap mailing list