wpa_supplicant: does not handle wired reauthentication
Paul Szabo
paul.szabo at sydney.edu.au
Sat Dec 20 11:23:10 PST 2025
I use wpa_supplicant to handle 802.1X EAP-TLS authentication on wired
networks. Though it works perfectly at boot time, wpa_supplicant does
not reauthenticate after a brief network interruption e.g. an unplug
and reconnect of the network cable or a reboot of the network switch,
causing the network switch to block the port.

Is there some configuration option for wpa_supplicant to reauthenticate?

My solution (for now) is to add a "watcher" script, started as a systemd
service, to do "wpa_cli reassociate" whenever the state of the network
cable changes.

Thanks, Paul

--
Paul Szabo psz at maths.usyd.edu.au www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics University of Sydney Australia
===
My /etc/network/interfaces file:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp
    wpa-driver wired
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

===
My /etc/wpa_supplicant/wpa_supplicant.conf file:

network={
    key_mgmt=WPA-EAP
    eap=TLS
    identity="my_id_name"
    client_cert="/etc/wpa_supplicant/my_id_name.crt"
    private_key="/etc/wpa_supplicant/my_id_name.key"
    ca_cert="/etc/wpa_supplicant/my_ca_name.crt"
}

===
My watcher script (in case it may be useful to others):

#!/bin/bash -

INTERFACE="eth0"

function logme () {
    # Could write our own logfile:
    #echo -E "$(date): $*" >> /var/log/wpa_watch.log
    # or could explicitly syslog with:
    #logger -t "wpa_watch[$$]" "$*"
    # but no need, systemd will syslog any STDOUT or STDERR
    echo -E "$*"
}

function getstate () {
    # Record both operstate (up/down) and also carrier_changes (number)
    # so can detect short-lived dropouts, regardless of how often we check
    CURR_STATE="$(< "/sys/class/net/$INTERFACE/operstate"):$(< "/sys/class/net/$INTERFACE/carrier_changes")"
}

# May not need this initialization (but neater to have)
getstate; LAST_STATE=$CURR_STATE
logme "Starting for $INTERFACE - state is now $CURR_STATE"

while :; do
    getstate
    if [ "$CURR_STATE" != "$LAST_STATE" ]; then
        LAST_STATE="$CURR_STATE"
        # Seems that asking wpa_supplicant to reassociate is sufficient, it is
        # then able to reauthenticate. This action seems harmless in terms of
        # network accessibility, and is useful even while the network is down as
        # then wpa_supplicant can reauthenticate as soon as the network comes up.
        # Note that wpa_cli uses socket /run/wpa_supplicant/$INTERFACE .
        logme "$INTERFACE state now $CURR_STATE - will ask wpa_supplicant to reassociate"
        wpa_cli -i "$INTERFACE" reassociate
    fi
    # Check often enough, not longer than the time of shortest possible
    # network dropout and then DHCP bind. Though we would "notice" with
    # our check of carrier changes, but may be too late: dhcpcd might get
    # the "quarantine IP" for an hour!
    # Testing shows that 10 secs would be too long.
    sleep 2
done

===
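
Added example, not part of the original post: the watcher's check restructured in POSIX sh so it can be exercised against a constructed sysfs tree, which shows that a cable flap falling entirely between two polls (operstate "up" both times) is still caught through carrier_changes. SYSFS_NET, REAUTH_CMD, link_state, poll_once and watch_loop are names assumed for this sketch; unlike the original script, it keeps the old state when the interface is unreadable or the reassociate request fails, so the next poll retries.

```shell
#!/bin/sh
# Added example (not from the original post). SYSFS_NET, REAUTH_CMD and the
# function names are assumptions made for this sketch.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"  # override to point at a test tree
REAUTH_CMD="${REAUTH_CMD:-wpa_cli}"       # override to stub out wpa_cli

# Print "operstate:carrier_changes" for interface $1.
# Fails (status 1) if the interface has disappeared from sysfs.
link_state() {
    _dir="$SYSFS_NET/$1"
    [ -r "$_dir/operstate" ] && [ -r "$_dir/carrier_changes" ] || return 1
    printf '%s:%s\n' "$(cat "$_dir/operstate")" "$(cat "$_dir/carrier_changes")"
}

# One polling step: $1 = interface, $2 = state string from the previous poll.
# Leaves the state to carry forward in NEW_STATE and returns:
#   0  state changed, reassociate requested
#   1  no change
#   2  interface unreadable, previous state kept
#   3  reassociate request failed, previous state kept so the next poll retries
poll_once() {
    NEW_STATE="$(link_state "$1")" || { NEW_STATE="$2"; return 2; }
    [ "$NEW_STATE" != "$2" ] || return 1
    echo "$1 state now $NEW_STATE (was $2) - asking wpa_supplicant to reassociate"
    "$REAUTH_CMD" -i "$1" reassociate || { NEW_STATE="$2"; return 3; }
    return 0
}

# Poll every 2 seconds, the interval used in the original script.
watch_loop() {
    state="$(link_state "$1")" || state="unknown"
    while :; do
        poll_once "$1" "$state" || true
        state="$NEW_STATE"
        sleep 2
    done
}

# Run the loop only when an interface name is given as the first argument.
if [ "$#" -gt 0 ]; then
    watch_loop "$1"
fi
```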