Hello,

I am working on deploying 802.1X (EAP-TLS) over wired Ethernet, using Microsoft NPS as RADIUS server, HPE (Comware) switches, and different types of clients. While for Windows clients it's working fine, I can't get Ubuntu 16.04 LTS (wpasupplicant 2.4-0ubuntu6) to function properly.

At first it connects to the network, but then it keeps reconnecting every 1-2 minutes (while Windows clients reauth every 20 minutes as per the switches' config). But my main problem is that after a while (usually a few minutes, sometimes a bit longer) the reconnection process doesn't work anymore. If I unplug / replug the Ethernet cable on the client PC it works again for a few minutes, then drops the connection again.

On the server side I can see in the logs that after some time the client is denied (I couldn't manage to get a more verbose error, unfortunately).

I enabled verbose mode on the client side, and noticed several instances of the following message:

EAP: EAP-Success Id mismatch - reqId=103 lastId=-1

I am by no means a developer person, but I tracked that message into the source and found it in eap.c:

########################## START QUOTE
static int eap_success_workaround(struct eap_sm *sm, int reqId, int lastId)
{
	/*
	 * At least Microsoft IAS and Meetinghouse Aegis seem to be sending
	 * EAP-Success/Failure with lastId + 1 even though RFC 3748 and
	 * RFC 4137 require that reqId == lastId. In addition, it looks like
	 * Ringmaster v2.1.2.0 would be using lastId + 2 in EAP-Success.
	 *
	 * Accept this kind of Id if EAP workarounds are enabled. These are
	 * unauthenticated plaintext messages, so this should have minimal
	 * security implications (bit easier to fake EAP-Success/Failure).
	 */
	if (sm->workaround &&
	    (reqId == ((lastId + 1) & 0xff) ||
	     reqId == ((lastId + 2) & 0xff))) {
		wpa_printf(MSG_DEBUG, "EAP: Workaround for unexpected "
			   "identifier field in EAP Success: "
			   "reqId=%d lastId=%d (these are supposed to be "
			   "same)", reqId, lastId);
		return 1;
	}
	wpa_printf(MSG_DEBUG, "EAP: EAP-Success Id mismatch - reqId=%d "
		   "lastId=%d", reqId, lastId);
	return 0;
}
########################## END QUOTE

Is it correct to say that if I get to this point, it means that the workaround mechanism is disabled on my system? (Which confuses me, since my Ubuntu installation is quite a default one, so I would expect this setting to be at its default value, i.e. enabled if I read correctly.) Is there a way to check in real time whether or not this feature is enabled? Anything else to look for, given my problem?

Any help is appreciated.

Regards,
Clément Guivy

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
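Editor's added example (not part of the post above and not wpa_supplicant's own code): a stand-alone port of the quoted identifier check, so the values from the log line can be fed through it directly. The `struct eap_sm` here is a stub holding only the `workaround` flag, the `wpa_printf()` calls are dropped, and `eap_success_id_ok()` is assumed to mirror the peer state machine's acceptance rule (reqId == lastId per RFC 3748, widened to lastId+1 / lastId+2 modulo 256 only when the workaround is on). Note that the "Id mismatch" message is printed whenever the workaround branch does not fire, which happens both when `sm->workaround` is 0 and when the identifiers are simply too far apart; for reqId=103 and lastId=-1 the workaround branch cannot match in either case, since (-1+1)&0xff is 0 and (-1+2)&0xff is 1.

```c
#include <stdio.h>

/* Stub of wpa_supplicant's struct eap_sm (assumption: only the one field
 * read by the workaround check is needed for this example). */
struct eap_sm {
	int workaround;	/* 1 = EAP workarounds enabled (the default) */
};

/* Port of eap_success_workaround() from eap.c with logging removed.
 * Returns 1 if the EAP-Success Identifier is accepted under the
 * workaround, 0 if it is rejected (the "Id mismatch" path). */
static int eap_success_workaround(struct eap_sm *sm, int reqId, int lastId)
{
	if (sm->workaround &&
	    (reqId == ((lastId + 1) & 0xff) ||
	     reqId == ((lastId + 2) & 0xff)))
		return 1;
	return 0;
}

/* Assumed shape of the caller's decision: accept EAP-Success when the
 * Identifier matches the last request exactly (RFC 3748), otherwise only
 * if the workaround admits it. Returns 1 = accepted, 0 = rejected. */
int eap_success_id_ok(int workaround, int reqId, int lastId)
{
	struct eap_sm sm = { workaround };

	if (reqId == lastId)
		return 1;
	return eap_success_workaround(&sm, reqId, lastId);
}

int main(void)
{
	/* Constructed cases; the first two use the values from the posted
	 * log line. lastId = -1 is the "no request seen yet" value the
	 * peer state machine starts from, so nothing short of a matching
	 * request can make an EAP-Success acceptable. */
	struct { int workaround, reqId, lastId; } cases[] = {
		{ 1, 103,  -1 },	/* log values, workaround on  -> rejected */
		{ 0, 103,  -1 },	/* log values, workaround off -> rejected */
		{ 0,   5,   5 },	/* RFC-conformant server      -> accepted */
		{ 1,   6,   5 },	/* IAS-style lastId + 1       -> accepted */
		{ 0,   6,   5 },	/* same, workaround off       -> rejected */
		{ 1,   0, 255 },	/* lastId + 1 wrapping past 255 -> accepted */
		{ 1,   2, 255 },	/* lastId + 3 mod 256         -> rejected */
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("workaround=%d reqId=%d lastId=%d -> %s\n",
		       cases[i].workaround, cases[i].reqId, cases[i].lastId,
		       eap_success_id_ok(cases[i].workaround, cases[i].reqId,
					 cases[i].lastId) ? "accept" : "reject");
	return 0;
}
```

The practical check this suggests: look in the same debug log for the EAP-Request that should precede the EAP-Success and compare its Identifier with the one in the Success. A lastId of -1 means wpa_supplicant had not recorded any request in that session when the Success arrived, which points at the session having been reset (the state machine reinitialised, e.g. by a link event) rather than at the workaround setting; whether workarounds are on is controlled per network block by wpa_supplicant's `eap_workaround` option, which defaults to enabled.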