Abstract: Multiple wpa_supplicants on the same switch port are triggering each other's EAP state machine.

Hello,

is there a way to tell wpa_supplicant, when called with the -Dwired option, to use the switch port MAC address as ethernet destination address?

We have a scenario here where several users could be authenticated via 802.1x by one switch port. E.g. by using an EAP-pass-through switch connected to a 802.1x enabled port of another switch.

If we use more than one "wpa_supplicant -Dwired" on such a port, they get the EAP messages of the other wpa_supplicant(s) because the destination address of wpa_supplicant's EAP messages is always set to the ethernet multicast address. Those EAP messages trigger the local wpa_supplicant's EAP state machine, which in turn reauthenticates after 30 seconds. Which triggers the EAP state machine of the other wpa_supplicants and in 30 seconds ... You get the picture.

By comparing with the Windows 10 802.1x supplicant implementation, we found that this supplicant uses the switch port MAC address as ethernet destination address after its initial EAPOL Start package to the ethernet multicast address. So it does not trigger wpa_supplicant's EAP state machine.

According to IEEE Std 802.1X-2010 11.1.1 the destination address could either be the group destination address or the peer PAE.

If it is not possible to change the behavior via a configuration option, maybe it is possible to change the default in the source code?

--
Ralf

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
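The delivery difference described in the message above, as an added example that is not part of the original post or of the hostap code: it builds and parses EAPOL frames and lists which stations on a shared port would process each one. The station names, MAC addresses and the delivery model (group-addressed frames reach every other station behind the pass-through switch, unicast frames reach only the owner of the destination MAC) are assumptions made for illustration.

```python
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
ETH_P_EAPOL = 0x888E                            # EAPOL EtherType
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

# Constructed sample stations (locally administered MACs, not from the post).
STATIONS = {
    "authenticator": bytes.fromhex("020000000001"),
    "supplicant_a": bytes.fromhex("02000000000a"),
    "supplicant_b": bytes.fromhex("02000000000b"),
}

def build_eapol(dst, src, pkt_type, body=b""):
    """Ethernet header + EAPOL header (version, type, body length) + body."""
    return dst + src + struct.pack("!HBBH", ETH_P_EAPOL, 2, pkt_type, len(body)) + body

def parse_eapol(frame):
    """Return (dst, src, type name) for a well-formed EAPOL frame, else None."""
    if len(frame) < 18:
        return None
    ethertype, _version, pkt_type, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETH_P_EAPOL or len(frame) < 18 + length:
        return None
    return frame[:6], frame[6:12], EAPOL_TYPES.get(pkt_type, "unknown")

def receivers(frame, stations=STATIONS):
    """Names of stations that would process this frame under the assumed model:
    group-addressed frames reach every other station on the shared port,
    unicast frames reach only the station that owns the destination MAC."""
    parsed = parse_eapol(frame)
    if parsed is None:
        return []
    dst, src, _ = parsed
    return sorted(n for n, mac in stations.items()
                  if mac != src and dst in (PAE_GROUP_ADDR, mac))

def demo():
    a, auth = STATIONS["supplicant_a"], STATIONS["authenticator"]
    identity = struct.pack("!BBHB", 2, 1, 6, 1) + b"a"  # EAP-Response/Identity
    return {
        "start_group": receivers(build_eapol(PAE_GROUP_ADDR, a, 1)),
        "eap_group": receivers(build_eapol(PAE_GROUP_ADDR, a, 0, identity)),
        "eap_unicast": receivers(build_eapol(auth, a, 0, identity)),
    }

if __name__ == "__main__":
    for name, seen_by in demo().items():
        print(f"{name}: {seen_by}")
```

In this model the second supplicant sees every group-addressed frame from the first, while the frame addressed to the authenticator's MAC reaches the authenticator only.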