On Tue, Aug 06, 2019 at 04:40:34PM +0200, Flole wrote: > I have a WPA2 Enterprise Network configured running hostapd 2.5 and I had a > device do the EAP Handshake and in the middle of the Handshake there were 2 > packets targeted to that device sent to the Access Point to be forwarded to > the client (meaning its target IP/Mac was set to the clients IP/Mac). The > packets were forwarded unencrypted on-air and it is visible in a wifi > capture in clear text, even though this is a WPA2 Enterprise encrypted > network. I think under no circumstances should any data packet be sent > unencrypted, and that sending of the packets should either be delayed or the > packets should be discarded at that point because the client is not > currently fully connected. Just to be clear on this, hostapd does not send these frames, i.e., forwarding of data frames is completely outside the scope of hostapd and it is done by the kernel networking stack and WLAN driver. Which WLAN hardware (vendor/model) and driver are you using? > Is this known? Has someone seen something similar? is this intended? Is this > maybe fixed in a newer version (the changelog doesnt indicate that)? This sounds like a bug in the driver. hostapd marks specific station as authorized only after having successfully completed the WPA2 4-way handshake, i.e., only once the encryption keys are configured. The kernel code is supposed to drop packets that might show up for forwarding to a station that has associated, but not yet being marked authorized. -- Jouni Malinen PGP id EFC895FA _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
