Hi,

I am running into a problem where the radius server thinks there was a duplicate access request during FILS reassociation. I have two EAP/FILS enabled APs. Here is the sequence of events:

- Authenticate over EAP to AP1
- Disconnect from AP1 and authenticate using FILS to AP1
- Reassociate to AP2 using FILS

Everything appears to be working fine initially (my identity is found) but then the radius server throws the message away claiming the sequence number is a duplicate:

RADIUS SRV: Creating a new session
RADIUS SRV: User-Name - hexdump_ascii(len=28):
     35 37 30 66 64 33 34 37 63 33 36 35 61 65 30 31   570fd347c365ae01
     40 65 78 61 6d 70 6c 65 2e 63 6f 6d               @example.com
hostapd_radius_get_eap_user: Failed to find user
RADIUS SRV: Matching user entry found
RADIUS SRV: Calling-Station-Id: 02:00:00:00:02:00
RADIUS SRV: [0x6 127.0.0.1] New session created
EAP: Server state machine created
RADIUS SRV: New session 0x6 initialized
RADIUS SRV: Received EAP data - hexdump(len=55): 05 00 00 37 02 00 00 00 01 1c 35 37 30 66 64 33 34 37 63 33 36 35 61 65 30 31 40 65 78 61 6d 70 6c 65 2e 63 6f 6d 02 a7 b6 c0 eb 19 80 b7 24 82 1a a2 d4 44 a7 09 27
EAP: EAP entering state INITIALIZE
EAP: parseEapResp: rxResp=0 rxInitiate=1 respId=0 respMethod=2 respVendor=0 respVendorMethod=0
: CTRL-EVENT-EAP-STARTED 00:00:00:00:00:00
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: no identity known yet -> CONTINUE
EAP: EAP entering state INITIATE_RECEIVED
EAP: EAP-Initiate/Re-Auth - hexdump(len=50): 00 00 00 01 1c 35 37 30 66 64 33 34 37 63 33 36 35 61 65 30 31 40 65 78 61 6d 70 6c 65 2e 63 6f 6d 02 a7 b6 c0 eb 19 80 b7 24 82 1a a2 d4 44 a7 09 27
EAP: Flags=0x0 SEQ=0
EAP: EAP-Initiate/Re-auth - keyName-NAI - hexdump_ascii(len=28):
     35 37 30 66 64 33 34 37 63 33 36 35 61 65 30 31   570fd347c365ae01
     40 65 78 61 6d 70 6c 65 2e 63 6f 6d               @example.com
EAP: SEQ=0 replayed (already received SEQ=0)
RADIUS SRV: No EAP data from the state machine - ignore this Access-Request silently (assuming it was a duplicate)

And sure enough, if I remove the sequence number check it all works as expected and I am able to reassociate:

diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c index 0b7a5b98c..e0f4259bb 100644 --- a/src/eap_server/eap_server.c +++ b/src/eap_server/eap_server.c @@ -886,13 +886,6 @@ SM_STATE(EAP, INITIATE_RECEIVED) goto report_error; } - if (erp->recv_seq != (u32) -1 && erp->recv_seq >= seq) { - wpa_printf(MSG_DEBUG, - "EAP: SEQ=%u replayed (already received SEQ=%u)", - seq, erp->recv_seq); - goto fail; - } - /* Is there enough room for Cryptosuite and Authentication Tag? */ start = parse.keyname + parse.keyname_len; max_len = end - start;

Thanks,
James
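
Review bot: Deleting the `erp->recv_seq >= seq` comparison in SM_STATE(EAP, INITIATE_RECEIVED) removes the only replay rejection visible in this hunk, so an EAP-Initiate/Re-auth message carrying an already-used SEQ would go straight on to the Cryptosuite and Authentication Tag parsing and be treated as fresh. The log shows the request arriving with SEQ=0 after SEQ=0 had already been recorded for the same keyName-NAI, so the point to establish is why the sequence number did not advance between the FILS authentication to AP1 and the reassociation to AP2, rather than dropping the check. If the condition does need to change, keep the `goto fail` path and narrow the comparison, and state in the commit message which case it is meant to allow.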
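
The replay check behind the "SEQ=0 replayed" line, applied to the EAP-Initiate/Re-auth bytes from the log, as an added example (not hostapd code and not part of the original message). The field layout follows RFC 6696; `erp_parse`, `erp_seq_fresh`, `erp_receive` and the per-key `recv_seq` variable are hypothetical names, and the Authentication Tag is not verified.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SEQ_NONE ((uint32_t) -1) /* no SEQ accepted yet for this key */
static const uint8_t pkt[55] = { /* copied from the "Received EAP data" hexdump */
    0x05,0x00,0x00,0x37,0x02,0x00,0x00,0x00,0x01,0x1c,
    '5','7','0','f','d','3','4','7','c','3','6','5','a','e','0','1','@','e','x','a',
    'm','p','l','e','.','c','o','m',0x02,0xa7,0xb6,0xc0,0xeb,0x19,0x80,0xb7,
    0x24,0x82,0x1a,0xa2,0xd4,0x44,0xa7,0x09,0x27 };
struct erp_msg { uint16_t seq; uint8_t cryptosuite; char keyname[64]; };

/* Code|Id|Length|Type|Flags|SEQ|keyName-NAI TLV|Cryptosuite|Authentication Tag.
 * Simplification: keyName-NAI (TLV type 1) must be the first TLV, as it is here. */
int erp_parse(const uint8_t *b, size_t len, struct erp_msg *m)
{
    if (len < 10 || b[0] != 5 || b[4] != 2 || b[8] != 1)
        return -1;
    size_t elen = ((size_t) b[2] << 8) | b[3], klen = b[9];
    if (elen > len || 10 + klen + 1 > elen || klen >= sizeof(m->keyname))
        return -1;
    m->seq = (uint16_t) ((b[6] << 8) | b[7]);
    memcpy(m->keyname, b + 10, klen);
    m->keyname[klen] = '\0';
    m->cryptosuite = b[10 + klen];
    return 0; /* the tag needs the rIK and is not verified in this sketch */
}

/* Same comparison as the removed lines: only a SEQ above the last one passes. */
int erp_seq_fresh(uint32_t recv_seq, uint16_t seq)
{
    return recv_seq == SEQ_NONE || recv_seq < seq;
}

/* Returns 0 = accepted (state advanced), -1 = malformed, -2 = replayed. */
int erp_receive(const uint8_t *b, size_t len, uint32_t *recv_seq, struct erp_msg *m)
{
    if (erp_parse(b, len, m) < 0) return -1;
    if (!erp_seq_fresh(*recv_seq, m->seq)) return -2;
    *recv_seq = m->seq;
    return 0;
}

int main(void)
{
    uint32_t recv_seq = SEQ_NONE; /* hypothetical per-key server state */
    struct erp_msg m;
    for (int i = 1; i <= 2; i++) /* the same SEQ=0 message presented twice */
        printf("attempt %d -> %d\n", i, erp_receive(pkt, sizeof(pkt), &recv_seq, &m));
    return 0;
}
```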