MACsec: EAPOL-MKA is not starting on hostap


 



Hi

I'm facing a problem with MACsec setup on a wired connection with the latest hostap release v2.9. My setup is trivial (just for testing) - HOSTAP and RADIUS on the same machine, communicating via the RADIUS protocol over 127.0.0.1.
The wpa_supplicant is requesting service from another machine connected to HOSTAP via a network interface. EAP frame exchange for authorization between wpa_supplicant and HOSTAP takes place via multicast address 01:80:c2:00:00:03.

The problem:
1) The wpa_supplicant is successfully authenticated @RADIUS, which is indicated by the 'Success' EAP frame sent by the HOSTAP. At this moment the MKA should step in.
2) The wpa_supplicant sends an EAPOL-MKA frame, which to my understanding is a kind of heartbeat or indicator. The HOSTAP does not respond with any EAPOL-MKA frames and does not send any EAPOL frame afterwards.
3) The EAPOL-MKA "indicator" is repeated 3 more times by the wpa_supplicant and this is the end.

The fragment of debug trace from hostapd at the stage of authentication finish:
...
...
EAP: EAP entering state SUCCESS2
enp0s8: CTRL-EVENT-EAP-SUCCESS2 08:00:27:6e:f4:d8
IEEE 802.1X: 08:00:27:6e:f4:d8 BE_AUTH entering state SUCCESS
enp0s8: STA 08:00:27:6e:f4:d8 IEEE 802.1X: Sending EAP Packet (identifier 112)
IEEE 802.1X: 08:00:27:6e:f4:d8 AUTH_PAE entering state AUTHENTICATED
enp0s8: STA 08:00:27:6e:f4:d8 IEEE 802.1X: authorizing port
enp0s8: STA 08:00:27:6e:f4:d8 IEEE 802.1X: authenticated - EAP type: 13 (TLS)
IEEE 802.1X: External notification - Create MKA for 08:00:27:6e:f4:d8
MACsec: Successfully fetched key (len=64)
MSK:  - hexdump(len=64): [REMOVED]
MACsec: Failed to get SessionID from EAPOL state machines
IEEE 802.1X: Could not get EAP Session Id
...
...

The last two lines of the above trace point to a problem I cannot explain. Please advise.
My hostapd.conf settings are:
ieee8021x=1
eapol_version=3
eapol_key_index_workaround=0

use_pae_group_addr=1
driver=macsec_linux
macsec_policy=1
eap_server=0
own_ip_addr=127.0.0.1
radius_client_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
acct_server_addr=127.0.0.1
acct_server_port=1813
acct_server_shared_secret=testing123

Interestingly, if I use the same hostapd binary but change the hostapd.conf for the in-built EAP authenticator instead of the external RADIUS server, then the EAPOL-MKA wakes up and MACsec is successfully enabled.

The "Failed to get SessionID..." lines are not observed in the trace output and the HOSTAP sends EAPOL-MKA frames. My hostapd.conf settings for the "good" case differ from the above configuration only in 'eap_server=1' and the paths to the user file and certificates.
Of course, the RADIUS related section is entirely commented out.

Please give me a clue as to what could be the problem in the "bad" case. What is the root cause of the following trace output?
MACsec: Failed to get SessionID from EAPOL state machines
IEEE 802.1X: Could not get EAP Session Id

Thanks in advance,
Andre



_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
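
A small triage script for the trace in the post above, added here as an example and not part of the original message or of hostapd: it walks hostapd debug lines and reports stations whose port was authorized while MKA setup stopped at the Session-Id error. The function names and the rule that attributes the MAC-less `MACsec:` lines to the station in the latest `Create MKA for` line are assumptions.

```python
import re

# Constructed sample: hostapd debug lines as quoted in the post above.
SAMPLE = """\
IEEE 802.1X: 08:00:27:6e:f4:d8 AUTH_PAE entering state AUTHENTICATED
enp0s8: STA 08:00:27:6e:f4:d8 IEEE 802.1X: authorizing port
enp0s8: STA 08:00:27:6e:f4:d8 IEEE 802.1X: authenticated - EAP type: 13 (TLS)
IEEE 802.1X: External notification - Create MKA for 08:00:27:6e:f4:d8
MACsec: Successfully fetched key (len=64)
MACsec: Failed to get SessionID from EAPOL state machines
IEEE 802.1X: Could not get EAP Session Id
""".splitlines()

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
AUTHORIZED = re.compile(r"STA " + MAC + r" IEEE 802\.1X: authorizing port", re.I)
CREATE_MKA = re.compile(r"Create MKA for " + MAC, re.I)
# These two messages carry no MAC address; this script assumes they belong
# to the station named in the most recent "Create MKA for" line.
MSK_OK = "MACsec: Successfully fetched key"
SID_FAIL = "MACsec: Failed to get SessionID"


def triage(lines):
    """Map each station MAC to how far it got after EAP success."""
    stations, current = {}, None

    def state(mac):
        return stations.setdefault(mac.lower(), {
            "authorized": False, "mka_requested": False,
            "msk_fetched": False, "session_id_failed": False})

    for line in lines:
        if m := AUTHORIZED.search(line):
            state(m.group(1))["authorized"] = True
        elif m := CREATE_MKA.search(line):
            current = m.group(1)
            state(current)["mka_requested"] = True
        elif current and MSK_OK in line:
            state(current)["msk_fetched"] = True
        elif current and SID_FAIL in line:
            state(current)["session_id_failed"] = True
    return stations


def authorized_without_mka(lines):
    """Stations whose port was authorized but whose MKA setup hit the Session-Id error."""
    return sorted(mac for mac, s in triage(lines).items()
                  if s["authorized"] and s["session_id_failed"])


if __name__ == "__main__":
    for mac in authorized_without_mka(SAMPLE):
        print(f"{mac}: port authorized, MKA not started (no EAP Session-Id)")
```
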



