EAPOL auth: Disconnect after IEEE 802.1X failure
The EAPOL authenticator was previously forcing disconnection in the WPS use case. However, this can be a beneficial operation with any IEEE 802.1X authentication mechanism and need not be limited to WPS. This helps some use cases like EAP-FAST where provisioning may require two authentication runs if the authentication server does not allow the PAC provisioning step to be used for normal data connection. While the station would be free to decide to re-associate in such a case, not all stations do and as such, it helps if the AP does that instead of leaving the association up with the EAPOL state machine in HELD state for 60 seconds.
parent 88dc899a1b
commit fd8e4fda50
1 changed files with 9 additions and 6 deletions
|
@ -2080,14 +2080,18 @@ static void ieee802_1x_finished(struct hostapd_data *hapd,
|
||||||
"Added PMKSA cache entry (IEEE 802.1X)");
|
"Added PMKSA cache entry (IEEE 802.1X)");
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef CONFIG_WPS
|
if (!success) {
|
||||||
if (!success && (sta->flags & WLAN_STA_WPS)) {
|
|
||||||
/*
|
/*
|
||||||
* Many devices require deauthentication after WPS provisioning
|
* Many devices require deauthentication after WPS provisioning
|
||||||
* and some may not be be able to do that themselves, so
|
* and some may not be be able to do that themselves, so
|
||||||
* disconnect the client here.
|
* disconnect the client here. In addition, this may also
|
||||||
|
* benefit IEEE 802.1X/EAPOL authentication cases, too since
|
||||||
|
* the EAPOL PAE state machine would remain in HELD state for
|
||||||
|
* considerable amount of time and some EAP methods, like
|
||||||
|
* EAP-FAST with anonymous provisioning, may require another
|
||||||
|
* EAPOL authentication to be started to complete connection.
|
||||||
*/
|
*/
|
||||||
wpa_printf(MSG_DEBUG, "WPS: Force disconnection after "
|
wpa_printf(MSG_DEBUG, "IEEE 802.1X: Force disconnection after "
|
||||||
"EAP-Failure");
|
"EAP-Failure");
|
||||||
/* Add a small sleep to increase likelihood of previously
|
/* Add a small sleep to increase likelihood of previously
|
||||||
* requested EAP-Failure TX getting out before this should the
|
* requested EAP-Failure TX getting out before this should the
|
||||||
|
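Review bot: widening the condition from `if (!success && (sta->flags & WLAN_STA_WPS))` to `if (!success)` and dropping the `#ifdef CONFIG_WPS` guard means every failed IEEE 802.1X authentication now ends in an immediate disconnect, so the HELD period that the new comment refers to no longer spaces out a station's failed attempts: the station can reassociate and start another EAPOL run straight away. If that pacing of retries matters to a deployment, this should sit behind a configuration option, or the comment should state that the trade-off is intentional. The unchanged comment line above the new text also still carries the "be be" typo, which could be fixed while this block is being touched.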
@ -2095,7 +2099,6 @@ static void ieee802_1x_finished(struct hostapd_data *hapd,
|
||||||
*/
|
*/
|
||||||
os_sleep(0, 10000);
|
os_sleep(0, 10000);
|
||||||
ap_sta_disconnect(hapd, sta, sta->addr,
|
ap_sta_disconnect(hapd, sta, sta->addr,
|
||||||
WLAN_REASON_PREV_AUTH_NOT_VALID);
|
WLAN_REASON_IEEE_802_1X_AUTH_FAILED);
|
||||||
}
|
}
|
||||||
#endif /* CONFIG_WPS */
|
|
||||||
}
|
}
|
||||||
|
|
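Review bot: the reason code passed to `ap_sta_disconnect()` changes from `WLAN_REASON_PREV_AUTH_NOT_VALID` to `WLAN_REASON_IEEE_802_1X_AUTH_FAILED` for WPS stations too, which is a behaviour change for the case this block was originally written for and is not mentioned in the commit message. Either keep the old reason when `sta->flags & WLAN_STA_WPS` is set, or state in the commit message that the new code is acceptable for WPS clients. Separately, `os_sleep(0, 10000)` now runs on every failed authentication rather than only for WPS; a deferred disconnect would avoid sleeping in this path.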