Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-4997

wpa_supplicant doesn't send EAPOL logoff on sigterm

XMLWordPrintable

    • rhel-sst-networking-core
    • ssg_networking
    • None
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Hide

      As a system administrator,
      I want to have the option to send an EAPOL-logoff packet when wpa_supplicant disconnects,
      So that I can ensure that ports are switched to the unauthenticated state in a timely manner, enhancing security and operational control.

      Given a system administrator configuring the system to use wpa_supplicant for network authentication
      When they do not specifically enable the 802-1x.log-off-on-disconnect property
      Then the wpa_supplicant should not send an EAPOL-logoff packet upon disconnection, preserving the current default behavior.

      Definition of Done

      • The implementation meets the acceptance criteria
      • The unit tests and integration tests are written and passed
      • The code is part of a build attached to an errata
      Show
      As a system administrator, I want to have the option to send an EAPOL-logoff packet when wpa_supplicant disconnects, So that I can ensure that ports are switched to the unauthenticated state in a timely manner, enhancing security and operational control. Given a system administrator configuring the system to use wpa_supplicant for network authentication When they do not specifically enable the 802-1x.log-off-on-disconnect property Then the wpa_supplicant should not send an EAPOL-logoff packet upon disconnection, preserving the current default behavior. Definition of Done The implementation meets the acceptance criteria The unit tests and integration tests are written and passed The code is part of a build attached to an errata
    • None
    • None
    • None

      Description of problem:
      not sure if it is intended behaviour but I found old discussion [1] and patch [2] with this problem. The thing is that there are scenarios when wpa_supplicant should send EAPOL-logoff frame upon graceful exit so that port in question gets switched to unauthenticated state ASAP and relying on ctrl_interface is racy so it would make sense for wpa_supplicant to send this logoff upon graceful exit by itself.
      (When told by 'wpa_cli ... logoff', the EAPOL-logoff is sent just fine)

      I've got no strong views whether this is necessary and if so, if it should be configurable or what the default behaviour should be but it 1) can cause issues and 2) if not changed, should be IMO clearly stated why

      Version-Release number of selected component (if applicable):
      wpa_supplicant-2.10-2.el9.x86_64

      How reproducible:
      always

      Steps to Reproduce:
      1. authenticate with wpa_supplicant to wired 802.1x network
      2. kill wpa_supplicant with SIGTERM
      3.

      Actual results:
      wpa_supplicant doesn't send EAPOL-logoff packet so authenticator keeps the switch port authenticated & enabled

      Expected results:
      wpa_supplicant sends EAPOL-logoff packet so the authenticator can disable the switch port as soon as possible

      Additional info:
      [1] http://lists.shmoo.com/pipermail/hostap/2012-May/025911.html
      [2] https://patchwork.ozlabs.org/project/hostap/patch/B38921A06307F04FB687634DA7072AE70B1F696C58@MCHP057A.global-ad.net/

              nm-team Network Management Team
              djasa@redhat.com David Jaša
              Davide Caratti Davide Caratti
              Laura Trivelloni Laura Trivelloni
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: