RHEL-1430

[NMCI] NM should set ethernet layer up before calling wpa_supplicant to perform EAPOL login (8021x_hostapd_freeradius_doc_procedure)


      Description of problem:
      This was a mysterious issue in nmci: 8021x_hostapd_freeradius_doc_procedure failed quite consistently on el8, where wpa_supplicant called from the shell most times successfully authenticated against radius, but then NM failed to bring up the connection because wpa_supplicant the systemd service timed out waiting for any EAPOL reply (and NM then errored out with an unhelpful error of no secrets available). Network topology is:

      no NS | vethsetup NS
      ----------------
      br0
      test1 + test1b eth4 +--|-- (uplink)
      ----------------

      +-- hostapd listens on br0
      +-- wpa_supplicant connects to test1

      and the statuses of the relevant interfaces before calling wpa_supplicant and 'nmcli c up ...' are:
      68: test1@test1b: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
      link/ether 1e:fa:8e:06:df:81 brd ff:ff:ff:ff:ff:ff
      67: test1b@test1: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br0 state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
      link/ether 1a:87:1f:1d:5e:e9 brd ff:ff:ff:ff:ff:ff
      66: br0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
      link/ether 1a:87:1f:1d:5e:e9 brd ff:ff:ff:ff:ff:ff
      38: eth4@if37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP mode DEFAULT group default qlen 1000
      link/ether 86:56:b1:74:c0:fc brd ff:ff:ff:ff:ff:ff link-netns vethsetup

      When the test1 interface is brought up using 'ip l set test1 up', the test consistently passes. So the likely explanation is that NM instructs wpa_supplicant.service to perform EAPOL login on an interface whose link is down - and wpa_supplicant the systemd service then fails. IMO NM shouldn't leave bringing up the link layer to wpa_supplicant and it should do so itself before calling wpa_supplicant.

      Version-Release number of selected component (if applicable):
      main, 1.38, 1.36, 1.34 on el8 (el9 seems unaffected)

      Acceptance Criteria:
      Given the 8021x_hostapd_freeradius_doc_procedure test case and a RHEL machine

      When the 8021x_hostapd_freeradius_doc_procedure test case is executed in the RHEL machine

      Then NM should ensure that the interface used by wpa_supplicant to connect is up before instructing wpa_supplicant.service to perform EAPOL login on the interface.

              nm-team Network Management Team
              djasa@redhat.com David Jaša
              Network Management Team Network Management Team
              Desktop QE Desktop QE
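
A pre-flight check for the condition this report describes, added here as an example (it is not nmci, NetworkManager or wpa_supplicant code): it classifies an interface from its `ip link` flags so a test harness can tell an administratively down supplicant interface from one that only lacks carrier. The function names `link_state` and `eapol_precheck` are hypothetical; the sample lines are copied from the report.

```shell
#!/bin/sh
# Header lines copied from the `ip link` output quoted in the report.
SAMPLE_LINKS='68: test1@test1b: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 1e:fa:8e:06:df:81 brd ff:ff:ff:ff:ff:ff
67: test1b@test1: <NO-CARRIER,BROADCAST,MULTICAST,UP,M-DOWN> mtu 1500 qdisc noqueue master br0 state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
66: br0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
38: eth4@if37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP mode DEFAULT group default qlen 1000'

# link_state IFACE: read `ip link` text on stdin and print one of
#   admin-down  IFF_UP is not set, so no EAPOL frame can leave the interface
#   no-carrier  administratively up, but LOWER_UP is missing (peer down)
#   ready       both UP and LOWER_UP are set
#   missing     the interface does not appear in the input
link_state() {
    awk -v want="$1" '
        /^[0-9]+: / {
            name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
            if (name != want) next
            flags = $3; gsub(/[<>]/, "", flags)
            n = split(flags, f, ",")
            up = 0; lower = 0
            for (i = 1; i <= n; i++) {
                if (f[i] == "UP") up = 1
                if (f[i] == "LOWER_UP") lower = 1
            }
            s = up ? (lower ? "ready" : "no-carrier") : "admin-down"
            print s
            found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# eapol_precheck IFACE: succeed only when the supplicant-facing interface is
# ready; otherwise report on stderr what has to be fixed first.
eapol_precheck() {
    state=$(link_state "$1")
    case $state in
        ready)      return 0 ;;
        admin-down) echo "$1: administratively down; run: ip link set $1 up" >&2 ;;
        no-carrier) echo "$1: up but no carrier; check the peer or bridge side" >&2 ;;
        *)          echo "$1: not present in ip link output" >&2 ;;
    esac
    return 1
}

# Demo over the sample; on a live host use: ip link show | eapol_precheck test1
for i in test1 test1b br0 eth4; do
    printf '%s: %s\n' "$i" "$(printf '%s\n' "$SAMPLE_LINKS" | link_state "$i")"
done
```

On the interfaces in the report this classifies test1 as admin-down and its veth peer test1b as no-carrier, consistent with the observation that 'ip l set test1 up' makes the test pass.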