wpa_supplicant responding to unicast packets for another host

Environment

  • Red Hat Enterprise Linux (RHEL) 7
  • wpa_supplicant-2.6-9.el7

Issue

wpa_supplicant changes its state when it receives packets that are being sent to a virtual machine inside VMware Workstation operating in bridged mode. For example, it ends up in the FAIL state when a Windows box inside the virtual machine is authenticating itself.

The issue is 100% reproducible: wpa_supplicant answers anything, no matter what destination MAC address the RADIUS server sends it to.

The

# wpa_cli status

command keeps showing errors, so we never know whether the status information is correct.

Resolution

Root Cause

Previously, when wpa_supplicant was running on a Linux interface that was configured in promiscuous mode, incoming Extensible Authentication Protocol over LAN (EAPOL) packets were processed regardless of the destination address in the frame. However, wpa_supplicant checked the destination address only if the interface was enslaved to a bridge. As a consequence, in certain cases, wpa_supplicant was responding to EAPOL packets when the destination address was not the interface address. With this update, a socket filter has been added that allows the kernel to discard unicast EAPOL packets whose destination address does not match the interface address, and the described problem no longer occurs.
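The destination check described above, written as a user-space model. This is an added example, not wpa_supplicant's or the kernel's filter code; the function names and the MAC addresses are constructed for illustration. Group-addressed EAPOL frames still pass, because the fix discards only unicast frames addressed to another station.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 6
#define ETH_HDR_LEN 14
#define ETHERTYPE_EAPOL 0x888E

/* Constructed sample addresses (assumptions, not taken from the article). */
static const uint8_t HOST_MAC[MAC_LEN]  = {0x52, 0x54, 0x00, 0xaa, 0xbb, 0x01};
static const uint8_t VM_MAC[MAC_LEN]    = {0x00, 0x0c, 0x29, 0x11, 0x22, 0x33};
static const uint8_t PAE_GROUP[MAC_LEN] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x03};
static const uint8_t AUTH_MAC[MAC_LEN]  = {0x02, 0x00, 0x00, 0x00, 0x00, 0x10};

/* Build a constructed EAPOL frame carrying an EAP-Request/Identity. */
size_t make_eapol(uint8_t *buf, const uint8_t *dst)
{
    static const uint8_t body[] = {0x02, 0x00, 0x00, 0x05,        /* EAPOL header */
                                   0x01, 0x01, 0x00, 0x05, 0x01}; /* EAP request  */
    memcpy(buf, dst, MAC_LEN);
    memcpy(buf + MAC_LEN, AUTH_MAC, MAC_LEN);
    buf[12] = ETHERTYPE_EAPOL >> 8;
    buf[13] = ETHERTYPE_EAPOL & 0xff;
    memcpy(buf + ETH_HDR_LEN, body, sizeof(body));
    return ETH_HDR_LEN + sizeof(body);
}

/* Return 1 to hand the frame to the supplicant, 0 to discard it. */
int eapol_rx_filter(const uint8_t *frame, size_t len, const uint8_t *own_addr)
{
    if (frame == NULL || len < ETH_HDR_LEN)
        return 0;                       /* truncated Ethernet header */
    if (((frame[12] << 8) | frame[13]) != ETHERTYPE_EAPOL)
        return 0;                       /* not EAPOL */
    if (frame[0] & 0x01)
        return 1;                       /* group address, e.g. the PAE group */
    return memcmp(frame, own_addr, MAC_LEN) == 0; /* unicast: must be ours */
}

int main(void)
{
    uint8_t f[32];
    const uint8_t *dsts[] = {HOST_MAC, VM_MAC, PAE_GROUP};
    const char *names[] = {"host", "bridged VM", "PAE group"};
    for (int i = 0; i < 3; i++) {
        size_t n = make_eapol(f, dsts[i]);
        printf("dst=%-10s -> %s\n", names[i],
               eapol_rx_filter(f, n, HOST_MAC) ? "accept" : "drop");
    }
    return 0;
}
```

In promiscuous mode the interface receives the frame addressed to the bridged VM, so without this check the host's supplicant would process the VM's authentication exchange as its own.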
