wpa_supplicant responding to unicast packets for another host
Environment
- Red Hat Enterprise Linux (RHEL) 7
- wpa_supplicant-2.6-9.el7
Issue
The wpa_supplicant changes its state when receiving packets that are being sent to a virtual machine inside VMware Workstation operating in bridged mode. For example, it ends up in the FAIL state when a Windows box inside the virtual machine is authenticating itself.
The issue is 100% reproducible: wpa_supplicant answers to anything, no matter what destination MAC address the RADIUS server sends it to.
The wpa_cli status command keeps showing errors, so we never know whether the status information is correct.
Resolution
- Update to wpa_supplicant-2.6-12.el7 shipped with Advisory RHSA-2018:3107 or newer.
Root Cause
Previously, when wpa_supplicant was running on a Linux interface that was configured in promiscuous mode, incoming Extensible Authentication Protocol over LAN (EAPOL) packets were processed regardless of the destination address in the frame. However, wpa_supplicant checked the destination address only if the interface was enslaved to a bridge. As a consequence, in certain cases, wpa_supplicant was responding to EAPOL packets when the destination address was not the interface address. With this update, a socket filter has been added that allows the kernel to discard unicast EAPOL packets whose destination address does not match the interface address, and the described problem no longer occurs.
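The destination check described above, written as a user-space C function so the accept/drop decision can be read and tested. This is an added example, not the wpa_supplicant or kernel filter code; the function name, the MAC addresses and the sample frames are constructed for illustration, and treating non-EAPOL frames as dropped is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN     14
#define ETHERTYPE_EAPOL 0x888E /* IEEE 802.1X EtherType */

enum verdict { DROP = 0, ACCEPT = 1 };

/* Decide whether a received Ethernet frame may reach the supplicant.
 * own_mac is the address of the interface the supplicant runs on. */
enum verdict eapol_dest_filter(const uint8_t *frame, size_t len,
                               const uint8_t own_mac[6])
{
    if (frame == NULL || len < ETH_HDR_LEN)
        return DROP;                    /* truncated Ethernet header */
    if (((frame[12] << 8) | frame[13]) != ETHERTYPE_EAPOL)
        return DROP;                    /* assumption: only EAPOL is in scope */
    /* I/G bit set means a group address (such as the 802.1X PAE group
     * address 01:80:C2:00:00:03); only unicast frames are address-checked. */
    if (frame[0] & 0x01)
        return ACCEPT;
    /* Unicast: accept only if addressed to this interface. In promiscuous
     * mode the NIC also delivers frames for other hosts, e.g. a bridged VM. */
    return memcmp(frame, own_mac, 6) == 0 ? ACCEPT : DROP;
}

/* Constructed sample data: source MAC, EtherType, EAPOL EAP-Packet header
 * and an EAP-Request/Identity body shared by all three frames. */
#define TAIL 0x02,0x00,0x00,0xCC,0x00,0x09, 0x88,0x8E, \
             0x01,0x00,0x00,0x05, 0x01,0x01,0x00,0x05,0x01
static const uint8_t HOST_MAC[6] = {0x02,0x00,0x00,0xAA,0x00,0x01};
static const uint8_t TO_HOST[]   = {0x02,0x00,0x00,0xAA,0x00,0x01, TAIL};
static const uint8_t TO_GUEST[]  = {0x02,0x00,0x00,0xBB,0x00,0x02, TAIL};
static const uint8_t TO_GROUP[]  = {0x01,0x80,0xC2,0x00,0x00,0x03, TAIL};

int main(void)
{
    printf("to host : %d\n", eapol_dest_filter(TO_HOST, sizeof TO_HOST, HOST_MAC));
    printf("to guest: %d\n", eapol_dest_filter(TO_GUEST, sizeof TO_GUEST, HOST_MAC));
    printf("to group: %d\n", eapol_dest_filter(TO_GROUP, sizeof TO_GROUP, HOST_MAC));
    return 0;
}
```

The frame addressed to the bridged guest is the case from the Issue section: before the fix it reached the supplicant's state machine, and with the destination check it is dropped.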