#110 Xsupplicant does not work with multiple supplicants

Status: closed-fixed
Owner: Chris Hessing
Labels: General (76)
Priority: 5
Updated: 2007-12-13
Created: 2007-10-27
Creator: Scott H
Private: No

If you have 2 Xsupplicant clients (or an XSupplicant client and any other client) that connect on the same switch port the XSupplicant gets booted off when the other supplicant logs on.

I initially thought that it was because the XSupplicant was sending an EAPOL logoff message before sending the START message, and that was causing the other client to disconnect. However, I see that if I use Xsupplicant on one client, and the XP supplicant on the other client, the Xsupplicant still logs off when the XP client logs on, but the XP supplicant does not send the LOGOFF message when starting EAPOL.

After the XP client has logged on, the Xsupplicant client can attempt to log on again, and will be successful. However, if 2 Xsupplicant clients are trying to log onto the same physical port, they will always knock each other off when they start the EAPOL process.

I am using Parallels with 2 virtual machines connected on the same interface.

I'm not an 802.1x expert, but is it supposed to send the LOGOFF message prior to sending the START message?

The attachment is a capture of one client (mac 18:83) successfully logging in. Then the second client (mac f5:bf) logs on, and the first client is kicked off, and eventually times out.

Discussion

  • Scott H
    2007-10-27

    capture from first client

     
    Attachments
  • Bret Jordan
    2007-10-27

    Logged In: YES
    user_id=663867
    Originator: NO

    The first packet from the authenticator (switch) is technically a failure. So what I believe is happening is:
    1) Computer one connects and authenticates correctly.
    2) Computer two comes on-line and sends an EAPoL start
    3) This EAPoL start causes the authenticator to send the EAP Request-Identity (failure) packet which should be followed by a real EAP Request-Identity packet.

    I believe the reason this is done is to reset the state machine on the client. Chris, correct me if I am wrong.

     
  • Chris Hessing
    2007-10-29

    Logged In: YES
    user_id=117575
    Originator: NO

    Bret's comments are correct. In addition running two supplicants on the same interface is a bad idea. You should either disable the supplicant in the host OS, or the supplicant in the Parallels VM. The 802.1X standard doesn't allow for multiple PAEs to run on a single interface.

     
  • Chris Hessing
    2007-10-29

    • status: open --> closed
     
  • Scott H
    2007-10-29

    Logged In: YES
    user_id=1693738
    Originator: YES

    I'm not running dot1x on the host interface, only on the virtual hosts' interface. Each XP virtual host is running its own single instance of Xsupplicant. You could get the same effect if you had 2 physical machines connected via a hub into a single dot1x switch port.

    This works fine if the supplicant is the Windows XP or Odyssey client, so that's why I think it is a problem with Xsupplicant.

    Most switches have support for multiple supplicants, so that people can place a hub at the edge port, and have multiple clients connect on the same dot1x port. Yeah, that's not a good idea, but it happens.

     
  • Chris Hessing
    2007-10-30

    • assigned_to: nobody --> chessing
    • status: closed --> open
     
  • Chris Hessing
    2007-12-13

    Logged In: YES
    user_id=117575
    Originator: NO

    This has been fixed and will be in the next release. Please try it out, and reopen the bug if it is still a problem.

     
  • Chris Hessing
    2007-12-13

    • status: open --> closed-fixed
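
An added example, not part of the ticket thread or of Xsupplicant's code: a Python check that walks an EAPOL trace and flags an EAP Failure that follows one supplicant's Start but reaches a different, already authenticated supplicant, the sequence described in the discussion above. The MAC addresses and sample frames are constructed, and the trace assumes the switch addresses the Failure to the 802.1X PAE group address.

```python
import struct

PAE_GROUP = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
EAPOL_TYPES = {1: "Start", 2: "Logoff"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame):
    """Return (src, dst, kind) for an EAPOL Ethernet frame, or None."""
    if len(frame) < 18 or frame[12:14] != b"\x88\x8e":
        return None
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    if ptype != 0:
        return frame[6:12], frame[0:6], EAPOL_TYPES.get(ptype, f"type-{ptype}")
    if body_len < 4 or len(frame) < 22:
        return None  # truncated EAP header
    return frame[6:12], frame[0:6], "EAP-" + EAP_CODES.get(frame[18], "unknown")

def find_collateral_failures(frames, switch):
    """List (starter, victims): a Failure after one Start that hits another authenticated MAC."""
    authed, last_sender, last_start, findings = set(), None, None, []
    for src, dst, kind in filter(None, map(parse_eapol, frames)):
        if src != switch:                      # frame from a supplicant
            last_sender = src
            if kind == "Start":
                last_start = src
            elif kind == "Logoff":
                authed.discard(src)
        elif kind == "EAP-Success":
            peer = last_sender if dst == PAE_GROUP else dst
            if peer:
                authed.add(peer)
        elif kind == "EAP-Failure":
            hit = set(authed) if dst == PAE_GROUP else authed & {dst}
            victims = hit - {last_start}       # the starter itself is expected to see it
            if last_start and victims:
                findings.append((last_start.hex(":"), sorted(v.hex(":") for v in victims)))
            authed -= hit
    return findings

def mk(dst, src, ptype, eap=b""):  # builds a constructed EAPOL v1 frame
    return dst + src + b"\x88\x8e" + struct.pack("!BBH", 1, ptype, len(eap)) + eap
SW, A, B = (bytes.fromhex(m) for m in ("0200000000fe", "020000000001", "020000000002"))
SAMPLE = [  # constructed trace, not the capture attached to the ticket
    mk(PAE_GROUP, A, 1),                            # A: EAPOL-Start
    mk(A, SW, 0, b"\x01\x01\x00\x05\x01"),          # switch: Request-Identity
    mk(PAE_GROUP, A, 0, b"\x02\x01\x00\x06\x01a"),  # A: Response-Identity
    mk(A, SW, 0, b"\x03\x02\x00\x04"),              # switch: Success for A
    mk(PAE_GROUP, B, 1),                            # B: EAPOL-Start
    mk(PAE_GROUP, SW, 0, b"\x04\x03\x00\x04"),      # switch: Failure to group (assumed)
]
print(find_collateral_failures(SAMPLE, SW))
```

An empty result on a real capture from a shared port means no authenticated supplicant was on the receiving end of a Failure triggered by someone else's Start.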