Message ID | 20180302201103.16264-5-msiedzik@extremenetworks.com |
---|---|
State | Accepted |
Series | MKA bugfixes and enhancements |
On Fri, Mar 02, 2018 at 03:10:52PM -0500, msiedzik@extremenetworks.com wrote:
> When the number of live peers becomes 0 the KaY is setting
> 'kay->authenticated' true and telling the CP to connect AUTHENTICATED.
> Per IEEE802.1X-2010 Clause 12.2, MKA.authenticated means "the Key Server
> has proved mutual authentication but has determined that Controlled Port
> communication should proceed without the use of MACsec", which means
> port traffic will be passed in the clear.
>
> When the number of live peers becomes 0 the KaY must instead set
> 'kay->authenticated' false and tell the CP to connect PENDING. Per
> Clause 12.3 connect PENDING will "prevent connectivity by clearing the
> controlledPortEnabled parameter."

Thanks, applied.
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index 41e5a07e6..fd329e610 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -2393,7 +2393,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx) participant->orx = FALSE; participant->is_key_server = FALSE; participant->is_elected = FALSE; - kay->authenticated = TRUE; + kay->authenticated = FALSE; kay->secured = FALSE; kay->failed = FALSE; kay->ltx_kn = 0; @@ -2410,7 +2410,7 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx) ieee802_1x_delete_transmit_sa(kay, txsa); } - ieee802_1x_cp_connect_authenticated(kay->cp); + ieee802_1x_cp_connect_pending(kay->cp); ieee802_1x_cp_sm_step(kay->cp); } else { ieee802_1x_kay_elect_key_server(participant);
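Review bot: the first hunk flips `kay->authenticated = TRUE;` to `kay->authenticated = FALSE;` in the "live peers reached 0" reset block of ieee802_1x_participant_timer() without a comment saying why, and the surrounding resets (`secured = FALSE`, `failed = FALSE`) give no hint that the old TRUE was a security defect rather than a stylistic choice. A one-line comment citing IEEE 802.1X-2010 Clause 12.2 (authenticated means the CP may pass traffic without MACsec, which is wrong once no peer is live) would stop a future cleanup from reverting it; with all three flags now FALSE the block reads as a clean "no peer, nothing established" state, which is the correct precondition for the PENDING transition made later in the same function.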
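Review bot: the second hunk replaces `ieee802_1x_cp_connect_authenticated(kay->cp);` with `ieee802_1x_cp_connect_pending(kay->cp);` and keeps the immediately following `ieee802_1x_cp_sm_step(kay->cp);`, so the CP state machine is stepped right away and controlledPortEnabled is cleared per Clause 12.3 instead of the port being opened in the clear; that ordering is correct and should stay as is. Since the observable effect of this branch is now that the Controlled Port stops forwarding, consider adding a wpa_printf() debug line at this point noting that all live peers were lost and the CP was moved to PENDING, otherwise an operator debugging a sudden loss of connectivity has no log evidence of why the port closed; the `else` branch that re-elects the key server is unchanged and unaffected.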