Bug 2067124

Summary: NM should instruct wpa_supplicant to send EAPOL-logoff upon bringing down 802.1x connection
Product: Red Hat Enterprise Linux 9
Reporter: David Jaša <djasa>
Component: wpa_supplicant
Assignee: NetworkManager Development Team <nm-team>
Status: NEW
QA Contact: Desktop QE <desktop-qa-list>
Severity: low
Priority: low
Version: 9.0
CC: bgalvani, lrintel, rkhan, sfaye, sukulkar, till
Target Milestone: rc
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Type: Bug

Description David Jaša 2022-03-23 11:17:34 UTC
Description of problem:
When bringing down an 802.1x connection, my expectation is that an EAPOL-logoff frame is sent so that the authenticator can change the switch port in question to the unauthenticated state right away. You can do that manually by issuing 'wpa_cli ... logoff' but that doesn't look like the right behaviour to me.

Version-Release number of selected component (if applicable):
NetworkManager-1.37.2-1.el9.x86_64
wpa_supplicant-2.10-2.el9.x86_64

How reproducible:
always

Steps to Reproduce:
1. create 802.1x wired connection
2. bring the connection up
3. bring the connection down

Actual results:
authenticator (hostapd) is not informed that NM's station is closing connection

Expected results:
EAPOL-logoff frame is sent and authenticator knows that the station got disconnected


Additional info:
related bug: bug 2067117
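
To check the behaviour reported above from a capture taken on the wired port, the following added example (not part of the bug report, NetworkManager or wpa_supplicant) parses EAPOL frames and tests whether the supplicant's last one is an EAPOL-Logoff. The function names are hypothetical, and the MAC addresses and frames are constructed samples, not a real capture.

```python
import struct

ETH_P_PAE = 0x888E    # EtherType for EAPOL (IEEE 802.1X)
ETH_P_8021Q = 0x8100  # single VLAN tag
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def build_eapol(src_mac, pkt_type, body=b"", version=2):
    """Build a constructed Ethernet frame carrying one EAPOL PDU."""
    dst = bytes.fromhex("0180c2000003")  # PAE group address
    hdr = struct.pack("!BBH", version, pkt_type, len(body))
    return dst + src_mac + struct.pack("!H", ETH_P_PAE) + hdr + body

def parse_eapol(frame):
    """Return (src_mac, type_name) for an EAPOL frame, or None otherwise."""
    if len(frame) < 14:
        return None
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype == ETH_P_8021Q:  # skip one VLAN tag if present
        offset += 4
        if len(frame) < offset + 2:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    if ethertype != ETH_P_PAE or len(frame) < offset + 4:
        return None
    _version, pkt_type, body_len = struct.unpack_from("!BBH", frame, offset)
    if len(frame) < offset + 4 + body_len:  # truncated body
        return None
    return frame[6:12], EAPOL_TYPES.get(pkt_type, f"unknown({pkt_type})")

def logoff_sent(frames, supplicant_mac):
    """True if the last EAPOL frame from the supplicant is an EAPOL-Logoff."""
    last = None
    for frame in frames:
        parsed = parse_eapol(frame)
        if parsed and parsed[0] == supplicant_mac:
            last = parsed[1]
    return last == "EAPOL-Logoff"

# Constructed sample traffic (not a real capture).
STA = bytes.fromhex("020000000001")   # supplicant (station)
AUTH = bytes.fromhex("020000000002")  # authenticator
session = [
    build_eapol(STA, 1),                          # EAPOL-Start
    build_eapol(AUTH, 0, bytes([1, 1, 0, 5, 1])),  # EAP Request/Identity
    build_eapol(STA, 0, bytes([2, 1, 0, 5, 1])),   # EAP Response/Identity
]

if __name__ == "__main__":
    print("down without logoff:", logoff_sent(session, STA))
    print("down with logoff:   ", logoff_sent(session + [build_eapol(STA, 2)], STA))
```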

Comment 1 Till Maas 2022-03-23 16:45:37 UTC
Lubomir, does this need more than the change in bug 2067117? What's your opinion on this?

Comment 2 David Jaša 2022-03-25 14:39:50 UTC
(In reply to Till Maas from comment #1)
> Lubomir, does this need more than the change in bug 2067117? What's your
> opinion on this?

I think so. If you bring an 802.1x-protected connection up and down, the wpa_supplicant service keeps running with the same PID, so even if wpa_supplicant starts logging off on signals like SIGTERM, it won't solve the scenario of bringing an active connection or device down.

Comment 3 Lubomir Rintel 2022-12-14 13:46:48 UTC
(In reply to Till Maas from comment #1)
> Lubomir, does this need more than the change in bug 2067117? What's your
> opinion on this?

Yes, I think it's pretty much what David says. Bringing the connection down is different from terminating the daemon altogether.