issues with long connection time for Non/802.1x networks
- From: dennis knorr <dennis knorr gmx net>
- To: networkmanager-list gnome org
- Subject: issues with long connection time for Non/802.1x networks
- Date: Wed, 18 Jan 2017 00:42:41 +0100
Hi,
I already posted this to the wpa_supplicant ML. They pointed me here,
though I think the feature itself could reside in both components, but
here it goes :D
I work for a city administration in the south of Germany and we want to
migrate to 802.1x for client authentication via cable and wireless LAN.
Therefore we created a networkmanager profile with 802.1x with
certificates to authenticate to the switch (we use a different profile
for wireless LAN). So far so good.
Now we noticed that if the switch is not already set for 802.1x client
authentication, networkmanager with wpasupplicant tries for over a
minute establishing the connection (3 tries), after that, it stops and
networkmanager falls back to a non-802.1x connection. (802.1x
authentication and fallback to MacByPass with ACLs if there's no
certificate, at least during the migration time). It is even worse,
because of PXE-delay, which we need, because we provision clients via PXE.
This looks quite bad to Windows in comparison. First the retries occur
much faster and there are fewer of them. Secondly, even with the
eapol-request, there is already a dhcp-request to the network if there's
a link, resulting in a quicker network connection, even if there's
no valid 802.1x connection.
So I looked in networkmanager and wpa_supplicant if I could configure
the timeout and retries and did not find anything, where I could
configure eapol timeouts and retries. Is it possible that this would be
implemented? Should I open a ticket? Should we try to send patches?
My wishes/requirements would be:
* possibility to configure timeout for non-successful connection
attempt with 802.1x/wpa supplicant (on cable/wireless)
* possibility to configure number of retries for connection attempts
with 802.1x/wpa supplicant (on cable/wireless)
* possibility for a mixed network to send after the connection attempt
(but not waiting for the successful completion) a dhcp request, so we
already get perhaps an IP.
Any opinion or information on this matter? We would be glad, if you can
help us or tell us, what you need, so this could be integrated into the
networkmanager.
Yours, Dennis