PMKSA-cache: 802.1x authentication is forced even if AP have PMKID of the STA in its PMKSA-cache

Jouni Malinen jkmaline at cc.hut.fi
Sun Apr 3 23:41:55 EDT 2005


On Thu, Mar 10, 2005 at 07:41:38AM -0800, Ajeet Nankani wrote:

> I have 2 Hostapd APs, and one STA with wpa_supplicant(ap_scan=1). All
> are prism(1.7.4) based. I am using freeradius for authentication.
> 
> When i roam back to the AP, to which i athenticated, just few minutes
> before, I see that STA sends PMKID from its PMKSA cache in the
> re-association frame, and in the AP log i see a message "PMKID found
> from PMKSA cache", but even then it starts 802.1x authentication with
> STA, which it should not as AP has found PMKID in its cache, and can use
> that one to drive PTKs and GTKs.

It looks like PMKSA caching did not survive all the changes to get
hostapd using the latest IEEE 802.1X draft. EAPOL state machine was not
properly notified about the matched PMKID and it started full
authentication. This is now fixed in development branch. In addition, I
fixed the case where integrated EAP authenticator is used; it did not
add PMKSA cache entries at all.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the HostAP mailing list