PMKSA/PMKID issue(s)

Zimmermann, Christopher Brian (Chris) cbzimmermann at agere.com
Sat Jan 22 01:10:02 EST 2005


Jouni,

I'll try these right now and let you know.

Thanks,
Chris


-----Original Message-----
From: Jouni Malinen [mailto:jm at jm.kir.nu] On Behalf Of Jouni Malinen
Sent: Saturday, January 22, 2005 1:03 AM
To: Zimmermann, Christopher Brian (Chris)
Cc: hostap at shmoo.com
Subject: Re: PMKSA/PMKID issue(s)

On Sat, Jan 22, 2005 at 12:41:21AM -0500, Zimmermann, Christopher Brian
(Chris) wrote:

> You can see the EAP-SUCCESS, but the PMKID does not get processed via
> rsn_preauth_eapol_cb().  Both of these APs come from the Terrawave
> WPA2/WMM testbed package.

Interesting.. wpa_supplicant is discarding the EAP-Success packet for
the pre-authentication case even though it was accepted for the normal
authentication. It looks like I have not tested pre-authentication with
RADIUS servers that do not conform to EAP RFC (i.e., ones that require
EAP workarounds in wpa_supplicant).. EAPOL state machine initialization
in rsn_preauth_init() was not initializing a couple of configuration
fields and this disabled EAP workarounds for pre-authentication even if
they were enabled for the normal authentication.

Please let me know whether the attached patch fixes this issue. This
change is already committed to CVS, too.

> But I don't get an add_pmkid() call into the driver interface.  And the
> timeout gets called, too.

This is because the EAP-Success was never processed..

> EAP: EAP entering state RECEIVED
> EAP: Received EAP-Success
> EAP: Workaround for unexpected identifier field in EAP Success: reqId=6 lastId=5 (these are supposed to be same)
> EAP: EAP entering state SUCCESS
> EAPOL: SUPP_BE entering state RECEIVE
> EAPOL: SUPP_BE entering state SUCCESS

This is the EAP-Success for the normal authentication.

> EAPOL: Received EAP-Success
> EAPOL: Received EAP-Packet frame
> EAPOL: SUPP_BE entering state REQUEST
> EAPOL: getSuppRsp
> EAP: EAP entering state RECEIVED
> EAP: Received EAP-Success
> EAP: EAP entering state DISCARD

This is for pre-authentication and it is discarded because of the EAP
workaround not being enabled here.

-- 
Jouni Malinen                                            PGP id EFC895FA
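
The failure described in the message above, as an added sketch that is not wpa_supplicant code and not part of the original e-mail: two state machines receive the same EAP-Success, but the pre-authentication one is initialized without the workaround flag and discards it. All type and function names are hypothetical, and the tolerance of exactly lastId + 1 is an assumption taken from the `reqId=6 lastId=5` line in the log.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model; these names are illustrative, not wpa_supplicant's. */
enum eap_decision { EAP_DISCARD, EAP_SUCCESS };
struct eapol_cfg { int workaround; };   /* EAP workarounds enabled? */
struct eap_model { struct eapol_cfg cfg; uint8_t last_id; };
#define EAP_CODE_SUCCESS 3              /* EAP Code for Success (RFC 3748) */
typedef void (*init_fn)(struct eap_model *, const struct eapol_cfg *);

/* Normal association: the user's configuration is copied in. */
void init_normal(struct eap_model *sm, const struct eapol_cfg *user) {
    memset(sm, 0, sizeof(*sm));
    sm->cfg = *user;
}
/* Pre-authentication as described in the message: the field stays 0. */
void init_preauth_unfixed(struct eap_model *sm, const struct eapol_cfg *user) {
    (void)user;
    memset(sm, 0, sizeof(*sm));
}
/* Pre-authentication with the configuration field carried over. */
void init_preauth_fixed(struct eap_model *sm, const struct eapol_cfg *user) {
    memset(sm, 0, sizeof(*sm));
    sm->cfg.workaround = user->workaround;
}

/* Header is Code, Identifier, 16-bit Length; only EAP-Success is modelled. */
enum eap_decision on_eap_packet(const struct eap_model *sm,
                                const uint8_t *pkt, size_t len) {
    if (len < 4 || pkt[0] != EAP_CODE_SUCCESS || pkt[2] != 0 || pkt[3] != 4)
        return EAP_DISCARD;
    if (pkt[1] == sm->last_id)          /* conforming server */
        return EAP_SUCCESS;
    /* Assumed tolerance: last_id + 1 (mod 256), the case seen in the log. */
    if (sm->cfg.workaround && pkt[1] == (uint8_t)(sm->last_id + 1))
        return EAP_SUCCESS;
    return EAP_DISCARD;
}

/* Constructed sample: workarounds enabled by the user, last_id = 5. */
enum eap_decision demo(init_fn init, uint8_t req_id) {
    const struct eapol_cfg user = { 1 };
    const uint8_t pkt[4] = { EAP_CODE_SUCCESS, req_id, 0x00, 0x04 };
    struct eap_model sm;
    init(&sm, &user);
    sm.last_id = 5;
    return on_eap_packet(&sm, pkt, sizeof(pkt));
}
int main(void) { return demo(init_preauth_fixed, 6) == EAP_SUCCESS ? 0 : 1; }
```
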


