EAP-TLS too fast?

Andrea G Forte andreaf at cs.columbia.edu
Wed Feb 8 12:02:58 EST 2006


Dear all,

I have setup a RADIUS server (freeradius) with hostapd 0.4.7 and 
wpa_supplicant 0.4.7. Both the last two use hostap-driver 0.4.7.
I am using EAP-TLS (client and server certificates generated by the 
CA.all script included in freeradius) with RSN (CCMP). I am not sure if 
something is wrong in the authentication process. The problem is that it 
is taking too little time for the authentication process to complete. In 
the attached file you can see one authentication process captured using 
kismet and then parsed with Ethereal. As you can see the time from 
Assoc. resp to the first encrypted data packet is only 222 msec. About a 
year ago it was of the order of one second (and all the literature says 
so). Has WPA2 improved the authentication time so much? Am I doing 
something wrong in setting up EAP-TLS in the wpa_supplicant?
This is the relevant entry in wpa_supplicant.conf:

network={
       ssid="test"
       proto=RSN
       key_mgmt=WPA-EAP
       pairwise=CCMP
       group=CCMP
       eap=TLS
       identity="myself"
       ca_cert="/etc/cert/cacert.pem"
#       client_cert="/etc/cert/cert-clt.pem"
       private_key="/etc/cert/cert-clt.p12"
       private_key_passwd="whatever"
       priority=5
}

Another thing is that the supplicant sends the following packet twice:
TLS      Certificate, Client Key Exchange, Certificate Verify, Change 
Cipher Spec, Encrypted Handshake Message

and also the "server hello" is sent twice. Is this the correct behavior?

This overlaps a little with freeradius, so I am not sure if this is 
offtopic for this list. If you feel it is, my apologies.
Your help is always very much appreciated.

Thank you,
Andrea

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: auth_time.txt
Url: http://lists.shmoo.com/pipermail/hostap/attachments/20060208/bce5e838/attachment.txt 


More information about the HostAP mailing list