pre-authentication to RSN AP through non-RSN AP

Jason Young a.young.jason at gmail.com
Mon Mar 8 20:07:09 EST 2010


Hi,

I'm testing pre-authentication with the 0.6.x supplicant and I've found that it
does not work when the current AP is non-RSN (i.e. [WPA-EAP-TKIP]) and the
preauth AP is RSN (i.e. [WPA2-EAP-CCMP-preauth]). The pre-authentication
exchange does succeed according to the supplicant logs but the pmksa is never
added to the pmksa cache because pmksa_cache_add (src/rsn_supp/pmksa_cache.c)
is silently failing when the current protocol is not RSN. This problem does not
happen with in 0.7.x because commit f5a51b58d4a78821cf28b99b54dc7addd0da34
moves the protocol check into the caller but never added a check for the
preauth case in rsn_preauth_eapol_cb (src/rsn_supp/preauth.c).

So my question is: which behavior is correct for pre-authentication? I don't
see anything in the 802.11 spec that prevents preauthenticating to an RSN AP
through a non-RSN AP.

-- Jason Young

# 0.6.x
1268086938.061726: RSN: PMK from pre-auth - hexdump(len=32): [REMOVED]
1268086938.062320: RSN: pre-authentication with 00:22:6b:XX:XX:XX
completed successfully
1268086938.062486: EAP: deinitialize previously used EAP method (13,
TLS) at EAP deinit
> wpa_cli pmksa
Index / AA / PMKID / expiration (in seconds) / opportunistic

# 0.7.x
1268087034.081983: RSN: PMK from pre-auth - hexdump(len=32): [REMOVED]
1268087034.082765: RSN: added PMKSA cache entry for 00:22:6b:XX:XX:XX
1268087034.083146: RSN: pre-authentication with 00:22:6b:XX:XX:XX
completed successfully
1268087034.083330: EAP: deinitialize previously used EAP method (13,
TLS) at EAP deinit
> wpa_cli pmksa
Index / AA / PMKID / expiration (in seconds) / opportunistic
1 00:22:6b:XX:XX:XX 423848538d2f04fc2809b1072ac716ce 43127 0


More information about the HostAP mailing list