EAP-TLS - Authentication succeeds with in-correct "private_key_passwd"

saurav barik saurav.barik at gmail.com
Thu Oct 7 15:22:24 EDT 2010


I agree - PMKSA caching is a good feature. But it should not force to
skip the need for a reauth. A user might try to change his TLS
certificates/password at the run-time and edit the wpa_supplicant.conf
for the new configs. In this case, wpa_supplicant should have a
provision to start a reauth session because the certificates are
changed. In this case user is not breaking a working config - he just
wants to use new configuration. As of now, the only way the new config
can take effect is by restarting the running wpa_supplicant. Would not
it be better, if we can have a similar mechanism with a running
wpa_supplicant?

If we need to re-run wpa_supplicant every time TLS certs are changed,
then logon/logoff options from wpa_cli is redundant. Please correct me
if I am wrong.

Thanks,
Saurav

On Fri, Oct 8, 2010 at 12:33 AM, Christ Schlacta <aarcane at gmail.com> wrote:
>  An inability to break a working config is hardly a bug.  PMKSA should
> never flush unless it's failed, and flushing any sooner, or forcing
> re-authentication sooner is wasteful of bandwidth and other resources.
> This should be classified as a feature, not as a bug.
>
> On 10/7/2010 11:59 AM, saurav barik wrote:
>> Yes, logoff followed by logon also skips reauth. I tried forcing a
>> reauth using eapol_sm_request_reauth() in "logon" path. Still it does
>> not reauth. I am wandering whether it should be considered as a
>> known-issue in wpa_supplicant or is this behavior acceptable. I
>> believe wpa_supplicant should reauthenticate if there is a change in
>> EAP-TLS related config. Should I flush PMKSA caching in logon path as
>> well? Is there any command-line config option(from wpa_cli) for it?
>>
>> Please advise.
>>
>> Thanks,
>> Saurav
>>
>> On Tue, Oct 5, 2010 at 11:58 PM, Jouni Malinen<j at w1.fi>  wrote:
>>> On Tue, Oct 05, 2010 at 06:40:59PM +0530, saurav barik wrote:
>>>> Is there any way to trigger a forced reauthentication from a running
>>>> wpa_supplicant? wpa_cli config options does not have it.
>>> When using IEEE 802.1X/EAP, logoff follow by logon would do this without
>>> reassociation and reassociate will do this in all security modes
>>> (though, PMKSA caching may be used to skip EAP authentication in that
>>> case).
>>>
>>> --
>>> Jouni Malinen                                            PGP id EFC895FA
>>> _______________________________________________
>>> HostAP mailing list
>>> HostAP at lists.shmoo.com
>>> http://lists.shmoo.com/mailman/listinfo/hostap
>>>
>> _______________________________________________
>> HostAP mailing list
>> HostAP at lists.shmoo.com
>> http://lists.shmoo.com/mailman/listinfo/hostap
>
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
>


More information about the HostAP mailing list