EAP-TLS - Authentication succeeds with incorrect "private_key_passwd"

Jouni Malinen j at w1.fi
Sat Oct 9 01:49:01 EDT 2010


On Fri, Oct 08, 2010 at 12:29:35AM +0530, saurav barik wrote:
> Yes, logoff followed by logon also skips reauth. I tried forcing a
> reauth using eapol_sm_request_reauth() in "logon" path. Still it does
> not reauth.

What exactly do you mean with "reauth" in this context? In my tests,
logoff followed by logon goes through EAPOL authentication and EAP
authentication. However, if fast reauthentication is enabled, EAP-TLS
may actually skip certificate-based authentication (but still, this is a
new EAP authentication).

> I am wondering whether it should be considered as a
> known-issue in wpa_supplicant or is this behavior acceptable. I
> believe wpa_supplicant should reauthenticate if there is a change in
> EAP-TLS related config. Should I flush PMKSA caching in logon path as
> well? Is there any command-line config option (from wpa_cli) for it?

It should be possible to trigger EAP reauthentication with logoff/logon,
but there is currently no way to forcefully remove PMKSA cache entries.
I don't think EAPOL logon path should do anything about PMKSA cache
entries, but it is debatable if there are some changes that should
delete a PMKSA cache entry.

In theory, PMKSA cache entry remains valid as long as the PMK is valid
(and in many cases, no explicit validity period is communicated during
full authentication). As such, even local configuration changes would
not necessarily invalidate PMKSA cache entries.

There is currently no wpa_cli command for removing a PMKSA cache entry.
Though, I would be open to adding such a command to allow manual removal
of these entries.

-- 
Jouni Malinen                                            PGP id EFC895FA