EAP-TLS - Authentication succeeds with incorrect "private_key_passwd"

saurav barik saurav.barik at gmail.com
Sat Oct 9 14:49:15 EDT 2010


I disabled fast_reauth in my conf file (fast_reauth=0). Then I changed
the wpa_supplicant conf file with wrong certificates and triggered logoff
followed by logon from wpa_cli. Immediately I could ping the AP
successfully (with wrong certificates). So I am not too sure whether
the reauthentication really happened. I also tried doing a reassociate
after logon. But in all the cases the ping to the AP was successful
with wrong certs. If logoff/logon causes a reauth then why should the
port get enabled with wrong certs? If PMKSA does not have anything to
do with this behavior, I really don't have any issues with it. I am
just concerned about the station still being able to successfully
connect to the AP (via wpa-eap) with wrong credentials.

On Sat, Oct 9, 2010 at 11:19 AM, Jouni Malinen <j at w1.fi> wrote:
> On Fri, Oct 08, 2010 at 12:29:35AM +0530, saurav barik wrote:
>> Yes, logoff followed by logon also skips reauth. I tried forcing a
>> reauth using eapol_sm_request_reauth() in "logon" path. Still it does
>> not reauth.
>
> What exactly do you mean with "reauth" in this context? In my tests,
> logoff followed by logon goes through EAPOL authentication and EAP
> authentication. However, if fast reauthentication is enabled, EAP-TLS
> may actually skip certificate-based authentication (but still, this is a
> new EAP authentication).
>
>> I am wondering whether it should be considered as a
>> known-issue in wpa_supplicant or is this behavior acceptable. I
>> believe wpa_supplicant should reauthenticate if there is a change in
>> EAP-TLS related config. Should I flush PMKSA caching in logon path as
>> well? Is there any command-line config option(from wpa_cli) for it?
>
> It should be possible to trigger EAP reauthentication with logoff/logon,
> but there is currently no way to forcefully remove PMKSA cache entries.
> I don't think EAPOL logon path should do anything about PMKSA cache
> entries, but it is debatable if there are some changes that should
> delete a PMKSA cache entry.
>
> In theory, PMKSA cache entry remains valid as long as the PMK is valid
> (and in many cases, no explicit validity period is communicated during
> full authentication). As such, even local configuration changes would
> not necessarily invalidate PMKSA cache entries.
>
> There is currently no wpa_cli command for removing a PMKSA cache entry.
> Though, I would be open to adding such a command to allow manual removal
> of these entries.
>
> --
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
>
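A check for the question raised in this exchange (did EAP actually run on logoff/logon, or did the station reconnect on a cached PMK?), added here as an example and not code from the thread or from the hostap project: the script below classifies each CTRL-EVENT-CONNECTED seen on wpa_supplicant's control interface by whether a CTRL-EVENT-EAP-STARTED / CTRL-EVENT-EAP-SUCCESS pair preceded it. The sample event lines are constructed for the example, the event text follows the format wpa_supplicant's control interface uses, and the interface name wlan0 is an assumption. Two caveats follow from Jouni's reply: a PMKSA cache hit produces no EAP events at all before the connection completes, and with fast_reauth=1 EAP-TLS can resume the TLS session, so EAP-STARTED/EAP-SUCCESS still appear even though no certificate or private key was exercised. Only a full EAP-TLS run with fast_reauth=0 and no usable PMKSA entry actually tests the configured certificate and private_key_passwd.

```shell
#!/bin/sh
# Added example (not from the thread): classify each wpa_supplicant
# connection as "EAP ran" or "no EAP" from the control-interface events
# that "wpa_cli -i wlan0" (or wpa_supplicant's own log) prints.
#
# Reads event lines on stdin, prints one verdict per CTRL-EVENT-CONNECTED.
classify_reauth() {
    awk '
        /CTRL-EVENT-EAP-STARTED/ { started = 1; success = 0; method = "?" }
        # e.g. "CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected"
        /CTRL-EVENT-EAP-METHOD/  { method = $0; sub(/.*\(/, "", method); sub(/\).*/, "", method) }
        /CTRL-EVENT-EAP-SUCCESS/ { success = 1 }
        /CTRL-EVENT-EAP-FAILURE/ { success = 0 }
        /CTRL-EVENT-CONNECTED/ {
            n++
            if (started && success)
                verdict = "EAP-" method " ran before the port was opened"
            else if (started)
                verdict = "EAP started but never reported success"
            else
                verdict = "no EAP exchange (PMKSA cache hit or non-EAP key)"
            print "connection " n ": " verdict
            started = 0; success = 0
        }
        END { if (n == 0) print "no CTRL-EVENT-CONNECTED seen" }
    '
}

# Constructed sample, modelled on the case in this thread: a first
# association with a full EAP-TLS exchange, then a reconnect after
# logoff/logon that completes without any EAP events (a PMKSA cache hit).
sample_events() {
    cat <<'EOF'
<3>CTRL-EVENT-EAP-STARTED EAP authentication started
<3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
<3>CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
<3>CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed (auth) [id=0 id_str=]
<3>CTRL-EVENT-DISCONNECTED bssid=00:11:22:33:44:55 reason=3
<3>CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed (reauth) [id=0 id_str=]
EOF
}

# Stand-alone run on the constructed sample; in practice pipe in the
# "wpa_cli -i wlan0" output captured around the logoff/logon.
sample_events | classify_reauth
```

Run it against the monitor output of wpa_cli captured while issuing logoff and logon: a "no EAP exchange" verdict for the reconnect means the PMKSA cache supplied the key and the changed certificate configuration was never consulted, which is the situation described above; "wpa_cli pmksa" lists the cached entries so the hit can be matched against the BSSID in the CONNECTED line. An "EAP-TLS ran" verdict with fast_reauth=1 still does not prove the certificate was checked, for the session-resumption reason given in the reply.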

