EAP-TLS - Authentication succeeds with incorrect "private_key_passwd"

Jouni Malinen j at w1.fi
Sun Oct 10 02:47:14 EDT 2010


On Sun, Oct 10, 2010 at 12:19:15AM +0530, saurav barik wrote:
> I disabled fast_reauth in my conf file (fast_reauth=0). Then I changed
> wpa_supplicant conf file with wrong certificates and triggered logoff
> followed by logon from wpa_cli. Immediately I could ping the AP
> successfully (with wrong certificates). So I am not too sure whether
> the reauthentication really happened. I also tried doing a reassociate
> after logon. But in all the cases the ping to the AP was successful
> with wrong certs. If logoff/logon causes a reauth then why should the
> port get enabled with wrong certs? If PMKSA does not have anything to
> do with this behavior, I really don't have any issues with it. I am
> just concerned about the station still able to successfully connect to
> the AP (via wpa-eap) with wrong credentials.

Please take a look at wpa_supplicant debug log (run it with -dd on
command line) and see what happens between logoff and logon. Please also
keep in mind that the station may not actually have any IEEE 802.1X port
control, so this behavior may depend on the AP side only (i.e., if it
does not implement 802.1X correctly, the connection could still
continue).

-- 
Jouni Malinen                                            PGP id EFC895FA
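
Added example (not part of the original message and not wpa_supplicant code): a small Python pass over a `-dd` debug log that reports, for each logoff, whether an EAP exchange actually ran before the next logoff or the end of the log. The marker strings and the sample log are assumptions constructed for illustration; confirm them against the output of your own build.

```python
# Marker strings assumed to match wpa_supplicant -dd output; verify on your build.
LOGOFF = "SUPP_PAE entering state LOGOFF"
STARTED = "CTRL-EVENT-EAP-STARTED"
RESULTS = {"CTRL-EVENT-EAP-SUCCESS": "success",
           "CTRL-EVENT-EAP-FAILURE": "failure"}

# Constructed sample log (not from a real session): three logoff/logon cycles.
SAMPLE_LOG = """\
EAPOL: SUPP_PAE entering state LOGOFF
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: SUPP_PAE entering state CONNECTING
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_PAE entering state LOGOFF
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_PAE entering state LOGOFF
EAPOL: SUPP_PAE entering state DISCONNECTED
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
"""

def verdict(window):
    """Map what was seen after one logoff to a short label."""
    if window["result"] == "failure":
        return "eap-failed"
    if window["result"] == "success":
        return "eap-reauthenticated"
    return "eap-incomplete" if window["started"] else "no-eap-exchange"

def classify_windows(lines):
    """Return one verdict per logoff, covering the lines up to the next logoff."""
    windows = []
    for line in lines:
        if LOGOFF in line:
            windows.append({"started": False, "result": None})
        elif windows:  # lines before the first logoff are ignored
            if STARTED in line:
                windows[-1]["started"] = True
            for marker, outcome in RESULTS.items():
                if marker in line:
                    windows[-1]["result"] = outcome  # last result wins on retries
    return [verdict(w) for w in windows]

if __name__ == "__main__":
    for n, v in enumerate(classify_windows(SAMPLE_LOG.splitlines()), 1):
        print(f"logoff #{n}: {v}")
```

A `no-eap-exchange` verdict alongside working connectivity means the supplicant never re-ran EAP, so whether traffic still passes is decided by the AP's port control rather than by the changed credentials.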


More information about the HostAP mailing list