fast_reauth=1

Panagiotis Georgopoulos panos at comp.lancs.ac.uk
Thu Sep 23 16:02:38 EDT 2010


Hello Dan, Jouni, all
 
> On Wed, 2010-09-22 at 17:44 -0700, Jouni Malinen wrote:
> > On Wed, Sep 22, 2010 at 11:43:40PM +0100, Panagiotis Georgopoulos
> wrote:
> >
> > > What does fast_reauth in wpa_supplicant.conf does exactly do?
> >
> > > Is this the client equivalent of FreeRadius session resumption so
> that if a
> > > client roams from Access Point 1 to Access Point 2 to not repeat
> the full
> > > EAP authentication?
> >
> > Yes.
> 
> Do I have it correct when I assume that the proactive_key_caching stuff
> at the 802.11 level, while the fast_reauth stuff is at the 802.1x
> level?
> Should both ever be used at the same time?
> 
> Dan
> 

I might be the wrong person to answer this since I am trying to investigate
these myself lately and they are a bit confusing. In theory though it should
be alright to use both at the same time as their purpose, although the same
(i.e. faster rooming for the client) is achieved in different ways.

* Proactive key caching : to avoid doing a full reauth when client moves
from AP1 to AP2 and then back to AP1 quickly (i.e. reconnecting to the same
AP - how quickly though?). Also when pre_auth is allowed so that when a
client moves from AP1 to AP2 only the 4-way handshake is performed locally,
without full authentication with a AAA backend server, since the later AP
learns from the former via a switch that authentication has already been
performed.

* Session resumption, fast reauth (in wpa_supplciant) : this is basically an
SSL/TLS feature and allows e.g. in EAP-TLS to skip phase 2 if the client has
been recently authenticated successfully. E.g. this is used to speed up
authentication when client moves from AP1 where he has been successfully
authenticated to AP2. Packets are still send from the NAS to the AAA server
when client connects to AP2, but the AAA server does not do Phase 2 of the
authentication (due to session resumption) thus resulting in faster
authentication for the client.

If I am wrong, I 'd be grateful if someone would correct me!

So why not enable both?

Cheers,
Panos







More information about the HostAP mailing list