WPA2-personal: rsn preauth?

Thomas Osterried thomas at osterried.de
Fri Sep 24 05:37:52 EDT 2010


Hello,

we run hostapd in a larger network which provides access for laptops and - what is more important - mobile WLAN SIP phones.
In this WPA2 (802.11i) network with WPA2-personal (pre-shared keys) we have to analyze and solve roaming issues.

We've set up a test-bed for analyzing the roaming delay and quest for solutions like pre-authentication, which is part of the 802.11i standard. My question here focuses on the pre-auth topic.

There are mainly three approaches to minimize roaming delay:
* pre-authentication (via current AP to the next AP the STA likes to roam to)
* opportunistic caching (distribute a PMKSA to all APs in the network)
* PMK caching (AP caches the PMK for the situation the STA roams back to the AP he's currently associated with)
We've not considered 802.11r since we researched that there are only very few STAs in the wild supporting this standard.

We enabled rsn_preauth=1, rsn_preauth_interfaces=eth0 and okc=1, but we did not observe any change in the bearing of the STA, and we did not observe any exchange of key material between the APs.


After studying the specs and reading hostapd's sources I'm still not sure about the following questions:

1. pre-auth while running WPA2-personal
In a WPA2-personal network, the PMK derives from password+ESSID.
Consequently, the PMK is the same on every AP in the network.
Because both,
  - it's always necessary to generate a session key in a 4-way-handshake between that STA with that AP (PTK, GTK) (which is quite fast - we measured 50ms)
  - the PMK is the same on all APs (for all associated STAs),
...I wonder if pre-authentication needs to happen anyhow -- and if it would happen, if it's enabled in hostapd. IMHO, it would not do harm (except for more computing overhead).
Maybe I've overlooked something and there are good reasons for having this exchange of key material even in a WPA2-personal environment - are there?

2. EAP capability flag "[PREAUTH]"
I did kill -SIGUSR1 to the pid of hostapd while my mobile phone was associated (as well as my linux notebook, wpa_supplicant version 0.6.9). For both I found in the dump file:
STA=...
  AID=0 flags=0x23 [AUTH][ASSOC][AUTHORIZED]
  capability=0x0 listen_interval=0
  supported_rates=
  timeout_next=NULLFUNC POLL
The PREAUTH capability is not referenced in STA's flags and I've not found any client which would lead the capability flags to be like [AUTH][ASSOC][AUTHORIZED][PREAUTH]
Just to be sure: does anyone know of STAs that generally support preauth, but do only announce this feature while running in WPA2-enterprise environments?

3. 4-way-handshake (for PTK/GTK) always necessary?
Somewhere I read of mechanisms which even allow the 4-way-authentication to be omitted (or reduced to 2-way). It's a myth, isn't it?

Kind regards,
        - Thomas Osterried

PS: I posted my question yesterday to the list but it awaits green light by the moderator. I've subscribed to the hostap list now and I hope you'll get this mail only once.
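
Added example (not part of the original post and not hostapd code) for the key hierarchy that question 1 refers to: in WPA2-personal the PMK depends only on passphrase and SSID, while the PMKID used for PMKSA caching and the PTK from the 4-way handshake are bound to the AP and STA addresses. The passphrase, SSID, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """384-bit PTK (CCMP) that both sides compute during the 4-way handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

# Constructed sample values (locally administered MACs, fixed stand-in nonces).
PASSPHRASE, SSID = "example-passphrase", "example-net"
STA = mac("02:00:00:00:00:10")
AP1 = mac("02:00:00:00:00:01")
AP2 = mac("02:00:00:00:00:02")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()

if __name__ == "__main__":
    pmk = derive_pmk(PASSPHRASE, SSID)  # no AP address involved: same on every AP
    print("PMK        ", pmk.hex())
    for name, ap in (("AP1", AP1), ("AP2", AP2)):
        print(name, "PMKID  ", pmkid(pmk, ap, STA).hex())
        print(name, "PTK    ", derive_ptk(pmk, ap, STA, ANONCE, SNONCE).hex())
```

In a real handshake ANonce and SNonce are fresh random values, so the PTK also changes on every association with the same AP.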

