wpa supplicant restarts authentication when fast_reauth is enabled

Panagiotis Georgopoulos panos at comp.lancs.ac.uk
Fri Sep 24 17:12:29 EDT 2010

Hello all,


                I am having a wpa_supplicant (0.7.3) client that tries to
authenticate to a FreeRadius (2.1.10) over hostapd (0.7.2) using EAP-TTLS
and having fast_reauth=1 and session resumption enabled on the server side. 


In fact if I have just that enabled, fast reauthentication never happens
because I am told that FreeRadius does not store proper data in its cache to
reauthenticate the user, as openSSL stores what is on the reply of the inner
packet (phase 2 of eap-ttls) and that, does not have the identity of the
user to be cached (and the outer has an anonymous one). 


In order to fix this, I have enabled on FreeRadus the "use_tunneled_reply =
yes", however what I see now is that the client gets authenticated
successfully but the 4-way handshake betweek wpa_supplicant and hostapd
fails with the following message in wpa_supplicant.



WPA: RX message 1 of 4-Way Handshake from 00:14:6c:2d:00:85 (ver=2)

RSN: msg 1/4 key data - hexdump(len=22): dd 14 00 0f ac 04 bc cf 0e 3e 42 3c
4f c5 2c 18 fc 7d 5e 39 b2 8a

WPA: PMKID in EAPOL-Key - hexdump(len=22): dd 14 00 0f ac 04 bc cf 0e 3e

42 3c 4f c5 2c 18 fc 7d 5e 39 b2 8a

RSN: PMKID from Authenticator - hexdump(len=16): bc cf 0e 3e 42 3c 4f c5 2c
18 fc 7d 5e 39 b2 8a

RSN: no matching PMKID found

EAPOL: Successfully fetched key (len=32)

WPA: PMK from EAPOL state machines - hexdump(len=32): [REMOVED]

RSN: added PMKSA cache entry for 00:14:6c:2d:00:85

RSN: no PMKSA entry found - trigger full EAP authentication

RSN: Do not reply to msg 1/4 - requesting full EAP authentication RX
ctrl_iface - hexdump_ascii(len=4):

     50 49 4e 47                                       PING

RX EAPOL from 00:14:6c:2d:00:85

RX EAPOL - hexdump(len=25): 02 00 00 15 01 f2 00 15 01 68 65 6c 6c 6f 2d 50
41 4e 4f 53 2d 41 50 2d 32

EAPOL: Received EAP-Packet frame


                After that wpa_supplicant issues an EAPOL start frame and
the authentication happens from the start but again the same thing happen
when they reach the 4 way handshake. It seems to me that there is some sort
of a bug on the wpa_supplicant side.. Could anyone shed some light?


               Thanks a lot,



.          Wpa supplicant output : http://pastebin.com/4xSPt0k3 

.          Hostapd output : http://pastebin.com/Xnb0TF2q 

.          FreeRadius output: http://pastebin.com/p1V1XEVm 





-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20100924/ca23e8c0/attachment.htm 

More information about the HostAP mailing list