wpa_supplicant, pkcs11, pmksa

Martinsson Patrik patrik.martinsson at smhi.se
Wed Sep 7 13:40:50 EDT 2011


Hi!

First, my knowledge in this area is rather limited, so the questions might be "a bit weird" or "way off"; forgive me for that.

I'm trying to get wireless working with "smartcard-auth" and roaming. I can successfully connect and authenticate to our network, but there seem to be two problems, which may have a reasonable explanation, I don't know, hence this mail.

- Roaming, can't get it to work satisfactorily.
When moving from one AP to another, wpa_supplicant first disconnects, then makes a scan, and then tries to connect to the next AP, *but* this takes some time, from ~5 sec to 1 minute. As of now, this is not desirable, since you can't roam without noticing it significantly. I looked into the option bgscan (which is very hard to find, btw), and as I understand it, that is the way to go when you want to roam, correct?
And bgscan uses signal_monitoring, which is implemented in kernel >2.6.35, which in turn means that I'm out of luck since I'm on 2.6.32-131 (RHEL 6.1), correct?

- Re-authentication, works but reads from smartcard.
When I move from one AP to another, wpa_supplicant reauthenticates using pmksa, correct?
The re-authentication is partially working: it re-authenticates without asking for the PIN, but reads something from the smartcard (reauth won't work without the smartcard, and the pcscd logs show a lot of activity at reauth). Is this the way it should work? I thought I could reauth without the smartcard?

My wpa_supplicant.conf looks like this:

===
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
pkcs11_engine_path=/usr/lib64/openssl/engines/engine_pkcs11.so
pkcs11_module_path=/usr/lib/libiidp11.so # our smartcard vendor

network={
    ssid="xxx"
    engine=1
    engine_id="pkcs11"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="xxx"
    key_id="1:xxx"
    cert_id="1:xxx"
}
===

I'm grateful for any hints or tips that I can get.

Best regards,
Patrik Martinsson, Sweden