wpa_supplicant, pkcs11, pmksa

Matt Causey matt.causey at gmail.com
Wed Sep 7 19:20:47 EDT 2011


So I think that bgscan will work on the older kernels, it just won't
get the signal change events from the driver IIRC...so the timers will
be the only prompt for a roam.  Though IMO it is worth the time to
upgrade the kernel, and use wpa_supplicant with the -on80211 flag,
because the roaming performance is far better that way.  I know it's a
pain, but just package your custom kernel as an RPM and slide it in
there... :-)  And yeah there is a lot of source-code reading involved in
understanding how bgscan works.  I'm sure that there is some
opportunity for us to contribute our hard-won knowledge into some wiki
some place to prevent the next wandering engineer having to do the
same.  I digress...

PMKSA key caching is disabled in the supplicant by default:

http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_supplicant/wpa_supplicant.conf

You might try enabling that, and then give us the output of running
your supplicant during a roam event with the -dd flag.

--
Matt



On Wed, Sep 7, 2011 at 1:40 PM, Martinsson Patrik
<patrik.martinsson at smhi.se> wrote:
> Hi !
>
> First, my knowledge in this area is rather limited so therefore the
> questions might be "a bit weird" or "way off", forgive me for that.
>
> I'm trying to get wireless working with "smartcard-auth" and roaming. I can
> successfully connect and authenticate to our network, but there seems to be
> two problems, which may have a reasonable explanation, I don't know, hence
> this mail.
>
> - Roaming, can't get it to work satisfactorily.
> When moving from one ap to another, wpa_supplicant first disconnects and
> then makes a scan, and then tries to connect to the next ap, *but* this
> takes some time, from ~5 sec, to 1 minute, as of now, this is not
> desirable since you can't roam without noticing it significantly. I looked
> into the option bgscan (which is very hard to find btw), and as I understand
> it, that is the way to go when you want to roam, correct ?
> And bgscan uses signal_monitoring, which is implemented in kernel >2.6.35,
> which in turn means that I'm out of luck since I'm on 2.6.32-131(rhel 6.1),
> correct ?
>
> - Re-authentication, works but reads from smartcard.
> When I move from one ap to another, wpa_supplicant reauthenticates using
> pmksa, correct ?
> The re-authentication is partially working, it re-authenticates without
> asking for pin, but reads something from the smartcard (reauth won't work
> without smartcard, and pcscd-logs shows a lot of activity at reauth), is this
> the way it should work ? I thought I could reauth without smartcard ?
>
> My wpa_supplicant.conf looks like this,
>
> ===
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel
> pkcs11_engine_path=/usr/lib64/openssl/engines/engine_pkcs11.so
> pkcs11_module_path=/usr/lib/libiidp11.so # our smartcard vendor
>
> network={
>     ssid="xxx"
>     engine=1
>     engine_id="pkcs11"
>     key_mgmt=WPA-EAP
>     eap=TLS
>     identity="xxx"
>     key_id="1:xxx"
>     cert_id="1:xxx"
> }
> ===
>
> I'm grateful for any hints or tips that I can get,
>
> Best regards,
> Patrik Martinsson, Sweden
>
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
>
>
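
An added example, not part of the original thread and not the posters' own configuration: the quoted `wpa_supplicant.conf` extended with the two roaming-related network settings the thread discusses. Reading "PMKSA key caching" as the `proactive_key_caching` option is an assumption, and the `bgscan` numbers are constructed.

```conf
# Global section, unchanged from the quoted message.
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
pkcs11_engine_path=/usr/lib64/openssl/engines/engine_pkcs11.so
# PKCS#11 module from the smartcard vendor (path as given in the message)
pkcs11_module_path=/usr/lib/libiidp11.so

network={
    ssid="xxx"
    engine=1
    engine_id="pkcs11"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="xxx"
    key_id="1:xxx"
    cert_id="1:xxx"

    # Opportunistic PMKSA caching; the sample config documents the default
    # as 0 (disabled). Assumption: this is the setting the reply means.
    # It only helps if the access points / controller support it as well.
    proactive_key_caching=1

    # Background scanning while associated, so a roam candidate is already
    # known before the link drops. Format of the "simple" module:
    #   simple:<short interval s>:<signal threshold dBm>:<long interval s>
    # The three values below are constructed, not tuned for any network.
    # Requires a supplicant built with the bgscan "simple" module.
    bgscan="simple:30:-65:300"
}
```

To check the effect, run the supplicant with the -dd flag during a roam, as the reply suggests, and compare against the pcscd logs: a roam that reuses a cached PMK should not need the private key on the smartcard, whereas a full EAP-TLS exchange will.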

