<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1323314781;
mso-list-type:hybrid;
mso-list-template-ids:63703192 359709290 134807555 134807557 134807553 134807555 134807557 134807553 134807555 134807557;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:54.0pt;
text-indent:-18.0pt;
font-family:Symbol;
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l1
{mso-list-id:1783693985;
mso-list-type:hybrid;
mso-list-template-ids:1253635208 341450380 134807577 134807579 134807567 134807577 134807579 134807567 134807577 134807579;}
@list l1:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:54.0pt;
text-indent:-18.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-GB link=blue vlink=purple>
<div class=WordSection1>
<p class=MsoNormal><span lang=EN-US>Hello all,<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US> In
an effort to understand how re-authentication and pre-authentication work in
order to speed up the authentication process for the client I have the two
following questions.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoListParagraph style='margin-left:54.0pt;text-indent:-18.0pt;
mso-list:l1 level1 lfo2'><![if !supportLists]><span lang=EN-US><span
style='mso-list:Ignore'>1)<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><b><span lang=EN-US>Re-authentication</span></b><span
lang=EN-US> : As far as I understand it, hostapd has the eap_reauth_period
option to define the number of seconds where reauthentication for a client can
be performed. In simple terms this means that a client has been authenticated,
it gets disconnected and then re-connected back to this AP within the
reauth_period. If it does, then hostapd does not peform authentication for the
client (neither when it acts as an EAP server, nor when it uses an external
Radius server for the authentication). The only think that it does is to start
the accounting procedure for the client that got reconnected. Is this right?
How does the AP know the identity of the client so that it can confirm that
this client has been connected before ?<o:p></o:p></span></p>
<p class=MsoListParagraph style='margin-left:54.0pt'><b><span lang=EN-US><o:p> </o:p></span></b></p>
<p class=MsoListParagraph style='margin-left:54.0pt'><span lang=EN-US>Incidentally,
do fast-reauthentication and pmk caching refer to the same procedure as
described above?<o:p></o:p></span></p>
<p class=MsoListParagraph style='margin-left:54.0pt'><b><span lang=EN-US><o:p> </o:p></span></b></p>
<p class=MsoListParagraph style='margin-left:54.0pt'><span lang=EN-US>As a side
note, am I right in thinking that re-authentication on hostapd is the same as
session resumption (or fast-reauthenication) as I’ve seen in freeRadius’
configuration file? <o:p></o:p></span></p>
<p class=MsoListParagraph style='margin-left:54.0pt'><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoListParagraph style='margin-left:54.0pt'><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoListParagraph style='margin-left:54.0pt;text-indent:-18.0pt;
mso-list:l1 level1 lfo2'><![if !supportLists]><span lang=EN-US><span
style='mso-list:Ignore'>2)<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><b><span lang=EN-US>Pre-authentication</span></b><span
lang=EN-US> : Here I am a bit more confused. I would have guessed that enabling
the pre-authentication options in hostapd.conf would allow a wpa_supplicant
client to perform pre-authentication with an Access Point that he is roaming
to, before losing his previous connection with a different Access Point. Is
this right?<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal style='margin-left:54.0pt'><span lang=EN-US>However, why do
we have pre-auth options for hostapd and not for wpa_supplicant? In theory, any
Access Point should not care if the user is performing pre-authentication, but
manage to authenticate him before the wpa_supplicant decides to disassociate him
from the previous access point. Why is there a rsn_preauth_interfaces option in
hostapd.conf? The interface option that the machine is using to create the AP
is not enough? The client that will try to do pre-authentication will try to
connect to the access point anyway…<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:54.0pt'><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal style='margin-left:54.0pt'><span lang=EN-US>Thanks in advance
for your replies,<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:54.0pt'><span lang=EN-US>Panos<o:p></o:p></span></p>
</div>
</body>
</html>