PMKSA/PMKID issue(s)

Zimmermann, Christopher Brian Chris cbzimmermann
Mon Jan 24 07:24:25 PST 2005


That did the trick.  


-----Original Message-----
From: at
[ at] On Behalf Of
Zimmermann, Christopher Brian (Chris)
Sent: Saturday, January 22, 2005 1:10 AM
To: Jouni Malinen
Cc: hostap at
Subject: RE: PMKSA/PMKID issue(s)


I'll try these right now and let you know.


-----Original Message-----
From: Jouni Malinen [mailto:jm at] On Behalf Of Jouni Malinen
Sent: Saturday, January 22, 2005 1:03 AM
To: Zimmermann, Christopher Brian (Chris)
Cc: hostap at
Subject: Re: PMKSA/PMKID issue(s)

On Sat, Jan 22, 2005 at 12:41:21AM -0500, Zimmermann, Christopher Brian
(Chris) wrote:

> You can see the EAP-SUCCESS, but the PMKID does not get processed via
> rsn_preauth_eapol_cb().  Both of these APs come from the Terrawave
> WPA2/WMM testbed package.

Interesting.. wpa_supplicant is discarding the EAP-Success packet for
the pre-authentication case even though it was accepted for the normal
authentication. It looks like I have not tested pre-authentication with
RADIUS servers that do not conform to the EAP RFC (i.e., ones that require
EAP workarounds in wpa_supplicant).. EAPOL state machine initialization
in rsn_preauth_init() was not initializing a couple of configuration
fields and this disabled EAP workarounds for pre-authentication even if
they were enabled for the normal authentication.

Please let me know whether the attached patch fixes this issue. This
change is already committed to CVS, too.

> But I don't get a add_pmkid() call into the driver interface.  And the
> timeout gets called, too.

This is because the EAP-Success was never processed..

> EAP: EAP entering state RECEIVED
> EAP: Received EAP-Success
> EAP: Workaround for unexpected identifier field in EAP Success: reqId=6 lastId=5 (these are supposed to be same)
> EAP: EAP entering state SUCCESS
> EAPOL: SUPP_BE entering state RECEIVE
> EAPOL: SUPP_BE entering state SUCCESS

This is the EAP-Success for the normal authentication.

> EAPOL: Received EAP-Success
> EAPOL: Received EAP-Packet frame
> EAPOL: SUPP_BE entering state REQUEST
> EAPOL: getSuppRsp
> EAP: EAP entering state RECEIVED
> EAP: Received EAP-Success
> EAP: EAP entering state DISCARD

This is for pre-authentication and it is discarded because of the EAP
workaround not being enabled here.

Jouni Malinen                                            PGP id EFC895FA
HostAP mailing list
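
The failure described in the thread, as an added C sketch that is not part of the original messages and is not wpa_supplicant code: a pre-authentication state machine whose init routine does not inherit the network's workaround flag discards the same EAP-Success that normal authentication accepts. All struct and function names are hypothetical, and treating `lastId + 1` as the tolerated identifier is an assumption modelled on the `reqId=6 lastId=5` log line.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model; every name here is hypothetical, not wpa_supplicant's. */
enum eap_state { EAP_DISCARD, EAP_SUCCESS };

struct eapol_cfg { int workaround; };  /* tolerate non-conforming servers */

struct eapol_sm {
    struct eapol_cfg cfg;
    unsigned char last_id;  /* identifier of the last EAP-Request answered */
};

/* EAP-Success is expected to carry last_id. Assumed workaround: also accept
 * last_id + 1 (mod 256), as in the reqId=6 lastId=5 case from the log. */
enum eap_state eap_rx_success(const struct eapol_sm *sm, unsigned char req_id)
{
    if (req_id == sm->last_id)
        return EAP_SUCCESS;
    if (sm->cfg.workaround && req_id == (unsigned char)(sm->last_id + 1))
        return EAP_SUCCESS;
    return EAP_DISCARD;
}

/* Buggy init: zeroes its own config and never copies the network settings. */
void preauth_init_buggy(struct eapol_sm *sm, const struct eapol_cfg *net)
{
    (void)net;
    memset(sm, 0, sizeof(*sm));
}

/* Fixed init: inherit the settings used for normal authentication. */
void preauth_init_fixed(struct eapol_sm *sm, const struct eapol_cfg *net)
{
    memset(sm, 0, sizeof(*sm));
    sm->cfg = *net;
}

/* Run one pre-authentication EAP-Success through the chosen init path. */
enum eap_state run_preauth(int fixed, int net_workaround,
                           unsigned char last_id, unsigned char req_id)
{
    struct eapol_cfg net = { net_workaround };
    struct eapol_sm sm;
    if (fixed) preauth_init_fixed(&sm, &net);
    else       preauth_init_buggy(&sm, &net);
    sm.last_id = last_id;
    return eap_rx_success(&sm, req_id);
}

int main(void)
{
    printf("buggy init, id 6 after 5: %d\n", run_preauth(0, 1, 5, 6));
    printf("fixed init, id 6 after 5: %d\n", run_preauth(1, 1, 5, 6));
    return 0;
}
```

The fixed path copies the per-network setting rather than forcing the workaround on, so a network configured for strict identifier checking stays strict during pre-authentication.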