wpa_supplicant fails to preauthenticate

Jouni Malinen j
Tue Dec 4 19:36:46 PST 2007

On Tue, Dec 04, 2007 at 12:13:23AM +0530, Paresh Sawant wrote:

> If we assume that pre-auth is not allowed if the bssid belongs to different
> ssid than one it is already associated with, then would that be right idea
> to make wpa_supplicant report an error instead of initiating the pre-auth by
> sending out eapol start packet ?

I couldn't find a very strong statement from the standard on disallowing
pre-authentication between different ESSes, but the comments in clause
8.4.6 seem to imply that pre-authentication is used only within the
current ESS, i.e., only with the same SSID. Taken into account that
pre-authentication requires layer 2 connectivity between the APs, this
sounds like a reasonable assumption.

wpa_supplicant is actually only adding pre-authentication candidates if
the SSID of the target AP matches the current SSID. The test case you
described uses an external trigger (wpa_cli preauthenticate) to force
wpa_supplicant to start pre-authentication. At this point, the SSID of
the destination BSS is not even known and as such, there is no way of
reporting an error here. The current wpa_supplicant behavior seems
reasonable to me.

> Is it possible to have 2 different access points within same ESS having
> separate security policies e.g. ap1 with WPA2-PSK and ap2 with WPA2-EAP ? I
> don't see IEEE 802.11i enforcing such a rule. please correct me.

There may not be an explicit statement for this in the standard, but
I've heard many comments  on the security policy to be assumed to be
configured consistently throughout the ESS. Though, it should also be
noted that it is possible even for a single AP to advertise support for
both PSK and EAP AKMPs since WPA/RSN IE can include multiple key
management protocols.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list