pmkid in association request

Paresh Sawant paresh.sawant
Tue Dec 23 00:39:58 PST 2008


Let me explain the 2 scenarios -

#1
-- with only AP1 running
Connect AP1 -> disconnect AP1 -> re-connect AP1
When I re-connect to AP1 it skips the PMKSA since the association request
contained a valid PMKID.

-- with only AP2 running
Connect AP2 -> disconnect AP2 -> re-connect AP2
When I re-connect to AP2 it skips the PMKSA since the association request
contained a valid PMKID.

Conclusion: in both reconnects I see the correct behavior.

#2
Following is the sequence of actions ->
2.1> Initially AP1 (ssid = "linksis-wpa2-ttls") is running, so I connect to AP1
doing full PMKSA; I successfully finish RSNA.

2.2> I start AP2 (ssid = "linksis-wpa2-ttls"), and after AP2 is up and
running, I stop AP1. wpa_supp receives "media connect" for AP2, and it
performs RSNA with AP2 successfully.

2.3> I start AP1 again (without any change in configuration), and after AP1
is up and running, I stop AP2. wpa_supp receives "media connect" for AP1,
and it performs RSNA with AP1 successfully.

Conclusion: I see an issue in <2.3>, since AP1 does not honor the PMKID in
the association request; it performs the full EAP again. Since wpa_supp sends
the correct PMKID in the association request, I was expecting AP1 to jump
directly to PTKSA, but it does not happen that way.

Hope I made the scenarios clear. Please let me know if it needs more
clarification.


Thanks
- Paresh


On Tue, Dec 23, 2008 at 1:53 PM, Jouni Malinen <j at w1.fi> wrote:

> On Mon, Dec 22, 2008 at 07:16:48PM +0530, Paresh Sawant wrote:
>
> > I have 2 linksys access points (WRT54GL), both belong to same ssid,
>
> > wpa_supplicant successfully manages to associate using eap-ttls with both
> > APs, but I notice while reassociating with either of the APs, even though
> > the association request carries valid PMKID in RSN IE, AP chooses to do
> > complete EAP-TTLS instead of skipping PMKSA. But it does NOT behave this
> > way when I have only one AP running, it honors the pmkid carried in the
> > association request and skips the PMKSA jumping directly to PTKSA.
>
> Just to make sure I understood your test scenario:
>
> AP1 -> AP1 uses PMKSA caching
>
> AP1 -> AP2 does not (as expected, since AP2 did not yet know PMK)
>
> did you try AP1 -> AP2 -> AP1 (the second reassociation could use PMKSA
> caching)
>
> If you want to get the first reassociation to use PMKSA caching, you
> would also need to enable RSN pre-authentication (or opportunistic key
> caching if the APs support that).
>
> --
> Jouni Malinen                                            PGP id EFC895FA
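The roaming sequences discussed in this thread, as an added sketch that is not part of the original message and is not hostapd or wpa_supplicant code. It uses the IEEE 802.11i definition PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); the MAC addresses, the PMK values and the `ApPmksaCache` class are constructed, and the final case assumes an AP whose cache has been emptied, which the thread does not establish for the WRT54GL.

```python
import hashlib
import hmac

def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

class ApPmksaCache:
    """Hypothetical authenticator-side PMKSA cache for a single BSSID."""
    def __init__(self, bssid: bytes):
        self.bssid = bssid
        self.entries = {}  # PMKID -> PMK

    def full_eap_done(self, pmk: bytes, sta: bytes) -> bytes:
        """Store the PMK from a completed EAP exchange; return its PMKID."""
        pid = pmkid(pmk, self.bssid, sta)
        self.entries[pid] = pmk
        return pid

    def on_assoc_request(self, sta: bytes, offered: list) -> str:
        """Decide what follows an association request carrying PMKIDs."""
        for pid in offered:
            pmk = self.entries.get(pid)
            # The PMKID must match this AP's own address (AA) and the station.
            if pmk and hmac.compare_digest(pid, pmkid(pmk, self.bssid, sta)):
                return "4-way handshake"
        return "full EAP"

def demo() -> dict:
    sta = bytes.fromhex("020000000001")                  # constructed SPA
    ap1 = ApPmksaCache(bytes.fromhex("0200000000a1"))    # constructed BSSIDs
    ap2 = ApPmksaCache(bytes.fromhex("0200000000a2"))
    sta_cache = {}                                       # station side: BSSID -> PMKID
    offer = lambda ap: [sta_cache[ap.bssid]] if ap.bssid in sta_cache else []
    out = {}

    sta_cache[ap1.bssid] = ap1.full_eap_done(bytes(range(32)), sta)
    out["AP1 -> AP1"] = ap1.on_assoc_request(sta, offer(ap1))
    # First visit to AP2: neither side holds a PMKSA for this BSSID yet.
    out["AP1 -> AP2"] = ap2.on_assoc_request(sta, offer(ap2))
    sta_cache[ap2.bssid] = ap2.full_eap_done(bytes(range(32, 64)), sta)
    out["AP1 -> AP2 -> AP1"] = ap1.on_assoc_request(sta, offer(ap1))
    # Assumption: the AP's cache was emptied; the station's PMKID is still
    # valid on its side, but the AP can no longer resolve it.
    ap1.entries.clear()
    out["AP1 after cache cleared"] = ap1.on_assoc_request(sta, offer(ap1))
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
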