When EAP-TNC use, should I disable fast_reauth ?
Jouni Malinen
j
Mon Dec 7 11:42:59 PST 2009
On Mon, Dec 07, 2009 at 10:16:28AM +0900, r.ooba at ictec.co.jp wrote:
> 1. wpa_supplicant start authenticating with TTLS/TNC.
>
> 2. wpa_supplicant auth failed.
> wpa_supplicant is isolated by vlan network.
> (However, TNC Server send EAP-SUCCESS to wpa_supplicant.)
Why did the authentication fail?
> 3. wpa_supplicant try re-auth.
> However, "phase 2 method (EAP-TNC)" is omitted by the
> fast_reauth function at this time.
This sounds a bit odd.. If the first authentication failed,
wpa_supplicant should not be able to try session resumption. Which
version of wpa_supplicant are you using? Would you be able to send me a
debug log from wpa_supplicant showing both the initial failure (with TNC
success) and the second attempt to authenticate?
> When EAP-TNC use, should I disable fast_reauth ?
EAP-TNC is controlled by the authentication server, so if it need to
validate TNC information, it should be able to do so here.. I would like
to better understand what exactly happened before recommending
fast_reauth to be disabled for this kind of use and if this is known to
have problems, I would rather make wpa_supplicant work around them
without requiring the user to change configuration.
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list