When using EAP-TNC, should I disable fast_reauth?
r.ooba at ictec.co.jp
r.ooba
Mon Dec 7 23:37:40 PST 2009
>Why did the authentication fail?
In my previous email, I wrote "wpa_supplicant auth failed" by mistake.
I meant "wpa_supplicant auth successful". I am sorry about that.
However, wpa_supplicant was isolated.
>This sounds a bit odd.. If the first authentication failed,
>wpa_supplicant should not be able to try session resumption.
That was a mistake.
I meant "wpa_supplicant auth successful".
>EAP-TNC is controlled by the authentication server, so if it needs to
>validate TNC information, it should be able to do so here.. I would like
>to better understand what exactly happened before recommending
>fast_reauth to be disabled for this kind of use and if this is known to
>have problems, I would rather make wpa_supplicant work around them
>without requiring the user to change configuration.
Is this something that you will investigate?
Thanks,
Oba Ryuji
>On Mon, Dec 07, 2009 at 10:16:28AM +0900, r.ooba at ictec.co.jp wrote:
>
>> 1. wpa_supplicant starts authenticating with TTLS/TNC.
>>
>> 2. wpa_supplicant auth failed.
>> wpa_supplicant is isolated by the VLAN network.
>> (However, the TNC Server sends EAP-SUCCESS to wpa_supplicant.)
>
>Why did the authentication fail?
>
>> 3. wpa_supplicant tries re-auth.
>> However, "phase 2 method (EAP-TNC)" is omitted by the
>> fast_reauth function at this time.
>
>This sounds a bit odd.. If the first authentication failed,
>wpa_supplicant should not be able to try session resumption. Which
>version of wpa_supplicant are you using? Would you be able to send me a
>debug log from wpa_supplicant showing both the initial failure (with TNC
>success) and the second attempt to authenticate?
>
>> When using EAP-TNC, should I disable fast_reauth?
>
>EAP-TNC is controlled by the authentication server, so if it needs to
>validate TNC information, it should be able to do so here.. I would like
>to better understand what exactly happened before recommending
>fast_reauth to be disabled for this kind of use and if this is known to
>have problems, I would rather make wpa_supplicant work around them
>without requiring the user to change configuration.
>
>--
>Jouni Malinen PGP id EFC895FA