When EAP-TNC use, should I disable fast_reauth ?

r.ooba at ictec.co.jp r.ooba
Mon Dec 7 23:37:40 PST 2009


>Why did the authentication fail?

In my previous email, I wrote "wpa_supplicant auth failed" by mistake.
I meant "wpa_supplicant auth successful". I am sorry about that.
However, wpa_supplicant was isolated. 

>This sounds a bit odd.. If the first authentication failed,
>wpa_supplicant should not be able to try session resumption. 

That was a mistake.
I meant "wpa_supplicant auth successful".

>EAP-TNC is controlled by the authentication server, so if it needs to
>validate TNC information, it should be able to do so here.. I would like
>to better understand what exactly happened before recommending
>fast_reauth to be disabled for this kind of use and if this is known to
>have problems, I would rather make wpa_supplicant work around them
>without requiring the user to change configuration.

Is it a thing that you investigate?


Thanks, 
Oba Ryuji




>On Mon, Dec 07, 2009 at 10:16:28AM +0900, r.ooba at ictec.co.jp wrote:
>
>> 1. wpa_supplicant starts authenticating with TTLS/TNC.
>> 
>> 2. wpa_supplicant auth failed.
>>    wpa_supplicant is isolated by vlan network.
>>    (However, TNC Server sends EAP-SUCCESS to wpa_supplicant.)
>
>Why did the authentication fail?
>
>> 3. wpa_supplicant tries re-auth.
>>    However, "phase 2 method (EAP-TNC)" is omitted by the 
>>    fast_reauth function at this time. 
>
>This sounds a bit odd.. If the first authentication failed,
>wpa_supplicant should not be able to try session resumption. Which
>version of wpa_supplicant are you using? Would you be able to send me a
>debug log from wpa_supplicant showing both the initial failure (with TNC
>success) and the second attempt to authenticate?
>
>> When EAP-TNC use, should I disable fast_reauth ?
>
>EAP-TNC is controlled by the authentication server, so if it needs to
>validate TNC information, it should be able to do so here.. I would like
>to better understand what exactly happened before recommending
>fast_reauth to be disabled for this kind of use and if this is known to
>have problems, I would rather make wpa_supplicant work around them
>without requiring the user to change configuration.
>
>-- 
>Jouni Malinen                                            PGP id EFC895FA