When EAP-TNC use, should I disable fast_reauth ?

Jouni Malinen j
Tue Dec 8 05:30:50 PST 2009


On Tue, Dec 08, 2009 at 04:37:40PM +0900, r.ooba at ictec.co.jp wrote:

> In my previous email, I wrote "wpa_supplicant auth failed" by mistake.
> I meant "wpa_supplicant auth successful". I am sorry about that.
> However, wpa_supplicant was isolated. 

OK, that makes more sense. Did you expect the device to get isolated at
that point, i.e., is there an expectation that the state would change
with the following authentication (in which case there could be reason
not to use session resumption)?

Getting isolated result from TNC by itself may not be good enough reason
to disable session resumption, so I would like to understand what your
expectation was as far as the authentication and TNC result was
concerned for both the first and second attempt.

> >EAP-TNC is controlled by the authentication server, so if it need to
> >validate TNC information, it should be able to do so here.. I would like
> >to better understand what exactly happened before recommending
> >fast_reauth to be disabled for this kind of use and if this is known to
> >have problems, I would rather make wpa_supplicant work around them
> >without requiring the user to change configuration.
> 
> Is it a thing that you investigate?

Assuming I first fully understand the problem, I would be likely making
sure wpa_supplicant handles it in a reasonable way in the future.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list