When EAP-TNC use, should I disable fast_reauth ?
r.ooba at ictec.co.jp
r.ooba
Tue Dec 8 17:23:51 PST 2009
>OK, that makes more sense. Did you expect the device to get isolated at
>that point, i.e., is there an expectation that the state would change
>with the following authentication (in which case there could be reason
>not to use session resumption)?
I cannot write it well because I am weak at English.
I think the following case is a problem.
1. "A non-compliant TNC client PC" attempts to connect to a network.
   This TNC client (wpa_supplicant) uses the fast_reauth function.
2. The TNC client PC is isolated by VLAN network.
   At this time, wpa_supplicant receives EAP-SUCCESS.
3. Remediation is complete for the TNC client PC.
   The TNC client PC becomes a "compliant PC".
4. The TNC client PC attempts re-auth (by TNC Handshake Retry).
   At this time, "phase 2 method (EAP-TNC)" is omitted by the
   fast_reauth function.
5. The TNC client PC is isolated again.
   The TNC client PC is compliant. However, it is finally isolated.
Thanks,
Oba Ryuji
>On Tue, Dec 08, 2009 at 04:37:40PM +0900, r.ooba at ictec.co.jp wrote:
>
>> In my previous email, I wrote "wpa_supplicant auth failed" by mistake.
>> I meant "wpa_supplicant auth successful". I am sorry about that.
>> However, wpa_supplicant was isolated.
>
>OK, that makes more sense. Did you expect the device to get isolated at
>that point, i.e., is there an expectation that the state would change
>with the following authentication (in which case there could be reason
>not to use session resumption)?
>
>Getting isolated result from TNC by itself may not be good enough reason
>to disable session resumption, so I would like to understand what your
>expectation was as far as the authentication and TNC result was
>concerned for both the first and second attempt.
>
>> >EAP-TNC is controlled by the authentication server, so if it need to
>> >validate TNC information, it should be able to do so here.. I would like
>> >to better understand what exactly happened before recommending
>> >fast_reauth to be disabled for this kind of use and if this is known to
>> >have problems, I would rather make wpa_supplicant work around them
>> >without requiring the user to change configuration.
>>
>> Is it a thing that you investigate?
>
>Assuming I first fully understand the problem, I would be likely making
>sure wpa_supplicant handles it in a reasonable way in the future.
>
>--
>Jouni Malinen PGP id EFC895FA
>_______________________________________________
>HostAP mailing list
>HostAP at lists.shmoo.com
>http://lists.shmoo.com/mailman/listinfo/hostap
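The five-step scenario above can be written down as a small model, which makes it easier to see why the posture result gets stuck. The model below is an added illustration, not wpa_supplicant or hostapd code; the class and function names (Server, Session, run_scenario) and the two VLAN labels are assumptions made for this example. It compares three client behaviours: session resumption left on (phase 2, and with it EAP-TNC, is skipped, so the server reuses the VLAN it assigned before remediation), session resumption disabled, and a workaround in the spirit of the reply above, where the supplicant discards its cached session when it performs a TNC handshake retry so that the next authentication is a full one.

```python
"""Model of the fast_reauth / EAP-TNC interaction from the thread.

Constructed example. The server keeps a cached session per client and,
when the client offers to resume it, grants access based on the result
of the earlier full authentication without re-running EAP-TNC.
"""
from dataclasses import dataclass, field

COMPLIANT = "compliant"
NON_COMPLIANT = "non-compliant"
PRODUCTION_VLAN = "production"   # assumed label for the normal network
ISOLATION_VLAN = "isolation"     # assumed label for the remediation VLAN


@dataclass
class Session:
    """Server-side cache: the VLAN decided at the last full authentication."""
    vlan: str


@dataclass
class Server:
    sessions: dict = field(default_factory=dict)

    def authenticate(self, client_id: str, posture: str, resume: bool) -> str:
        """Return the VLAN assigned to the client for this authentication.

        resume=True models TLS session resumption: phase 2 (EAP-TNC) is
        skipped, so the posture argument is never examined and the cached
        decision is reused.
        """
        if resume and client_id in self.sessions:
            return self.sessions[client_id].vlan
        # Full authentication: EAP-TNC runs and the posture is evaluated.
        vlan = PRODUCTION_VLAN if posture == COMPLIANT else ISOLATION_VLAN
        self.sessions[client_id] = Session(vlan)
        return vlan


def run_scenario(fast_reauth: bool, drop_session_on_tnc_retry: bool = False):
    """Replay steps 1-5 of the thread and return (first VLAN, second VLAN).

    fast_reauth: whether the client offers session resumption at step 4.
    drop_session_on_tnc_retry: hypothetical supplicant-side workaround in
    which a TNC handshake retry forgets the cached session and forces a
    full authentication even though fast_reauth is enabled.
    """
    server = Server()
    client_id = "pc1"                       # constructed client identity
    client_has_cached_session = False

    # Step 1-2: non-compliant client, full authentication, isolated VLAN.
    first = server.authenticate(client_id, NON_COMPLIANT, resume=False)
    client_has_cached_session = True        # EAP-SUCCESS received

    # Step 3: remediation completes; the PC is now compliant.
    posture = COMPLIANT

    # Step 4: TNC handshake retry.
    if drop_session_on_tnc_retry:
        client_has_cached_session = False
    resume = fast_reauth and client_has_cached_session
    second = server.authenticate(client_id, posture, resume=resume)

    # Step 5: second is the VLAN the compliant PC actually ends up on.
    return first, second


if __name__ == "__main__":
    for label, args in (
        ("fast_reauth on", (True,)),
        ("fast_reauth off", (False,)),
        ("fast_reauth on, drop session on TNC retry", (True, True)),
    ):
        print(f"{label}: {run_scenario(*args)}")
```

With resumption on, the compliant PC stays on the isolation VLAN after remediation because the server never sees the new posture; disabling fast_reauth or forgetting the cached session before the retry both result in a full authentication and a production VLAN. Real EAP servers may also decline to resume a session on their own, which this model does not attempt to represent.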