When using EAP-TNC, should I disable fast_reauth?

r.ooba at ictec.co.jp r.ooba
Tue Dec 8 17:23:51 PST 2009


>OK, that makes more sense. Did you expect the device to get isolated at
>that point, i.e., is there an expectation that the state would change
>with the following authentication (in which case there could be reason
>not to use session resumption)?

I cannot write it well because I am weak at English.
I think the following case is the problem.


1. A "non-compliant TNC client PC" attempts to connect to a network.
   This TNC client (wpa_supplicant) uses the fast_reauth function.

2. The TNC client PC is isolated in a VLAN network.
   At this time, wpa_supplicant receives EAP-SUCCESS.

3. Remediation is completed for the TNC client PC.
   The TNC client PC becomes a "compliant PC".

4. The TNC client PC attempts re-authentication (by TNC Handshake Retry).
   At this time, the "phase 2 method (EAP-TNC)" is omitted by the
   fast_reauth function.

5. The TNC client PC is isolated again.

The TNC client PC is compliant. However, it is still isolated in the end.


Thanks,
Oba Ryuji

>On Tue, Dec 08, 2009 at 04:37:40PM +0900, r.ooba at ictec.co.jp wrote:
>
>> In my previous email, I wrote "wpa_supplicant auth failed" by mistake.
>> I meant "wpa_supplicant auth successful". I am sorry about that.
>> However, wpa_supplicant was isolated. 
>
>OK, that makes more sense. Did you expect the device to get isolated at
>that point, i.e., is there an expectation that the state would change
>with the following authentication (in which case there could be reason
>not to use session resumption)?
>
>Getting an isolated result from TNC by itself may not be a good enough reason
>to disable session resumption, so I would like to understand what your
>expectation was as far as the authentication and TNC result were
>concerned for both the first and second attempt.
>
>> >EAP-TNC is controlled by the authentication server, so if it needs to
>> >validate TNC information, it should be able to do so here.. I would like
>> >to better understand what exactly happened before recommending
>> >fast_reauth to be disabled for this kind of use and if this is known to
>> >have problems, I would rather make wpa_supplicant work around them
>> >without requiring the user to change configuration.
>> 
>> Is it a thing that you investigate?
>
>Assuming I first fully understand the problem, I would likely be making
>sure wpa_supplicant handles it in a reasonable way in the future.
>
>-- 
>Jouni Malinen                                            PGP id EFC895FA
>_______________________________________________
>HostAP mailing list
>HostAP at lists.shmoo.com
>http://lists.shmoo.com/mailman/listinfo/hostap
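The scenario in the message above hinges on one global wpa_supplicant setting. The fragment below is an added illustration, not configuration posted by the author or shipped with wpa_supplicant: it shows the global `fast_reauth` setting in its default state (session resumption on, so a later reconnect can skip phase 2 and with it EAP-TNC) beside the workaround of forcing a full EAP exchange. The SSID, identity, CA path and inner-method string are constructed placeholders; in particular, how EAP-TNC is requested inside the tunnel is decided by the authentication server, so the `phase2=` line is an assumption and only the `fast_reauth` values are the point of the example.

```conf
# wpa_supplicant.conf (added example, values are placeholders)
ctrl_interface=/var/run/wpa_supplicant

# Default: fast_reauth=1. After a successful TLS-based EAP session the
# supplicant may resume that session on the next authentication, and a
# resumed session does not run the phase 2 method again. In the scenario
# from the thread, that is why EAP-TNC is skipped on the retry and the
# now-compliant client keeps the isolated VLAN assignment from round one.
#fast_reauth=1

# Workaround: disable session resumption so every (re)authentication
# runs the full tunneled exchange, including the TNC integrity check,
# and the server can re-evaluate the endpoint and move it out of
# quarantine. Cost: a full TLS handshake on each re-auth.
fast_reauth=0

network={
    ssid="corp-nac"                 # constructed placeholder
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="client-pc"            # constructed placeholder
    password="example-password"     # constructed placeholder
    ca_cert="/etc/ssl/certs/corp-ca.pem"   # constructed placeholder
    # Inner method; whether and when EAP-TNC is run inside the tunnel is
    # controlled by the authentication server (assumption, see lead-in).
    phase2="auth=MSCHAPV2"
}
```

From a defender's point of view the trade-off is the one Jouni raises in the thread: `fast_reauth=0` guarantees that remediation is re-checked on every reconnect, at the price of a full handshake each time, whereas keeping resumption on requires the server side to decide when a session must not be resumed (for example after a non-compliant result) rather than relying on the client's configuration.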