fast_reauth=1

Jouni Malinen j
Fri Sep 24 23:04:01 PDT 2010


On Thu, Sep 23, 2010 at 09:02:38PM +0100, Panagiotis Georgopoulos wrote:

> * Proactive key caching : to avoid doing a full reauth when client moves
> from AP1 to AP2 and then back to AP1 quickly (i.e. reconnecting to the same
> AP - how quickly though?). Also when pre_auth is allowed so that when a
> client moves from AP1 to AP2 only the 4-way handshake is performed locally,
> without full authentication with a AAA backend server, since the later AP
> learns from the former via a switch that authentication has already been
> performed.

That is PMKSA caching, not proactive key caching.. RSN
pre-authentication is one way of generating PMKSA cache entries;
proactive key caching is another way (assuming that the same PMK is used
and locally deriving the PMKSA entry).

> * Session resumption, fast reauth (in wpa_supplciant) : this is basically an
> SSL/TLS feature and allows e.g. in EAP-TLS to skip phase 2 if the client has
> been recently authenticated successfully. E.g. this is used to speed up
> authentication when client moves from AP1 where he has been successfully
> authenticated to AP2. Packets are still send from the NAS to the AAA server
> when client connects to AP2, but the AAA server does not do Phase 2 of the
> authentication (due to session resumption) thus resulting in faster
> authentication for the client.

This is not limited to TLS. Many EAP methods support abbreviated mode in
which information from the initial authentication can be used to speed
up subsequent authentication with the same authentication server (i.e.,
when PMKSA caching could not be used).

By the way, EAP-TLS is not normally described to have Phase 2. Session
resumption is part of the TLS handshake (i.e., skip sending of
certificates and instead, use previously derived key material from an
earlier authentication). In case of EAP-PEAP/TTLS/FAST, Phase 2 (e.g.,
password-based authentication of the client) may also be skipped when
fast reauthentication is used.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list