fast_reauth problem in combination with freeradius

Dennis Borgmann dennis.borgmann
Mon Jan 24 06:57:50 PST 2011


Hello hostapd-list!

I experience an error while using wpa_supplicant-0.7.3 in combination
with hostapd-0.7.3, freeradius-2.0.4 and openssl-0.9.8g. I am using EAP-TLS.

When using the "fast_reauth=1" option within wpa_supplicant.conf, I will
observe a disconnect as soon as there should be a reauthentication. Prior
to a reauth, the connection is running fine. As soon as I put
"fast_reauth=0" the error does not show up anymore.

Steps to reproduce the error after installing the software mentioned above:

put this into wpa_supplicant.conf:
dot11RSNAConfigPMKLifetime=600
# Threshold for reauthentication (percentage of PMK lifetime); default 70
dot11RSNAConfigPMKReauthThreshold=10

Now there will be a reauth one minute after initial successful
connection. Due to fast_reauth being enabled by default, the error will
directly occur. Once fast_reauth is set to "0" and wpa_supplicant has been
restarted, the error goes away. Searching the internet intensively only
came up with one valid solution, which was to disable state resumption
of SSL within freeradius at all by setting ctx_options |=
SSL_OP_NO_TICKET in src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
of freeradius-source, which essentially does the same - it disables fast
reauthentication.

It does not affect my connection at all. Doing a "ping -i 0.1 <IP>" via
the link secured by EAP-TLS did not show up with any problem without
fast_reauth, so it seems to be fast enough anyway. But how could this
problem be solved without workaround?

Here are the outputs of both "freeradius -X" and "wpa_supplicant (...) -ddd":

freeradius:
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 05a8], ClientHello 
    TLS_accept:error in SSLv3 read client hello C
rlm_eap: SSL error error:140D9115:SSL
routines:SSL_GET_PREV_SESSION:session id context uninitialized
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
  eaptls_process returned 13
  rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.

wpa_supplicant:

EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:c0:ca:46:45:8b
RX EAPOL - hexdump(len=8): 02 00 00 04 04 7a 00 04
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
wpa_supplicant.conf:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=2
ap_scan=1
country=DE
fast_reauth=1
dot11RSNAConfigPMKLifetime=600
# Threshold for reauthentication (percentage of PMK lifetime); default 70
dot11RSNAConfigPMKReauthThreshold=10
network={
ssid="test"
scan_ssid=1
proto=RSN
key_mgmt=WPA-EAP
auth_alg=OPEN
pairwise=CCMP
group=CCMP
eap=TLS
identity="test1"
ca_cert="/export-ca.crt"
client_cert="/test1.crt"
private_key="/test1.key"
eap_workaround=0
}

Any suggestions?

Dennis
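As an added illustration (not part of the post or of the hostapd/FreeRADIUS code), the following decodes the EAPOL/EAP frame from the wpa_supplicant hexdump quoted above and correlates it with the FreeRADIUS "session id context uninitialized" line, which is how one would spot this resumption failure in logs. The log lines are constructed from the post; the correlation heuristic is my own assumption.

```python
"""Decode a wpa_supplicant -ddd EAPOL hexdump and flag the FreeRADIUS
TLS session-resumption failure described in the post."""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
HEXDUMP_RE = re.compile(r"RX EAPOL - hexdump\(len=(\d+)\): ([0-9a-f ]+)")

# Constructed sample logs, taken from the lines quoted in the post.
RADIUS_LOG = [
    "rlm_eap_tls: <<< TLS 1.0 Handshake [length 05a8], ClientHello",
    "rlm_eap: SSL error error:140D9115:SSL routines:"
    "SSL_GET_PREV_SESSION:session id context uninitialized",
    "++[eap] returns reject",
]
SUPPLICANT_LOG = [
    "RX EAPOL from 00:c0:ca:46:45:8b",
    "RX EAPOL - hexdump(len=8): 02 00 00 04 04 7a 00 04",
    "EAP: Received EAP-Failure",
]


def decode_eapol(line):
    """Parse 'RX EAPOL - hexdump(len=N): xx xx ..' into EAPOL and EAP headers.
    EAPOL header: version(1) type(1) length(2); EAP header: code(1) id(1) len(2)."""
    m = HEXDUMP_RE.search(line)
    if not m:
        return None
    data = bytes.fromhex(m.group(2).replace(" ", ""))
    if len(data) != int(m.group(1)) or len(data) < 4:
        return None  # truncated or mislabelled dump
    version, eapol_type = data[0], data[1]
    body_len = int.from_bytes(data[2:4], "big")
    frame = {"eapol_version": version, "body_len": body_len,
             "eapol_type": EAPOL_TYPES.get(eapol_type, eapol_type)}
    body = data[4:4 + body_len]
    if eapol_type == 0 and len(body) >= 4:  # EAP-Packet carries an EAP header
        frame["eap_code"] = EAP_CODES.get(body[0], body[0])
        frame["eap_id"] = body[1]
        frame["eap_len"] = int.from_bytes(body[2:4], "big")
    return frame


def resumption_failure(radius_log, supplicant_log):
    """True when the server rejected resumption for lack of a session id
    context and the supplicant saw an EAP-Failure in the same exchange."""
    ctx_err = any("session id context uninitialized" in l for l in radius_log)
    frames = (decode_eapol(l) for l in supplicant_log)
    got_failure = any(f and f.get("eap_code") == "Failure" for f in frames)
    return ctx_err and got_failure
```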
