Re: wpa-supplicant 2.4 and "RSN: no PMKSA entry found"

[Jan K]

Hi,

To sum up my issue with WPA-EAP connecting with 2.3 and not with 2.4.

> last time this question came up on the list (early May), the reason was
> in a bug in the authentication server. That just got triggered by
> wpa_supplicant v2.4 enabling use of TLS v1.2.

> http://lists.shmoo.com/pipermail/hostap/2015-May/032748.html

You must be right, since adding the following to my config:
phase1="tls_disable_tlsv1_2=1"
made me able to connect with wpa_supplicant 2.4.

> Do you know which authentication server is used in this network?

I asked this question, got no answer, asked it again, yet to no avail.
The admins in question are rather bofh-like, but I expected at least an explicit nack to my question.

So I must apologize for them and thank you for your hints.

Regards,
Jan 


On July 1, 2015 at 17:19 Jouni Malinen wrote:
> 
> > On Tue, Jun 30, 2015 at 09:05:20PM +0200, Jan K wrote:
> > I'm having trouble with WPA-EAP and wpa_supplicant 2.4; I get deauth for local reason during EAPOL, probably due to PMKSA cache problem.
> > Using identical config with 2.1 and 2.3 successfully connects, while 2.4 fails.
> > 
> > I've compared wpa_supplicant -ddd output to find the following change:
> > 
> > (both)RSN: Added PMKSA cache entry for 00:04:96:68:71:31 network_ctx=(...)
> > (both)nl80211: Add PMKID for 00:04:96:68:71:31
> > 
> > (bad) wlp4s0: RSN: no PMKSA entry found - trigger full EAP authentication
> > (good)wlp4s0: RSN: the new PMK matches with the PMKID
> > 
> > Next: 2.3 and 2.1 succeed EAPOL, 2.4 prints out several lines, waits for 0.5s and deauths.
> 
> Do you know which authentication server is used in this network? The
> last time this question came up on the list (early May), the reason was
> in a bug in the authentication server. That just got triggered by
> wpa_supplicant v2.4 enabling use of TLS v1.2.
> 
> See this email for more details:
> http://lists.shmoo.com/pipermail/hostap/2015-May/032748.html
> 
>