When EAP-TNC use, should I disable fast_reauth ?

Jouni Malinen j
Mon Dec 7 11:42:59 PST 2009


On Mon, Dec 07, 2009 at 10:16:28AM +0900, r.ooba at ictec.co.jp wrote:

> 1. wpa_supplicant start authenticating with TTLS/TNC.
> 
> 2. wpa_supplicant auth failed.
>    wpa_supplicant is isolated by vlan network.
>    (However, TNC Server send EAP-SUCCESS to wpa_supplicant.)

Why did the authentication fail?

> 3. wpa_supplicant try re-auth. 
>    However, "phase 2 method (EAP-TNC)" is omitted by the 
>    fast_reauth function at this time. 

This sounds a bit odd.. If the first authentication failed,
wpa_supplicant should not be able to try session resumption. Which
version of wpa_supplicant are you using? Would you be able to send me a
debug log from wpa_supplicant showing both the initial failure (with TNC
success) and the second attempt to authenticate?

> When EAP-TNC use, should I disable fast_reauth ?

EAP-TNC is controlled by the authentication server, so if it need to
validate TNC information, it should be able to do so here.. I would like
to better understand what exactly happened before recommending
fast_reauth to be disabled for this kind of use and if this is known to
have problems, I would rather make wpa_supplicant work around them
without requiring the user to change configuration.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list