EAP-TLS - Authentication succeeds with incorrect "private_key_passwd"

Panagiotis Georgopoulos panos
Fri Oct 8 02:16:29 PDT 2010


Hello Saurav,

	Please see inline...


> I agree - PMKSA caching is a good feature. But it should not force to
> skip the need for a reauth. A user might try to change his TLS
> certificates/password at the run-time and edit the wpa_supplicant.conf
> for the new configs. In this case, wpa_supplicant should have a
> provision to start a reauth session because the certificates are
> changed. In this case the user is not breaking a working config - he just
> wants to use new configuration. As of now, the only way the new config
> can take effect is by restarting the running wpa_supplicant. Would it
> not be better, if we can have a similar mechanism with a running
> wpa_supplicant?

As far as I know, you can use wpa_cli and force wpa_supplicant to read the
new configuration (that the user changed) by running 'reconfigure'. That
will read the new configuration and use the new certificates and password
(if the user changed them). I am not sure if this flushes PMKSA caching or
how it affects reauth, but it is worth a try if that is what you need.

Cheers,
Panos


> 
> If we need to re-run wpa_supplicant every time TLS certs are changed,
> then logon/logoff options from wpa_cli are redundant. Please correct me
> if I am wrong.
> 
> Thanks,
> Saurav




