Clarification about re-authentication and pre-authentication

Panagiotis Georgopoulos panos
Fri Sep 10 09:00:44 PDT 2010 

Hello all,

 

                In an effort to understand how re-authentication and
pre-authentication work in order to speed up the authentication process for
the client I have the two following questions.

 

1)      Re-authentication : As far as I understand it, hostapd has the
eap_reauth_period option to define the number of seconds where
reauthentication for a client can be performed. In simple terms this means
that a client has been authenticated, it gets disconnected and then
re-connected back to this AP within the reauth_period. If it does, then
hostapd does not peform authentication for the client (neither when it acts
as an EAP server, nor when it uses an external Radius server for the
authentication). The only think that it does is to start the accounting
procedure for the client that got reconnected. Is this right? How does the
AP know the identity of the client so that it can confirm that this client
has been connected before ?

 

Incidentally, do fast-reauthentication and pmk caching refer to the same
procedure as described above?

 

As a side note, am I right in thinking that re-authentication on hostapd is
the same as session resumption (or fast-reauthenication) as I've seen in
freeRadius' configuration file? 

 

 

2)      Pre-authentication : Here I am a bit more confused. I would have
guessed that enabling the pre-authentication options in hostapd.conf would
allow a wpa_supplicant client to perform pre-authentication with an Access
Point that he is roaming to, before losing his previous connection with a
different Access Point. Is this right?

 

However, why do we have pre-auth options for hostapd and not for
wpa_supplicant? In theory, any Access Point should not care if the user is
performing pre-authentication, but manage to authenticate him before the
wpa_supplicant decides to disassociate him from the previous access point.
Why is there a rsn_preauth_interfaces option in hostapd.conf? The interface
option that the machine is using to create the AP is not enough? The client
that will try to do pre-authentication will try to connect to the access
point anyway.

 

Thanks in advance for your replies,

Panos

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20100910/78f42e16/attachment.htm

More information about the Hostap mailing list