wpa_supplicant, pkcs11, pmksa
Wed Sep 7 16:20:47 PDT 2011
So I think that bgscan will work on the older kernels, it just won't
get the signal change events from the driver IIRC...so the timers will
be the only prompt for a roam. Though IMO it is worth the time to
upgrade the kernel, and use wpa_supplicant with the -on80211 flag,
because the roaming performance is far better that way. I know it's a
pain, but just package your custom kernel as an RPM and slide it in
there... :-) And yeah there is a lot of source-code reading involved
understanding how bgscan works. I"m sure that there is some
opportunity for us to contribute our hard-won knowledge into some wiki
some place to prevent the next wandering engineer having to do the
same. I digress...
PMKSA key caching is disabled in the supplicant by default:
You might try enabling that, and then give us the output of running
your supplicant during a roam event with the -dd flag.
On Wed, Sep 7, 2011 at 1:40 PM, Martinsson Patrik
<patrik.martinsson at smhi.se> wrote:
> Hi !
> First, my knowledge in this area is rather limited so therefore the
> questions might be "a bit weird" or "way off", forgive me for that.
> I'm trying to get wireless working with "smartcard-auth" and roaming. I can
> successfully connect and authenticate to our network, but there seems to be
> two problems, which may have a reasonable explanation, I don't know, hence
> this mail.
> - Roaming, cant get it to work satisfying.
> When moving from one ap to another, wpa_supplicant first disconnects and
> then makes a scan, and then tries to connect to the next ap, *but* this
> takes some time, from ~5 sec, to 1 minute, as of now, this is not a
> desirable since you can't roam without noticing it significant. I looked
> into the option bgscan (which is very hard to find btw), and as I understand
> it, that is the way to go when you want to roam, correct ?
> And bgscan uses signal_monitoring, which is implemented in kernel >2.6.35,
> which in turn means that I'm out of luck since I'm on 2.6.32-131(rhel 6.1),
> correct ?
> - Re-authentication, works but reads from smartcard.
> When I move from one ap to another, wpa_supplicant reauthenticates using
> pmksa, correct ?
> The re-authentication is partially working, it re-authenticates without
> asking for pin, but reads something from the smartcard (reauth won't work
> without smartcard, and pcscd-logs shows alot of activity at reauth), is this
> the way it should work ? I thought I could reauth without smartcard ?
> My wpa_supplicant.conf looks like this,
> pkcs11_module_path=/usr/lib/libiidp11.so # our smartcard vendor
> ??? ssid="xxx"
> ??? engine=1
> ??? engine_id="pkcs11"
> ??? key_mgmt=WPA-EAP
> ??? eap=TLS
> ??? identity="xxx"
> ??? key_id="1:xxx"
> ??? cert_id="1:xxx"
> I'm greatful for any hints or tips that I can get,
> Best regards,
> Patrik Martinsson, Sweden
> HostAP mailing list
> HostAP at lists.shmoo.com
More information about the Hostap