wpa_supplicant, pkcs11, pmksa

Martinsson Patrik patrik.martinsson
Fri Sep 9 02:07:07 PDT 2011

Hi Matt, 

Thanks for straightening things out for me. 

Yes, as I understood it (and verified with some testing) bgscan only works with a timer as a trigger on my current kernel. 
Upgrading a kernel in my case is not an option, however I appreciate the suggestion. 

I've compiled a newer version of wpa_supplicant with the nl80211 driver included and that's what I'm using atm, *and* after adding "proactive_key_caching=1;" to my config (don't know how I missed that from the config file), the reauth part when switching AP works flawlessly. It actually works pretty fast (couple of secs) so the "roaming" is good enough for me. 

My remaining questions though, 
- the length of the cache-time of the pmk is set by the server, correct?
I see the option "dot11RSNAConfigPMKLifetime" in the config file, and I tried it out with an enormous value, and when I do the command "pmksa" from the wpa_cli I see that the value I've set through the config is the one that's in use. Does that mean that I override the setting sent by the server, or is the PMK cache time-length actually set by the client? 

- when the PMK-cache-time has reached the "PMKReauthThreshold" wpa_supplicant reauthenticates, correct? 
Does that mean a "full-reauthentication"? When my "pmk-threshold" is reached and I don't have my smartcard inserted the reauth part fails, however if the smartcard is present the reauth works, even without asking for my pin. 

As always, I'm grateful for any hints or tips that I can get,

Best regards,
Patrik Martinsson, Sweden. 
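
The thread names the relevant wpa_supplicant.conf parameters but never shows them together in one file, so here is a minimal configuration added as an illustration; it is not from the thread and not the poster's own file. It places dot11RSNAConfigPMKLifetime and dot11RSNAConfigPMKReauthThreshold at global scope, where wpa_supplicant reads them, and proactive_key_caching and bgscan inside the network block. The SSID, identity, key/cert ids and the vendor PKCS#11 module path are placeholders, and the lifetime and threshold values shown are wpa_supplicant's documented defaults, chosen here only for illustration.

```conf
# Added example: wpa_supplicant.conf for EAP-TLS with a PKCS#11 smartcard,
# PMKSA caching and background scanning. Not the list poster's config;
# every value marked PLACEHOLDER is an assumption.
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

# OpenSSL PKCS#11 engine and the smartcard vendor's PKCS#11 module
# (module path is a placeholder)
pkcs11_engine_path=/usr/lib64/openssl/engines/engine_pkcs11.so
pkcs11_module_path=/usr/lib/PLACEHOLDER-vendor-pkcs11.so

# Global PMKSA cache parameters; these must sit outside any network block.
# dot11RSNAConfigPMKLifetime: maximum lifetime of a cached PMK in seconds
#   (wpa_supplicant default: 43200, i.e. 12 hours).
# dot11RSNAConfigPMKReauthThreshold: percentage of that lifetime after which
#   wpa_supplicant starts a re-authentication (default: 70).
dot11RSNAConfigPMKLifetime=43200
dot11RSNAConfigPMKReauthThreshold=70

network={
    ssid="PLACEHOLDER-ssid"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="PLACEHOLDER-identity"
    engine=1
    engine_id="pkcs11"
    key_id="1:PLACEHOLDER-key-id"
    cert_id="1:PLACEHOLDER-cert-id"

    # Per-network: opportunistic (proactive) key caching, so a PMK obtained
    # on one AP can be reused on other APs that share it (0 = off, 1 = on).
    proactive_key_caching=1

    # Per-network background scan using the "simple" module:
    # scan every 30 s while the signal is below -45 dBm, every 300 s otherwise.
    bgscan="simple:30:-45:300"
}
```

With this in place, the `pmksa` command in wpa_cli (already used earlier in the thread) lists the cached entries together with their remaining expiration time in seconds and whether each entry was created opportunistically, which is the quickest way to confirm that the configured lifetime is the one the supplicant is applying.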

From: Matt Causey [matt.causey at gmail.com]
Sent: Thursday, September 08, 2011 1:20
To: Martinsson Patrik
Cc: hostap at lists.shmoo.com
Subject: Re: wpa_supplicant, pkcs11, pmksa

So I think that bgscan will work on the older kernels, it just won't
get the signal change events from the driver IIRC...so the timers will
be the only prompt for a roam.  Though IMO it is worth the time to
upgrade the kernel, and use wpa_supplicant with the -on80211 flag,
because the roaming performance is far better that way.  I know it's a
pain, but just package your custom kernel as an RPM and slide it in
there... :-)  And yeah there is a lot of source-code reading involved
understanding how bgscan works.  I"m sure that there is some
opportunity for us to contribute our hard-won knowledge into some wiki
some place to prevent the next wandering engineer having to do the
same.  I digress...

PMKSA key caching is disabled in the supplicant by default:


You might try enabling that, and then give us the output of running
your supplicant during a roam event with the -dd flag.


On Wed, Sep 7, 2011 at 1:40 PM, Martinsson Patrik
<patrik.martinsson at smhi.se> wrote:
> Hi !
> First, my knowledge in this area is rather limited so therefore the
> questions might be "a bit weird" or "way off", forgive me for that.
> I'm trying to get wireless working with "smartcard-auth" and roaming. I can
> successfully connect and authenticate to our network, but there seems to be
> two problems, which may have a reasonable explanation, I don't know, hence
> this mail.
> - Roaming, can't get it to work satisfying.
> When moving from one ap to another, wpa_supplicant first disconnects and
> then makes a scan, and then tries to connect to the next ap, *but* this
> takes some time, from ~5 sec, to 1 minute, as of now, this is not
> desirable since you can't roam without noticing it significantly. I looked
> into the option bgscan (which is very hard to find btw), and as I understand
> it, that is the way to go when you want to roam, correct ?
> And bgscan uses signal_monitoring, which is implemented in kernel >2.6.35,
> which in turn means that I'm out of luck since I'm on 2.6.32-131(rhel 6.1),
> correct ?
> - Re-authentication, works but reads from smartcard.
> When I move from one ap to another, wpa_supplicant reauthenticates using
> pmksa, correct ?
> The re-authentication is partially working, it re-authenticates without
> asking for pin, but reads something from the smartcard (reauth won't work
> without smartcard, and pcscd-logs shows a lot of activity at reauth), is this
> the way it should work ? I thought I could reauth without smartcard ?
> My wpa_supplicant.conf looks like this,
> ===
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel
> pkcs11_engine_path=/usr/lib64/openssl/engines/engine_pkcs11.so
> pkcs11_module_path=/usr/lib/libiidp11.so # our smartcard vendor
> network={
>     ssid="xxx"
>     engine=1
>     engine_id="pkcs11"
>     key_mgmt=WPA-EAP
>     eap=TLS
>     identity="xxx"
>     key_id="1:xxx"
>     cert_id="1:xxx"
> }
> ===
> I'm grateful for any hints or tips that I can get,
> Best regards,
> Patrik Martinsson, Sweden
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
