wpa_supplicant, pkcs11, pmksa

Jouni Malinen j
Sat Sep 10 11:47:00 PDT 2011

On Fri, Sep 09, 2011 at 09:07:07AM +0000, Martinsson Patrik wrote:
> - the length of the cache-time of the pmk is set by the server, correct ?

In theory, yes. However, IEEE 802.11i did not provide a mechanism for
the AP to notify the station on how long the key is valid..

> I see the option "dot11RSNAConfigPMKLifetime" in the config file, and i tried it out with an enormous value, and when i do the command "pmksa" from the wpa_cli I see the that the value I've set through the config is the one that's in use. Does that mean that I override the setting sent by the server, or is the PMK cache time-length actually set by the client ? 

It is just a value that wpa_supplicant uses since it does not know the
PMK lifetime on the authentication server/AP.

> - when the PMK-cache-time has reached the "PMKReauthThreshold" wpa_supplicant reauthenticates, correct ? 
> Does that mean a "full-reauthentication" ? When my "pmk-trehshold" is reached and I don't have my smartcard inserted the reauth part fails, however if the smartcard is present the reauth works, even without asking for my pin. 

Yes, this would be a full EAP re-authentication. Though, based on the
EAP configuration that could actually allow session resumption which
could potentially work without requiring the smartcard. The server would
need to allow this, though, so the exact behavior is not fully
controlled by wpa_supplicant (nor can it really know what the server
will do before trying).

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list