Blocked user not disconnected for 12+ hours
Christ Schlacta
lists at aarcane.org
Thu Feb 9 22:02:23 CET 2012
That's actually what ended up happening. The AP's kick functionality
does NOT properly clear the PMKSA cache entry, as I discovered through
empirical testing, and I summarily filed a bug report.
On 2/9/2012 06:04, Jouni Malinen wrote:
>
>
> On Feb 9, 2012 8:03 AM, "Christ Schlacta" <lists at aarcane.org> wrote:
> >
> > I'm using WPA2-EAP-TLS
> >
> > This morning around 7AM local time I blocked an offending user from
> > the wifi network by adding their account to the disabled-users group
> > in the LDAP directory. Until 7PM, I got no entries in my log
> > specifying Login incorrect for the offending host until approximately
> > 7PM. The client was able to connect and continue to access the
> > network successfully the entire time. I also effectively kicked the
> > user at the access point after setting the account to disabled. For
> > over 12 hours the user account was able to continue to connect unhindered.
>
> How did you disconnect the user from the AP? Did that clear the PMKSA
> cache entry on the AP? If not, the user could probably continue to use
> the old PMK until it expired without having to go through EAP
> authentication.
>
> - Jouni
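The mechanism behind the exchange above, stated for the practitioner: with WPA2-EAP the AP caches the PMK produced by a successful EAP exchange (PMKSA caching). A station that returns and offers a matching PMKID skips EAP entirely and only runs the 4-way handshake against the cached PMK, so FreeRADIUS, and therefore the LDAP disabled-users check, is never consulted until the cache entry expires or is cleared. hostapd's default PMK lifetime (dot11RSNAConfigPMKLifetime) is 43200 seconds, i.e. 12 hours, which is consistent with the window reported in the thread. Disabling the account and deauthenticating the client is therefore not enough; the PMKSA entry on the AP has to go too, and that should be verified rather than assumed. The script below is an added example, not code from the thread, from FreeRADIUS or from hostapd. It assumes a hostapd-based AP whose hostapd_cli provides the `pmksa` (list cache) and `pmksa_flush` (clear cache) commands, which are newer than this 2012 thread, and it assumes the listing format "Index / SPA / PMKID / expiration (in seconds) / opportunistic"; the sample listing embedded in it is constructed so that the parsing runs offline.

```shell
#!/bin/sh
# Added example (not from the list thread, FreeRADIUS or hostapd): inspect the
# PMKSA cache of a hostapd-based AP so that "kicking" a user whose RADIUS
# account was just disabled can be verified instead of assumed.
#
# Assumed `hostapd_cli pmksa` output format (check against your hostapd version):
#   Index / SPA / PMKID / expiration (in seconds) / opportunistic
#   0 00:11:22:33:44:55 <pmkid hex> 43199 0

# Constructed sample listing, standing in for `hostapd_cli -i wlan0 pmksa`.
# The first entry is a freshly authenticated station with ~12 h of cached
# PMK left; the second is close to expiry.
SAMPLE_PMKSA='Index / SPA / PMKID / expiration (in seconds) / opportunistic
0 00:11:22:33:44:55 5fd1a2b3c4d5e6f70011223344556677 43199 0
1 aa:bb:cc:dd:ee:ff 00112233445566778899aabbccddeeff 120 0'

# Print the remaining PMKSA lifetime in seconds for a station MAC, or print
# nothing if the AP holds no entry for it. MAC comparison is case-insensitive.
#   $1 = station MAC, $2 = text of a pmksa listing
pmksa_ttl() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$2" | awk -v mac="$mac" 'NR > 1 && tolower($2) == mac { print $4 }'
}

# Exit status 0 if the station still has a cached PMKSA entry on the AP, i.e.
# it can reassociate with only a 4-way handshake and no EAP/RADIUS round trip.
pmksa_has_entry() {
    [ -n "$(pmksa_ttl "$1" "$2")" ]
}

# On a real AP: disconnect the station, clear the PMKSA cache and confirm the
# entry is gone. `pmksa_flush` clears the whole cache, so every client re-runs
# EAP on its next association; that is the price of making a revoked account
# take effect immediately instead of after the cached PMK expires.
#   $1 = hostapd interface, $2 = station MAC
kick_and_verify() {
    iface=$1; mac=$2
    hostapd_cli -i "$iface" deauthenticate "$mac" >/dev/null
    hostapd_cli -i "$iface" pmksa_flush >/dev/null
    if pmksa_has_entry "$mac" "$(hostapd_cli -i "$iface" pmksa)"; then
        echo "WARNING: $mac still has a PMKSA entry on $iface; revocation is not effective" >&2
        return 1
    fi
    echo "$mac deauthenticated and PMKSA entry cleared on $iface"
}

# Stand-alone demonstration against the constructed listing.
demo() {
    for sta in 00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 12:34:56:78:9a:bc; do
        if pmksa_has_entry "$sta" "$SAMPLE_PMKSA"; then
            echo "$sta: cached PMK, $(pmksa_ttl "$sta" "$SAMPLE_PMKSA")s left; RADIUS is not consulted on reconnect"
        else
            echo "$sta: no PMKSA entry; next association goes through EAP"
        fi
    done
}

demo
```

To use this against a live AP, run `kick_and_verify wlan0 <mac>` after disabling the account in LDAP, then watch the FreeRADIUS log: the next association attempt from that station must now produce an Access-Reject (the "Login incorrect" line that was missing for 12 hours in the thread). If the station reconnects without any RADIUS traffic, the AP still has a usable PMKSA entry for it, which is exactly the bug reported above.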