Andreas Hartmann <andihartmann@01019freenet.de> wrote:
If fast_reauth in wpa_supplicant is disabled, the reauthentication
works fine, but the connection between the AP and the supplicant ist interrupted for about 20 seconds - much to long :-).
Do you have any idea how to solve this problem?
Find out why the supplicant is taking 20s for authentication.
How much time should be ok for the full reauthentication?
As far as I know, we *all* get sub-second re-auths, however our actual full authentications (seven LDAP queries included) also take a similar amount of time. Fast re-auth results in fewer packets needing to be passed back and forth. For a full authentication for us about 10 EAP packets need to be exchanged between the client and RADIUS server, re-auth means for us only about three or so need to be passed.
I traced the authentication and could see, that the part with the radiusserver takes less than a second. Most of the time is needed until the AP sends the new keys for the encryption of the session. Ok, sometimes it's a little bit faster (9 seconds).
I could have this wrong, but it is the RADIUS server that sends the encryption keys, not the AP. It might be worth running tcpdump/wireshark on the client workstation and compare that to what you are seeing at the RADIUS server end. Cheers -- Alexander Clouter .sigmonster says: BOFH excuse #35: working as designed