reauth-problem with WPA2-tls

Alexander Clouter alex at
Thu Jun 3 09:16:30 CEST 2010

Andreas Hartmann <andihartmann at> wrote:
>>> If fast_reauth in wpa_supplicant is disabled, the reauthentication 
>>> >> works fine, but the connection between the AP and the supplicant 
>>> ist interrupted for about 20 seconds - much to long :-).
>>> Do you have any idea how to solve this problem?
>>   Find out why the supplicant is taking 20s for authentication.
> How much time should be ok for the full reauthentication?
As far as I know, we *all* get sub-second re-auths, however our actual 
full authentications (seven LDAP queries included) also take a similar 
amount of time.  

Fast re-auth results in fewer packets needing to be passed back and 
forth.  For a full authentication for us about 10 EAP packets need to be 
exchanged between the client and RADIUS server, re-auth means for us 
only about three or so need to be passed.
> I traced the authentication and could see, that the part with the
> radiusserver takes less than a second. Most of the time is needed until
> the AP sends the new keys for the encryption of the session.
> Ok, sometimes it's a little bit faster (9 seconds).
I could have this wrong, but it is the RADIUS server that sends the 
encryption keys, not the AP.

It might be worth running tcpdump/wireshark on the client workstation 
and compare that to what you are seeing at the RADIUS server end.


Alexander Clouter
.sigmonster says: BOFH excuse #35:
                  working as designed

More information about the Freeradius-Users mailing list