reauth-problem with WPA2-tls
alex at digriz.org.uk
Thu Jun 3 09:16:30 CEST 2010
Andreas Hartmann <andihartmann at 01019freenet.de> wrote:
>>> If fast_reauth in wpa_supplicant is disabled, the reauthentication
>>> >> works fine, but the connection between the AP and the supplicant
>>> ist interrupted for about 20 seconds - much to long :-).
>>> Do you have any idea how to solve this problem?
>> Find out why the supplicant is taking 20s for authentication.
> How much time should be ok for the full reauthentication?
As far as I know, we *all* get sub-second re-auths, however our actual
full authentications (seven LDAP queries included) also take a similar
amount of time.
Fast re-auth results in fewer packets needing to be passed back and
forth. For a full authentication for us about 10 EAP packets need to be
exchanged between the client and RADIUS server, re-auth means for us
only about three or so need to be passed.
> I traced the authentication and could see, that the part with the
> radiusserver takes less than a second. Most of the time is needed until
> the AP sends the new keys for the encryption of the session.
> Ok, sometimes it's a little bit faster (9 seconds).
I could have this wrong, but it is the RADIUS server that sends the
encryption keys, not the AP.
It might be worth running tcpdump/wireshark on the client workstation
and compare that to what you are seeing at the RADIUS server end.
.sigmonster says: BOFH excuse #35:
working as designed
More information about the Freeradius-Users