Blocked user not disconnected for 12+ hours

Jouni Malinen jkmalinen at gmail.com
Thu Feb 9 15:04:40 CET 2012


On Feb 9, 2012 8:03 AM, "Christ Schlacta" <lists at aarcane.org> wrote:
>
> I'm using WPA2-EAP-TLS

> This morning around 7AM local time I blocked an offending user from the
> wifi network by adding their account to the disabled-users group in the
> ldap directory.  Until approximately 7PM, I got no entries in my log
> specifying Login incorrect for the offending host.  The client was able to
> connect and continue to access the network successfully the entire time.
> I also effectively kicked the user at the access point after setting the
> account to disabled.  For over 12 hours the user account was able to
> continue to connect unhindered.

How did you disconnect the user from the AP? Did that clear the PMKSA cache
entry on the AP? If not, the user could probably continue to use the old
PMK until it expired without having to go through EAP authentication.

- Jouni
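The mechanism Jouni points at, as an added illustration that is not code from this thread, FreeRADIUS or hostapd: an RSN access point keeps a PMKSA cache, so a station that already holds a PMK can reassociate (or be kicked and come straight back) with only a 4-way handshake and no EAP exchange, which means the RADIUS/LDAP backend is never asked again until the cached entry expires. The 43200 s (12 h) lifetime below is hostapd's default dot11RSNAConfigPMKLifetime and is an assumption of this model; the station MAC, user name, timings and log strings are constructed.

```python
"""Toy model of PMKSA caching on an access point versus a RADIUS account disable.

Added example, not FreeRADIUS or hostapd code. It replays the scenario from the
list post: client authenticates at 06:00, account disabled and client kicked at
07:00, client reconnects every hour. With only a deauth the AP keeps serving the
cached PMK; with a PMKSA flush the next association hits EAP and is rejected.
"""

PMK_LIFETIME = 43200  # seconds; hostapd's dot11RSNAConfigPMKLifetime default (assumed here)
HOUR = 3600


class RadiusServer:
    """Stand-in for FreeRADIUS + LDAP: EAP-TLS succeeds unless the account is disabled."""

    def __init__(self):
        self.disabled_users = set()
        self.log = []  # (time, message) tuples; messages mimic FreeRADIUS wording

    def disable(self, user):
        self.disabled_users.add(user)

    def eap_tls(self, user, now):
        """Return True for Access-Accept, False for Access-Reject."""
        if user in self.disabled_users:
            self.log.append((now, f"Login incorrect: [{user}]"))  # constructed log line
            return False
        self.log.append((now, f"Login OK: [{user}]"))  # constructed log line
        return True


class AccessPoint:
    """Minimal RSN authenticator: PMKSA cache keyed by station MAC."""

    def __init__(self, radius):
        self.radius = radius
        self.pmksa = {}          # sta_mac -> (user, expiry_time)
        self.associated = set()
        self.events = []         # (time, sta_mac, what)

    def associate(self, sta_mac, user, now):
        """Reuse a live PMKSA entry if present; otherwise run full EAP via RADIUS."""
        entry = self.pmksa.get(sta_mac)
        if entry is not None and entry[1] > now:
            # PMKSA caching: skip EAP, go straight to the 4-way handshake.
            # The backend is not consulted, so the account disable is invisible here.
            self.events.append((now, sta_mac, "cached PMK"))
            self.associated.add(sta_mac)
            return True
        if entry is not None:
            del self.pmksa[sta_mac]  # expired entry
        if self.radius.eap_tls(user, now):
            self.pmksa[sta_mac] = (user, now + PMK_LIFETIME)
            self.events.append((now, sta_mac, "EAP ok"))
            self.associated.add(sta_mac)
            return True
        self.events.append((now, sta_mac, "EAP rejected"))
        return False

    def deauthenticate(self, sta_mac):
        """Kick the station off the air. A plain deauth leaves the PMKSA entry in place."""
        self.associated.discard(sta_mac)

    def pmksa_flush(self, sta_mac=None):
        """Drop cached PMKs (all, or one station's) so the next association must run EAP."""
        if sta_mac is None:
            self.pmksa.clear()
        else:
            self.pmksa.pop(sta_mac, None)


def run_scenario(flush_cache_when_blocking):
    """Replay the list post; return first rejected hour (0-23, or None) plus both logs."""
    radius = RadiusServer()
    ap = AccessPoint(radius)
    sta, user = "00:11:22:33:44:55", "offender"  # constructed values
    ap.associate(sta, user, 6 * HOUR)            # 06:00: normal EAP-TLS login, PMKSA created
    radius.disable(user)                         # 07:00: admin moves account to disabled-users
    ap.deauthenticate(sta)                       #        and kicks the client at the AP
    if flush_cache_when_blocking:
        ap.pmksa_flush(sta)                      # the step that actually forces re-auth
    first_reject = None
    for hour in range(7, 24):                    # client reconnects every hour
        if not ap.associate(sta, user, hour * HOUR):
            first_reject = hour
            break
    return {"first_reject_hour": first_reject,
            "radius_log": radius.log,
            "ap_events": ap.events}


if __name__ == "__main__":
    for flush in (False, True):
        r = run_scenario(flush)
        print(f"flush PMKSA on block: {flush} -> first 'Login incorrect' at "
              f"{r['first_reject_hour']:02d}:00")
```

Without the flush, the RADIUS log stays silent until the cached PMK created at 06:00 expires at 18:00, which is the 12-hour gap the original post describes; with the flush, the very first reconnection after the deauth reaches FreeRADIUS and is rejected. The practical takeaway is that blocking an 802.1X user is a two-sided operation: disable the account on the RADIUS/directory side, then deauthenticate the station and clear its PMKSA entry on every AP that may hold one (or bound the window with a shorter PMK lifetime on the AP).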