That's actually what ended up happening. The AP's kick functionality
does NOT properly clear the PMKSA cache entry, as I discovered through
empirical testing, and summarily filed a bug report.
On 2/9/2012 06:04, Jouni Malinen wrote:
On Feb 9, 2012 8:03 AM, "Christ Schlacta" <[email protected]> wrote:
>
> I'm using WPA2-EAP-TLS
> This morning around 7AM local time I blocked an offending user from
> the wifi network by adding their account to the disabled-users group
> in the ldap directory. Until 7PM, I got no entries in my log
> specifying Login incorrect for the offending host until approximately
> 7PM. The client was able to connect and continue to access the
> network successfully the entire time. I also effectively kicked the
> user at the access point after setting the account to disabled. For
> over 12 hours the user account was able to continue to connect unhindered.
How did you disconnect the user from the AP? Did that clear the PMKSA
cache entry on the AP? If not, the user could probably continue to use
the old PMK until it expired without having to go through EAP
authentication.
- Jouni
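A small model of the gap Jouni describes, added here as an example and not code from the thread, hostapd or FreeRADIUS: an AP that reuses a cached PMKSA never sends the reassociation to RADIUS, so disabling the account in LDAP has no effect until the cache entry is flushed by the kick or the PMK expires. The class names, the 12-hour PMK lifetime and the MAC/user strings are assumptions.

```python
from dataclasses import dataclass, field

PMK_LIFETIME = 12 * 3600  # assumed PMK lifetime in seconds (12 h)


@dataclass
class AuthServer:
    """Stand-in for FreeRADIUS backed by LDAP: full EAP-TLS fails for disabled accounts."""
    disabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def eap_tls(self, user):
        ok = user not in self.disabled
        self.log.append(f"Login {'OK' if ok else 'incorrect'}: {user}")
        return ok


@dataclass
class AccessPoint:
    """Stand-in for the AP: a PMKSA cache keyed by client MAC, checked before RADIUS."""
    server: AuthServer
    pmksa: dict = field(default_factory=dict)  # mac -> (user, expiry time)

    def associate(self, mac, user, now):
        entry = self.pmksa.get(mac)
        if entry is not None and entry[1] > now:
            return True  # cached PMK reused: RADIUS and LDAP are never consulted
        if not self.server.eap_tls(user):
            return False
        self.pmksa[mac] = (user, now + PMK_LIFETIME)
        return True

    def kick(self, mac, flush_pmksa):
        """Deauthenticate the client; the bug in the thread is flush_pmksa=False."""
        if flush_pmksa:
            self.pmksa.pop(mac, None)


def simulate_day(flush_on_kick):
    """Disable the account at hour 0, kick, then let the client reconnect hourly.
    Returns {hour: association accepted} and the RADIUS-style log lines."""
    server = AuthServer()
    ap = AccessPoint(server)
    ap.associate("00:11:22:33:44:55", "offender", 0)      # initial full EAP-TLS
    server.disabled.add("offender")                       # LDAP disabled-users group
    ap.kick("00:11:22:33:44:55", flush_pmksa=flush_on_kick)
    accepted = {h: ap.associate("00:11:22:33:44:55", "offender", h * 3600)
                for h in range(1, 14)}
    return accepted, server.log
```

With `flush_on_kick=False` the client is accepted for hours 1 through 11 and the first "Login incorrect" only appears once the PMK expires, matching the 12-hour window in the report; with `flush_on_kick=True` every reconnect goes through EAP-TLS and is refused immediately.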
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html