HostAP IEEE 802.1x modifications

Jouni Malinen jkmaline at cc.hut.fi
Mon Dec 9 22:07:23 EST 2002


On Mon, Dec 09, 2002 at 11:36:47AM -0300, Oleg Izhvanov wrote:

> Setting this bit was the workaround for WLAN card, that is yet being
> developed, not for XP supplicant. Setting this bit is a directive for
> XP supplicant to set the default key (not the unicast one, but one with
> indexes from 1 to 4) active.

Actually, now that I got EAPOL-Keys working again with WinXP (see
below), that workaround was needed when only the broadcast key is used. If
individual unicast keys were also sent, the workaround was not needed.
WinXP Supplicant reported this as "EAPOL-Key for transmit key *NOT*
received within 5 seconds in AUTHENTICATED state".

> There is a way to enable debugging messages in WinXP for EAPOL
> related stuff. Just look into the following entry in your registry:
> 
> \\HKEY_LOCAL_MACHINE\Microsoft\Tracing\EAPOL

Thank you! This (or actually, the fixed address in the next message)
proved to be very helpful. I did search for 'eap' from the registry,
but there were so many matches that I must have missed this.


I finally got dynamic WEP keying working again with WinXP Supplicant.
Actually, it should have worked fine before, if I had just tested
by sending both broadcast and unicast keys (I used only broadcast).
IEEE 802.1aa/D4 update changed the order of EAP Success and EAPOL-Key
frames (key was now sent first). This seemed to break operation with
WinXP Supplicant (which seems to derive MPPE-Send/Recv-Keys only after
receiving EAP Success).

EAPOL tracing was helpful enough to tell me that EAPOL-Key decryption
failed, so I just reverted the change in EAPOL state machine (EAP
Success is sent first) and WinXP managed to decrypt keys yet again.
After this, I hit the problem that WinXP Supplicant claimed that it did
not receive EAPOL-Key for transmit key within 5 seconds.

I have interpreted the standard so that the broadcast key would be used for
transmit if there is no individual unicast key. WinXP Supplicant does
not seem to agree with this. So, the '-w' workaround for hostapd can be
used to set the unicast bit for the broadcast key to get this working. When
both broadcast (-b5) and unicast (-i5) keys are set, this workaround is
not needed.

The current CVS version of hostapd should now be able to work fine with
WinXP Supplicant. I have tested it with a Lucent card and dynamic WEP key
setting for both broadcast and individual keys worked fine. In addition,
rekeying both keys was also working.

-- 
Jouni Malinen                                            PGP id EFC895FA
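
Added example, not part of the original message and not hostapd code: a decoder for the key index octet of an RC4 EAPOL-Key frame, showing the unicast bit that the '-w' workaround discussed above sets on the broadcast key. The field offsets follow the IEEE 802.1X-2001 RC4 key descriptor layout; the function names and the sample frame (zeroed fields, 5-byte key) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EAPOL_TYPE_KEY   3    /* EAPOL packet type: EAPOL-Key */
#define KEY_DESC_RC4     1    /* RC4 key descriptor (dynamic WEP) */
#define KEY_INDEX_OFF    31   /* hdr(4) + type(1) + key len(2) + replay(8) + IV(16) */
#define KEY_FIXED_LEN    48   /* ... + key index(1) + signature(16) */
#define KEY_FLAG_UNICAST 0x80 /* bit 7 of the key index octet */

struct wep_key_info { int index; int unicast; unsigned key_len; };

/* Decode one frame; returns 0 on success, -1 if it is not a well-formed RC4 EAPOL-Key. */
int parse_eapol_key(const uint8_t *f, size_t len, struct wep_key_info *out)
{
    if (len < KEY_FIXED_LEN || f[1] != EAPOL_TYPE_KEY || f[4] != KEY_DESC_RC4)
        return -1;
    size_t body = ((size_t)f[2] << 8) | f[3];
    if (body < KEY_FIXED_LEN - 4 || body + 4 > len)
        return -1;
    out->key_len = ((unsigned)f[5] << 8) | f[6];
    out->index = f[KEY_INDEX_OFF] & 0x7f;                       /* bits 0-6: key index */
    out->unicast = (f[KEY_INDEX_OFF] & KEY_FLAG_UNICAST) != 0;  /* bit 7: unicast flag */
    return 0;
}

/* Constructed sample frame: replay counter, IV, signature and key are zeros. */
size_t build_sample(uint8_t *buf, int index, int unicast, unsigned key_len)
{
    size_t body = KEY_FIXED_LEN - 4 + key_len;
    memset(buf, 0, 4 + body);
    buf[0] = 1; buf[1] = EAPOL_TYPE_KEY;
    buf[2] = (uint8_t)(body >> 8); buf[3] = (uint8_t)body;
    buf[4] = KEY_DESC_RC4; buf[5] = (uint8_t)(key_len >> 8); buf[6] = (uint8_t)key_len;
    buf[KEY_INDEX_OFF] = (uint8_t)((index & 0x7f) | (unicast ? KEY_FLAG_UNICAST : 0));
    return 4 + body;
}

int main(void)
{
    uint8_t f[64];
    struct wep_key_info k;
    for (int flag = 0; flag <= 1; flag++) {  /* same key without, then with, the unicast bit */
        size_t n = build_sample(f, 1, flag, 5);
        if (parse_eapol_key(f, n, &k) == 0)
            printf("index=%d unicast=%d key_len=%u\n", k.index, k.unicast, k.key_len);
    }
    return 0;
}
```

Running the decoder over a capture of the key exchange shows whether any EAPOL-Key frame carried the unicast flag, which is the condition the quoted WinXP Supplicant message reports as missing.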