Problems making WPA work with ndiswrapper/broadcom

Jouni Malinen jkmaline at cc.hut.fi
Tue Aug 17 22:44:49 EDT 2004 

On Tue, Aug 17, 2004 at 01:49:51PM -0300, Donald Teed wrote:

> OK, I've now had a little more sucess.  Another AP is set up
> which does broadcast the SSID and I can see the AP with iwlist.

What AP (model & firmware version) is this?

> Working with this config:
> 
> ctrl_interface=/var/run/wpa_supplicant # for wpa_cli support
> 
> network={
>         ssid="acadia-test"
>         scan_ssid=0
>         key_mgmt=WPA-EAP
>         eap=PEAP
>         proto=WPA
>         pairwise=TKIP
>         group=TKIP
>         identity="test"
>         password="testpasswd"
>         phase1="peapver=0 peaplabel=0"
>         phase2="auth=MSCHAPV2"
> }

Configuring CA certificate is highly recommended for PEAP, even though
this kind of configuration should work. Without CA configuration, the
authentication is open for man-in-the-middle attacks.

> wpa_supplicant -Dndiswrapper -iwlan0 -c/etc/wpa_supplicant.conf -w -dd

> Scan results: 1
> Selecting BSS from priority group 0
> 0: 00:40:96:49:35:20 ssid='acadia-test' wpa_ie_len=24 rsn_ie_len=0
>    selected
> Trying to associate with 00:40:96:49:35:20 (SSID='acadia-test' freq=2462 
> MHz)

OK, AP scanning seems to be working.

> WPA: Own WPA IE - hexdump(len=24): dd 16 00 50 f2 01 01 00 00 50 f2 02 01 
> 00 00 50 f2 02 01 00 00 50 f2 01
> Setting authentication timeout: 5 sec 0 usec
> Authentication with 00:00:00:00:00:00 timed out.

However, IEEE 802.11 association did not succeed in five seconds.

> Is there a way to increase the timeout for authentication?  Maybe
> 5 seconds isn't enough time?

This can be increased, but five seconds should be enough time for
association.. If you like to test this, you would need to change the
following call in wpa_supplicant_associate() function of
wpa_supplicant.c:

        /* Timeout for IEEE 802.11 authentication and association */
        wpa_supplicant_req_auth_timeout(wpa_s, 5, 0);

The second parameter (5) is number of seconds that the association is
allowed to take.

> What problem does this demonstrate?  I'm able to use the same
> user to connect with Win XP on the same client notebook.

IEEE 802.11 association seems to be failing for some reason. The best
way for debugging this would be to use a wireless sniffer to verify
whether the client is sending out association request. Since ndiswrapper
has been successfully used with a Broadcom card and wpa_supplicant, I
would also consider testing with another NDIS driver. Please also let me
know which NDIS driver you are using (URL for a download site would be
useful) and which ndiswrapper version you have tested.

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list