Invalid key signature in EAPOL-Key packet

Jouni Malinen jkmaline at cc.hut.fi
Sat Dec 3 20:14:42 EST 2005


On Sat, Dec 03, 2005 at 02:07:59PM -0600, Philip M. White wrote:

> I am trying to authenticate to a wireless network using a Netgear WG511T
> PCMCIA wireless card, latest madwifi driver out of Subversion, and
> wpa_supplicant 0.4.7.  My friend got the same network to work for him
> with his ipw2200 card with the same wpa_supplicant.conf.  The error that
> I am getting does not SEEM like an issue with drivers, but perhaps you
> could clarify this.

Your configuration files were not the same; there are number of
differences shown in the debug logs..

> The error that I am getting happens when wpa_supplicant is verifying key
> signature (HMAC-MD5), and it apparently cannot verify it, while the
> other setup can.

This happens because the keying material from EAP authentication is
derived differently in your configuration. Just remove the following
line from your configuration and this should be fixed:

    phase1="peaplabel=1"

Most RADIUS servers do not use the new label and it is better to just
leave wpa_supplicant to use the default value here. With peaplabel=1 you
ended up configuring wpa_supplicant to use different label in key
derivation and that resulted in different keys being used for validating
the signature in the EAPOL-Key frame.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the HostAP mailing list