wpa_supplicant WPA-PSK pairwise OK, group fails

Dimitris Kogias dimitris at gmail.com
Tue May 17 23:31:32 EDT 2005


Hi Jouni,

Jouni Malinen wrote:
> On Tue, May 17, 2005 at 09:13:03AM -0700, Dimitris Kogias wrote:
> 
> 
>>ipw2200 1.0.3
>>wpa_supplicant 0.4.0 (debian unstable package).
>>D-Link DWL-900AP+ access point configured for WPA-PSK.
> 
> 
> Are you using the latest firmware image on that AP?

Latest one from D-Link, 3.07, dated 30 December 2003.  Release notes at
http://support.dlink.com/products/view.asp?productid=DWL%2D900AP%2B%5FrevC

This is an end-of-life product so they probably won't be releasing any
firmware updates for it.

>>While all of the above is going on, I see this in the kernel logs:
>>
>>May 15 18:50:18 0x19 kernel: TKIP: replay detected:
>>STA=00:40:05:5b:3f:34 previous TSC 000000000000 received TSC 000000000000
> 
> 
> If this is indeed what is happening, the AP sent out two packets with
> the same packet number and the client driver dropped one of them. If
> that one happened to be the Group Key packet, that could explain why it
> was not seen in the wpa_supplicant debug. Another possibility would be
> in the AP sending out the Group Key packets in plaintext.. Would you
> happen to have a way of using a wireless sniffer to capture what packets
> are being sent between the AP and client when this happens?
> 

No wireless sniffer, and no other wpa_supplicant capable adapter handy
to tcpdump with, but I ran tcpdump on the same interface while running
wpa_supplicant (with the same results).

00:12:f0:13:51:dc is the laptop station, 00:40:05:5b:3f:34 is the AP:

d@0x19:~$ sudo tcpdump -i eth1 -s 0 -XX -vv
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size
65535 bytes
20:15:39.240397 00:12:f0:13:51:dc > 00:40:05:5b:3f:34, ethertype Unknown
(0x888e), length 18:
        0x0000:  0040 055b 3f34 0012 f013 51dc 888e 0101  .@.[?4....Q.....
        0x0010:  0000                                     ..
20:15:42.395305 00:40:05:5b:3f:34 > 00:12:f0:13:51:dc, ethertype Unknown
(0x888e), length 113:
        0x0000:  0012 f013 51dc 0040 055b 3f34 888e 0103  ....Q..@.[?4....
        0x0010:  005f fe00 8900 2000 0000 0000 0000 019d  ._..............
        0x0020:  6891 6ae4 9f38 f845 531c 59e6 86a5 7da8  h.j..8.ES.Y...}.
        0x0030:  cf5d 3a0d 0d6b 3d54 7760 fb05 b4de 0200  .]:..k=Tw`......
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0070:  00                                       .
20:15:59.395266 00:40:05:5b:3f:34 > 00:12:f0:13:51:dc, ethertype Unknown
(0x888e), length 113:
        0x0000:  0012 f013 51dc 0040 055b 3f34 888e 0103  ....Q..@.[?4....
        0x0010:  005f fe00 8900 2000 0000 0000 0000 0151  ._.............Q
        0x0020:  67b5 e544 04f8 dae7 425e e3db 60c9 7348  g..D....B^..`.sH
        0x0030:  9875 84f5 94ad 0a9f 833e 0cc5 3b8c b900  .u.......>..;...
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0070:  00                                       .
20:15:59.399629 00:12:f0:13:51:dc > 00:40:05:5b:3f:34, ethertype Unknown
(0x888e), length 137:
        0x0000:  0040 055b 3f34 0012 f013 51dc 888e 0103  .@.[?4....Q.....
        0x0010:  0077 fe01 0900 2000 0000 0000 0000 01db  .w..............
        0x0020:  d333 ef9d a729 2399 7571 7553 0b60 24bf  .3...)#.uquS.`$.
        0x0030:  fc67 c031 ae5e 1004 3665 7cdb 3b5e ed00  .g.1.^..6e|.;^..
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000 0000 0000 0000 0000 0000 00ba  ................
        0x0060:  5ffd 4a30 cb90 9008 f63a 8568 e914 8700  _.J0.....:.h....
        0x0070:  18dd 1600 50f2 0101 0000 50f2 0201 0000  ....P.....P.....
        0x0080:  50f2 0201 0000 50f2 02                   P.....P..
20:15:59.404416 00:40:05:5b:3f:34 > 00:12:f0:13:51:dc, ethertype Unknown
(0x888e), length 139:
        0x0000:  0012 f013 51dc 0040 055b 3f34 888e 0103  ....Q..@.[?4....
        0x0010:  0079 fe01 c900 2000 0000 0000 0000 0251  .y.............Q
        0x0020:  67b5 e544 04f8 dae7 425e e3db 60c9 7348  g..D....B^..`.sH
        0x0030:  9875 84f5 94ad 0a9f 833e 0cc5 3b8c b900  .u.......>..;...
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000 0000 0000 0000 0000 0000 00e8  ................
        0x0060:  f73e eabd 0dbf 23ab b13c f554 9b98 1900  .>....#..<.T....
        0x0070:  1add 1800 50f2 0101 0000 50f2 0201 0000  ....P.....P.....
        0x0080:  50f2 0201 0000 50f2 0200 00              P.....P....
20:15:59.406376 00:12:f0:13:51:dc > 00:40:05:5b:3f:34, ethertype Unknown
(0x888e), length 113:
        0x0000:  0040 055b 3f34 0012 f013 51dc 888e 0103  .@.[?4....Q.....
        0x0010:  005f fe01 0900 2000 0000 0000 0000 0200  ._..............
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000 0000 0000 0000 0000 0000 00ef  ................
        0x0060:  9a8c c718 e37a c8e4 ccd2 f2d1 95ee 1d00  .....z..........
        0x0070:  00                                       .
tcpdump: pcap_loop: recvfrom: Network is down
6 packets captured
6 packets received by filter
0 packets dropped by kernel
d@0x19:~$



As I said the wpa_supplicant results were the same:  Intermittent
point-to-point WLAN connectivity, TKIP replay log entries.  Today I have
also upgraded to the latest version of the ipw2200 driver, 1.0.4, and I
am seeing this message that I didn't see before, and only on the first
time wpa_supplicant tries to set up WPA:

WPA: RX EAPOL-Key - hexdump(len=99): 01 03 00 5f fe 00 89 00 20 00 00 00
00 00 00 00 01 9d 68 91 6a e4 9f 38 f8 45 53 1c 59 e6 86 a5 7d a8 cf 5d
3a 0d 0d 6b 3d 54 77 60 fb 05 b4 de 02 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
State: ASSOCIATED -> 4WAY_HANDSHAKE
WPA: RX message 1 of 4-Way Handshake from 00:40:05:5b:3f:34 (ver=1)
Invalid group cipher (0).
WPA: Failed to generate WPA IE (for msg 2 of 4).
Authentication with 00:40:05:5b:3f:34 timed out.

I don't remember seeing 'Invalid group cipher(0)' before.


Dimitris.
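
Added example, not part of the original message: a Python decoder for the WPA EAPOL-Key frames in the capture above, run over message 1 and message 3 as they appear in the tcpdump output with the Ethernet header removed. The function names and the cipher table are this example's own, and the message classification assumes WPA (descriptor type 0xfe) as seen in the capture.

```python
import struct

# EAPOL-Key frames copied from the tcpdump above, minus the 14-byte Ethernet
# header. All-zero fields are rebuilt with bytes(n).
MSG1 = bytes.fromhex(
    "0103005f" "fe" "0089" "0020" "0000000000000001"  # hdr, type, info, len, replay
    "9d68916ae49f38f845531c59e686a57da8cf5d3a0d0d6b3d547760fb05b4de02"  # ANonce
) + bytes(50)  # IV, RSC, key ID, MIC and key data length are all zero
MSG3 = (bytes.fromhex(
    "01030079" "fe" "01c9" "0020" "0000000000000002"
    "5167b5e54404f8dae7425ee3db60c97348987584f594ad0a9f833e0cc53b8cb9") + bytes(32)
    + bytes.fromhex("e8f73eeabd0dbf23abb13cf5549b9819" "001a"  # MIC, data length
                    "dd180050f2010100" "0050f2020100" "0050f2020100" "0050f2020000"))

WPA_OUI = bytes.fromhex("0050f2")
CIPHERS = {0: "none", 1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}

def suite_name(suite):
    # A WPA cipher suite selector is the 3-byte OUI followed by a 1-byte type.
    known = len(suite) == 4 and suite[:3] == WPA_OUI
    return CIPHERS.get(suite[3], "unknown") if known else "unknown"

def parse_wpa_ie(data):
    """Decode group and pairwise ciphers from a WPA IE (dd, len, 00:50:f2:01)."""
    if len(data) < 12 or data[0] != 0xDD or data[2:6] != WPA_OUI + b"\x01":
        return None
    ie = data[2:2 + data[1]]
    count = struct.unpack_from("<H", ie, 10)[0] if len(ie) >= 12 else 0
    suites = [ie[12 + 4 * i:16 + 4 * i] for i in range(count)]
    return {"group": suite_name(ie[6:10]), "pairwise": [suite_name(s) for s in suites]}

def parse_eapol_key(frame):
    """Decode the fixed EAPOL-Key header and classify the WPA handshake message."""
    if len(frame) < 99 or frame[1] != 3:
        raise ValueError("not an EAPOL-Key frame")
    desc, info, _, replay = struct.unpack_from(">BHHQ", frame, 4)
    data = frame[99:99 + struct.unpack_from(">H", frame, 97)[0]]
    pairwise, ack, mic = (bool(info & bit) for bit in (0x08, 0x80, 0x100))
    if not pairwise:
        msg = "group 1/2" if ack else "group 2/2"
    elif ack:
        msg = "pairwise 3/4" if mic else "pairwise 1/4"
    else:  # WPA messages 2 and 4 differ in whether key data (the WPA IE) is present
        msg = "pairwise 2/4" if data else "pairwise 4/4"
    return {"msg": msg, "descriptor": desc, "key_info_version": info & 0x07,
            "replay": replay, "nonce": frame[17:49].hex(), "wpa_ie": parse_wpa_ie(data)}

if __name__ == "__main__":
    for frame in (MSG1, MSG3):
        print(parse_eapol_key(frame))
```

On these two frames it reports message 1/4 with replay counter 1 and message 3/4 with replay counter 2, and the WPA IE carried in message 3 lists TKIP as both the group and the pairwise cipher.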


