Unable to connect to AP via WPA-PKS/CCMP

Jouni Malinen jkmaline at cc.hut.fi
Sun Oct 9 23:27:12 EDT 2005 

On Sun, Oct 09, 2005 at 11:22:06PM +0200, Thomas Heinz wrote:

> I have made an interesting observation. After using a clear text psk in 
> wpa_supplicant.conf, everything works as expected. I have attached two 
> files where clear.log contains the output of `wpa_supplicant -ddd -Dhostap 
> -c /etc/wpa_supplicant.conf -i wlan0` with clear text psk and hex.log with 
> the psk generated by wpa_passphrase. Line 128/clear.log shows that a 123 
> byte message has been received whereas line 127/hex.log indicates that 
> only 99 bytes have been received.

"Clear text psk" is somewhat misleading name for ASCII passphrase. Your
clear.log shows a successful 4-Way Handshake and hex.log looks like the
AP is rejecting authentication at a point which would most likely
indicate incorrect PSK.

Are you sure you used the correct SSID when running wpa_passphrase? PSK
is derived from both ASCII passphrase and SSID and if either one is
changed, the PSK would be different.

> Although my problem is now solved, I am very interested in the reason for 
> that. Maybe the logs are helpful to you in this respect. If you need 
> further information, please let me know.

I would guess that the PSK from wpa_passphrase run was not correct and
the most likely reason for this would be incorrect ASCII passphrase or
SSID. If you add -K to wpa_supplicant command line, the debug log
includes PSK. That would allow you to verify whether the PSK derived by
wpa_supplicant matches with the one derived by wpa_passphrase. Just
don't send out those logs if the PSK is a used in a real network..

> There is one more issue, I would like to know. Do the log files or 
> `hostap_diag -a wlan0` reveal any information that makes breaking the 
> encryption easier compared to sniffing the packets?
> I noticed several "[REMOVED]" tags in the logs so I guess it is at least 
> not obvious.

The goal is that debug logs do not include any secret material if -K is
not specified on the command line and I don't think hostap_diag would
include any key material, either.

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list