group key handshake failure in WPA-EAP mode

Piotr Zawadzki pzawadzki at polsl.pl
Sun Apr 23 08:21:13 EDT 2006


I have working setup with hostapd 0.5.2 (RSN and TKIP encryption), freeradius 
as a AAA server and wpa_supplicant 0.5.2.
But if i change protocol from RSN to WPA the group key handshake fails
 with the following log on hostapd

-- output fragment from hostapd -dd
wlan0: STA 00:01:36:0b:5a:7e WPA: pairwise key handshake completed (WPA)
WPA: 00:01:36:0b:5a:7e WPA_PTK_GROUP entering state REKEYNEGOTIATING
wlan0: STA 00:01:36:0b:5a:7e WPA: sending 1/2 msg of Group Key Handshake
WPA: Send EAPOL(secure=1 mic=1 ack=1 install=0 pairwise=0 ie_len=0 gtk_len=32 
keyidx=1 encr=1)
Plaintext EAPOL-Key Key Data - hexdump(len=32): [REMOVED]
IEEE 802.1X: 00:01:36:0b:5a:7e AUTH_PAE entering state AUTHENTICATED
wlan0: STA 00:01:36:0b:5a:7e IEEE 802.1X: authorizing port
wlan0: STA 00:01:36:0b:5a:7e IEEE 802.1X: authenticated
Received management frrame - hexdump(len=163): 0a 02 02 01 00 01 36 0b 5a 7e 
00 0f cb b0 0d 9b 00 0f cb b0 0d 9b e0 a0 aa aa 03 00 00 00 88 8e 02 03 00 7f 
fe 03 91 00 20 00 00 00 00 00 00 00 03 4b 4c bd 50 78 0b 14 ff c1 76 9d 21 f5 
9d 34 89 c1 84 8f 94 d5 b0 cd 72 06 aa 73 b5 ea 69 0f ed c1 84 8f 94 d5 b0 cd 
72 06 aa 73 b5 ea 69 0f ef 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 23 
da 22 16 71 71 3f ab fb e1 6e 07 c6 12 2a 27 00 20 54 26 f6 a9 15 84 5b 8e db 
ce 62 bd 4d 76 5a 8b d4 32 f0 7e 3e 63 60 f2 d8 4a 80 ac b8 09 34 82
DATA (TX callback) ACK
IEEE 802.1X: 00:01:36:0b:5a:7e TX status - version=2 type=3 length=127 - ack=1
wlan0: STA 00:01:36:0b:5a:7e WPA: EAPOL-Key timeout
WPA: 00:01:36:0b:5a:7e WPA_PTK_GROUP entering state REKEYNEGOTIATING
wlan0: STA 00:01:36:0b:5a:7e WPA: sending 1/2 msg of Group Key Handshake
WPA: Send EAPOL(secure=1 mic=1 ack=1 install=0 pairwise=0 ie_len=0 gtk_len=32 
keyidx=1 encr=1)
Plaintext EAPOL-Key Key Data - hexdump(len=32): [REMOVED]
Received management frrame - hexdump(len=163): 0a 02 02 01 00 01 36 0b 5a 7e 
00 0f cb b0 0d 9b 00 0f cb b0 0d 9b 70 a1 aa aa 03 00 00 00 88 8e 02 03 00 7f 
fe 03 91 00 20 00 00 00 00 00 00 00 04 4b 4c bd 50 78 0b 14 ff c1 76 9d 21 f5 
9d 34 89 c1 84 8f 94 d5 b0 cd 72 06 aa 73 b5 ea 69 0f ed c1 84 8f 94 d5 b0 cd 
72 06 aa 73 b5 ea 69 0f f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 95 
db 47 0c ce 02 97 b4 9c 0c 13 a5 01 b4 32 ae 00 20 be 31 c5 cb ad 2e 23 a7 b8 
16 0b 26 fc f5 f7 1e 48 38 34 f1 a3 8c 27 c9 46 6c a8 ff 1d 33 4f fc
DATA (TX callback) ACK
IEEE 802.1X: 00:01:36:0b:5a:7e TX status - version=2 type=3 length=127 - ack=1
wlan0: STA 00:01:36:0b:5a:7e WPA: EAPOL-Key timeout
...
WPA: 00:01:36:0b:5a:7e WPA_PTK_GROUP entering state KEYERROR
WPA: 00:01:36:0b:5a:7e WPA_PTK entering state DISCONNECT
hostapd_wpa_auth_disconnect: WPA authenticator requests disconnect: STA 
00:01:36:0b:5a:7e reason 2
WPA: 00:01:36:0b:5a:7e WPA_PTK_GROUP entering state IDLE
WPA: 00:01:36:0b:5a:7e WPA_PTK entering state DISCONNECTED
WPA: 00:01:36:0b:5a:7e WPA_PTK entering state INITIALIZE
wlan0: STA 00:01:36:0b:5a:7e IEEE 802.11: deauthenticated due to local deauth 
request
--

The configuration files (for WPA)
-- hostapd.conf
driver=hostap
ssid=misiek
macaddr_acl=0
auth_algs=1
ieee8021x=1
eap_server=0
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=pssst
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
--
-- wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=1000
update_config=1
network={
	ssid="misiek"
	proto=WPA
	key_mgmt=WPA-EAP
	pairwise=TKIP
	eap=PEAP
	identity="piotrz"
	password="olala"
	ca_cert="/etc/certs/misiek/root.pem"
}
--
The above configuration works smoothly if I set wpa=2 in hostapd.conf and 
proto=WPA2 in wpa_supplicant.conf

Any hints are highly appreciated.
-- 
Piotr Zawadzki, Silesian Technical University
PGP: http://www.keyserver.net/



More information about the HostAP mailing list