WPA2-PSK with TKIP fails to set GTK/PTK to driver: ioctl[IEEE80211_IOCTL_SETMODE]: No such device or address

Jouni Malinen j at w1.fi
Sun Feb 18 13:06:15 EST 2007 

On Sun, Feb 18, 2007 at 01:57:17PM +0200, kstauffer wrote:

> I managed to get debug logs from AP and it discards 4th eapol frame with
> following message when WPA2 is used:
> AP:
> paed: w 0-DEVPR eapol_rsn_  Replay counter mismatch (got 16777216 exp 2,
> discarding EAPOL-Key.
> 
> I'm very confused at the moment, where does it get that 16777216?

That could be just a byteorder bug (though a bit odd one) in the AP's
debug output (16777216 = 0x1000000 and the replay counter was actually
0x0000000000000001 in that case).. The debug log seems to indicate that
the AP was receiving msg 2/4 again after having sent out 3/4. Supplicant
log did not show msg 2/4 being retransmitted, so this looks like a some
sort of bug in lower layer (e.g., if an ACK was not received for the
frame, it would have been retransmitted and for some reason the AP would
not have discarded it as a duplicate).

At this point, the AP state machine seems to get very confused.. It
drops back to an earlier state and only at that point, the real
message 4/4 is processed. Though, since the AP state is now in
incorrect, it drops the frame with claimed MIC failure (it was trying ot
parse this as msg 2/4, so no surprise in this failing)..

Looking at the capture log, it looks like there are some major problems
in trying to get frames through.. The client (00:12:bf:19:76:69) seems
to be retransmitting the message 2/4 even though the sniffer is seeing
acknowledgement frames from the AP. Maybe the client was further away
from the AP or there were some other issues in it receiving the frames.
Anyway, this type of retransmissions should be fine if the
implementations are following the standard correctly..

Based on the comparison of the capture log and the AP debug log, it
looks like the AP does not implement IEEE 802.11 duplicate filtering
correctly (or at all). Because of this, it sends the retransmitted
EAPOL-Key frames to the state machine and this breaks the state machine
(which itself is somewhat questionable, too, but the main issue is in
the duplicate filtering). In other words, it looks like this AP breaks
down if the second message of 4-way handshake is retransmitted due to
client not receive ACK frame.

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list