Prioritizing authentication pkts & resending failed EAPOL pkts?

Ben Greear greearb at candelatech.com
Thu Feb 3 18:13:11 EST 2011


On 02/03/2011 02:57 PM, Jouni Malinen wrote:
> On Thu, Feb 03, 2011 at 12:18:56PM -0800, Ben Greear wrote:
>> So first question:  Is the auth traffic prioritized over regular traffic?
>
> That depends on the driver, so this is somewhat of an incorrect mailing
> list for that question.. Anyway, many management frame subtypes are
> often sent at higher priority when QoS/WMM is enabled.
>
>> Second:  Any idea how to go about fixing up the retransmit logic per
>> this TODO:
>>
>> 		/* TODO: re-send EAPOL-Key couple of times (with short delay
>> 		 * between them?). If all attempt fail, report error and
>> 		 * deauthenticate STA so that it will get new keys when
>> 		 * authenticating again (e.g., after returning in range).
>> 		 * Separate limit/transmit state needed both for unicast and
>> 		 * broadcast keys(?) */
>
> Are you really looking at IEEE 802.1X and dynamic WEP keys? Sounds kind
> of pointless in this day and age with all the security issues identified
> with WEP. WPA/WPA2 4-way handshake do retransmit EAPOL-Key frames even
> without the lowlevel ack since the station needs to reply to the frames.
>
>> Here's a filtered part of the log showing ack-failure msgs...
>>
>> 1296763802.180575: 1296763802.365012: IEEE 802.1X: 00:0c:42:61:00:78 TX status - version=2 type=3 length=95 - ack=0
>
> These frames are retransmitted at higher layer by the WPA/WPA2 4-way
> handshake authenticator, i.e., the comment above does not apply for
> these.

Ok.  I saw those ack=0 messages, and then very shortly after the
4-way auth failed because sm->TimeoutCtr > dot11RSNAConfigPairwiseUpdateCount.

dot11RSNAConfigPairwiseUpdateCount is 4 on my system.  I assumed that
the lack of ack was directly responsible..but maybe it's just a symptom.

Seems that 80 stations do ok..it's only when I get up above 100 that
I have troubles..and it seems that HT40 causes more problems than
when I'm using HT20.

I believe I'm using pretty standard auth/encryption, but could
be wrong about that:


ctrl_interface=/var/run/wpa_supplicant
fast_reauth=1
# My hacks
#can_scan_one=1
#min_scan_gap=5
network={
     ssid="ath9k-vap-1U"
     proto=WPA
     key_mgmt=WPA-PSK
     #psk="passwd"
     psk=[key]
     pairwise=TKIP CCMP
     group=TKIP CCMP
}


Thanks,
Ben

-- 
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
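
A triage sketch for the symptom described in this message, added here as an example and not part of the original post or of hostapd: it tallies consecutive `ack=0` TX status lines per station so that stations with repeated unacked EAPOL-Key frames stand out. The line format is the one quoted above; the sample log, MAC addresses, function names and the threshold of 4 (the value the message reports for dot11RSNAConfigPairwiseUpdateCount) are assumptions, and an unacked run is only a proxy for the authenticator's timeout counter.

```python
import re
from collections import defaultdict

# Line format as quoted in the message; search() skips any extra leading timestamp.
TX_STATUS = re.compile(
    r"(?P<ts>\d+\.\d+): IEEE 802\.1X: (?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"TX status - version=\d+ type=(?P<type>\d+) length=\d+ - ack=(?P<ack>[01])"
)
EAPOL_KEY = 3  # EAPOL packet type 3 = EAPOL-Key

# Constructed sample log (not from the original post); MAC addresses are made up.
SAMPLE_LOG = """\
1296763802.365012: IEEE 802.1X: 02:00:00:00:00:01 TX status - version=2 type=3 length=95 - ack=0
1296763802.465100: IEEE 802.1X: 02:00:00:00:00:02 TX status - version=2 type=3 length=95 - ack=1
1296763803.365400: IEEE 802.1X: 02:00:00:00:00:01 TX status - version=2 type=3 length=95 - ack=0
1296763804.365900: IEEE 802.1X: 02:00:00:00:00:01 TX status - version=2 type=3 length=95 - ack=0
1296763804.500000: IEEE 802.1X: 02:00:00:00:00:02 TX status - version=2 type=3 length=95 - ack=0
1296763805.366300: IEEE 802.1X: 02:00:00:00:00:01 TX status - version=2 type=3 length=95 - ack=0
1296763805.600000: IEEE 802.1X: 02:00:00:00:00:02 TX status - version=2 type=3 length=119 - ack=1
""".splitlines()

def unacked_runs(lines):
    """Per station: EAPOL-Key frames seen, unacked count, longest ack=0 run and its duration."""
    stats = defaultdict(lambda: {"total": 0, "unacked": 0, "max_run": 0, "run_span": 0.0})
    run = {}  # sta -> (current run length, timestamp of first frame in the run)
    for line in lines:
        m = TX_STATUS.search(line)
        if not m or int(m["type"]) != EAPOL_KEY:
            continue
        sta, ts = m["sta"], float(m["ts"])
        s = stats[sta]
        s["total"] += 1
        if m["ack"] == "1":
            run.pop(sta, None)  # an acked frame ends the run
            continue
        s["unacked"] += 1
        length, start = run.get(sta, (0, ts))
        run[sta] = (length + 1, start)
        if length + 1 > s["max_run"]:
            s["max_run"], s["run_span"] = length + 1, round(ts - start, 3)
    return dict(stats)

def suspects(lines, limit=4):
    """Stations whose longest unacked run reached `limit` (assumed threshold, see lead-in)."""
    return sorted(sta for sta, s in unacked_runs(lines).items() if s["max_run"] >= limit)

if __name__ == "__main__":
    for sta, s in sorted(unacked_runs(SAMPLE_LOG).items()):
        print(sta, s)
    print("suspects:", suspects(SAMPLE_LOG))
```

Comparing the suspect list between an 80-station and a 100+-station run, or between HT20 and HT40, shows whether the unacked frames cluster on a few stations or spread across all of them.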
