disconnect after reauth via radius - association problems

Klaus Müller kmueller at justmail.de
Sat Mar 19 08:23:09 EDT 2011


Hello,

I'm seeing disconnects after a successful reauth via radius. I'm using
WPA2-TLS with a WAP610N (AP) and two different chips on the side of
supplicant:

1. WUSB600N v2 (USB WLAN stick) - it's a chip driven with ralink
rt3572sta driver (version 2.5.0.0 from ralink - it's a OSS-driver)

2. Atheros Communications Inc. AR9285 onboard controller with ath9k
module shipped with the kernel.


Following the output for the Atheros chip:

iwconfig
wlan0     IEEE 802.11bgn  ESSID:"ssid"
          Mode:Managed  Frequency:2.412 GHz  Access Point: 00:25:11:bb:cc:aa
          Bit Rate=150 Mb/s   Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=59/70  Signal level=-51 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:50  Invalid misc:517   Missed beacon:0


iw wlan0 scan

BSS 00:25:11:bb:cc:aa (on wlan0) -- associated
        TSF: 4680396808 usec (0d, 01:18:00)
        freq: 2412
        beacon interval: 100
        capability: ESS Privacy ShortPreamble ShortSlotTime (0x0431)
        signal: -49.00 dBm
        last seen: 160 ms ago
        SSID: ssid
        Supported rates: 1.0* 2.0* 5.5* 11.0*
        DS Parameter set: channel 1
        Power constraint: 0 dB
        ERP: <no flags>
        Extended supported rates: 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
        RSN:     * Version: 1
                 * Group cipher: CCMP
                 * Pairwise ciphers: CCMP
                 * Authentication suites: IEEE 802.1X
                 * Capabilities: 16-PTKSA-RC (0x000c)
        WMM:    * Parameter version 1
                * BE: CW 15-1023, AIFSN 3
                * BK: CW 15-1023, AIFSN 7
                * VI: CW 7-15, AIFSN 2, TXOP 3008 usec
                * VO: acm CW 3-7, AIFSN 2, TXOP 1504 usec


wpa_supplicant.conf
network={
       proactive_key_caching=1 # the problem comes up with or without it
       ssid="ssid"
       scan_ssid=1
       key_mgmt=WPA-EAP
       pairwise=CCMP
       group=CCMP
       eap=TLS
       identity="id at somewhere.com"
       ca_cert="/etc/mycerts/ca.pem"
       client_cert="/etc/mycerts/client.crt"
       private_key="/etc/mycerts/client.key"
       private_key_passwd="private"
}


My distribution is OpenSuSE 11.4 (64 bit and 32 bit) with
2.6.37.1-1.2-desktop. wpa_supplicant is wpa_supplicant-0.7.3-2.1.


The problem is, that mostly after reauthentication (directly after or a
few seconds later), the connection is disconnected by the supplicant.
The log of wpa_supplicant is:


1300437189.810594: CTRL-EVENT-EAP-STARTED EAP authentication started
1300437189.839797: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
1300437189.839840: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS)
selected
1300437189.876134: CTRL-EVENT-EAP-SUCCESS EAP authentication completed
successfully
1300437189.894990: WPA: Key negotiation completed with 00:25:11:bb:cc:aa
[PTK=CCMP GTK=CCMP]
1300437192.972422: CTRL-EVENT-DISCONNECTED bssid=00:25:11:bb:cc:aa reason=0
1300437194.255602: Trying to associate with 00:25:11:bb:cc:aa
(SSID='ssid' freq=2412 MHz)
1300437194.282628: Associated with 00:25:11:bb:cc:aa
1300437194.292817: WPA: Key negotiation completed with 00:25:11:bb:cc:aa
[PTK=CCMP GTK=CCMP]
1300437194.292832: CTRL-EVENT-CONNECTED - Connection to
00:25:11:bb:cc:aa completed (reauth) [id=0 id_str=]


The disconnection after reauth mostly does not appear, if the NIC is
idle during reauth. But if there is going data through the NIC at the
same time (~ 0.1 MB/s or more), the disconnection mostly comes up (as in
the log above).

Additionally I tried an actual git version (from yesterday)
and tested again. The problem seems to be slightly better, but it isn't
really fixed.

After the disconnection happened, building up a new connection doesn't
work always fine. Sometimes it takes more then 3 minutes, until a
successful authentication can be done, because the association doesn't
work. Then it looks like that:

1300441176.148982: CTRL-EVENT-EAP-STARTED EAP authentication started
1300441176.169673: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
1300441176.169713: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS)
selected
1300441176.203153: CTRL-EVENT-EAP-SUCCESS EAP authentication completed
successfully
1300441176.229234: WPA: Key negotiation completed with 00:25:11:bb:cc:aa
[PTK=CCMP GTK=CCMP]
1300441179.291906: CTRL-EVENT-DISCONNECTED bssid=00:25:11:bb:cc:aa reason=0
1300441179.298451: CTRL-EVENT-DISCONNECTED bssid=00:00:00:00:00:00 reason=0
1300441183.310665: Trying to associate with 00:25:11:bb:cc:aa
(SSID='ssid' freq=2412 MHz)
1300441183.310882: Association request to the driver failed
1300441188.311099: Authentication with 00:25:11:bb:cc:aa timed out.
1300441192.234596: Trying to associate with 00:25:11:bb:cc:aa
(SSID='ssid' freq=2412 MHz)
1300441192.234797: Association request to the driver failed
1300441197.234931: Authentication with 00:25:11:bb:cc:aa timed out.
1300441201.154663: Trying to associate with 00:25:11:bb:cc:aa
(SSID='ssid' freq=2412 MHz)
1300441201.154876: Association request to the driver failed
1300441206.155933: Authentication with 00:25:11:bb:cc:aa timed out.
1300441210.068575: Trying to associate with 00:25:11:bb:cc:aa
(SSID='ssid' freq=2412 MHz)
1300441210.068822: Association request to the driver failed
1300441215.069466: Authentication with 00:25:11:bb:cc:aa timed out.
1300441218.989433: Trying to associate with 00:25:11:bb:cc:aa
(SSID='ssid' freq=2412 MHz)
1300441218.989635: Association request to the driver failed
1300441223.990511: Authentication with 00:25:11:bb:cc:aa timed out.
1300441227.910611: Trying to associate with 00:25:11:bb:cc:aa
(SSID='ssid' freq=2412 MHz)
1300441227.910822: Association request to the driver failed
1300441232.911615: Authentication with 00:25:11:bb:cc:aa timed out.
1300441236.834567: Trying to associate with 00:25:11:bb:cc:aa
(SSID='ssid' freq=2412 MHz)
1300441236.834766: Association request to the driver failed
1300441241.838502: Authentication with 00:25:11:bb:cc:aa timed out.
1300441245.751623: Trying to associate with 00:25:11:bb:cc:aa
(SSID='ssid' freq=2412 MHz)
1300441245.751829: Association request to the driver failed
1300441250.754482: Authentication with 00:25:11:bb:cc:aa timed out.
1300441254.671862: Trying to associate with 00:25:11:bb:cc:aa
(SSID='ssid' freq=2412 MHz)
1300441254.672071: Association request to the driver failed
1300441259.672802: Authentication with 00:25:11:bb:cc:aa timed out.
1300441263.589631: Trying to associate with 00:25:11:bb:cc:aa
(SSID='ssid' freq=2412 MHz)
1300441263.589843: Association request to the driver failed
1300441268.590332: Authentication with 00:25:11:bb:cc:aa timed out.
1300441272.511456: Trying to associate with 00:25:11:bb:cc:aa
(SSID='ssid' freq=2412 MHz)
1300441272.511664: Association request to the driver failed
1300441277.516144: Authentication with 00:25:11:bb:cc:aa timed out.
1300441281.439450: Trying to associate with 00:25:11:bb:cc:aa
(SSID='ssid' freq=2412 MHz)
1300441281.439654: Association request to the driver failed
1300441281.580478: Associated with 00:25:11:bb:cc:aa
1300441282.613687: WPA: Key negotiation completed with 00:25:11:bb:cc:aa
[PTK=CCMP GTK=CCMP]
1300441282.613721: CTRL-EVENT-CONNECTED - Connection to
00:25:11:bb:cc:aa completed (reauth) [id=0 id_str=]
1300441381.135741: WPA: Group rekeying completed with 00:25:11:bb:cc:aa
[GTK=CCMP]


I detected, that with the git version of wpa_supplicant, the
ralink-driver (2.5.0.0) does have massive problems to do an initial
connection at all, because the association often doesn't come up at all
(the same as in the log above). Therefore I went back to wpa_supplicant
0.7.3.

I have to say, that the 2.4.0.2-version of the ralink driver works
mostly fine (with wpa_supplicant 0.7.3 and OpenSuSE 11.3 (kernel 2.6.34)).


I would be glad if these two problems could be fixed:
-> disconnection originated by wpa_supplicant after reauth
-> problems to associate to the AP


If you need some more information - please ask - I will try to provide
them. I can do some testing too, if it is needed!


Thank you,
Klaus


More information about the HostAP mailing list