Prioritizing authentication pkts & resending failed EAPOL pkts?

Jouni Malinen j at w1.fi
Tue Mar 29 11:17:15 EDT 2011


On Tue, Feb 08, 2011 at 12:44:09PM +0100, Björn Smedman wrote:
> On Fri, Feb 4, 2011 at 11:43 PM, Jouni Malinen <j at w1.fi> wrote:
> > On Fri, Feb 04, 2011 at 10:44:53PM +0100, Björn Smedman wrote:
> >>  +static const u32 eapol_key_timeout_first = 1; /* ms */
> >>  +static const u32 eapol_key_timeout_subseq = 1000; /* ms */

> > Correct, that would likely be fast enough on making hostapd send out two
> > EAPOL-Key msg 1/4 frames before the response to the first one is
> > received. This should still work, but sure, it uses about twice the
> > bandwidth and CPU.
> 
> I just tried the 1 ms first timeout thing. For Mac OS X supplicant
> your prediction seems 100% correct. But my WinXP laptop fails to
> associate.

> To me it looks like WinXP is expecting the negotiation to continue
> from its last sent EAPOL-Key 2/4 whereas hostapd continues from the
> first. I have a tcpdump file for this I can send you in private if you
> think it helps.

Yes, that is indeed what seems to be happening. I went through number of
deployed supplicant implementations and confirmed that some of them
generate a new SNonce whenever receiving a new EAPOL-Key 1/4 even if
those frames are in the context of the same 4-way handshake and then
fail to use the first SNonce (which is the one that hostapd will pick
based on 802.11 rules). This results in the authenticator and supplicant
deriving different PTK values and the supplicant rejecting EAPOL-Key
3/4.

Unfortunately, the IEEE 802.11 standard is somewhat unclear in this area
and it is possible to hit this issue even when both the authenticator
and the supplicant are trying to follow the standard. While the standard
does not really allow a longer timeout to be used at the authenticator,
it looks like that is needed to avoid to interoperability issue with
certain station devices that are slow enough to take more than 100 ms to
reply to the first EAPOL-Key 1/4 message. I introduced the following
change to address this in hostapd:

http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=e4bf4db907a8a2d0496d1a184f2574c7f7f1f7f1

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list