wpa_supplicant TKIP countermeasures

Jonathan Bagg jbagg at lenbrook.com
Wed Nov 21 09:45:15 EST 2012


On 12-11-18 06:16 AM, Jouni Malinen wrote:
> On Fri, Nov 16, 2012 at 12:11:53PM -0500, Jonathan Bagg wrote:
>> Question about TKIP countermeasures in wpa_supplicant....After three
>> "Event MICHAEL_MIC_FAILURE (2) received" I see wpa_supplicant say "TKIP
>> countermeasures started", and then disconnects, but never reconnects
>> after 60 seconds (5.2.17 step #8 in Wi-Fi CERTIFIED n System
>> Interoperability Test Plan) Running wpa_supplicant v1.0
> This works fine in my tests.. When wpa_supplicant initiated TKIP
> countermeasures, it disconnected, added the BSSID of the AP into
> blacklist, and started scanning. After 60 seconds, TKIP countermeasures
> were stopped and the next scan was allowed to clear the blacklist. At
> this point, connection went through with the same AP.
>
>> Is wpa_supplicant supposed to handle the reconnect or is it up to the
>> user / higher level software?
> Yes, wpa_supplicant is supposed to find another AP (if available and
> enabled in configuration) or connect back to the same AP after 60
> seconds.
Thank you for the info.
> Which driver are you using? How do you configure ap_scan parameter in
> wpa_supplicant? Could you please send wpa_supplicant debug log with
> timestamps (-dt on command line) from a case where there was no
> connection?
supplicant output -> http://upgrade.nadelectronics.com/wifi/wpa_log_2.txt
packet sniff -> http://upgrade.nadelectronics.com/wifi/all-2.pkt

cw1200 (Sony-Ericson chipset)  The driver hasn't made it to the kernel 
yet.  To my knowledge, we are not configuring the ap_scan parameter.  It 
appears that the device is trying to reconnect right after the 
countermeasures disconnect but fails, and after 60 seconds, it doesn't 
not attempt to connect.  Unfortunately I don't know how to simulate MIC 
failures, so we are relaying on the test lab.  wpa_supplicant was 
started with....

wpa_supplicant -D nl80211 -i wlan0 -c /var/data/wpa.conf -dt > 
/var/log/wpa_log_2.txt &

The wpa.conf file wouldn't be much different than what is below witha 
different SSID and psk.
network={
ssid="wifi_test"
scan_ssid=1
key_mgmt=WPA-PSK
pairwise=CCMP
group=CCMP
psk=7d1bb2eb6f8cbc74a6ad97e90fe02498fa610bac1628778e8d5ddac2c57f88d9
}

Jon

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20121121/4314a043/attachment.htm 


More information about the HostAP mailing list