Unable to connect to WPA2-Enterprise since 2.4-r1: WPA_ALG_PMK bug?

Jouni Malinen j at w1.fi
Mon Apr 27 09:34:17 EDT 2015


On Mon, Apr 27, 2015 at 02:54:00PM +0200, Ralf Ramsauer wrote:
> After connecting to a WPA2-Enterprise network (wpa_supplicant 2.4-r1,
> PEAP/MSCHAPv2) I got the following messages in my journal (suspicious
> line highlighted):

>     *Apr 27 13:45:49 lefay wpa_supplicant[638]: nl80211: Unexpected
>     encryption algorithm 5*

It looks like this gets printed even when the driver does not support
vendor extensions for configuring PMK for offloading operations. I guess
this could be cleaned up a bit by removing that call when the driver did
not indicate support for it. Anyway, this should not cause any
difference in behavior since the error from this operation is ignored.

>     Apr 27 13:45:49 lefay NetworkManager[545]: <info>  (wlp3s0):
>     supplicant interface state: associated -> 4-way handshake
>     Apr 27 13:46:11 lefay NetworkManager[545]: <warn>  (wlp3s0):
>     Activation: (wifi) association took too long

I would need to see more details on this to be able to determine what
happened. Can you run wpa_supplicant manually (i.e., without
NetworkManager) and add -dd on the command line?

> So 2.4-r1 seems to use a 4 way handshake, 2.2 uses a three way
> handshake? Why did it change?

I'm not sure what you are referring to with "three way handshake". There
has been no changes in the protocol design between those versions.

> So I recompiled wpa_supplicant 2.4-r1 with debugging symbols and started
> analyzing.
> 
> The suspicious line "*nl80211: Unexpected encryption algorithm 5*" is
> thrown in driver_nl80211.c line 2399. It is a switch-case on the
> algorithm for WPA_ALG_PMK, which is ... not supported?
> Hum?

This is unlikely to be the main reason for the failure to complete
connection since the code path ends up trying to set a key which is
using unsupported algorithm. I'll remove this if the driver does not
indicate explicitly support for key management offload. Anyway, I don't
think that that change would fix the main issue here..

Which driver are you using?

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list