Unable to connect to WPA2-Enterprise since 2.4-r1: WPA_ALG_PMK bug?

David Woodhouse dwmw2 at infradead.org
Wed Jul 8 18:47:17 EDT 2015


On Wed, 2015-07-08 at 22:11 +0300, Jouni Malinen wrote:
> 
> RSN: Stop connection attempt on apparent PMK mismatch
> 
> If WPA2-Enterprise connection with full EAP authentication (i.e., no
> PMKSA caching used) results in a PMKID that does not match the one the
> AP/Authenticator indicates in EAPOL-Key msg 1/4, there is not much point
> in trying to trigger full EAP authentication by sending EAPOL-Start
> since this sequence was immediately after such full authentication
> attempt.

That works...

wlo1: SME: Trying to authenticate with 18:33:9d:0c:da:de (SSID='TSNOfficeWLAN' freq=5300 MHz)
wlo1: Trying to associate with 18:33:9d:0c:da:de (SSID='TSNOfficeWLAN' freq=5300 MHz)
wlo1: Associated with 18:33:9d:0c:da:de
wlo1: CTRL-EVENT-EAP-STARTED EAP authentication started
wlo1: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=FR
wlo1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
TLS - SSL error: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
wlo1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
wlo1: CTRL-EVENT-EAP-PEER-CERT depth=3 subject='/C=US/O=Intel Corporation/CN=Intel Root CA'
wlo1: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=Intel Corporation/CN=Intel Intranet Basic Policy CA'
wlo1: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=Intel Corporation/CN=Intel Intranet Basic Issuing CA 1A'
wlo1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=ir10d-pra1.ir.intel.com'
wlo1: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
wlo1: RSN: PMKID mismatch - authentication server may have derived different MSK?!
wlo1: CTRL-EVENT-DISCONNECTED bssid=18:33:9d:0c:da:de reason=1 locally_generated=1

We end up *blacklisting* the offending BSSIDs and not trying them again
for a while... would it be possible to start by disabling TLSv1.2 for
the offending BSSIDs, rather than giving up entirely?

That might be a simpler workaround than the other one (which I'm about
to test).

-- 
dwmw2
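As an added illustration (not code from this thread or from wpa_supplicant itself), here is how a supplicant arrives at the PMKID it compares against the one carried in EAPOL-Key msg 1/4, and the decision the quoted commit message describes; the 64-byte MSK and the station MAC are constructed sample values, the BSSID is the one from the log above.

```python
import hmac
import hashlib

# Constructed sample inputs (not taken from the thread): a 64-octet MSK as an
# EAP method exports it, the AP's BSSID (AA) from the log, and a made-up STA MAC (SPA).
SAMPLE_MSK = bytes(range(64))
AA = bytes.fromhex("18339d0cdade")    # BSSID seen in the wpa_supplicant log above
SPA = bytes.fromhex("020000000001")   # constructed station MAC address


def pmk_from_msk(msk: bytes) -> bytes:
    """For 802.1X AKMs the PMK is the first 32 octets of the MSK the EAP method produced."""
    if len(msk) < 32:
        raise ValueError("MSK must be at least 32 octets")
    return msk[:32]


def pmkid(pmk: bytes, aa: bytes, spa: bytes, sha256: bool = False) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) for the classic 802.1X AKM;
    SHA-256 based AKMs use a truncated HMAC-SHA-256 over the same input instead."""
    digest = hashlib.sha256 if sha256 else hashlib.sha1
    return hmac.new(pmk, b"PMK Name" + aa + spa, digest).digest()[:16]


def check_msg1_pmkid(our_pmk: bytes, aa: bytes, spa: bytes,
                     pmkid_from_msg1: bytes, full_eap_just_done: bool) -> str:
    """Decision from the quoted commit: if the PMKID in msg 1/4 does not match the PMK we
    just derived from a full EAP exchange, abort rather than re-trigger EAP with EAPOL-Start.
    A mismatch right after full EAP means server and peer disagree on the MSK (e.g. a
    TLS key-export difference), so another EAP round would only repeat the failure."""
    if hmac.compare_digest(pmkid(our_pmk, aa, spa), pmkid_from_msg1):
        return "match"            # proceed with the 4-way handshake
    if full_eap_just_done:
        return "abort"            # wpa_supplicant: "RSN: PMKID mismatch"
    return "eapol-start"          # stale cached PMK: ask for full EAP authentication


if __name__ == "__main__":
    pmk = pmk_from_msk(SAMPLE_MSK)
    ap_view = pmkid(pmk, AA, SPA)               # what a consistent AP would send
    print(check_msg1_pmkid(pmk, AA, SPA, ap_view, True))
    print(check_msg1_pmkid(pmk, AA, SPA, bytes(16), True))
```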