Unable to connect to WPA2-Enterprise since 2.4-r1: WPA_ALG_PMK bug?

Ralf Ramsauer ralf+hostap at ramses-pyramidenbau.de
Mon May 4 12:59:41 EDT 2015


Hi,

so here's the news:

Freeradius 2.2.6 fails to connect with

    May 04 17:43:03 lefay wpa_supplicant[642]: nl80211: Unexpected encryption algorithm 5

Freeradius 2.2.7 just works fine.
But keep in mind, in most cases people do not have access to the wifi
backend :)

And as I don't know the backend of my university, I don't know what
they're using.

FYI: Today I read that Arch downgraded to wpa_supplicant 2.3, referencing
this thread [1]. Initially it was reported at [2] by someone else.
Some others seem to have experienced the same bug.

Cheers
  Ralf

[1] https://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/wpa_supplicant&id=7562b98bd83fe5bce43e6952e0e922e7791e18b5
[2] https://bugs.archlinux.org/task/44740


On 05/03/2015 10:32 PM, Ralf wrote:
> On 2015-05-03 21:14, Jouni Malinen wrote:
>> On Mon, Apr 27, 2015 at 06:01:43PM +0200, Ralf Ramsauer wrote:
>>> I also tried another WPA2-Enterprise WiFi which uses TTLS/PAP
>>> instead of PEAP/MSCHAPv2 - same problem here.
>>
>> Which authentication server are you using? It sounds like the main issue
>> here is an interoperability issue in TLS v1.2 key derivation for EAP.
>> The same derivation mechanism is used for both TTLS and PEAP.
>>
>> Are you by any chance using FreeRADIUS with TLS v1.2 enabled but before
>> the key derivation fix went in (March 31, 2015)? If so, that would
>> explain the problem due to FreeRADIUS deriving a different MSK when
>> using TLS v1.2.
>
> For the TTLS/PAP one we're using freeradius version 2.2.6. Tomorrow
> I'll tell the admin to upgrade and report what happens then.
>
> The second one is the WiFi of my university. I have no influence on
> that WiFi. I only know that they're using lots of Cisco stuff together
> with Microsoft Active Directory.
>
>>
>> Newer version of wpa_supplicant just happens to trigger this by enabling
>> TLS v1.2 to be negotiated, but the real fix is likely needed on the
>> authentication server.
>
> I can tell you tomorrow.
>
> Thank you
>   Ralf
