Can one STA with EAPOL errors make hostapd drop all clients?

Rafał Miłecki zajec5 at gmail.com
Mon May 25 04:40:39 EDT 2015


On 25 May 2015 at 10:38, Jouni Malinen <j at w1.fi> wrote:
> On Mon, May 25, 2015 at 10:17:06AM +0200, Rafał Miłecki wrote:
>> Thanks for info, nice to know. Looks like a spec-approved easy way
>> to sabotage an AP ;) You're right about encryption, this problem
>> occurs with TKIP only.
>>
>> Any idea why my "good" STA can't reconnect after this action? I mean
>> these associated/disassociated/unauthorizing port logs in hostapd.
>> Unfortunately I didn't grab corresponding wpa_supplicant logs, but I
>> can try later if that helps.
>
> TKIP has a relatively weak design as it was only supposed to be a short
> term improvement with a limited lifetime (which has long ago expired).
> As such, it requires countermeasures that prevent attackers from trying
> certain attacks frequently. This results in the AP disabling all use of
> TKIP for 60 seconds per each two attempts.
>
> No one should really be using TKIP anymore. What you see here sounds
> like correct and expected behavior, and the best way of getting rid of that is
> by disabling use of TKIP completely (i.e., including use of it as the
> group cipher).

Thanks for explaining this to me!

-- 
Rafał
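
The advice quoted above, to disable TKIP completely including as the group cipher, can be checked against an AP's configuration. The Python below is an added example, not part of this thread or of hostapd: it audits hostapd.conf text for remaining TKIP use. It assumes a single BSS and the defaults described in hostapd.conf's own comments (which a given build may change); the function names and sample configurations are constructed.

```python
# Added example (not hostapd code): report where a hostapd.conf still enables TKIP.
# Assumes one BSS and hostapd's documented defaults: wpa_pairwise defaults to TKIP,
# rsn_pairwise defaults to wpa_pairwise, and the group cipher is derived
# automatically (TKIP as soon as any enabled pairwise list contains TKIP).

def parse_conf(text):
    """Return key=value settings, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def tkip_findings(text):
    """Return the sorted list of places where TKIP would be in use."""
    conf = parse_conf(text)
    wpa = int(conf.get("wpa", "0"))  # bitfield: 1 = WPA, 2 = WPA2/RSN
    wpa_pairwise = set(conf.get("wpa_pairwise", "TKIP").split())
    rsn_pairwise = set(conf.get("rsn_pairwise", " ".join(wpa_pairwise)).split())
    findings = set()
    if wpa & 1 and "TKIP" in wpa_pairwise:
        findings.add("wpa_pairwise")
    if wpa & 2 and "TKIP" in rsn_pairwise:
        findings.add("rsn_pairwise")
    if findings:
        # Group traffic is shared by every STA, including those with CCMP pairwise keys.
        findings.add("group")
    return sorted(findings)

# Constructed sample configurations (not taken from the thread).
MIXED = """
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
"""
CCMP_ONLY = """
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""
IMPLICIT = "wpa=2\nwpa_key_mgmt=WPA-PSK\n"  # no pairwise lines: defaults apply

if __name__ == "__main__":
    for name, conf in (("mixed", MIXED), ("ccmp-only", CCMP_ONLY), ("implicit", IMPLICIT)):
        print(name, tkip_findings(conf) or "no TKIP")
```

An empty result means neither pairwise list nor the derived group cipher uses TKIP under these assumptions.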

