Re: wpa_supplicant: secured mesh and WiLink8 issue

On Fri, Nov 04, 2016 at 01:54:10PM +0100, Jeroen Roovers wrote:
> I tried your advice in
> https://bobcopeland.com/blog/2016/10/encrypted-mesh-psa/ . I am using
> a 3.4 kernel and trying out wpa_supplicant 2.6, so I added
> ieee80211w=2 to the configuration:
> 
> %< snip >%
> user_mpm=1
> update_config=1
> 
> network={
>         mode=5
>         ssid="secret"
>         frequency=2412
>         proto=RSN
>         pairwise=CCMP
>         key_mgmt=SAE
>         group=CCMP
>         psk="secret"
> }
> %< snip >%

(I don't see ieee80211w here?)

> The first mesh node that went up initially showed this:
> 
> 2016-11-04T12:33:06.987105+00:00 AirFi wpa_supplicant[476]: AP-ENABLED
> 2016-11-04T12:33:07.004874+00:00 AirFi wpa_supplicant[476]: wlan1:
> joining mesh "<secret>"
> 2016-11-04T12:33:07.006015+00:00 AirFi wpa_supplicant[476]: wlan1:
> mesh join error=-114

Hmm -EALREADY, I guess this one was already operating?

> After restarting wpa_supplicant (with two other nodes running already)
> I instead got this:

[snip]

> 2016-11-04T12:40:22.923110+00:00 AirFi wpa_supplicant[1019]: wlan1:
> new peer notification for xx:xx:xx:xx:xx:55
> 2016-11-04T12:40:23.438482+00:00 AirFi wpa_supplicant[1019]: wlan1:
> new peer notification for xx:xx:xx:xx:xx:6c
> 2016-11-04T12:40:36.131965+00:00 AirFi wpa_supplicant[1019]: wlan1:
> MESH-SAE-AUTH-FAILURE addr=xx:xx:xx:xx:xx:55
> 2016-11-04T12:40:39.639177+00:00 AirFi wpa_supplicant[1019]: wlan1:
> MESH-SAE-AUTH-FAILURE addr=xx:xx:xx:xx:xx:6c

So two were running already, same wpa_s version?

> 2016-11-04T12:40:53.579341+00:00 AirFi wpa_supplicant[1019]: wlan1:
> MESH-SAE-AUTH-FAILURE addr=xx:xx:xx:xx:xx:55
> 2016-11-04T12:40:54.826637+00:00 AirFi wpa_supplicant[1019]: wlan1:
> MESH-SAE-AUTH-FAILURE addr=xx:xx:xx:xx:xx:6c

...but SAE authentication failed.  This happens before even peering,
so it sounds like this is something other than the encryption change.
Just to be sure, the password and SAE group configurations are the
same across all nodes?

To be clear, the sequence goes like this:

SAE authentication (derives PMK from password)
    ---> AMPE peering (derives MTK from PMK, MGTK generated and exchanged)
        ---> HWMP route establishment (uses keys from previous step)

The changes referred to in my blog post happened at steps 2 and 3, while it
looks like your failure happened at step 1.

> So maybe your advice needs some extra good bits for specific situations.
> 
> Kind regards,
>     jer

-- 
Bob Copeland %% http://bobcopeland.com/

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
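
Added example, not part of the original message or of wpa_supplicant: a small Python triage of the mesh events in a log like the one quoted above, reporting per peer how far it got in the sequence listed in the reply (SAE, then AMPE peering). The sample log is constructed (the thread's lines unfolded, plus an invented peer ending in :7a), and reading MESH-PEER-CONNECTED as "SAE and AMPE peering completed" is an assumption of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: most lines follow the log quoted in the thread (unfolded);
# the peer ending in :7a and its two lines are invented for illustration.
SAMPLE_LOG = """\
2016-11-04T12:40:22.923110+00:00 AirFi wpa_supplicant[1019]: wlan1: new peer notification for xx:xx:xx:xx:xx:55
2016-11-04T12:40:23.438482+00:00 AirFi wpa_supplicant[1019]: wlan1: new peer notification for xx:xx:xx:xx:xx:6c
2016-11-04T12:40:36.131965+00:00 AirFi wpa_supplicant[1019]: wlan1: MESH-SAE-AUTH-FAILURE addr=xx:xx:xx:xx:xx:55
2016-11-04T12:40:39.639177+00:00 AirFi wpa_supplicant[1019]: wlan1: MESH-SAE-AUTH-FAILURE addr=xx:xx:xx:xx:xx:6c
2016-11-04T12:40:40.000000+00:00 AirFi wpa_supplicant[1019]: wlan1: new peer notification for xx:xx:xx:xx:xx:7a
2016-11-04T12:40:41.000000+00:00 AirFi wpa_supplicant[1019]: wlan1: MESH-PEER-CONNECTED xx:xx:xx:xx:xx:7a
2016-11-04T12:40:53.579341+00:00 AirFi wpa_supplicant[1019]: wlan1: MESH-SAE-AUTH-FAILURE addr=xx:xx:xx:xx:xx:55
"""

MAC = r"((?:[0-9a-fx]{2}:){5}[0-9a-fx]{2})"  # also accepts masked octets ("xx")
EVENTS = [  # (pattern, event name), checked in order for every line
    (re.compile(r"new peer notification for " + MAC, re.I), "seen"),
    (re.compile(r"MESH-SAE-AUTH-(?:FAILURE|BLOCKED) addr=" + MAC, re.I), "sae_fail"),
    (re.compile(r"MESH-PEER-CONNECTED " + MAC, re.I), "peered"),
]
VERDICTS = {  # keyed by the most recent event seen for a peer
    "seen": "discovered, SAE not yet finished",
    "sae_fail": "step 1 failed (SAE): compare password and SAE groups",
    "peered": "steps 1-2 done (SAE + AMPE peering)",
}

def triage(log_text):
    """Return {peer: (verdict, Counter of events)} for a wpa_supplicant mesh log."""
    counts, last = defaultdict(Counter), {}
    for line in log_text.splitlines():
        for pattern, name in EVENTS:
            m = pattern.search(line)
            if m:
                peer = m.group(1).lower()
                counts[peer][name] += 1
                last[peer] = name  # verdict reflects the latest state
                break
    return {peer: (VERDICTS[last[peer]], counts[peer]) for peer in counts}

if __name__ == "__main__":
    for peer, (verdict, c) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{peer}  {verdict}  (SAE failures: {c['sae_fail']})")
```

A peer that only ever shows SAE failures never reached peering, so the encryption changes at steps 2 and 3 are not yet in play for it.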


