On Tue, Feb 19, 2019 at 10:15:36PM +0530, mahesh kumar wrote:
> We are seeing an issue where the session timeout is configured as 5 min in the Cisco
> controller.
> A station connected to AP1 (FT 802.1X) and then roamed to AP2 (FT 802.1X).
> After the session timeout, during the EAPOL exchange, the station sent a disconnection due
> to an FT IE mismatch between the 3/4 frame and the FT IE in the re-assoc response.

Are you saying the AP is initiating a new EAP authentication during the FT
association? That is not the way FT is supposed to work. MSK/PMK-R0/PMK-R1
can be updated only by forcing a new FT initial mobility domain association,
i.e., the AP would need to send a Deauthentication frame with reason code
INVALID_AUTHENTICATION (2) instead of sending the EAP-Request/Identity frame.

> log:
> 02-18 17:11:39.672 D/wpa_supplicant( 8440): wlan0: FT: FTIE mismatch
> 02-18 17:11:39.672 D/wpa_supplicant( 8440): FT: FTIE in EAPOL-Key msg 3/4 -
> hexdump(len=98): 37 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
> 02-18 17:11:39.672 D/wpa_supplicant( 8440): FT: FTIE in (Re)Association
> Response - hexdump(len=135): 37 85 00 03 71 d5 c0 b4 de 75 7b d4 cc 5e 09
> fc fb a2 38 34 78 1e d8 02 90 91 fe b1 6c d2 25 19 ...
> 02-18 17:11:39.673 D/wpa_supplicant( 8440): wlan0: Request to
> deauthenticate - bssid=50:0f:80:93:39:80 pending_bssid=00:00:00:00:00:00
> reason=1 state=4WAY_HANDSHAKE

The AP is misbehaving here. The FTE in the EAPOL-Key msg 3/4 Key Data field
shall be identical to the one the AP sent in the Reassociation Response frame
for this association. As can be seen in the debug dump here, the AP is
clearly sending something else. That long list of zero octets would imply
that the FTE came from the initial mobility domain association and not from
the FT protocol reassociation, which was the case in this particular
sequence.

> Do we need to reset the FT IE in the supplicant after receiving the EAP frame?

No, the AP needs to be fixed to comply with the standard.
wpa_supplicant behavior here is compliant with the standard requirements.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
http://lists.infradead.org/mailman/listinfo/hostap
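As an added illustration of the check the reply describes (not code from wpa_supplicant or from this thread), the following parses a Fast BSS Transition element, compares the FTE carried in EAPOL-Key message 3/4 against the one from the Reassociation Response, and flags the all-zero MIC-control/MIC/nonce form that marks an initial mobility domain FTE. Nonces, MIC, R0KH-ID and GTK bytes are constructed sample values, not the (truncated) hexdump from the log; the 16-octet MIC length of the default FT AKMs is assumed.

```python
from typing import Dict, List, Tuple

FTE_ID = 55  # 0x37, Fast BSS Transition element (first octet in the log hexdump)
FTE_SUBELEM = {1: "R1KH-ID", 2: "GTK", 3: "R0KH-ID", 4: "IGTK"}
FIXED_LEN = 2 + 16 + 32 + 32  # MIC Control, MIC (16-octet variant), ANonce, SNonce


def parse_fte(ie: bytes) -> Dict:
    """Split a raw FTE (ID, Length, body) into fixed fields and subelements."""
    if len(ie) < 2 or ie[0] != FTE_ID or len(ie) != 2 + ie[1]:
        raise ValueError("not a complete FTE")
    body = ie[2:]
    if len(body) < FIXED_LEN:
        raise ValueError("FTE body shorter than the fixed fields")
    fte = {"element_count": body[1],  # MIC Control: reserved octet, then Element Count
           "mic": body[2:18], "anonce": body[18:50], "snonce": body[50:82],
           "subelems": {}}
    pos = FIXED_LEN
    while pos + 2 <= len(body):  # walk the TLV-style subelements
        sid, slen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + slen]
        if len(data) != slen:
            raise ValueError("truncated FTE subelement")
        fte["subelems"][FTE_SUBELEM.get(sid, sid)] = data
        pos += 2 + slen
    return fte


def fte_looks_like_initial_md(fte: Dict) -> bool:
    """Zero MIC Control, MIC and nonces: the FTE form of an initial MD association."""
    return (fte["element_count"] == 0 and not any(fte["mic"])
            and not any(fte["anonce"]) and not any(fte["snonce"]))


def check_msg3_fte(reassoc_fte: bytes, msg3_fte: bytes) -> Tuple[bool, str]:
    """Supplicant-side rule: msg 3/4 FTE must be octet-identical to the Reassociation one."""
    if reassoc_fte == msg3_fte:
        return True, "FTIE match"
    reason = "FTIE mismatch"
    try:
        if fte_looks_like_initial_md(parse_fte(msg3_fte)):
            reason += ": msg 3/4 carries an initial mobility domain FTE, not the FT protocol one"
    except ValueError as exc:
        reason += f" ({exc})"
    return False, reason


def build_fte(mic: bytes, anonce: bytes, snonce: bytes, count: int,
              subelems: List[Tuple[int, bytes]]) -> bytes:
    body = bytes([0, count]) + mic + anonce + snonce
    for sid, data in subelems:
        body += bytes([sid, len(data)]) + data
    return bytes([FTE_ID, len(body)]) + body


# Constructed sample values; R1KH-ID reuses the BSSID shown in the log line.
MIC, ANONCE, SNONCE = bytes.fromhex("71d5c0b4de757bd4cc5e09fcfba23834"), bytes(range(1, 33)), bytes(range(33, 65))
R1KH, R0KH = bytes.fromhex("500f80933980"), b"r0kh-example"
REASSOC_FTE = build_fte(MIC, ANONCE, SNONCE, 3, [(1, R1KH), (2, bytes(35)), (3, R0KH)])
INITIAL_MD_FTE = build_fte(bytes(16), bytes(32), bytes(32), 0, [(1, R1KH), (3, R0KH)])
```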