Re: FT authentication fails on FT-SAE

Michael Yartys <michael.yartys@xxxxxxxxxxxxxx> · Fri, 13 Aug 2021 07:34:52 +0000

Hi

I made a test with the iPad where I set up my two laptops with the same FT-SAE network to log any error messages, and I get the following FT failure:

mgmt::auth
authentication: STA=6e:59:ee:22:48:97 auth_alg=2 auth_transaction=1 status_code=0 wep=0 seq_ctrl=0xf6c0
  New STA
ap_sta_add: register ap_handle_timer timeout for 6e:59:ee:22:48:97 (300 seconds - ap_max_inactivity)
nl80211: sta_remove -> DEL_STATION wlp18s0 6e:59:ee:22:48:97 --> -2 (No such file or directory)
nl80211: Add STA 6e:59:ee:22:48:97
  * supported rates - hexdump(len=4): 02 04 0b 16
  * capability=0x0
  * aid=1 (UNASSOC_STA workaround)
  * listen_interval=0
  * flags set=0x0 mask=0xa0
FT: Received authentication frame: STA=6e:59:ee:22:48:97 BSSID=f0:42:1c:c7:0b:6e transaction=1
FT: Received authentication frame IEs - hexdump(len=158): 30 26 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 09 cc 00 01 00 bd 74 21 51 30 fe 82 61 1f c4 69 0f d2 c8 a7 83 36 03 a1 b2 00 37 62 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c2 c5 02 32 3d 50 10 c0 6b c3 98 a1 8e 29 b9 96 4a d0 c2 f7 63 52 2d aa 1c 44 5d b8 f6 e1 a1 8b 03 0e 73 65 63 6f 6e 64 5f 65 78 61 6d 70 6c 65 dd 0b 00 17 f2 0a 00 01 04 00 00 00 00
FT: RSNE - hexdump(len=38): 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 09 cc 00 01 00 bd 74 21 51 30 fe 82 61 1f c4 69 0f d2 c8 a7 83
FT: MDE - hexdump(len=3): a1 b2 00
FT: FTE - hexdump(len=98): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c2 c5 02 32 3d 50 10 c0 6b c3 98 a1 8e 29 b9 96 4a d0 c2 f7 63 52 2d aa 1c 44 5d b8 f6 e1 a1 8b 03 0e 73 65 63 6f 6e 64 5f 65 78 61 6d 70 6c 65
FT: FTE-MIC Control - hexdump(len=2): 00 00
FT: FTE-MIC - hexdump(len=16): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FT: FTE-ANonce - hexdump(len=32): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FT: FTE-SNonce - hexdump(len=32): c2 c5 02 32 3d 50 10 c0 6b c3 98 a1 8e 29 b9 96 4a d0 c2 f7 63 52 2d aa 1c 44 5d b8 f6 e1 a1 8b
FT: Parse FTE subelements - hexdump(len=16): 03 0e 73 65 63 6f 6e 64 5f 65 78 61 6d 70 6c 65
FT: STA R0KH-ID - hexdump(len=14): 73 65 63 6f 6e 64 5f 65 78 61 6d 70 6c 65
FT: Requested PMKR0Name - hexdump(len=16): bd 74 21 51 30 fe 82 61 1f c4 69 0f d2 c8 a7 83
FT: PMKR1Name - hexdump(len=16): 9c 36 5d 59 c7 8c ee 9b ee 5b 56 0f 20 2e 12 24
FT: No PMK-R1 available in local cache for the requested PMKR1Name
FT: No matching R0KH found
FT: Did not find R0KH-ID - hexdump(len=14): 73 65 63 6f 6e 64 5f 65 78 61 6d 70 6c 65
FT: Did not have matching PMK-R1 and either unknown or blocked R0KH-ID or NAK from R0KH
FT: FT authentication response: dst=6e:59:ee:22:48:97 auth_transaction=2 status=53 (INVALID_PMKID)
FT: Response IEs - hexdump(len=0): [NULL]
authentication reply: STA=6e:59:ee:22:48:97 auth_alg=2 auth_transaction=2 resp=53 (IE len=0) (dbg=auth-ft-finish)

The hostapd config for the laptops can be found below:

--- LAPTOP 1 ---

interface=wlp18s0
driver=nl80211

ssid=test1
hw_mode=g
channel=1

auth_algs=3
wmm_enabled=1

nas_identifier=first_example

wpa=2
wpa_passphrase=testingstuff123
wpa_key_mgmt=SAE FT-SAE
wpa_pairwise=CCMP
ieee80211w=2
sae_pwe=2

mobility_domain=a1b2
ft_over_ds=0
ft_psk_generate_local=0

--- LAPTOP 2 ---

interface=wlp18s0
driver=nl80211

ssid=test1
hw_mode=g
channel=6

auth_algs=3
wmm_enabled=1

nas_identifier=second_example

wpa=2
wpa_passphrase=testingstuff123
wpa_key_mgmt=SAE FT-SAE
wpa_pairwise=CCMP
ieee80211w=2
sae_pwe=2

mobility_domain=a1b2
ft_over_ds=0
ft_psk_generate_local=0

Michael

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Friday, August 13th, 2021 at 08:55, Michael Yartys <michael.yartys@xxxxxxxxxxxxxx> wrote:

> Hi
>
> I'm running an FT-SAE network on two routers with OpenWrt, and I've encountered an issue where clients that attempt to authenticate with FT fail due to an invalid PMKID (at least that's what the AP replies in the authentication response). The routers are running a master build of OpenWrt from 9. August, and the hostapd version is a master build up to and including: https://w1.fi/cgit/hostap/commit/?id=b102f19bcc53c7f7db3951424d4d46709b4f1986
>
> I've tried the following clients:
>
> -- Laptop 1 --
>
> -   Intel 7260AC
> -   Fedora 34
> -   Kernel: 5.13.8-200
> -   wpa_supplicant v2.9
>
>     -- Laptop 2 --
> -   Intel 7260AC
> -   Ubuntu 20.04.2 LTS
> -   Kernel: 5.11.0-25
> -   wpa_supplicant v2.10-devel-hostap_2_9-2285-gc3155a725 (recent snapshot)
>
>     -- iPad --
> -   iPadOS 15 Beta 4
>
>     I can provide logs from wpa_supplicant, hostapd, and packet captures to developers personally.
>
>     Michael

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap