On August 19, 2019 10:21:55 PM GMT+02:00, Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote: >I don't know, try capturing over the air? > >Perhaps the vendor IEs added this way are added *first* before all the >RSN IEs, and that's tripping up your AP, and you'd have to add them >*after* the normal elements? Not really sure where/how they're added? > >johannes The vendor elements are added at the very end of the frame. In fact I tried moving the RSN IE to the end of the frame so that the frame is similar to the one ubnt airos produces. No luck either. One thing I've learned is that ubnt airos assoc req frames have the WMM/WME IE placed before HT Capabilities. But I'm not sure how to move it and also not sure if it would actually work. I am getting 4WAY_HANDSHAKE_TIMEOUT. From capturing I can see the station sends Key (msg 2 of 4) and a bunch of acknowledgements, but it never sends Key (msg 4 of 4) afterwards. I feel like I'm stuck.. What could be the reason for this behaviour? Josef
