WPA && WDS

Mohamed Tamer Refaei mohamed.refaei
Thu Apr 28 13:29:55 PDT 2005


Hi all,

I am still attempting to get WDS to work on with WPA.  I have this setup that I expected to work but it is not:

- Using Two APs (AP1 and AP2) running hostap 0.3.7
- Establish a WDS link between 2 APs
- Run hostapd 0.3.7 with the "rsn_preauth=1 and rsn_preauth_interfaces=wlan0wds0"
- Associate and authenticate two client, one with each AP (C-AP1 and C-AP2), using EAP-PSK

When I attempt to ping C-AP2 from C-AP1 I get the following message at AP2
"TKIP ICV error detected: STA={MAC address of AP1}
wifi0: decryption failed (SA={MAC address of AP1}) res=-5".  

This has been reported before, that data on the WDS link is encrypted using AP individual keys.  Since these keys are not shared they are unable to decrypt the packets.

Using hostap_crypt_conf I created manual entries for each of the APs with encryption algorithm set to NULL
- At AP 1: 

> hostap_crypt_conf -p wlan0 {MAC of AP 2} NULL
> hostap_crypt_conf -l wlan0, would show
Keys for {MAC of AP 2}
  algorithm: NULL
  TX key idx: 1
  key 1:
  key 2:
  key 3:
  key 4:

same thing for AP 2

I tried to ping again.  My packet capture indicate that the ping packets are sent unencrypted over the WDS link.  However, I see at AP2 
"wlan0wds0: dropped frame from unauthorized port (IEEE 802.1X): ethertype=0x0800)"

Even though "rsn_preauth_interfaces=wlan0wds0" is set the stations still drop packets from wlan0wds0 interface.  Am I missing something here? Is there something wrong in this setup?

thanks much
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20050428/e2511ae1/attachment.htm 



More information about the Hostap mailing list