wpa_supplicant WPA-PSK pairwise OK, group fails
Dimitris Kogias
Tue May 17 20:31:32 PDT 2005
Hi Jouni,
Jouni Malinen wrote:
> On Tue, May 17, 2005 at 09:13:03AM -0700, Dimitris Kogias wrote:
>
>
>>ipw2200 1.0.3
>>wpa_supplicant 0.4.0 (debian unstable package).
>>D-Link DWL-900AP+ access point configured for WPA-PSK.
>
>
> Are you using the latest firmware image on that AP?
Latest one from D-Link, 3.07, dated 30 December 2003. Release notes at
http://support.dlink.com/products/view.asp?productid=DWL%2D900AP%2B%5FrevC
This is an end-of-life product so they probably won't be releasing any
firmware updates for it.
>>While all of the above is going on, I see this in the kernel logs:
>>
>>May 15 18:50:18 0x19 kernel: TKIP: replay detected:
>>STA=00:40:05:5b:3f:34 previous TSC 000000000000 received TSC 000000000000
>
>
> If this is indeed what is happening, the AP sent out two packets with
> the same packet number and the client driver dropped one of them. If
> that one happened to be the Group Key packet, that could explain why it
> was not seen in the wpa_supplicant debug. Another possibility would be
> in the AP sending out the Group Key packets in plaintext.. Would you
> happen to have a way of using a wireless sniffer to capture what packets
> are being sent between the AP and client when this happens?
>
No wireless sniffer, and no other wpa_supplicant capable adapter handy
to tcpdump with, but I ran tcpdump on the same interface while running
wpa_supplicant (with the same results).
00:12:f0:13:51:dc is the laptop station, 00:40:05:5b:3f:34 is the AP:
d@0x19:~$ sudo tcpdump -i eth1 -s 0 -XX -vv
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size
65535 bytes
20:15:39.240397 00:12:f0:13:51:dc > 00:40:05:5b:3f:34, ethertype Unknown
(0x888e), length 18:
0x0000: 0040 055b 3f34 0012 f013 51dc 888e 0101 .@.[?4....Q.....
0x0010: 0000 ..
20:15:42.395305 00:40:05:5b:3f:34 > 00:12:f0:13:51:dc, ethertype Unknown
(0x888e), length 113:
0x0000: 0012 f013 51dc 0040 055b 3f34 888e 0103 ....Q..@.[?4....
0x0010: 005f fe00 8900 2000 0000 0000 0000 019d ._..............
0x0020: 6891 6ae4 9f38 f845 531c 59e6 86a5 7da8 h.j..8.ES.Y...}.
0x0030: cf5d 3a0d 0d6b 3d54 7760 fb05 b4de 0200 .]:..k=Tw`......
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070: 00 .
20:15:59.395266 00:40:05:5b:3f:34 > 00:12:f0:13:51:dc, ethertype Unknown
(0x888e), length 113:
0x0000: 0012 f013 51dc 0040 055b 3f34 888e 0103 ....Q..@.[?4....
0x0010: 005f fe00 8900 2000 0000 0000 0000 0151 ._.............Q
0x0020: 67b5 e544 04f8 dae7 425e e3db 60c9 7348 g..D....B^..`.sH
0x0030: 9875 84f5 94ad 0a9f 833e 0cc5 3b8c b900 .u.......>..;...
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070: 00 .
20:15:59.399629 00:12:f0:13:51:dc > 00:40:05:5b:3f:34, ethertype Unknown
(0x888e), length 137:
0x0000: 0040 055b 3f34 0012 f013 51dc 888e 0103 .@.[?4....Q.....
0x0010: 0077 fe01 0900 2000 0000 0000 0000 01db .w..............
0x0020: d333 ef9d a729 2399 7571 7553 0b60 24bf .3...)#.uquS.`$.
0x0030: fc67 c031 ae5e 1004 3665 7cdb 3b5e ed00 .g.1.^..6e|.;^..
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050: 0000 0000 0000 0000 0000 0000 0000 00ba ................
0x0060: 5ffd 4a30 cb90 9008 f63a 8568 e914 8700 _.J0.....:.h....
0x0070: 18dd 1600 50f2 0101 0000 50f2 0201 0000 ....P.....P.....
0x0080: 50f2 0201 0000 50f2 02 P.....P..
20:15:59.404416 00:40:05:5b:3f:34 > 00:12:f0:13:51:dc, ethertype Unknown
(0x888e), length 139:
0x0000: 0012 f013 51dc 0040 055b 3f34 888e 0103 ....Q..@.[?4....
0x0010: 0079 fe01 c900 2000 0000 0000 0000 0251 .y.............Q
0x0020: 67b5 e544 04f8 dae7 425e e3db 60c9 7348 g..D....B^..`.sH
0x0030: 9875 84f5 94ad 0a9f 833e 0cc5 3b8c b900 .u.......>..;...
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050: 0000 0000 0000 0000 0000 0000 0000 00e8 ................
0x0060: f73e eabd 0dbf 23ab b13c f554 9b98 1900 .>....#..<.T....
0x0070: 1add 1800 50f2 0101 0000 50f2 0201 0000 ....P.....P.....
0x0080: 50f2 0201 0000 50f2 0200 00 P.....P....
20:15:59.406376 00:12:f0:13:51:dc > 00:40:05:5b:3f:34, ethertype Unknown
(0x888e), length 113:
0x0000: 0040 055b 3f34 0012 f013 51dc 888e 0103 .@.[?4....Q.....
0x0010: 005f fe01 0900 2000 0000 0000 0000 0200 ._..............
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050: 0000 0000 0000 0000 0000 0000 0000 00ef ................
0x0060: 9a8c c718 e37a c8e4 ccd2 f2d1 95ee 1d00 .....z..........
0x0070: 00 .
tcpdump: pcap_loop: recvfrom: Network is down
6 packets captured
6 packets received by filter
0 packets dropped by kernel
d@0x19:~$
As I said the wpa_supplicant results were the same: Intermittent
point-to-point WLAN connectivity, TKIP replay log entries. Today I have
also upgraded to the latest version of the ipw2200 driver, 1.0.4, and I
am seeing this message that I didn't see before, and only on the first
time wpa_supplicant tries to set up WPA:
WPA: RX EAPOL-Key - hexdump(len=99): 01 03 00 5f fe 00 89 00 20 00 00 00
00 00 00 00 01 9d 68 91 6a e4 9f 38 f8 45 53 1c 59 e6 86 a5 7d a8 cf 5d
3a 0d 0d 6b 3d 54 77 60 fb 05 b4 de 02 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
State: ASSOCIATED -> 4WAY_HANDSHAKE
WPA: RX message 1 of 4-Way Handshake from 00:40:05:5b:3f:34 (ver=1)
Invalid group cipher (0).
WPA: Failed to generate WPA IE (for msg 2 of 4).
Authentication with 00:40:05:5b:3f:34 timed out.
I don't remember seeing 'Invalid group cipher(0)' before.
Dimitris.
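
Added example, not part of the original message or of wpa_supplicant: a Python sketch that decodes the Key Information field of each EAPOL frame in the tcpdump output above and labels it, to check whether a Group Key message appears in the capture. The header bytes are copied from the dump; the flag masks follow the EAPOL-Key descriptor layout, and the function names are illustrative.

```python
import struct

# First 17 bytes of each 802.1X payload (the bytes after ethertype 0x888e),
# copied in capture order from the tcpdump output in the message above.
CAPTURE = [
    "01 01 00 00",
    "01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 00 01",
    "01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 00 01",
    "01 03 00 77 fe 01 09 00 20 00 00 00 00 00 00 00 01",
    "01 03 00 79 fe 01 c9 00 20 00 00 00 00 00 00 00 02",
    "01 03 00 5f fe 01 09 00 20 00 00 00 00 00 00 00 02",
]

# Key Information bits: key type (1 = pairwise, 0 = group), Key Ack, Key MIC.
PAIRWISE, ACK, MIC = 0x0008, 0x0080, 0x0100


def classify(payload: bytes) -> str:
    """Label one 802.1X payload by packet type and EAPOL-Key flags."""
    if len(payload) < 4:
        return "truncated"
    _version, ptype, _length = struct.unpack_from(">BBH", payload)
    if ptype != 3:  # 3 = EAPOL-Key, 1 = EAPOL-Start
        return "EAPOL-Start" if ptype == 1 else f"EAPOL type {ptype}"
    if len(payload) < 17:
        return "truncated EAPOL-Key"
    # Descriptor type, Key Information, key length, replay counter.
    desc, key_info, _key_len, replay = struct.unpack_from(">BHHQ", payload, 4)
    if desc not in (0xFE, 0x02):  # 0xfe = WPA, 0x02 = RSN
        return f"unknown descriptor {desc:#x}"
    ack, mic = bool(key_info & ACK), bool(key_info & MIC)
    if key_info & PAIRWISE:
        if ack:
            msg = "4-way 3/4" if mic else "4-way 1/4"
        else:
            msg = "4-way 2/4 or 4/4" if mic else "pairwise, unexpected flags"
    else:
        msg = "group 1/2" if ack else "group 2/2"
    return f"{msg} replay={replay}"


def labels(capture=CAPTURE):
    return [classify(bytes.fromhex(h)) for h in capture]


def group_key_seen(capture=CAPTURE) -> bool:
    return any(label.startswith("group") for label in labels(capture))


if __name__ == "__main__":
    print("\n".join(labels()))
    print("group key message in capture:", group_key_seen())
```

Every EAPOL-Key frame in this capture has the pairwise bit set, so no Group Key message reached the interface tcpdump was reading.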