Need clarification on WPS IE support

CHui CHui
Thu Apr 13 12:03:49 PDT 2006 

> > When I configure the access point (Cisco 1200 series 1232AG) to
> > support two SSIDs on the same radio, wpa_supplicant started to fail
> > to connect to the second SSID which is not broadcast in the 802.11
> > beacon management frame.
>
> How does it fail?  Debug logs would be good.  What ap_scan mode are you
> using in the config file?
>

I have included the wpa_suplicant.conf and output of the wpa_supplicant
debug logs.  The first debug log used ap_scan=1 and scan_ssid=1.  The second
log used ap_scan=2 which caused wpa_suplicant core dump.  

***** wpa_supplicant.conf
  ##### wpa_supplicant configuration file ###############################
  ctrl_interface=/var/run/wpa_supplicant
  ctrl_interface_group=0
  eapol_version=1
  ap_scan=1
  fast_reauth=1
  # network block
  network={
	ssid="employee"
	mode=0
	scan_ssid=1
	proto=WPA
	key_mgmt=WPA-EAP
	pairwise=TKIP
	group=TKIP
	eap=TTLS
	identity="xxxxxxxxxx"
	password="XXXXXXXXXX"
	phase2="auth=PAP"
	ca_cert="/usr/local/etc/lsgCA_cert.cer"
  }

***** wpa_supplicant debug logs with ap_scan=1
wpa_supplicant -iath0 -c wpa_supplicant.conf -dd

Initializing interface 'ath0' conf 'wpa_supplicant.conf' driver 'default'
ctrl_interface 'N/A' bridge 'N/A'
Configuration file 'wpa_supplicant.conf' -> '/root/wpa_supplicant.conf'
Reading configuration file '/root/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1
Line: 264 - start of a new network block
ssid - hexdump_ascii(len=8):
     65 6d 70 6c 6f 79 65 65                           employee        
mode=0 (0x0)
scan_ssid=1 (0x1)
proto: 0x1
key_mgmt: 0x1
pairwise: 0x8
group: 0x8
eap methods - hexdump(len=16): 00 00 00 00 15 00 00 00 00 00 00 00 00 00 00
00
identity - hexdump_ascii(len=10):
     XX XX XX XX XX XX XX XX XX XX                     xxxxxxxxxx      
password - hexdump_ascii(len=8): [REMOVED]
phase2 - hexdump_ascii(len=8):
     61 75 74 68 3d 50 41 50                           auth=PAP        
ca_cert - hexdump_ascii(len=29):
     2f 75 73 72 2f 6c 6f 63 61 6c 2f 65 74 63 2f 6c   /usr/local/etc/l
     73 67 43 41 5f 63 65 72 74 2e 63 65 72            sgCA_cert.cer   
Priority group 0
   id=0 ssid='employee'
Initializing interface (2) 'ath0'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
Own MAC address: 00:40:96:a9:a0:15
wpa_driver_bsd_set_wpa: enabled=1
wpa_driver_bsd_del_key: keyidx=0
wpa_driver_bsd_del_key: keyidx=1
wpa_driver_bsd_del_key: keyidx=2
wpa_driver_bsd_del_key: keyidx=3
wpa_driver_bsd_set_countermeasures: enabled=0
wpa_driver_bsd_set_drop_unencrypted: enabled=1
Setting scan request: 0 sec 100000 usec
Added interface ath0
State: DISCONNECTED -> SCANNING
Starting AP scan (specific SSID)
Scan SSID - hexdump_ascii(len=8):
     65 6d 70 6c 6f 79 65 65                           employee        
Trying to get current scan results first without requesting a new scan to
speed up initial association
Received 0 bytes of scan results (0 BSSes)
Scan results: 0
Selecting BSS from priority group 0
No suitable AP found.
Setting scan request: 0 sec 0 usec
Starting AP scan (broadcast SSID)
Received 0 bytes of scan results (2 BSSes)
Scan results: 2
Selecting BSS from priority group 0
0: 00:15:f9:79:cf:70 ssid='visitor' wpa_ie_len=0 rsn_ie_len=0 caps=0x1
   skip - no WPA/RSN IE
1: 00:16:46:b8:7a:30 ssid='visitor' wpa_ie_len=0 rsn_ie_len=0 caps=0x21
   skip - no WPA/RSN IE
No suitable AP found.
Setting scan request: 5 sec 0 usec
Starting AP scan (specific SSID)
Scan SSID - hexdump_ascii(len=8):
     65 6d 70 6c 6f 79 65 65                           employee        
Received 0 bytes of scan results (2 BSSes)
Scan results: 2
Selecting BSS from priority group 0
0: 00:15:f9:79:cf:70 ssid='employee' wpa_ie_len=0 rsn_ie_len=0 caps=0x1
   skip - no WPA/RSN IE
1: 00:16:46:b8:7a:30 ssid='employee' wpa_ie_len=0 rsn_ie_len=0 caps=0x21
   skip - no WPA/RSN IE
No suitable AP found.
Setting scan request: 5 sec 0 usec
Starting AP scan (broadcast SSID)
Received 0 bytes of scan results (3 BSSes)
Scan results: 3
Selecting BSS from priority group 0
0: 00:15:f9:79:cf:70 ssid='visitor' wpa_ie_len=0 rsn_ie_len=0 caps=0x1
   skip - no WPA/RSN IE
1: 00:16:46:b8:7a:30 ssid='visitor' wpa_ie_len=0 rsn_ie_len=0 caps=0x21
   skip - no WPA/RSN IE
2: 00:0b:85:5f:ff:8e ssid='EECS' wpa_ie_len=0 rsn_ie_len=0 caps=0x31
   skip - no WPA/RSN IE
No suitable AP found.
Setting scan request: 5 sec 0 usec
^CCTRL-EVENT-TERMINATING - signal 2 received
Removing interface ath0
State: SCANNING -> DISCONNECTED
No keys have been configured - skip key clearing
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
wpa_driver_bsd_set_wpa: enabled=0
wpa_driver_bsd_set_drop_unencrypted: enabled=0
wpa_driver_bsd_set_countermeasures: enabled=0
No keys have been configured - skip key clearing
Cancelling scan request


***** wpa_supplicant debug logs with ap_scan=2
wpa_supplicant -iath0 -c wpa_supplicant.conf -dd

Initializing interface 'ath0' conf 'wpa_supplicant.conf' driver 'default'
ctrl_interface 'N/A' bridge 'N/A'
Configuration file 'wpa_supplicant.conf' -> '/root/wpa_supplicant.conf'
Reading configuration file '/root/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group=0
eapol_version=1
ap_scan=2
fast_reauth=1
Line: 264 - start of a new network block
ssid - hexdump_ascii(len=8):
     65 6d 70 6c 6f 79 65 65                           employee        
mode=0 (0x0)
scan_ssid=1 (0x1)
proto: 0x1
key_mgmt: 0x1
pairwise: 0x8
group: 0x8
eap methods - hexdump(len=16): 00 00 00 00 15 00 00 00 00 00 00 00 00 00 00
00
identity - hexdump_ascii(len=10):
     XX XX XX XX XX XX XX XX XX XX                     xxxxxxxxxx      
password - hexdump_ascii(len=8): [REMOVED]
phase2 - hexdump_ascii(len=8):
     61 75 74 68 3d 50 41 50                           auth=PAP        
ca_cert - hexdump_ascii(len=29):
     2f 75 73 72 2f 6c 6f 63 61 6c 2f 65 74 63 2f 6c   /usr/local/etc/l
     73 67 43 41 5f 63 65 72 74 2e 63 65 72            sgCA_cert.cer   
Priority group 0
   id=0 ssid='employee'
Initializing interface (2) 'ath0'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
Own MAC address: 00:40:96:a9:a0:15
wpa_driver_bsd_set_wpa: enabled=1
wpa_driver_bsd_del_key: keyidx=0
wpa_driver_bsd_del_key: keyidx=1
wpa_driver_bsd_del_key: keyidx=2
wpa_driver_bsd_del_key: keyidx=3
wpa_driver_bsd_set_countermeasures: enabled=0
wpa_driver_bsd_set_drop_unencrypted: enabled=1
Setting scan request: 0 sec 100000 usec
Added interface ath0
State: DISCONNECTED -> SCANNING
Trying to associate with SSID 'employee'
Cancelling scan request
WPA: clearing own WPA/RSN IE
Automatic auth_alg selection: 0x1
WPA: No WPA/RSN IE available from association info
WPA: Set cipher suites based on configuration
WPA: Selected cipher suites: group 8 pairwise 8 key_mgmt 1
WPA: clearing AP WPA IE
WPA: clearing AP RSN IE
WPA: using GTK TKIP
WPA: using PTK TKIP
WPA: using KEY_MGMT 802.1X
WPA: Set own WPA IE default - hexdump(len=24): dd 16 00 50 f2 01 01 00 00 50
f2 02 01 00 00 50 f2 02 01 00 00 50 f2 01
No keys have been configured - skip key clearing
wpa_driver_bsd_set_drop_unencrypted: enabled=1
State: SCANNING -> ASSOCIATING
wpa_driver_bsd_associate
Segmentation fault (core dumped)


> What happens if you configure the AP to have multiple BSSIDs instead of
> using the WPS IE?  That should work with *any* client; the WPS IE only
> works with clients that understand it.  (That's how we have our Cisco
> 1121s and 1231s set up at work, and wpa_supplicant on Windows, using the
> NDIS backend, works fine.)  Though perhaps it's not an option for you...
>
> > Did I miss a configuration option for WPS IE support?  I am running 
> > wpa_supplicant v0.5.2 on FreeBSD 6.0.
>
> Depending on your configuration, and the log that you post, it may not
> have anything to do with wpa_supplicant.  It may be the wireless driver
> that you're using.
>
> I don't think wpa_supplicant handles any of the management frames at
> all.  I believe it does ask the driver what APs are in range, though, so
> the driver would have to add to its internal list of APs based on a WPS
> IE that it gets.  If it doesn't do that, then I don't see any obvious
> way to get wpa_supplicant to work.  (It can't request that the card
> associate to an SSID that it doesn't see in the results.  And the card
> likely won't associate to an SSID that *it* doesn't know about, either,
> so just handling the WPS IE in wpa_supplicant probably won't work.)
>
> That's why multi-BSSID mode is better IMO; you don't have to require
> support for a new IE in the driver or firmware; they just see one beacon
> for each ESSID, each with a different BSSID.  ;-)

I have not given multiple BSSID much thought but it does sound like a viable
option.

More information about the Hostap mailing list