PTK cipher mismatch

Jouni Malinen jkmaline
Wed Jun 21 21:16:10 PDT 2006

On Tue, Jun 13, 2006 at 01:36:18PM +0300, Mihai Maties wrote:
> On Saturday 10 June 2006 07:03, Jouni Malinen wrote:
> > On Fri, Jun 09, 2006 at 09:08:30AM +0300, Mihai Maties wrote:
> > > network={
> > >         ssid="SomeNet"
> > >         key_mgmt=IEEE8021X
> > >         eap=LEAP
> > >         identity="mihai.maties"
> > >         password="mypassword"
> > > }
> > >
> > > I'm pretty sure the wireless network configuration didn't change, the
> > > only things that did change are: the kernel version (2.6.12 -> 2.6.15)
> > > and wpa_supplicant version (0.4.5 -> 0.4.8).
> >
> > This configuration would be using IEEE 802.1X and LEAP with WEP keys and
> > looks fine for that kind of use.
> OK, but how do you explain that it worked in the past with this configuration, 
> but now, after upgrade, it doesn't work anymore ?

How sure are you that the AP configuration did not work? Can you
downgrade to the earlier version of your client (kernel, wpa_supplicant)
that used to work and still get it working?

> > This would be using WPA and LEAP with TKIP or CCMP encryption.
> >
> > > ... but from my point of view the things are pretty much the same: "PTK
> > > cipher mismatch". I attached the debug log, maybe it helps.

The AP is configured to use CKIP based on the Windows tool
configuration. This would also explian the PTK cipher mismatch (AP tries
to use CKIP, wpa_supplicant is configured to accept TKIP or CCMP).

> The wireless profile that is configured automatically on windows workstations 
> is set as described below:
>     Network Authentication: Open
>     Data Encryption: CKIP
>     "Enable 802.1x" is checked
>     Authentication Type: LEAP
>     "Enable Cisco Compatible Extensions" is checked
>         "Enable Radio Management Support" is checked
>         "Enable Mixed Cells Mode" is checked

> What do you suggest ? I did a search of "CKIP" in the sources and got 0 
> matches. Does this mean that wpa_supplicant doesn't support CKIP and it just 
> won't work ? But if that is the case, why did it work in the past ?

CKIP is a Cisco proprietary cipher. wpa_supplicant does not support it
and neither would your driver most likely.. Devicescape has added
support for CCX (including CKIP) into wpa_supplicant, but this
particular configuration would require the driver to support CKIP, too.

I would assume that you used IEEE 802.1X with LEAP and dynamic WEP keys
(not CKIP) before. Either the AP configuration has been changed to
require CKIP now or something in your client is refusing to try to use
WEP now.

Your configuration file (the one that worked before, i.e.
key_mgmt=IEEE8021X) would be valid for the network, assuming dynamic WEP
is allowed. Cisco APs can be configured to accept both WEP (using IEEE
802.1X/LEAP) and CKIP (using WPA IE to advertise the cipher). I don't
remember any changes in this are between wpa_supplicant v0.4.5 and
0.4.8, so I would suggest trying with the old kernel version (the one
that worked before) and your current wpa_supplicant version. If that
works, talk to ipw2200 develops. If not, try downgrading wpa_supplicant
(and let me know if that is enough to fix the problem). If neither one
is enough to fix this, I would re-verify that the AP configuration has
not changed.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list