linksys WRT54GX2 replay counter bug?

[Jouni Malinen]

On Sun, Sep 03, 2006 at 08:07:18AM -0700, Chuck T. wrote:
> I'm having a problem with wpa_supplicant and a WRT54GX2 w/ the latest 
> firmware.  Sometimes it works, but most of the time the reply_counter of "RX 
> message 1 of Group Key Handshake" is the same as that of the "RX message 3 
> of 4-Way Handshake".  As a result wpa_supplicant fails (correctly) with a 
> "WPA: EAPOL-Key Replay Counter did not increase - dropping packet" error.

Could you please send a wpa_supplicant debug log showing this behavior?
I would like to see the exact message sequence that is seen at the
supplicant.

> When it works the reply_counter advance by 1 between the 4-Way handshake 
> rather than the 2 that the spec appears to require.  I also have a WRT54G 
> (non x2) which works correctly every time and does advance the reply_counter 
> by 2.

What is this comment about spec requiring replay counter jumping by
based on? The counter needs to increment for each new EAPOL-Key frame,
but I'm not aware of any requirement for it to increase by two.

-- 
Jouni Malinen                                            PGP id EFC895FA