broadcast arp, spanning tree traffic not getting through

Michael Gwin oksijun
Sat Sep 9 11:03:18 PDT 2006


I posted a bug ( http://hostap.epitest.fi/bugz/show_bug.cgi?id=172 ) a
while back about spanning tree traffic not being encrypted properly
with hostapd. I didn't receive any response to this - is anyone else
having the same problem, or am I doing something drastically wrong?

The symptoms are the following message being produced on the client
every time the bridge containing the wireless interface on the
access point sends a hello message:

CCMP: decrypt failed: STA=[mac address of AP wireless interface]

I also tried with TKIP as group cipher which gives: 

TKIP: ICV error detected: STA=[mac address of AP wireless interface]

Since I first posted the bug, I have noticed that this also
prevents ARP from working properly, as broadcast ARP requests do not get
received by wireless clients, thus making it impossible for any other
hosts to retrieve their MAC address. So I get the impression that it's
not just about spanning tree but rather special Ethernet addresses
(bridges, broadcast, etc.).

Some info on the setup:

Access point:

madwifi 0.9.1, hostapd 0.5.4. I have a wired Ethernet interface and a
Netgear WG311T Atheros chipset-based card bridged into interface br0.

hostapd.conf:

interface=ath0
bridge=br0
driver=madwifi
logger_syslog=-1
logger_syslog_level=1
logger_stdout=-1
logger_stdout_level=2
debug=0
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=THESSID
macaddr_acl=0
accept_mac_file=/etc/hostapd/hostapd.accept
deny_mac_file=/etc/hostapd/hostapd.deny
ieee8021x=1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=THESECRET
wpa=3
wpa_key_mgmt=WPA-EAP
# also tried CCMP alone
wpa_pairwise=CCMP TKIP
wpa_group_rekey=600
wpa_gmk_rekey=86400

The client is an Intel ipw2200 card (driver version 1.1.3), using
wpa_supplicant 0.4.8 with the following configuration:

wpa_supplicant.conf:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
network={
        ssid="THESSID"
        proto=RSN
        key_mgmt=WPA-EAP
        eap=TLS
        identity="client.domain.tld"
        ca_cert="/etc/certs/cacert.pem"
        client_cert="/etc/certs/clientcert.pem"
        private_key="/etc/certs/clientkey.pem"
        private_key_passwd="THEPASSWORD"
}

Can anyone shed any light on this? 

Thanks,
Mike





