Could not get PMK

Jouni Malinen j
Fri May 23 23:26:51 PDT 2008

On Fri, May 23, 2008 at 03:29:01PM -0500, David Dudley wrote:

> OK, I've attached my hostapd.conf file, and a log from the last time I
> tried to attach a remote with wpa_supplicant.

It looks like wpa_supplicant was configured to allow any EAP method and
FreeRADIUS ended up suggesting EAP-MD5 as the first alternative and that
method does not provide keying material (MSK / PMK) like Alan mentioned.

I would recommend picking one of the EAP methods and configure
wpa_supplicant only to allow that one to be used (eap-option in the
network block). If you want to use password to authenticate the client
device, you could use either EAP-PEAP or EAP-TTLS. Just remember to
configure ca_cert option in wpa_supplicant to point to a trusted CA
certificate in order to allow the client to authenticate the server,


It looked like the hostapd configuration and maybe also wpa_supplicant
was set to allow WPA-Personal (PSK) to be used. Was that on purpose or
were you planning on using WPA-Enterprise (EAP) authentication for all
devices? If only EAP is going to be used, I would suggest disabling
WPA-PSK in the configuration. Similarly, if you know that all devices
support CCMP, you could disable TKIP as a pairwise cipher in the

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list