Prioritizing authentication pkts & resending failed EAPOL pkts?

Björn Smedman bjorn.smedman
Tue Feb 8 03:44:09 PST 2011 

On Fri, Feb 4, 2011 at 11:43 PM, Jouni Malinen <j at w1.fi> wrote:
> On Fri, Feb 04, 2011 at 10:44:53PM +0100, Bj?rn Smedman wrote:
>> As soon as I get a chance I'm going to try
>>
>> ?+static const u32 eapol_key_timeout_first = 1; /* ms */
>> ?+static const u32 eapol_key_timeout_subseq = 1000; /* ms */
>>
>> on my home router. If I understand correctly this should waste
>> bandwidth and time but still work with a sane supplicant, no?
>
> Correct, that would likely be fast enough on making hostapd send out two
> EAPOL-Key msg 1/4 frames before the response to the first one is
> received. This should still work, but sure, it uses about twice the
> bandwidth and CPU.

I just tried the 1 ms first timeout thing. For Mac OS X supplicant
your prediction seems 100% correct. But my WinXP laptop fails to
associate. The log on the hostapd side looks like this:

Jan  1 00:16:01 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 IEEE 802.11: authentication OK (open system)
Jan  1 00:16:01 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 MLME:
MLME-AUTHENTICATE.indication(00:13:02:36:ab:37, OPEN_SYSTEM)
Jan  1 00:16:01 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 MLME: MLME-DELETEKEYS.request(00:13:02:36:ab:37)
Jan  1 00:16:01 OpenWrt daemon.info hostapd: wlan0: STA
00:13:02:36:ab:37 IEEE 802.11: authenticated
Jan  1 00:16:01 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 IEEE 802.11: association OK (aid 3)
Jan  1 00:16:01 OpenWrt daemon.info hostapd: wlan0: STA
00:13:02:36:ab:37 IEEE 802.11: associated (aid 3)
Jan  1 00:16:01 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 MLME: MLME-ASSOCIATE.indication(00:13:02:36:ab:37)
Jan  1 00:16:01 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 MLME: MLME-DELETEKEYS.request(00:13:02:36:ab:37)
Jan  1 00:16:01 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 WPA: event 1 notification
Jan  1 00:16:01 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 WPA: start authentication
Jan  1 00:16:01 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 IEEE 802.1X: unauthorizing port
Jan  1 00:16:01 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 WPA: sending 1/4 msg of 4-Way Handshake
Jan  1 00:16:01 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 WPA: EAPOL-Key timeout
Jan  1 00:16:01 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 WPA: sending 1/4 msg of 4-Way Handshake
Jan  1 00:16:02 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 WPA: received EAPOL-Key frame (2/4 Pairwise)
Jan  1 00:16:02 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 WPA: sending 3/4 msg of 4-Way Handshake
Jan  1 00:16:02 OpenWrt daemon.info hostapd: wlan0: STA
00:13:02:36:ab:37 WPA: received EAPOL-Key 2/4 Pairwise with unexpected
replay counter
Jan  1 00:16:02 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 WPA: EAPOL-Key timeout
Jan  1 00:16:02 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 WPA: sending 3/4 msg of 4-Way Handshake
Jan  1 00:16:03 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 WPA: EAPOL-Key timeout
Jan  1 00:16:03 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 WPA: sending 3/4 msg of 4-Way Handshake
Jan  1 00:16:04 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 WPA: EAPOL-Key timeout
Jan  1 00:16:04 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 WPA: sending 3/4 msg of 4-Way Handshake
Jan  1 00:16:05 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 WPA: EAPOL-Key timeout
Jan  1 00:16:05 OpenWrt daemon.debug hostapd: wlan0: STA
00:13:02:36:ab:37 IEEE 802.1X: unauthorizing port
Jan  1 00:16:05 OpenWrt daemon.info hostapd: wlan0: STA
00:13:02:36:ab:37 IEEE 802.11: deauthenticated due to local deauth
request

To me it looks like WinXP is expecting the negotiation to continue
from its last sent EAPOL-Key 2/4 whereas hostapd continues from the
first. I have a tcpdump file for this I can send you in private if you
think it helps.

Any thoughts on how hostapd could help a less robust supplicant
survive some latency?

Best regards,

Bj?rn

More information about the Hostap mailing list