hostapd: RSN 4-way handshake issue with Cisco WET200 client

Jouni Malinen j
Sun Jan 22 02:26:12 PST 2012

On Mon, Jan 16, 2012 at 02:19:00PM +0100, Helmut Schaa wrote:
> I've got a strange problem with a Cisco WET200 wireless bridge connecting
> to a hostapd AP. The AP is configured as WPA2-CCMP and the 4-way HS
> looks like this:
> 1of4: KeyDescriptor=2 (RSN)
> 2of4: KeyDescriptor=2 (RSN)
> 3of4: KeyDescriptor=2 (RSN)
> 4of4: KeyDescriptor=254 (WPA) ???

Well, that sucks. It's unfortunate if that type of broken
implementations are deployed in large number.

> Of course this appears to be a pure client issue but other APs accept that
> strange 4of4 message.

Anything based on hostapd prior to May 2009 would have accepted that..

> Jouni, would it be ok to relax the constraints a bit and allow a WPA
> descriptor type to be used also for WPA2?

It looks like we need to do that taken into account that this issue has
apparently been reported with number of deployed devices. I would have
preferred not doing this, but well, since lack of the validation should
not open security issues, I committed the following change as a
workaround for interoperability issues. Could you please confirm that it
resolves the issue with the station device you tested with?

 commit 74590e710f65134522b9a654609ac38d0ce54852
 Author: Jouni Malinen <j at>
 Date:   Sun Jan 22 12:23:28 2012 +0200

    Work around interop issue with WPA type EAPOL-Key 4/4 in WPA2 mode
    Some deployed station implementations seem to send msg 4/4 with
    incorrect type value in WPA2 mode. Add a workaround to ignore that issue
    so that such stations can interoperate with hostapd authenticator. The
    validation checks were added in commit
    Signed-hostap: Jouni Malinen <j at>

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 9da5609..c4d77bf 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -795,7 +795,14 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
 	if (sm->wpa == WPA_VERSION_WPA2) {
-		if (key->type != EAPOL_KEY_TYPE_RSN) {
+		if (key->type == EAPOL_KEY_TYPE_WPA) {
+			/*
+			 * Some deployed station implementations seem to send
+			 * msg 4/4 with incorrect type value in WPA2 mode.
+			 */
+			wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
+				   "with unexpected WPA type in RSN mode");
+		} else if (key->type != EAPOL_KEY_TYPE_RSN) {
 			wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
 				   "unexpected type %d in RSN mode",

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list