IEEE 802.11w support in wpa_supplicant ("Management frame protection required, but client did not enable it" error)
Michael Zintakis
michael.zintakis
Sat May 5 07:26:07 PDT 2012
>> I have enabled IEEE 802.11w (management frame protection mode) in my AP
>> - running hostapd - with "ieee80211w=2" (required/mandatory), but when I
>> try to connect using wpa_supplicant I get the following error message:
>> "Management frame protection required, but client did not enable it".
>>
>
> Which driver are you using on the station?
>
wl1251 (Android :-( ).
> CONFIG_EAP_GPSK_SHA256=y has nothing to do with IEEE 802.11w, but you do
> indeed need to enable CONFIG_IEEE80211W=y build option for this. I added
> some more documentation here:
> http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=4732ee3a87a1375fa528f9626c57e3ab41f5f110
>
Thanks - that was very useful! A little snippet:
# ieee80211w: whether management frame protection is enabled
# 0 = disabled (default)
# 1 = optional
# 2 = required
# The most common configuration options for this based on the PMF (protected
# management frames) certification program are:
# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
Aha!
So, if I want to specify "ieee80211w=2" (required) I also need
"key_mgmt=WPA-EAP-SHA256". I've had "key_mgmt=WPA-EAP" up until now!
So, here is what I tried (the hostapd setting is always "ieee80211w=2"):
1. When I have "ieee80211w=2" and "key_mgmt=WPA-EAP-SHA256" in
wpa_supplicant.conf I get this in my log (wpa_supplicant side):
E/wpa_supplicant( 1337): Line 30: invalid key_mgmt 'WPA-EAP-SHA256'
E/wpa_supplicant( 1337): Line 30: no key_mgmt values configured.
E/wpa_supplicant( 1337): Line 30: failed to parse key_mgmt 'WPA-EAP-SHA256'.
E/wpa_supplicant( 1337): Line 51: failed to parse network block.
Strange! I do have "CONFIG_EAP_GPSK_SHA256" in my .config file when
compiling the supplicant. Have I missed something?
2. When I have "ieee80211w=1" and "key_mgmt=WPA-EAP" in
wpa_supplicant.conf I get this in my log (hostapd as well as
wpa_supplicant sides):
1336227344.536297: authentication: STA=00:18:41:e7:f6:c0 auth_alg=0 auth_transaction=1 status_code=0 wep=0
1336227344.536929: New STA
1336227344.537548: wlan0: STA 00:18:41:e7:f6:c0 IEEE 802.11: authentication OK (open system)
1336227344.538208: wlan0: STA 00:18:41:e7:f6:c0 MLME: MLME-AUTHENTICATE.indication(00:18:41:e7:f6:c0, OPEN_SYSTEM)
1336227344.539027: wlan0: STA 00:18:41:e7:f6:c0 MLME: MLME-DELETEKEYS.request(00:18:41:e7:f6:c0)
1336227344.539106: authentication reply: STA=00:18:41:e7:f6:c0 auth_alg=0 auth_transaction=2 resp=0 (IE len=0)
1336227344.539553: Add randomness: count=33 entropy=32
1336227344.540386: mgmt::auth cb
1336227344.540667: wlan0: STA 00:18:41:e7:f6:c0 IEEE 802.11: authenticated
1336227344.542507: mgmt::assoc_req
1336227344.542597: association request: STA=00:18:41:e7:f6:c0 capab_info=0x431 listen_interval=3
1336227344.542679: IEEE 802.11 element parse ignored unknown element (id=46 elen=1)
1336227344.542750: WMM IE - hexdump(len=7): 00 50 f2 02 00 01 00
1336227344.542835: Validating WMM IE: OUI 00:50:f2 OUI type 2 OUI sub-type 0 version 1 QoS info 0x0
1336227344.542935: Management frame protection required, but client did not enable it
V/WifiMonitor( 516): Event [CTRL-EVENT-STATE-CHANGE id=-1 state=2]
V/WifiStateTracker( 516): Connection to supplicant established, state=SCANNING
E/wpa_supplicant( 1361): prepare_filter_struct: type=0
E/wpa_supplicant( 1361): prepare_filter_struct: type=1
E/wpa_supplicant( 1361): prepare_filter_struct: type=3
V/WifiStateTracker( 516): Changing supplicant state: SCANNING ==> SCANNING
D/SettingsAppWidgetProvider( 714): Call buildUpdate for widget:11
D/SettingsAppWidgetProvider( 714): buildUpdate done for widget:11
D/dalvikvm( 714): GC_EXPLICIT freed 82K, 44% free 1877K/3335K, external 0K/0K, paused 70ms
V/WifiMonitor( 516): Event [Trying to associate with 00:23:cd:18:9e:e8 (SSID='lNUTUuABs2ktivl54xczIE1bAb4yh5eV' freq=2452 MHz)]
V/WifiMonitor( 516): Event [CTRL-EVENT-STATE-CHANGE id=-1 state=3]
V/WifiStateTracker( 516): Changing supplicant state: SCANNING ==> ASSOCIATING
V/WifiMonitor( 516): Event [Authentication with 00:23:cd:18:9e:e8 timed out.]
V/WifiMonitor( 516): Event [CTRL-EVENT-STATE-CHANGE id=0 state=0]
V/WifiStateTracker( 516): Changing supplicant state: ASSOCIATING ==> DISCONNECTED
So, no luck here either - it times out as before! Any help?
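
Added example (not part of the original post, and not hostap project code): a small Python check that compares wpa_supplicant.conf network blocks with the AP's ieee80211w value and with the two key_mgmt combinations quoted in the message above. The function names, SSIDs and sample configuration are constructed for illustration; it reads only the per-network ieee80211w and key_mgmt lines.

```python
# Added example; PMF_PROFILES copies the two combinations quoted in the post.
PMF_PROFILES = {
    1: {"WPA-EAP", "WPA-EAP-SHA256"},  # "PMF enabled" (optional)
    2: {"WPA-EAP-SHA256"},             # "PMF required"
}

def parse_networks(conf_text):
    """Return one dict of settings per network={ ... } block."""
    networks, block = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.replace(" ", "") == "network={":
            block = {}
        elif line == "}" and block is not None:
            networks.append(block)
            block = None
        elif block is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            block[key.strip()] = value.strip()
    return networks

def check_pmf(conf_text, ap_ieee80211w):
    """List (ssid, problem) pairs for blocks that look inconsistent for PMF."""
    findings = []
    for net in parse_networks(conf_text):
        ssid = net.get("ssid", "?").strip('"')
        sta = int(net.get("ieee80211w", "0"))  # 0 = disabled (default)
        key_mgmt = set(net.get("key_mgmt", "WPA-PSK WPA-EAP").split())
        if ap_ieee80211w == 2 and sta == 0:
            findings.append((ssid, "AP requires PMF, station has ieee80211w=0"))
        elif sta in PMF_PROFILES and not key_mgmt <= PMF_PROFILES[sta]:
            findings.append((ssid, "key_mgmt outside the quoted PMF profile"))
    return findings

# Constructed sample configuration (SSIDs are made up).
SAMPLE_CONF = """
network={
    ssid="lab-required"
    key_mgmt=WPA-EAP
    ieee80211w=2
}
network={
    ssid="lab-default"
    key_mgmt=WPA-EAP
}
"""
if __name__ == "__main__":
    for ssid, problem in check_pmf(SAMPLE_CONF, ap_ieee80211w=2):
        print(f"{ssid}: {problem}")
```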