Unable to connect to WPA2-Enterprise since 2.4-r1: WPA_ALG_PMK bug?

Dan Williams dcbw
Mon Apr 27 07:21:30 PDT 2015

On Mon, 2015-04-27 at 16:34 +0300, Jouni Malinen wrote:
> On Mon, Apr 27, 2015 at 02:54:00PM +0200, Ralf Ramsauer wrote:
> > After connecting to a WPA2-Enterprise network (wpa_supplicant 2.4-r1,
> > PEAP/MSCHAPv2) I got the following messages in my journal (suspicious
> > line highlighted):
> >     *Apr 27 13:45:49 lefay wpa_supplicant[638]: nl80211: Unexpected
> >     encryption algorithm 5*
> It looks like this gets printed even when the driver does not support
> vendor extensions for configuring PMK for offloading operations. I guess
> this could be cleaned up a bit by removing that call when the driver did
> not indicate support for it. Anyway, this should not cause any
> difference in behavior since the error from this operation is ignored.
> >     Apr 27 13:45:49 lefay NetworkManager[545]: <info>  (wlp3s0):
> >     supplicant interface state: associated -> 4-way handshake
> >     Apr 27 13:46:11 lefay NetworkManager[545]: <warn>  (wlp3s0):
> >     Activation: (wifi) association took too long

This just means that the supplicant failed to associate with the AP
within about 15 - 20 seconds.  Usually we have to dig down into
supplicant debug logs to figure out why.

> I would need to see more details on this to be able to determine what
> happened. Can you run wpa_supplicant manually (i.e., without
> NetworkManager) and add -dd on the command line?

Alternatively, it's fine to run with NetworkManager; you can do this as:

mv /usr/sbin/wpa_supplicant /
killall -TERM wpa_supplicant
/wpa_supplicant -dddtu  (and redirect to your favorite log file)

After you re-start the supplicant in the last command NM should
automatically attempt to reconnect, and you get all the log output we
need.  To get back to normal you can:

mv /wpa_supplicant /usr/sbin/

and you're good.

(yes, there are dbus commands to change log levels, but not all
distributions enable file logging or have the file in the same place...)


> > So 2.4-r1 seems to use a 4 way handshake, 2.2 uses a three way
> > handshake? Why did it change?
> I'm not sure what you are referring to with "three way handshake". There
> have been no changes in the protocol design between those versions.
> > So I recompiled wpa_supplicant 2.4-r1 with debugging symbols and started
> > analyzing.
> > 
> > The suspicious line "*nl80211: Unexpected encryption algorithm 5*" is
> > thrown in driver_nl80211.c line 2399. It is a switch-case on the
> > algorithm for WPA_ALG_PMK, which is ... not supported?
> > Hum?
> This is unlikely to be the main reason for the failure to complete
> connection since the code path ends up trying to set a key which is
> using an unsupported algorithm. I'll remove this if the driver does not
> explicitly indicate support for key management offload. Anyway, I don't
> think that that change would fix the main issue here.
> Which driver are you using?
