Unable to connect to WPA2-Enterprise since 2.4-r1: WPA_ALG_PMK bug?

Ralf Ramsauer ralf+hostap
Mon Apr 27 09:01:43 PDT 2015

Hey Jouni, Dan,

in the meanwhile I get more and more bug reports from people using the same WiFi 

I also tried another WPA2-Enterprise WiFi which uses TTLS/PAP instead of PEAP/MSCHAPv2 - same problem here.

so here's what you need.

These are affirmed affected cards:
03:00.0 Network controller: Intel Corporation Centrino Ultimate-N 6300 (rev 35) <- my own card / iwlwifi module
03:00.0 Network controller: Intel Corporation Ultimate N WiFi Link 5300
02:00.0 Network controller: Intel Corporation Wireless 7265 (rev 33)
03:00.0 Network controller: Intel Corporation PRO/Wireless 4965 AG or AGN [Kedron] Network Connection (rev 61)
02:00.0 Network controller: Qualcomm Atheros AR9285 Wireless Network Adapter (PCI-Express) (rev 01)

So this problem seems to be independent of the driver - the Atheros card definitely does not use the iwlwifi module.

Dan, thanks to your tip, this saved me hours of manpage reading 

wpa_supplicant logs are attached. I only had to remove identity information.

userA_wpa_supplicant_2_3  - http://pastebin.com/1P7Yfesn
userA_wpa_supplicant_2_4  - http://pastebin.com/DmSUisrh
userA_wpa_supplicant_diff - http://pastebin.com/Kiub8b7h
userB_wpa_supplicant_2_4  - http://pastebin.com/y9TfwPx2


On 04/27/2015 03:34 PM, Jouni Malinen wrote:
> On Mon, Apr 27, 2015 at 02:54:00PM +0200, Ralf Ramsauer wrote:
>> After connecting to a WPA2-Enterprise network (wpa_supplicant 2.4-r1,
>> PEAP/MSCHAPv2) I got the following messages in my journal (suspicious
>> line highlighted):
>>     *Apr 27 13:45:49 lefay wpa_supplicant[638]: nl80211: Unexpected
>>     encryption algorithm 5*
> It looks like this gets printed even when the driver does not support
> vendor extensions for configuring PMK for offloading operations. I guess
> this could be cleaned up a bit by removing that call when the driver did
> not indicate support for it. Anyway, this should not cause any
> difference in behavior since the error from this operation is ignored.
>>     Apr 27 13:45:49 lefay NetworkManager[545]: <info>  (wlp3s0):
>>     supplicant interface state: associated -> 4-way handshake
>>     Apr 27 13:46:11 lefay NetworkManager[545]: <warn>  (wlp3s0):
>>     Activation: (wifi) association took too long
> I would need to see more details on this to be able to determine what
> happened. Can you run wpa_supplicant manually (i.e., without
> NetworkManager) and add -dd on the command line?
>> So 2.4-r1 seems to use a 4 way handshake, 2.2 uses a three way
>> handshake? Why did it change?
> I'm not sure what you are referring to with "three way handshake". There
> has been no changes in the protocol design between those versions.
>> So I recompiled wpa_supplicant 2.4-r1 with debugging symbols and started
>> analyzing.
>> The suspicious line "*nl80211: Unexpected encryption algorithm 5*" is
>> thrown in driver_nl80211.c line 2399. It is a switch-case on the
>> algorithm for WPA_ALG_PMK, which is ... not supported?
>> Hum?
> This is unlikely to be the main reason for the failure to complete
> connection since the code path ends up trying to set a key which is
> using unsupported algorithm. I'll remove this if the driver does not
> indicate explicitly support for key management offload. Anyway, I don't
> think that that change would fix the main issue here..
> Which driver are you using?
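
Added example, not part of the original message or of the hostap code: a small Python triage of the journal lines quoted in this thread. It separates the nl80211 "Unexpected encryption algorithm" message, whose error the reply says is ignored, from the actual symptom, which is the time spent in the 4-way handshake state before NetworkManager's timeout. The sample lines are the quoted ones unwrapped to one per line; the function name `triage` and its `year` parameter are assumptions of this example.

```python
import re
from datetime import datetime

# Journal lines from the quoted report, unwrapped to one line each.
SAMPLE = """\
Apr 27 13:45:49 lefay wpa_supplicant[638]: nl80211: Unexpected encryption algorithm 5
Apr 27 13:45:49 lefay NetworkManager[545]: <info>  (wlp3s0): supplicant interface state: associated -> 4-way handshake
Apr 27 13:46:11 lefay NetworkManager[545]: <warn>  (wlp3s0): Activation: (wifi) association took too long
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ (\S+?)\[\d+\]: (.*)$")
STATE = re.compile(r"\((\S+)\): supplicant interface state: (.+?) -> (.+)$")
TIMEOUT = re.compile(r"\((\S+)\): Activation: \(wifi\) association took too long")
ALG = re.compile(r"nl80211: Unexpected encryption algorithm (\d+)")

def triage(text, year=2015):
    """Return (stalls, noise): timed-out handshakes and nl80211 key-algorithm messages."""
    pending = {}            # interface -> time it entered "4-way handshake"
    stalls, noise = [], []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(3)
        if (a := ALG.search(msg)):
            # Logged for context only; the reply in the thread says this error is ignored.
            noise.append((ts, int(a.group(1))))
        elif (s := STATE.search(msg)):
            iface, new = s.group(1), s.group(3).strip()
            if new == "4-way handshake":
                pending[iface] = ts
            else:
                pending.pop(iface, None)   # left the handshake state, no stall to report
        elif (t := TIMEOUT.search(msg)) and t.group(1) in pending:
            started = pending.pop(t.group(1))
            stalls.append((t.group(1), (ts - started).total_seconds()))
    return stalls, noise

if __name__ == "__main__":
    stalls, noise = triage(SAMPLE)
    for iface, secs in stalls:
        print(f"{iface}: stuck in 4-way handshake for {secs:.0f}s before the timeout")
    for ts, alg in noise:
        print(f"{ts:%H:%M:%S}: nl80211 rejected key algorithm {alg} (not the stall itself)")
```

The same function can be pointed at a saved journal excerpt; the `-dd` output requested in the reply is still what shows why the handshake stops.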
