Unable to connect to WPA2-Enterprise since 2.4-r1: WPA_ALG_PMK bug?

David Woodhouse dwmw2
Wed Jul 8 16:38:54 PDT 2015


On Wed, 2015-07-08 at 22:11 +0300, Jouni Malinen wrote:
> 
> EAP-TLS/TTLS/PEAP workaround for incorrect TLS v1.2 MSK derivation
> 
> Some authentication servers (e.g., FreeRADIUS 2.2.6 or 3.0.7 when built
> with OpenSSL 1.0.2) are known to derive MSK incorrectly when TLS v1.2 is
> used. If WPA2-Enterprise is used with an AP that includes PMKID in
> EAPOL-Key msg 1/4, it is possible to detect this incorrect
> authentication server behavior and work around it by using matching,
> incorrect MSK derivation on the peer side.

That appears to work here. Less trivial to backport to 2.4 though :)

wlo1: SME: Trying to authenticate with 18:33:9d:0c:da:de (SSID='TSNOfficeWLAN' freq=5300 MHz)
wlo1: Trying to associate with 18:33:9d:0c:da:de (SSID='TSNOfficeWLAN' freq=5300 MHz)
wlo1: Associated with 18:33:9d:0c:da:de
wlo1: CTRL-EVENT-EAP-STARTED EAP authentication started
wlo1: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=FR
wlo1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
TLS - SSL error: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
wlo1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
wlo1: CTRL-EVENT-EAP-PEER-CERT depth=3 subject='/C=US/O=Intel Corporation/CN=Intel Root CA'
wlo1: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=Intel Corporation/CN=Intel Intranet Basic Policy CA'
wlo1: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=Intel Corporation/CN=Intel Intranet Basic Issuing CA 1A'
wlo1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=ir10d-pra1.ir.intel.com'
wlo1: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
wlo1: RSN: PMKID mismatch - authentication server used incorrect MSK derivation with TLS v1.2 - accept that as an interoperability workaround
wlo1: WPA: Key negotiation completed with 18:33:9d:0c:da:de [PTK=CCMP GTK=TKIP]
wlo1: CTRL-EVENT-CONNECTED - Connection to 18:33:9d:0c:da:de completed [id=0 id_str=]

-- 
dwmw2
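The detection step the quoted description relies on is the supplicant recomputing the PMKID from its own PMK and comparing it with the PMKID the AP placed in EAPOL-Key msg 1/4; a mismatch is what lets the peer notice that the server exported a different MSK and try an alternate derivation before giving up. The following is an added Python example written for this page, not code from the thread or from hostap. It uses the standard IEEE 802.11 constructions (PMK = first 32 bytes of the MSK; PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); the PMKID KDE with OUI 00-0F-AC, data type 4). The MAC addresses and MSK values are constructed placeholders, and the "alternate derivation" candidate is simply a second constructed MSK: the example does not reproduce the faulty TLS v1.2 PRF the affected servers used.

```python
import hmac
import hashlib

PMK_LEN = 32        # WPA2 PMK is the first 256 bits of the EAP MSK
PMKID_LEN = 16      # PMKID is HMAC-SHA1 truncated to 128 bits
RSN_OUI = bytes.fromhex("000fac")
KDE_TYPE_PMKID = 4  # RSN KDE data type for a PMKID


def pmk_from_msk(msk: bytes) -> bytes:
    """WPA2 with 802.1X: the PMK is the first 32 bytes of the EAP MSK."""
    if len(msk) < PMK_LEN:
        raise ValueError("MSK shorter than PMK")
    return msk[:PMK_LEN]


def rsn_pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).
    AA is the authenticator (AP) MAC, SPA the supplicant (station) MAC."""
    if len(aa) != 6 or len(spa) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    mac = hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()
    return mac[:PMKID_LEN]


def build_pmkid_kde(pmkid: bytes) -> bytes:
    """Encode a PMKID KDE as carried in the Key Data field of EAPOL-Key msg 1/4:
    Type 0xdd, Length, OUI 00-0F-AC, Data Type 4, PMKID."""
    body = RSN_OUI + bytes([KDE_TYPE_PMKID]) + pmkid
    return bytes([0xdd, len(body)]) + body


def extract_pmkid_kde(key_data: bytes):
    """Walk the Key Data element list and return the PMKID, or None if absent."""
    pos = 0
    while pos + 2 <= len(key_data):
        etype, elen = key_data[pos], key_data[pos + 1]
        body = key_data[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            return None  # truncated element: stop rather than read past the end
        if (etype == 0xdd and elen == 4 + PMKID_LEN
                and body[:3] == RSN_OUI and body[3] == KDE_TYPE_PMKID):
            return body[4:4 + PMKID_LEN]
        pos += 2 + elen
    return None


def select_pmk(candidates, ap_pmkid: bytes, aa: bytes, spa: bytes):
    """Return (label, pmk) for the first candidate PMK whose PMKID matches the
    AP's, or None if none does (the supplicant would then fail the handshake)."""
    for label, pmk in candidates:
        if hmac.compare_digest(rsn_pmkid(pmk, aa, spa), ap_pmkid):
            return label, pmk
    return None


def demo() -> dict:
    """Constructed scenario: the server exported an MSK that differs from the
    peer's correct derivation, so only the alternate candidate matches."""
    aa = bytes.fromhex("020000000001")    # constructed AP MAC (locally administered)
    spa = bytes.fromhex("020000000002")   # constructed station MAC
    # Constructed 64-byte MSKs standing in for the two derivations; these are
    # placeholders, not the output of any real TLS PRF.
    msk_correct = hashlib.sha512(b"constructed: correct TLS 1.2 MSK").digest()
    msk_server = hashlib.sha512(b"constructed: MSK as the faulty server derived it").digest()
    # AP side: PMKID computed from the PMK the server handed it, sent in msg 1/4.
    key_data = build_pmkid_kde(rsn_pmkid(pmk_from_msk(msk_server), aa, spa))
    # Supplicant side: try the correct derivation first, then the alternate one.
    candidates = [("correct derivation", pmk_from_msk(msk_correct)),
                  ("alternate derivation", pmk_from_msk(msk_server))]
    ap_pmkid = extract_pmkid_kde(key_data)
    chosen = select_pmk(candidates, ap_pmkid, aa, spa)
    return {"pmkid_present": ap_pmkid is not None,
            "selected": chosen[0] if chosen else None}


if __name__ == "__main__":
    print(demo())
```

The ordering in `select_pmk` matters: the correct derivation is tried first, so a well-behaved server never triggers the fallback, and an AP that omits the PMKID KDE yields `None` from `extract_pmkid_kde`, in which case there is nothing to compare against and the workaround cannot be applied, which is why the quoted text conditions it on the AP including the PMKID.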

More information about the Hostap mailing list