Unable to connect to WPA2-Enterprise since 2.4-r1: WPA_ALG_PMK bug?

Jouni Malinen
Mon May 4 13:46:21 PDT 2015

On Mon, May 04, 2015 at 06:59:41PM +0200, Ralf Ramsauer wrote:
> Freeradius 2.2.6 fails to connect with
>     May 04 17:43:03 lefay wpa_supplicant[642]: nl80211: Unexpected
>     encryption algorithm 5

That message has nothing to do with this issue. The real error is
identified by the "RSN: no PMKSA entry found - trigger full EAP
authentication" message following the EAP exchange. In practice, this
indicates that the authentication server and wpa_supplicant derived
different MSKs from the EAP authentication.

> Freeradius 2.2.7 just works fine.

That's a known issue in the earlier FreeRADIUS EAP-TLS/TTLS/PEAP
implementation where the key derivation generated an incorrect MSK when
TLS v1.2 was used. It was fixed recently.

> But keep in mind, in most cases people do not have access to the wifi
> backend :)

Maybe so, but the real issue here was in the authentication server and
there is not really much that the client side can do to fix that. If you
want to work around this until the authentication server is fixed, you
can disable TLS v1.2 with phase1="tls_disable_tlsv1_2=1" in the
wpa_supplicant network configuration. That said, this does result in
an older TLS version being used and that is not really a good long term

> FYI: Today I read that Arch downgraded to wpa_supplicant 2.3, referencing
> this thread [1]. Initially it was reported at [2] by someone else.
> Some others seem to have experienced the same bug.
> [1] https://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/wpa_supplicant&id=7562b98bd83fe5bce43e6952e0e922e7791e18b5
> [2] https://bugs.archlinux.org/task/44740

I would not really recommend going back to an older version. This was
fixed as soon as it was reported:

Jouni Malinen                                            PGP id EFC895FA