Can one STA with EAPOL errors make hostapd drop all clients?

Jouni Malinen j
Mon May 25 01:38:29 PDT 2015

On Mon, May 25, 2015 at 10:17:06AM +0200, Rafa? Mi?ecki wrote:
> Thanks for info, nice to know. Looks like a spec-approved easy to way
> to sabotage an AP ;) You're right about encryption, this problem
> occurs with TKIP only.
> Any idea why my "good" STA can't reconnect after this action? I mean
> these associated/disassociated/unauthorizing port logs in hostapd.
> Unfortunately I didn't grab corresponding wpa_supplicant logs, but I
> can try later if that helps.

TKIP has a relatively weak design as it was only supposed to be a short
term improvement with a limited lifetime (which has long ago expired).
As such, it requires countermeasures that prevent attackers from trying
certain attacks frequently. This results in the AP disabling all use of
TKIP for 60 seconds per each two attempts.

No one should really be using TKIP anymore. What you see here sounds
correct and expected behavior and the best way of getting rid of that is
by disabling use of TKIP completely (i.e., including use of it as the
group cipher).
Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list