Can one STA with EAPOL errors make hostapd drop all clients?

Rafał Miłecki zajec5
Mon May 25 01:40:39 PDT 2015

On 25 May 2015 at 10:38, Jouni Malinen <j at> wrote:
> On Mon, May 25, 2015 at 10:17:06AM +0200, Rafa? Mi?ecki wrote:
>> Thanks for info, nice to know. Looks like a spec-approved easy to way
>> to sabotage an AP ;) You're right about encryption, this problem
>> occurs with TKIP only.
>> Any idea why my "good" STA can't reconnect after this action? I mean
>> these associated/disassociated/unauthorizing port logs in hostapd.
>> Unfortunately I didn't grab corresponding wpa_supplicant logs, but I
>> can try later if that helps.
> TKIP has a relatively weak design as it was only supposed to be a short
> term improvement with a limited lifetime (which has long ago expired).
> As such, it requires countermeasures that prevent attackers from trying
> certain attacks frequently. This results in the AP disabling all use of
> TKIP for 60 seconds per each two attempts.
> No one should really be using TKIP anymore. What you see here sounds
> correct and expected behavior and the best way of getting rid of that is
> by disabling use of TKIP completely (i.e., including use of it as the
> group cipher).

Thanks for explaining this to me!


More information about the Hostap mailing list