Can one STA with EAPOL errors make hostapd drop all clients?

Krishna Chaitanya chaitanya.mgit
Mon May 25 01:41:36 PDT 2015

On Mon, May 25, 2015 at 1:47 PM, Rafa? Mi?ecki <zajec5 at> wrote:
> On 25 May 2015 at 10:03, Krishna Chaitanya <chaitanya.mgit at> wrote:
>> On Mon, May 25, 2015 at 10:48 AM, Rafa? Mi?ecki <zajec5 at> wrote:
>>> I'm experimenting with various drivers and during my tests I got a
>>> faulty STA. It experiences some Michael failures which causes
>>> wpa_supplicant sending EAPOL errors to AP.
>>> What bothers me is that hostapd drops all STAs after getting the
>>> second "EAPOL-Key Error Request". Instead of just dealing with faulty
>>> STA it breaks connectivity for all other users. Moreover they can't
>>> re-connect for some reason until I disable faulty STA and wait few
>>> minutes.
>> This is expected as per spec, 2 Michael failures and AP should de-authenticate
>> all STA's. For cross checking, you can try CCMP instead of TKIP?
> Thanks for info, nice to know. Looks like a spec-approved easy to way
> to sabotage an AP ;) You're right about encryption, this problem
> occurs with TKIP only.
> Any idea why my "good" STA can't reconnect after this action? I mean
> these associated/disassociated/unauthorizing port logs in hostapd.
> Unfortunately I didn't grab corresponding wpa_supplicant logs, but I
> can try later if that helps.
My guess is as the "bad" STA is causing michale failures (2 in < 1min)
the "good" STA are stuck in the connect-disconnect loop and after which
wpa_supplicant might be blacklisting the ssid.

More information about the Hostap mailing list