wpa_supplicant: secured mesh and WiLink8 issue

Jeroen Roovers jer at airfi.aero
Mon Nov 7 02:14:17 PST 2016 

On 4 November 2016 at 19:19, Bob Copeland <me at bobcopeland.com> wrote:
>> so I added ieee80211w=2 to the configuration:
>>
>> %< snip >%
>> user_mpm=1
>> update_config=1
>>
>> network={
>>         mode=5
>>         ssid="secret"
>>         frequency=2412
>>         proto=RSN
>>         pairwise=CCMP
>>         key_mgmt=SAE
>>         group=CCMP
>>         psk="secret"
>> }
>> %< snip >%
>
> (I don't see ieee80211w here?)

I did say I *added* it. :)

>> The first mesh node that went up initially showed this:
>>
>> 2016-11-04T12:33:06.987105+00:00 AirFi wpa_supplicant[476]: AP-ENABLED
>> 2016-11-04T12:33:07.004874+00:00 AirFi wpa_supplicant[476]: wlan1:
>> joining mesh "<secret>"
>> 2016-11-04T12:33:07.006015+00:00 AirFi wpa_supplicant[476]: wlan1:
>> mesh join error=-114
>
> Hmm -EALREADY, I guess this one was already operating?

No, three nodes were starting, and this one was the first to be up and
running, ahead by about half a minute. I would expect it to create a
mesh if it cannot join one, but in this case it just gave up without
further explanation, even after other nodes started up. No further
messages ensued so I stopped wpa_supplicant.

>> After restarting wpa_supplicant (with two other nodes running already)
>> I instead got this:
>
> [snip]
>
>> 2016-11-04T12:40:22.923110+00:00 AirFi wpa_supplicant[1019]: wlan1:
>> new peer notification for xx:xx:xx:xx:xx:55
>> 2016-11-04T12:40:23.438482+00:00 AirFi wpa_supplicant[1019]: wlan1:
>> new peer notification for xx:xx:xx:xx:xx:6c
>> 2016-11-04T12:40:36.131965+00:00 AirFi wpa_supplicant[1019]: wlan1:
>> MESH-SAE-AUTH-FAILURE addr=xx:xx:xx:xx:xx:55
>> 2016-11-04T12:40:39.639177+00:00 AirFi wpa_supplicant[1019]: wlan1:
>> MESH-SAE-AUTH-FAILURE addr=xx:xx:xx:xx:xx:6c
>
> So two were running already, same wpa_s version?

Yes, this is after restarting wpa_supplicant on the first node, and
after the two others had started as well. All run identical software
and configurations.

>> 2016-11-04T12:40:53.579341+00:00 AirFi wpa_supplicant[1019]: wlan1:
>> MESH-SAE-AUTH-FAILURE addr=xx:xx:xx:xx:xx:55
>> 2016-11-04T12:40:54.826637+00:00 AirFi wpa_supplicant[1019]: wlan1:
>> MESH-SAE-AUTH-FAILURE addr=xx:xx:xx:xx:xx:6c
>
> ...but SAE authentication failed.  This happens before even peering,
> so it sounds like this is something other than the encryption change.
> Just to be sure, the password and SAE group configurations are the
> same across all nodes?

I could go on for a long time about things that are exactly the same
between these different nodes. Everything is the same except MAC
addresses.

Perhaps it's more useful to assume that where I do not mention a
possible difference in hardware or software or configuration you can
think of, there actually isn't one? :)

> To be clear, the sequence goes like this:
>
> SAE authentication (derives PMK from password)
>     ---> AMPE peering (derives MTK from PMK, MGTK generated and exchanged)
>         ---> HWMP route establishment (uses keys from previous step)
>
> The changes referred to in my blog post happened at steps 2 and 3, while
> looks like your failure happened at step 1.

OK, so there is another bug (or backward incompatibility) in wpa_supplicant 2.6?


Kind regards,
     jer

More information about the Hostap mailing list