Why no Secure flag when using WPA (not WPA2) in 3/4 and 4/4 EAPOL messages

Jouni Malinen j at w1.fi
Thu Jan 5 06:42:37 PST 2017

On Thu, Jan 05, 2017 at 06:08:32AM -0800, Ben Greear wrote:
> I do not see any further EAPOL messages in the capture that I did.

You are not looking carefully enough.. Based on the frame lengths, the
frames 86 and 88 are most likely EAPOL-Key messages 1/2 and 2/2 from the
group message exchange. They were encrypted here, so if you want to take
a look at the payload, you'd need to decrypt the capture log first.

> When is the group key handshake supposed to happen?

Immediately after the initial 4-way handshake. (And then whenever the AP
decides to rekey GTK.)

Jouni Malinen                                            PGP id EFC895FA
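For reference when reading a decrypted capture, the following added example (not part of the original thread and not hostapd code) labels EAPOL-Key frames from their Key Information bits and shows where the Secure bit first appears: in the group handshake for WPA, which delivers the GTK there, and in 3/4 for WPA2, which carries the GTK inside the 4-way handshake. The frames are constructed with typical Key Information values and zeroed nonces and MICs; `build` and `SAMPLES` are illustrative names.

```python
import struct

# Key Information bit masks of the EAPOL-Key frame (IEEE 802.11)
KEY_TYPE_PAIRWISE = 0x0008
KEY_ACK = 0x0080
KEY_MIC = 0x0100
SECURE = 0x0200

def classify_eapol_key(frame: bytes) -> str:
    """Name the handshake message carried by a decrypted EAPOL-Key frame."""
    if len(frame) < 99 or frame[1] != 3:      # EAPOL packet type 3 = Key
        raise ValueError("not a complete EAPOL-Key frame")
    desc_type = frame[4]                      # 254 = WPA, 2 = RSN (WPA2)
    info, = struct.unpack_from(">H", frame, 5)
    key_data_len, = struct.unpack_from(">H", frame, 97)
    proto = {254: "WPA", 2: "WPA2"}.get(desc_type, "unknown")
    secure = "Secure=1" if info & SECURE else "Secure=0"
    if info & KEY_TYPE_PAIRWISE:
        if info & KEY_ACK:
            msg = "4-way 3/4" if info & KEY_MIC else "4-way 1/4"
        else:
            # 2/4 carries the station's WPA/RSN IE as Key Data; 4/4 carries none
            msg = "4-way 2/4" if key_data_len else "4-way 4/4"
    else:
        msg = "group 1/2" if info & KEY_ACK else "group 2/2"
    return f"{proto} {msg} {secure}"

def build(desc_type: int, info: int, key_data: bytes = b"") -> bytes:
    """Constructed sample frame: replay counter, nonce, IV, RSC, ID, MIC zeroed."""
    body = (struct.pack(">BHH", desc_type, info, 32) + bytes(88)
            + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 1, 3, len(body)) + body

# Constructed (descriptor type, Key Information, Key Data length) samples,
# typical for each message; they are not taken from the capture in the thread.
SAMPLES = [
    (254, 0x01C9, 24), (254, 0x0109, 0), (254, 0x0391, 32), (254, 0x0311, 0),
    (2, 0x13CA, 56), (2, 0x030A, 0),
]

def classify_samples():
    return [classify_eapol_key(build(d, i, bytes(n))) for d, i, n in SAMPLES]

if __name__ == "__main__":
    print("\n".join(classify_samples()))
```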
