FT authentication fails on FT-SAE
Michael Yartys
michael.yartys at protonmail.com
Fri Aug 13 00:34:52 PDT 2021
Hi
I made a test with the iPad where I set up my two laptops with the same FT-SAE network to log any error messages, and I get the following FT failure:
mgmt::auth
authentication: STA=6e:59:ee:22:48:97 auth_alg=2 auth_transaction=1 status_code=0 wep=0 seq_ctrl=0xf6c0
New STA
ap_sta_add: register ap_handle_timer timeout for 6e:59:ee:22:48:97 (300 seconds - ap_max_inactivity)
nl80211: sta_remove -> DEL_STATION wlp18s0 6e:59:ee:22:48:97 --> -2 (No such file or directory)
nl80211: Add STA 6e:59:ee:22:48:97
* supported rates - hexdump(len=4): 02 04 0b 16
* capability=0x0
* aid=1 (UNASSOC_STA workaround)
* listen_interval=0
* flags set=0x0 mask=0xa0
FT: Received authentication frame: STA=6e:59:ee:22:48:97 BSSID=f0:42:1c:c7:0b:6e transaction=1
FT: Received authentication frame IEs - hexdump(len=158): 30 26 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 09 cc 00 01 00 bd 74 21 51 30 fe 82 61 1f c4 69 0f d2 c8 a7 83 36 03 a1 b2 00 37 62 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c2 c5 02 32 3d 50 10 c0 6b c3 98 a1 8e 29 b9 96 4a d0 c2 f7 63 52 2d aa 1c 44 5d b8 f6 e1 a1 8b 03 0e 73 65 63 6f 6e 64 5f 65 78 61 6d 70 6c 65 dd 0b 00 17 f2 0a 00 01 04 00 00 00 00
FT: RSNE - hexdump(len=38): 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 09 cc 00 01 00 bd 74 21 51 30 fe 82 61 1f c4 69 0f d2 c8 a7 83
FT: MDE - hexdump(len=3): a1 b2 00
FT: FTE - hexdump(len=98): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c2 c5 02 32 3d 50 10 c0 6b c3 98 a1 8e 29 b9 96 4a d0 c2 f7 63 52 2d aa 1c 44 5d b8 f6 e1 a1 8b 03 0e 73 65 63 6f 6e 64 5f 65 78 61 6d 70 6c 65
FT: FTE-MIC Control - hexdump(len=2): 00 00
FT: FTE-MIC - hexdump(len=16): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FT: FTE-ANonce - hexdump(len=32): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FT: FTE-SNonce - hexdump(len=32): c2 c5 02 32 3d 50 10 c0 6b c3 98 a1 8e 29 b9 96 4a d0 c2 f7 63 52 2d aa 1c 44 5d b8 f6 e1 a1 8b
FT: Parse FTE subelements - hexdump(len=16): 03 0e 73 65 63 6f 6e 64 5f 65 78 61 6d 70 6c 65
FT: STA R0KH-ID - hexdump(len=14): 73 65 63 6f 6e 64 5f 65 78 61 6d 70 6c 65
FT: Requested PMKR0Name - hexdump(len=16): bd 74 21 51 30 fe 82 61 1f c4 69 0f d2 c8 a7 83
FT: PMKR1Name - hexdump(len=16): 9c 36 5d 59 c7 8c ee 9b ee 5b 56 0f 20 2e 12 24
FT: No PMK-R1 available in local cache for the requested PMKR1Name
FT: No matching R0KH found
FT: Did not find R0KH-ID - hexdump(len=14): 73 65 63 6f 6e 64 5f 65 78 61 6d 70 6c 65
FT: Did not have matching PMK-R1 and either unknown or blocked R0KH-ID or NAK from R0KH
FT: FT authentication response: dst=6e:59:ee:22:48:97 auth_transaction=2 status=53 (INVALID_PMKID)
FT: Response IEs - hexdump(len=0): [NULL]
authentication reply: STA=6e:59:ee:22:48:97 auth_alg=2 auth_transaction=2 resp=53 (IE len=0) (dbg=auth-ft-finish)
The hostapd config for the laptops can be found below:
--- LAPTOP 1 ---
interface=wlp18s0
driver=nl80211
ssid=test1
hw_mode=g
channel=1
auth_algs=3
wmm_enabled=1
nas_identifier=first_example
wpa=2
wpa_passphrase=testingstuff123
wpa_key_mgmt=SAE FT-SAE
wpa_pairwise=CCMP
ieee80211w=2
sae_pwe=2
mobility_domain=a1b2
ft_over_ds=0
ft_psk_generate_local=0
--- LAPTOP 2 ---
interface=wlp18s0
driver=nl80211
ssid=test1
hw_mode=g
channel=6
auth_algs=3
wmm_enabled=1
nas_identifier=second_example
wpa=2
wpa_passphrase=testingstuff123
wpa_key_mgmt=SAE FT-SAE
wpa_pairwise=CCMP
ieee80211w=2
sae_pwe=2
mobility_domain=a1b2
ft_over_ds=0
ft_psk_generate_local=0
Michael
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, August 13th, 2021 at 08:55, Michael Yartys <michael.yartys at protonmail.com> wrote:
> Hi
>
> I'm running an FT-SAE network on two routers with OpenWrt, and I've encountered an issue where clients that attempt to authenticate with FT fail due to an invalid PMKID (at least that's what the AP replies in the authentication response). The routers are running a master build of OpenWrt from 9. August, and the hostapd version is a master build up to and including: https://w1.fi/cgit/hostap/commit/?id=b102f19bcc53c7f7db3951424d4d46709b4f1986
>
> I've tried the following clients:
>
> -- Laptop 1 --
>
> - Intel 7260AC
> - Fedora 34
> - Kernel: 5.13.8-200
> - wpa_supplicant v2.9
>
> -- Laptop 2 --
> - Intel 7260AC
> - Ubuntu 20.04.2 LTS
> - Kernel: 5.11.0-25
> - wpa_supplicant v2.10-devel-hostap_2_9-2285-gc3155a725 (recent snapshot)
>
> -- iPad --
> - iPadOS 15 Beta 4
>
> I can provide logs from wpa_supplicant, hostapd, and packet captures to developers personally.
>
> Michael
More information about the Hostap
mailing list