FT authentication fails on FT-SAE
Michael Yartys
michael.yartys at protonmail.com
Sun Aug 15 12:58:24 PDT 2021
I made a mistake in the test by setting ft_psk_generate_local=0, which causes the same test to fail even with FT-PSK (WPA2 with 802.11r). However, even though setting it equal to 1 fixes FT-PSK it doesn't fix FT-SAE. I get pretty much the same log output:
mgmt::auth
authentication: STA=6e:59:ee:22:48:97 auth_alg=2 auth_transaction=1 status_code=0 wep=0 seq_ctrl=0x8930 retry
New STA
ap_sta_add: register ap_handle_timer timeout for 6e:59:ee:22:48:97 (300 seconds - ap_max_inactivity)
nl80211: sta_remove -> DEL_STATION wlp18s0 6e:59:ee:22:48:97 --> -2 (No such file or directory)
nl80211: Add STA 6e:59:ee:22:48:97
* supported rates - hexdump(len=4): 02 04 0b 16
* capability=0x0
* aid=1 (UNASSOC_STA workaround)
* listen_interval=0
* flags set=0x0 mask=0xa0
FT: Received authentication frame: STA=6e:59:ee:22:48:97 BSSID=22:22:22:22:22:21 transaction=1
FT: Received authentication frame IEs - hexdump(len=156): 30 26 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 09 cc 00 01 00 10 c8 45 d8 2f d8 74 55 bc a5 55 6c 94 08 1e 25 36 03 a1 b2 00 37 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cb b2 28 81 3f 0e 3c 6e 06 ff 1f 62 ee 2c bc 0c d1 fa a4 f2 bf ed 5c 5c 03 72 32 6f f7 55 8f a0 03 0c 32 32 32 32 32 32 32 32 32 32 32 32 dd 0b 00 17 f2 0a 00 01 04 00 00 00 00
FT: RSNE - hexdump(len=38): 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 09 cc 00 01 00 10 c8 45 d8 2f d8 74 55 bc a5 55 6c 94 08 1e 25
FT: MDE - hexdump(len=3): a1 b2 00
FT: FTE - hexdump(len=96): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cb b2 28 81 3f 0e 3c 6e 06 ff 1f 62 ee 2c bc 0c d1 fa a4 f2 bf ed 5c 5c 03 72 32 6f f7 55 8f a0 03 0c 32 32 32 32 32 32 32 32 32 32 32 32
FT: FTE-MIC Control - hexdump(len=2): 00 00
FT: FTE-MIC - hexdump(len=16): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FT: FTE-ANonce - hexdump(len=32): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FT: FTE-SNonce - hexdump(len=32): cb b2 28 81 3f 0e 3c 6e 06 ff 1f 62 ee 2c bc 0c d1 fa a4 f2 bf ed 5c 5c 03 72 32 6f f7 55 8f a0
FT: Parse FTE subelements - hexdump(len=14): 03 0c 32 32 32 32 32 32 32 32 32 32 32 32
FT: STA R0KH-ID - hexdump(len=12): 32 32 32 32 32 32 32 32 32 32 32 32
FT: Requested PMKR0Name - hexdump(len=16): 10 c8 45 d8 2f d8 74 55 bc a5 55 6c 94 08 1e 25
FT: PMKR1Name - hexdump(len=16): bf 01 db d7 f2 5e 2a b4 5d 3f 45 be ea f0 19 f9
FT: No PMK-R1 available in local cache for the requested PMKR1Name
FT: No matching R0KH found
FT: Did not find R0KH-ID - hexdump(len=12): 32 32 32 32 32 32 32 32 32 32 32 32
FT: Did not have matching PMK-R1 and either unknown or blocked R0KH-ID or NAK from R0KH
FT: FT authentication response: dst=6e:59:ee:22:48:97 auth_transaction=2 status=53 (INVALID_PMKID)
FT: Response IEs - hexdump(len=0): [NULL]
authentication reply: STA=6e:59:ee:22:48:97 auth_alg=2 auth_transaction=2 resp=53 (IE len=0) (dbg=auth-ft-finish)
Michael
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, August 13th, 2021 at 09:34, Michael Yartys <michael.yartys at protonmail.com> wrote:
> Hi
>
> I made a test with the iPad where I set up my two laptops with the same FT-SAE network to log any error messages, and I get the following FT failure:
>
> mgmt::auth
>
> authentication: STA=6e:59:ee:22:48:97 auth_alg=2 auth_transaction=1 status_code=0 wep=0 seq_ctrl=0xf6c0
>
> New STA
>
> ap_sta_add: register ap_handle_timer timeout for 6e:59:ee:22:48:97 (300 seconds - ap_max_inactivity)
>
> nl80211: sta_remove -> DEL_STATION wlp18s0 6e:59:ee:22:48:97 --> -2 (No such file or directory)
>
> nl80211: Add STA 6e:59:ee:22:48:97
>
> - supported rates - hexdump(len=4): 02 04 0b 16
> - capability=0x0
> - aid=1 (UNASSOC_STA workaround)
> - listen_interval=0
> - flags set=0x0 mask=0xa0
>
> FT: Received authentication frame: STA=6e:59:ee:22:48:97 BSSID=f0:42:1c:c7:0b:6e transaction=1
>
> FT: Received authentication frame IEs - hexdump(len=158): 30 26 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 09 cc 00 01 00 bd 74 21 51 30 fe 82 61 1f c4 69 0f d2 c8 a7 83 36 03 a1 b2 00 37 62 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c2 c5 02 32 3d 50 10 c0 6b c3 98 a1 8e 29 b9 96 4a d0 c2 f7 63 52 2d aa 1c 44 5d b8 f6 e1 a1 8b 03 0e 73 65 63 6f 6e 64 5f 65 78 61 6d 70 6c 65 dd 0b 00 17 f2 0a 00 01 04 00 00 00 00
>
> FT: RSNE - hexdump(len=38): 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 09 cc 00 01 00 bd 74 21 51 30 fe 82 61 1f c4 69 0f d2 c8 a7 83
>
> FT: MDE - hexdump(len=3): a1 b2 00
>
> FT: FTE - hexdump(len=98): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c2 c5 02 32 3d 50 10 c0 6b c3 98 a1 8e 29 b9 96 4a d0 c2 f7 63 52 2d aa 1c 44 5d b8 f6 e1 a1 8b 03 0e 73 65 63 6f 6e 64 5f 65 78 61 6d 70 6c 65
>
> FT: FTE-MIC Control - hexdump(len=2): 00 00
>
> FT: FTE-MIC - hexdump(len=16): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>
> FT: FTE-ANonce - hexdump(len=32): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>
> FT: FTE-SNonce - hexdump(len=32): c2 c5 02 32 3d 50 10 c0 6b c3 98 a1 8e 29 b9 96 4a d0 c2 f7 63 52 2d aa 1c 44 5d b8 f6 e1 a1 8b
>
> FT: Parse FTE subelements - hexdump(len=16): 03 0e 73 65 63 6f 6e 64 5f 65 78 61 6d 70 6c 65
>
> FT: STA R0KH-ID - hexdump(len=14): 73 65 63 6f 6e 64 5f 65 78 61 6d 70 6c 65
>
> FT: Requested PMKR0Name - hexdump(len=16): bd 74 21 51 30 fe 82 61 1f c4 69 0f d2 c8 a7 83
>
> FT: PMKR1Name - hexdump(len=16): 9c 36 5d 59 c7 8c ee 9b ee 5b 56 0f 20 2e 12 24
>
> FT: No PMK-R1 available in local cache for the requested PMKR1Name
>
> FT: No matching R0KH found
>
> FT: Did not find R0KH-ID - hexdump(len=14): 73 65 63 6f 6e 64 5f 65 78 61 6d 70 6c 65
>
> FT: Did not have matching PMK-R1 and either unknown or blocked R0KH-ID or NAK from R0KH
>
> FT: FT authentication response: dst=6e:59:ee:22:48:97 auth_transaction=2 status=53 (INVALID_PMKID)
>
> FT: Response IEs - hexdump(len=0): [NULL]
>
> authentication reply: STA=6e:59:ee:22:48:97 auth_alg=2 auth_transaction=2 resp=53 (IE len=0) (dbg=auth-ft-finish)
>
> The hostapd config for the laptops can be found below:
>
> --- LAPTOP 1 ---
>
> interface=wlp18s0
>
> driver=nl80211
>
> ssid=test1
>
> hw_mode=g
>
> channel=1
>
> auth_algs=3
>
> wmm_enabled=1
>
> nas_identifier=first_example
>
> wpa=2
>
> wpa_passphrase=testingstuff123
>
> wpa_key_mgmt=SAE FT-SAE
>
> wpa_pairwise=CCMP
>
> ieee80211w=2
>
> sae_pwe=2
>
> mobility_domain=a1b2
>
> ft_over_ds=0
>
> ft_psk_generate_local=0
>
> --- LAPTOP 2 ---
>
> interface=wlp18s0
>
> driver=nl80211
>
> ssid=test1
>
> hw_mode=g
>
> channel=6
>
> auth_algs=3
>
> wmm_enabled=1
>
> nas_identifier=second_example
>
> wpa=2
>
> wpa_passphrase=testingstuff123
>
> wpa_key_mgmt=SAE FT-SAE
>
> wpa_pairwise=CCMP
>
> ieee80211w=2
>
> sae_pwe=2
>
> mobility_domain=a1b2
>
> ft_over_ds=0
>
> ft_psk_generate_local=0
>
> Michael
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On Friday, August 13th, 2021 at 08:55, Michael Yartys michael.yartys at protonmail.com wrote:
>
> > Hi
> >
> > I'm running an FT-SAE network on two routers with OpenWrt, and I've encountered an issue where clients that attempt to authenticate with FT fail due to an invalid PMKID (at least that's what the AP replies in the authentication response). The routers are running a master build of OpenWrt from 9. August, and the hostapd version is a master build up to and including: https://w1.fi/cgit/hostap/commit/?id=b102f19bcc53c7f7db3951424d4d46709b4f1986
> >
> > I've tried the following clients:
> >
> > -- Laptop 1 --
> >
> > - Intel 7260AC
> >
> > - Fedora 34
> >
> > - Kernel: 5.13.8-200
> >
> > - wpa_supplicant v2.9
> >
> > -- Laptop 2 --
> >
> > - Intel 7260AC
> >
> > - Ubuntu 20.04.2 LTS
> >
> > - Kernel: 5.11.0-25
> >
> > - wpa_supplicant v2.10-devel-hostap_2_9-2285-gc3155a725 (recent snapshot)
> >
> > -- iPad --
> >
> > - iPadOS 15 Beta 4
> >
> > I can provide logs from wpa_supplicant, hostapd, and packet captures to developers personally.
> >
> > Michael
> >
More information about the Hostap
mailing list