4way-Handshake error occurred in Reauth operation in connected state.

mun-chang jung biting74 at gmail.com
Wed Jun 22 03:37:13 PDT 2022


hello

Recently, I checked that the Station (wpa_supplicant) connected to the
Synology WiFi Router with WPA-Enterprise is disconnected and
reconnected every 60 minutes.

As a result of the analysis of this phenomenon, it was confirmed that
there was a problem in 4way-HS in the reauthentication process by
receiving the Request identity message from the Router (AP).
(No Session timeout setting in radius)

* During the 4way-HS process, 4way-HS-1/4 ~ 3/4 are encrypted, and the
messages are transmitted and received normally.
I've seen 4way-HS-4/4 transmitted unencrypted (I think this is a bug).
The unencrypted 4way-HS-4/4 message is discarded and 4way-HS-3/4 is
retried. Then the AP sends a Disassociate with authentication timeout
to disconnect the station.

Below is a similar case and test environment, and the simplest
reproducible test is case 3.

Is this a bug?


<Test Bed>
================================================================================
<Station>
RaspberryPi 3
WLAN: Netgear WNA1100 USB
Version: wpa_supplicant 2.10

<AP>
Synology MR2200AC
================================================================================


CASE1: WPA2-Enterprise: Synology Router AP MR2200AC
================================================================================
wpa_cli flush
wpa_cli log_level debug
wpa_cli sta_autoconnect 0
wpa_cli add_network
wpa_cli set_network 1 ssid \"Synology_MR2200AC_2.4G_ENT\"
wpa_cli set_network 1 proto RSN WPA
wpa_cli set_network 1 pairwise CCMP TKIP
wpa_cli set_network 1 key_mgmt WPA-EAP
wpa_cli set_network 1 eap TTLS PEAP
wpa_cli set_network 1 phase2 \"auth=MSCHAPV2 GTC\"
wpa_cli set_network 1 identity \"test\"
wpa_cli set_network 1 password \"1@34Qwer\"
wpa_cli select_network 1

After 60 minutes of WiFi connection, reauth is performed by receiving
Request Identity from AP.


AP ==> STA RX: Request Identity (EAP)
...
Request, Protected EAP (EAP-PEAP)

AP <== STA TX: PTK Key Request (EAPOL)
AP ==> STA RX: 4way-HS-1/4
AP <== STA TX: 4way-HS-2/4
AP ==> STA RX: 4way-HS-3/4
          STA: PTK install OK(update)
          STA: GTK not reinstall (KRACK patch)
AP <== STA TX: 4way-HS-4/4
AP ==> STA RX: 4way-HS-3/4 (Retry)
AP ==> STA RX: 4way-HS-3/4 (Retry)
AP ==> STA RX: Disassociate
          STA: Disconnected



CASE2: PTK rekey
================================================================================
WPA2-PSK CCMP
<WPA-PSK>
wpa_cli flush
wpa_cli log_level debug
wpa_cli sta_autoconnect 0
wpa_cli add_network
wpa_cli set_network 0 ssid \"WPA_PTK_KEY_TEST\"
wpa_cli set_network 0 proto RSN
wpa_cli set_network 0 pairwise CCMP
wpa_cli set_network 0 key_mgmt WPA-PSK
wpa_cli set_network 0 psk \"12345678\"
wpa_cli set_network 0 wpa_ptk_rekey 60
wpa_cli select_network 0

One minute after connection, the station sends a Key Request (EAPOL)
to start the PTK rekey, and the connection is dropped during the rekey
process. (When sta_autoconnect 1 is set, it disconnects and reconnects.)

AP <== STA TX: PTK Key Request (EAPOL)
AP ==> STA RX: 4way-HS-1/4
AP <== STA TX: 4way-HS-2/4
AP ==> STA RX: 4way-HS-3/4
          STA: PTK install OK(update)
          STA: GTK not reinstall (KRACK patch)
AP <== STA TX: 4way-HS-4/4
AP ==> STA RX: 4way-HS-3/4 (Retry)
AP ==> STA RX: 4way-HS-3/4 (Retry)
AP ==> STA RX: Disassociate
          STA: Disconnected



CASE3:
================================================================================
<WPA-PSK>
wpa_cli flush
wpa_cli log_level debug
wpa_cli sta_autoconnect 0
wpa_cli add_network
wpa_cli set_network 0 ssid \"WPA_PTK_KEY_TEST\"
wpa_cli set_network 0 proto RSN
wpa_cli set_network 0 pairwise CCMP
wpa_cli set_network 0 key_mgmt WPA-PSK
wpa_cli set_network 0 psk \"12345678\"
wpa_cli set_network 0 wpa_ptk_rekey 0
wpa_cli select_network 0

* Execute the reauth request command after the connection is complete
wpa_cli reauthenticate


thanks, cheers and best regards
: mun-chang jung
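As an added example (not code from the report above or from the hostap project), the following Python script parses handshake traces written in the format used in the report and classifies them. It counts 3/4 retries that arrive after the station has already sent 4/4, records whether the PTK install was logged before the 4/4 transmission (the ordering detail to check against the 802.11 key-install rules when a rekey fails), and notes the final disassociation. The CASE1 trace is embedded as copied from the report; the "healthy" trace is constructed for contrast.

```python
"""Classify a 4-way handshake trace written in the report's trace format."""
import re
from dataclasses import dataclass

# Patterns for the three kinds of trace lines used in the report above.
RX_RE = re.compile(r"^AP ==> STA RX:\s*(?P<msg>.+?)$")
TX_RE = re.compile(r"^AP <== STA TX:\s*(?P<msg>.+?)$")
STA_RE = re.compile(r"^STA:\s*(?P<note>.+?)$")


@dataclass
class Diagnosis:
    ptk_installed_before_4of4: bool = False  # PTK install logged before 4/4 was sent
    retries_of_3of4_after_4of4: int = 0      # AP re-sent 3/4 although STA had sent 4/4
    disconnected: bool = False               # Disassociate received / STA disconnected
    verdict: str = "handshake completed"


def analyze_trace(trace: str) -> Diagnosis:
    """Walk the trace line by line and summarise how the handshake ended."""
    d = Diagnosis()
    sent_4of4 = False
    ptk_installed = False
    for raw in trace.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RX_RE.match(line):
            msg = m.group("msg")
            # A retried 3/4 after our 4/4 means the AP never accepted the 4/4.
            if msg.startswith("4way-HS-3/4") and "Retry" in msg and sent_4of4:
                d.retries_of_3of4_after_4of4 += 1
            elif msg.startswith("Disassociate"):
                d.disconnected = True
        elif m := TX_RE.match(line):
            if m.group("msg").startswith("4way-HS-4/4"):
                sent_4of4 = True
                d.ptk_installed_before_4of4 = ptk_installed
        elif m := STA_RE.match(line):
            note = m.group("note")
            if note.startswith("PTK install"):
                ptk_installed = True
            elif note.startswith("Disconnected"):
                d.disconnected = True
    if d.retries_of_3of4_after_4of4 and d.disconnected:
        d.verdict = (f"AP did not accept 4/4: 3/4 retried "
                     f"{d.retries_of_3of4_after_4of4} time(s), then disassociation")
    elif d.retries_of_3of4_after_4of4:
        d.verdict = "AP retried 3/4 after 4/4 was sent (4/4 lost or not decryptable)"
    elif not sent_4of4:
        d.verdict = "handshake incomplete: no 4/4 sent"
    return d


# Trace of CASE1 from the report above (copied from the report, not constructed).
CASE1_TRACE = """
AP <== STA TX: PTK Key Request (EAPOL)
AP ==> STA RX: 4way-HS-1/4
AP <== STA TX: 4way-HS-2/4
AP ==> STA RX: 4way-HS-3/4
          STA: PTK install OK(update)
          STA: GTK not reinstall (KRACK patch)
AP <== STA TX: 4way-HS-4/4
AP ==> STA RX: 4way-HS-3/4 (Retry)
AP ==> STA RX: 4way-HS-3/4 (Retry)
AP ==> STA RX: Disassociate
          STA: Disconnected
"""

# Constructed trace of a rekey that completes (sample input, not from the report).
HEALTHY_TRACE = """
AP <== STA TX: PTK Key Request (EAPOL)
AP ==> STA RX: 4way-HS-1/4
AP <== STA TX: 4way-HS-2/4
AP ==> STA RX: 4way-HS-3/4
AP <== STA TX: 4way-HS-4/4
          STA: PTK install OK(update)
"""

if __name__ == "__main__":
    for name, trace in (("CASE1", CASE1_TRACE), ("healthy", HEALTHY_TRACE)):
        print(name, analyze_trace(trace))
```

Running it on the CASE1 trace reports two 3/4 retries after the 4/4, a PTK install logged before the 4/4 transmission, and the disassociation; the constructed healthy trace reports a completed handshake. The same classifier can be pointed at traces collected from several stations or drivers to see which ones share the failing pattern.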


