wpa_supplicant: secured mesh and WiLink8 issue

Bob Copeland me at bobcopeland.com
Fri Nov 4 11:19:42 PDT 2016


On Fri, Nov 04, 2016 at 01:54:10PM +0100, Jeroen Roovers wrote:
> I tried your advice in
> https://bobcopeland.com/blog/2016/10/encrypted-mesh-psa/ . I am using
> a 3.4 kernel and trying out wpa_supplicant 2.6, so I added
> ieee80211w=2 to the configuration:
> 
> %< snip >%
> user_mpm=1
> update_config=1
> 
> network={
>         mode=5
>         ssid="secret"
>         frequency=2412
>         proto=RSN
>         pairwise=CCMP
>         key_mgmt=SAE
>         group=CCMP
>         psk="secret"
> }
> %< snip >%

(I don't see ieee80211w here?)

> The first mesh node that went up initially showed this:
> 
> 2016-11-04T12:33:06.987105+00:00 AirFi wpa_supplicant[476]: AP-ENABLED
> 2016-11-04T12:33:07.004874+00:00 AirFi wpa_supplicant[476]: wlan1:
> joining mesh "<secret>"
> 2016-11-04T12:33:07.006015+00:00 AirFi wpa_supplicant[476]: wlan1:
> mesh join error=-114

Hmm -EALREADY, I guess this one was already operating?

> After restarting wpa_supplicant (with two other nodes running already)
> I instead got this:

[snip]

> 2016-11-04T12:40:22.923110+00:00 AirFi wpa_supplicant[1019]: wlan1:
> new peer notification for xx:xx:xx:xx:xx:55
> 2016-11-04T12:40:23.438482+00:00 AirFi wpa_supplicant[1019]: wlan1:
> new peer notification for xx:xx:xx:xx:xx:6c
> 2016-11-04T12:40:36.131965+00:00 AirFi wpa_supplicant[1019]: wlan1:
> MESH-SAE-AUTH-FAILURE addr=xx:xx:xx:xx:xx:55
> 2016-11-04T12:40:39.639177+00:00 AirFi wpa_supplicant[1019]: wlan1:
> MESH-SAE-AUTH-FAILURE addr=xx:xx:xx:xx:xx:6c

So two were running already, same wpa_s version?

> 2016-11-04T12:40:53.579341+00:00 AirFi wpa_supplicant[1019]: wlan1:
> MESH-SAE-AUTH-FAILURE addr=xx:xx:xx:xx:xx:55
> 2016-11-04T12:40:54.826637+00:00 AirFi wpa_supplicant[1019]: wlan1:
> MESH-SAE-AUTH-FAILURE addr=xx:xx:xx:xx:xx:6c

...but SAE authentication failed.  This happens before even peering,
so it sounds like this is something other than the encryption change.
Just to be sure, the password and SAE group configurations are the
same across all nodes?

To be clear, the sequence goes like this:

SAE authentication (derives PMK from password)
    ---> AMPE peering (derives MTK from PMK, MGTK generated and exchanged)
        ---> HWMP route establishment (uses keys from previous step)

The changes referred to in my blog post happened at steps 2 and 3, while
it looks like your failure happened at step 1.

> So maybe your advice needs some extra good bits for specific situations.
> 
> Kind regards,
>     jer

-- 
Bob Copeland %% http://bobcopeland.com/
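
The three-step sequence in the message above can be used to sort a wpa_supplicant log by peer and see how far each one got. This is an added example, not part of the original message and not wpa_supplicant code. Assumptions: a secured mesh (key_mgmt=SAE), the MESH-SAE-AUTH-BLOCKED and MESH-PEER-CONNECTED event names (wpa_supplicant control events that do not appear in the thread), and a constructed sample log; step 3 (HWMP) is not visible in these events and is not checked.

```python
import re
from collections import defaultdict

TS = re.compile(r"^\d{4}-\d{2}-\d{2}T")
MAC = r"((?:[0-9a-fx]{2}:){5}[0-9a-fx]{2})"  # 'x' allowed so redacted logs still parse
EVENTS = [
    (re.compile(r"new peer notification for " + MAC, re.I), "seen"),
    (re.compile(r"MESH-SAE-AUTH-(?:FAILURE|BLOCKED) addr=" + MAC, re.I), "sae_fail"),
    (re.compile(r"MESH-PEER-CONNECTED " + MAC, re.I), "peered"),
]

def records(text):
    # Strip mail quoting; a line without a timestamp continues the previous record.
    out = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()
        if line and (TS.match(line) or not out):
            out.append(line)
        elif line:
            out[-1] += " " + line
    return out

def triage(text):
    # Map each peer to the furthest step of the sequence the log shows it reached.
    counts = defaultdict(lambda: defaultdict(int))
    for rec in records(text):
        for pat, name in EVENTS:
            m = pat.search(rec)
            if m:
                counts[m.group(1).lower()][name] += 1
    verdict = {}
    for peer, c in counts.items():
        if c["peered"]:
            verdict[peer] = "step 2 reached (SAE ok, AMPE peered)"
        elif c["sae_fail"]:
            verdict[peer] = "stuck at step 1 (SAE), failures=%d" % c["sae_fail"]
        else:
            verdict[peer] = "discovered, no SAE result"
    return verdict

# Constructed sample: addresses and the MESH-PEER-CONNECTED line are made up.
SAMPLE = """\
> 2016-11-04T12:40:22.9+00:00 AirFi wpa_supplicant[1019]: wlan1: new peer notification for 02:00:00:00:00:55
> 2016-11-04T12:40:23.4+00:00 AirFi wpa_supplicant[1019]: wlan1: new peer notification for 02:00:00:00:00:6c
> 2016-11-04T12:40:24.0+00:00 AirFi wpa_supplicant[1019]: wlan1: new peer notification for 02:00:00:00:00:7a
> 2016-11-04T12:40:36.1+00:00 AirFi wpa_supplicant[1019]: wlan1:
> MESH-SAE-AUTH-FAILURE addr=02:00:00:00:00:55
> 2016-11-04T12:40:40.0+00:00 AirFi wpa_supplicant[1019]: wlan1: MESH-PEER-CONNECTED 02:00:00:00:00:6c
> 2016-11-04T12:40:53.5+00:00 AirFi wpa_supplicant[1019]: wlan1: MESH-SAE-AUTH-FAILURE addr=02:00:00:00:00:55
"""
```

Calling `triage(SAMPLE)` returns one verdict per peer address; a peer that only ever shows SAE failures never reached the steps where the encryption change applies.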


