802.11r/FT issue

Grewal, Ajay (GE Power) Ajay.Grewal at ge.com
Wed Oct 18 12:23:31 PDT 2017


Hi,
 
I’ve built the latest version of hostapd/wpa_supplicant from the master (8e5931f0c777a8abbfce9a299720f5b489b359b7) with 802.11r support. The wpa_supplicant w/EAP-TLS is unable to perform over-the-air FT between APs. It seems to ignore the FT authentication response from the target AP.
 
AP1: 00:c0:69:d0:0d:11, AP2: 00:06:3d:07:0b:b5, CLIENT: 00:30:1a:4e:0c:39
 
AP1 ON, AP2 OFF:
 
The client successfully connects to AP1 w/ FT-EAP:
 
bssid=00:c0:69:d0:0d:11
freq=2462
ssid=ORBIT-AUTOMATED-TEST
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=FT-EAP
wpa_state=COMPLETED
address=00:30:1a:4e:0c:39
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=13 (EAP-TLS)
eap_tls_version=TLSv1.2
EAP TLS cipher=ECDHE-RSA-AES256-GCM-SHA384
tls_session_reused=0
eap_session_id=0d1a2298b5286564d2427144de254c118dd33b80ec6c8d4f65a88051fe08c3a4bbb5eb3debad03f09ed016069fb1df9369e8ebef23947869577dc8f5f8d237cce1
 
AP1 ON, AP2 ON:
 
Scan and roam to AP2:
 
scan 
OK
<3>CTRL-EVENT-SCAN-STARTED 
<3>CTRL-EVENT-SCAN-RESULTS 
scan_results
bssid / frequency / signal level / flags / ssid
00:c0:69:d0:0d:11              2462       -63          [WPA2-EAP+FT/EAP-CCMP-preauth][ESS]    ORBIT-AUTOMATED-TEST
00:06:3d:07:0b:b5             2462       -64          [WPA2-EAP+FT/EAP-CCMP-preauth][ESS]    ORBIT-AUTOMATED-TEST
 
roam 00:06:3d:07:0b:b5
OK
<3>SME: Trying to authenticate with 00:06:3d:07:0b:b5 (SSID='ORBIT-AUTOMATED-TEST' freq=2462 MHz)
<3>CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
<3>CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=US
<3>CTRL-EVENT-SCAN-STARTED 
<3>CTRL-EVENT-SCAN-RESULTS 
<3>SME: Trying to authenticate with 00:c0:69:d0:0d:11 (SSID='ORBIT-AUTOMATED-TEST' freq=2462 MHz)
<3>Trying to associate with 00:c0:69:d0:0d:11 (SSID='ORBIT-AUTOMATED-TEST' freq=2462 MHz)
<3>Associated with 00:c0:69:d0:0d:11
<3>CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
<3>CTRL-EVENT-EAP-STARTED EAP authentication started
….
 
Client fails FT with AP2 and falls back to AP1 (does a full EAP handshake with AP1). 
 
Noticed a set_key error in the ap2.log:
 
….
FT: Received authentication frame IEs - hexdump(len=148): 30 26 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 03 00 00 01 00 8b 00 5f 74 ad c7 ca f1 1c 79 02 79 ab 0a 5c 73 36 03 01 01 01 37 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 87 87 d8 74 60 5d d0 25 15 b2 38 48 c1 c0 2a 32 81 bd 14 3a c0 a4 5d ff ac 28 ee 0f 5f ff 2f 17 03 11 30 30 3a 63 30 3a 36 39 3a 64 30 3a 30 64 3a 31 31
FT: STA R0KH-ID - hexdump(len=17): 30 30 3a 63 30 3a 36 39 3a 64 30 3a 30 64 3a 31 31
FT: Requested PMKR0Name - hexdump(len=16): 8b 00 5f 74 ad c7 ca f1 1c 79 02 79 ab 0a 5c 73
FT: Derived requested PMKR1Name - hexdump(len=16): bb db d5 68 b9 0d 50 6c 42 da ab 77 a3 d2 39 f3
FT: Selected PMK-R1 - hexdump(len=32): [REMOVED]
Get randomness: len=32 entropy=379
FT: Received SNonce - hexdump(len=32): 87 87 d8 74 60 5d d0 25 15 b2 38 48 c1 c0 2a 32 81 bd 14 3a c0 a4 5d ff ac 28 ee 0f 5f ff 2f 17
FT: Generated ANonce - hexdump(len=32): 6e e8 20 99 76 14 91 d6 b4 84 8c 86 35 ec 6f bb 20 4d 48 3b 37 30 c2 87 09 05 bd 10 77 79 0a b3
FT: KCK - hexdump(len=16): [REMOVED]
FT: KEK - hexdump(len=16): [REMOVED]
FT: TK - hexdump(len=16): [REMOVED]
FT: PTKName - hexdump(len=16): 84 ad 14 7b b4 bc c2 9c e5 6e 7c 81 fd bc b6 95
wpa_driver_nl80211_set_key: ifindex=12 (wlan0) alg=3 addr=0x1bcc428 key_idx=0 set_tx=1 seq_len=0 key_len=16
nl80211: KEY_DATA - hexdump(len=16): [REMOVED]
   addr=00:30:1a:4e:0c:39
nl80211: set_key failed; err=-2 No such file or directory)
FT: Postponed auth callback result for 00:30:1a:4e:0c:39 - status 0
authentication reply: STA=00:30:1a:4e:0c:39 auth_alg=2 auth_transaction=2 resp=0 (IE len=160)
…
 
Configs, logs and packet traces are attached. I’d appreciate any help in identifying the root cause.
 
Thanks
Ajay



-------------- next part --------------
A non-text attachment was scrubbed...
Name: WPA2-EAPTLS-80211r-issue-20171018.zip
Type: application/zip
Size: 7338 bytes
Desc: WPA2-EAPTLS-80211r-issue-20171018.zip
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20171018/2fc459ea/attachment.zip>
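
Added example (not part of the original post and not hostapd code): a Python decoder for the "Received authentication frame IEs" hexdump in the ap2.log excerpt above. It walks the RSNE, MDE and FTE to recover the PMKR0Name, SNonce and R0KH-ID that hostapd prints on the lines after the dump. The function names are hypothetical, and the input is reassembled from that hexdump with the 50 zero bytes written as a repeat count.

```python
import struct

# Bytes reassembled from the "Received authentication frame IEs" hexdump in the
# post; the 50 zero bytes (MIC Control, MIC, ANonce) are written as a repeat.
FRAME_IES = bytes.fromhex(" ".join([
    "30 26 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 03 00 00 01 00",
    "8b 00 5f 74 ad c7 ca f1 1c 79 02 79 ab 0a 5c 73",            # PMKID list
    "36 03 01 01 01", "37 65", "00" * 50,         # MDE, then FTE header
    "87 87 d8 74 60 5d d0 25 15 b2 38 48 c1 c0 2a 32",            # SNonce
    "81 bd 14 3a c0 a4 5d ff ac 28 ee 0f 5f ff 2f 17",
    "03 11 30 30 3a 63 30 3a 36 39 3a 64 30 3a 30 64 3a 31 31",    # subelement 3
]))

def split_ies(buf):
    """Split a run of 802.11 elements (ID, length, body) into {id: body}."""
    out, i = {}, 0
    while i < len(buf):
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError(f"truncated element at offset {i}")
        out[buf[i]] = buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]
    return out

def parse_rsne(body):
    """Return (AKM suites, PMKIDs) from an RSN element body."""
    off = 2 + 4                                   # version, group cipher
    n, = struct.unpack_from("<H", body, off)
    off += 2 + 4 * n                              # pairwise cipher list
    n, = struct.unpack_from("<H", body, off)
    akms = [body[off + 2 + 4 * k:off + 6 + 4 * k].hex() for k in range(n)]
    off += 2 + 4 * n + 2                          # AKM list, RSN capabilities
    n, = struct.unpack_from("<H", body, off)
    return akms, [body[off + 2 + 16 * k:off + 18 + 16 * k] for k in range(n)]

def decode_ft_auth(buf):
    """Decode RSNE (48), MDE (54) and FTE (55) of an FT authentication frame."""
    ies = split_ies(buf)
    akms, pmkids = parse_rsne(ies[48])
    _, _, anonce, snonce = struct.unpack_from("<H16s32s32s", ies[55])
    subs = split_ies(ies[55][82:])                # FTE subelements
    return {
        "akm": akms,                              # 000fac03 = FT over 802.1X
        "pmkr0name": pmkids[0].hex(),
        "mdid": ies[54][:2].hex(),
        "ft_over_ds": bool(ies[54][2] & 0x01),
        "anonce_unset": anonce == bytes(32),
        "snonce": snonce.hex(),
        "r0kh_id": subs[3].decode("ascii"),       # subelement 3 = R0KH-ID
    }
```

The all-zero MIC and ANonce fields are normal for the station's first FT authentication frame; the AP supplies its ANonce in the reply.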

