#18343: WPA2 802.1x with 4addr mode hangs on rekey
-------------------------------------------------+-------------------------
 Reporter:  Vittorio G (VittGam) <openwrt@…>     |      Owner:  developers
     Type:  defect                               |     Status:  new
 Priority:  normal                               |  Milestone:
Component:  base system                          |    Version:  Trunk
 Keywords:  hostapd, wpa-supplicant, wpa2,       |
  802.1x, 4addr                                  |
-------------------------------------------------+-------------------------
 Hi everyone,

 I'm having a problem with 4addr mode on a WPA2 802.1x setup.

 AP is an ar71xx based Dragino 2 using OpenWrt BB r42853. STA is an
 unmodified wr703n using OpenWrt BB r42625 (that is, hardware is
 unmodified, software of course is :P ).

 Sometimes when there is a key handshake the connection will partially
 drop. Packets still flow in one direction but not in the other. (TODO:
 determine the exact direction, but should be AP->STA working and STA->AP
 not working)

 Logs and config follow. Connection stopped working at 18:12:08. It started
 working again at 18:22:31.

 On the AP I provide optional ieee80211w Management Frames Protection. On
 the STA I enforce it with `ieee80211w = 2`.

 Please note that the AP is also a STA connected to an Open network (just
 fyi, there is policy based routing that uses this insecure connection only
 to connect to a VPN, which then serves br-lan).

 This is happening with an unplugged eth0 on the STA, I haven't tested if
 it happens with a plugged eth0 too. The br-lan only contains eth0 and
 wlan0 though.

 == AP log ==
 {{{
 Fri Nov 14 18:12:08 2014 daemon.info hostapd: wlan0: STA cc:cc:cc:cc:cc:cc
 WPA: group key handshake completed (RSN)
 Fri Nov 14 18:22:08 2014 daemon.info hostapd: wlan0: STA cc:cc:cc:cc:cc:cc
 WPA: group key handshake completed (RSN)
 Fri Nov 14 18:22:12 2014 daemon.info hostapd: wlan0: STA cc:cc:cc:cc:cc:cc
 RADIUS: starting accounting session 12345678-00000000
 Fri Nov 14 18:22:12 2014 daemon.info hostapd: wlan0: STA cc:cc:cc:cc:cc:cc
 IEEE 802.1X: authenticated - EAP type: 13 (TLS)
 Fri Nov 14 18:22:21 2014 daemon.info hostapd: wlan0: STA cc:cc:cc:cc:cc:cc
 IEEE 802.11: deauthenticated due to local deauth request
 Fri Nov 14 18:22:21 2014 kern.info kernel: [357807.510000] device
 wlan0.sta1 left promiscuous mode
 Fri Nov 14 18:22:21 2014 kern.info kernel: [357807.520000] br-lan: port
 4(wlan0.sta1) entered disabled state
 Fri Nov 14 18:22:28 2014 daemon.info hostapd: wlan0: STA cc:cc:cc:cc:cc:cc
 IEEE 802.11: authenticated
 Fri Nov 14 18:22:28 2014 daemon.info hostapd: wlan0: STA cc:cc:cc:cc:cc:cc
 IEEE 802.11: associated (aid 1)
 Fri Nov 14 18:22:28 2014 kern.info kernel: [357814.230000] device
 wlan0.sta1 entered promiscuous mode
 Fri Nov 14 18:22:28 2014 kern.info kernel: [357814.240000] br-lan: port
 4(wlan0.sta1) entered forwarding state
 Fri Nov 14 18:22:28 2014 kern.info kernel: [357814.240000] br-lan: port
 4(wlan0.sta1) entered forwarding state
 Fri Nov 14 18:22:29 2014 daemon.info hostapd: wlan0: STA cc:cc:cc:cc:cc:cc
 WPA: pairwise key handshake completed (RSN)
 Fri Nov 14 18:22:29 2014 daemon.info hostapd: wlan0: STA cc:cc:cc:cc:cc:cc
 RADIUS: starting accounting session 12345678-00000001
 Fri Nov 14 18:22:29 2014 daemon.info hostapd: wlan0: STA cc:cc:cc:cc:cc:cc
 IEEE 802.1X: authenticated - EAP type: 13 (TLS) (PMKSA cache)
 Fri Nov 14 18:22:30 2014 kern.info kernel: [357816.240000] br-lan: port
 4(wlan0.sta1) entered forwarding state
 }}}

 == STA log ==
 {{{
 Fri Nov 14 18:22:27 2014 kern.info kernel: [ 6495.770000] wlan0:
 deauthenticating from aa:aa:aa:aa:aa:aa by local choice (Reason:
 2=PREV_AUTH_NOT_VALID)
 Fri Nov 14 18:22:27 2014 kern.info kernel: [ 6495.790000] br-lan: port
 2(wlan0) entered disabled state
 Fri Nov 14 18:22:27 2014 daemon.notice netifd: Network device 'wlan0' link
 is down
 Fri Nov 14 18:22:28 2014 kern.info kernel: [ 6496.570000] wlan0:
 authenticate with aa:aa:aa:aa:aa:aa
 Fri Nov 14 18:22:28 2014 kern.info kernel: [ 6496.590000] wlan0: send auth
 to aa:aa:aa:aa:aa:aa (try 1/3)
 Fri Nov 14 18:22:28 2014 kern.info kernel: [ 6496.590000] wlan0:
 authenticated
 Fri Nov 14 18:22:28 2014 kern.info kernel: [ 6496.610000] wlan0: associate
 with aa:aa:aa:aa:aa:aa (try 1/3)
 Fri Nov 14 18:22:28 2014 kern.info kernel: [ 6496.610000] wlan0: RX
 AssocResp from aa:aa:aa:aa:aa:aa (capab=0x431 status=0 aid=1)
 Fri Nov 14 18:22:28 2014 kern.info kernel: [ 6496.620000] wlan0:
 associated
 Fri Nov 14 18:22:28 2014 daemon.notice netifd: Network device 'wlan0' link
 is up
 Fri Nov 14 18:22:28 2014 daemon.notice netifd: Bridge 'br-lan' link is
 down
 Fri Nov 14 18:22:28 2014 daemon.notice netifd: Interface 'lan' has link
 connectivity loss
 Fri Nov 14 18:22:29 2014 kern.info kernel: [ 6497.630000] br-lan: port
 2(wlan0) entered forwarding state
 Fri Nov 14 18:22:29 2014 kern.info kernel: [ 6497.640000] br-lan: port
 2(wlan0) entered forwarding state
 Fri Nov 14 18:22:29 2014 daemon.notice netifd: Bridge 'br-lan' link is up
 Fri Nov 14 18:22:29 2014 daemon.notice netifd: Interface 'lan' has link
 connectivity
 Fri Nov 14 18:22:31 2014 kern.info kernel: [ 6499.640000] br-lan: port
 2(wlan0) entered forwarding state
 }}}

 == AP wireless config ==
 {{{
 config wifi-device 'radio0'
         option type 'mac80211'
         option channel '0'
         option hwmode '11ng'
         option path 'platform/ar933x_wmac'
         option htmode 'HT20'
         option noscan '1'
         option country 'IT'
         option distance '3000'
         option txpower '20'
         option disabled '0'

 config wifi-iface 'wifiap'
         option device 'radio0'
         option ifname 'wlan0'
         option network 'lan'
         option mode 'ap'
         option ssid 'VittGam.net'
         option rsn_preauth '0'
         option wds '1'
         option encryption 'wpa2+ccmp'
         option auth_server '1.2.3.4'
         option auth_secret 'blah'
         option auth_cache '1'
         option macaddr 'aa:aa:aa:aa:aa:aa'
         option hidden '0'
         option disabled '0'
         option isolate '0'
         option ieee80211w '1'

 config wifi-iface 'wifista'
         option device 'radio0'
         option ifname 'wlan0-1'
         option network 'wwan'
         option mode 'sta'
         option ssid 'Open Insecure Wifi Network'
         option macaddr 'aa:aa:aa:aa:aa:ab' # device has 2 mac addresses assigned but mac80211 sees only the first one... TODO FIXME in the mach file
         option bssid '12:34:56:78:90:12'
         option encryption 'none'
         option disabled '0'
         option ieee80211w '1'
 }}}

 == STA wireless config ==
 {{{
 config wifi-device 'radio0'
         option type 'mac80211'
         option channel '0'
         option hwmode '11ng'
         option path 'platform/ar933x_wmac'
         option htmode 'HT20'
         option noscan '1'
         option country 'IT'
         option distance '3000'
         option txpower '20'
         option disabled '0'

 config wifi-iface 'wifista'
         option device 'radio0'
         option network 'lan'
         option mode 'sta'
         option ssid 'VittGam.net'
         option rsn_preauth '0'
         option wds '1'
         option encryption 'wpa2+ccmp'
         option ca_cert '/root/wifistacerts/cacert.pem'
         option eap_type 'tls'
         option identity 'blah'
         option client_cert '/root/wifistacerts/clientcert.pem'
         option priv_key '/root/wifistacerts/clientkey.pem'
         option bssid 'aa:aa:aa:aa:aa:aa'
         option macaddr 'cc:cc:cc:cc:cc:cc'
         option hidden '0'
         option disabled '0'
         option ieee80211w '2'
 }}}

 == Relevant AP network config ==
 {{{
 config interface 'lan'
         option ifname 'eth0 eth1'
         option force_link '1'
         option type 'bridge'
         option proto 'static'
         option ipaddr '1.2.4.1'
         option netmask '255.255.255.0'
         option ip6addr 'aaaa::1/64'
         option ip6assign '64'
         option ip6class 'vpn'
 }}}

 == Relevant STA network config ==
 {{{
 config interface 'lan'
         option ifname 'eth0'
         option force_link '1'
         option type 'bridge'
         option proto 'dhcp'
 }}}

 Thank you for your help,
 Vittorio G
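To triage reports like this one from the AP side alone, the hostapd lines can be correlated per STA: a group-key rekey that is followed by a local deauth and a fresh association, with no pairwise handshake in between, matches the symptom above (rekey at 18:12:08, recovery at 18:22:28). The parser and the heuristic below are an added example, not code from the ticket or from OpenWrt; the sample lines are a constructed, unwrapped subset of the AP log above.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the AP-side hostapd lines from this ticket,
# unwrapped onto single lines as syslog actually emits them.
SAMPLE_AP_LOG = """\
Fri Nov 14 18:12:08 2014 daemon.info hostapd: wlan0: STA cc:cc:cc:cc:cc:cc WPA: group key handshake completed (RSN)
Fri Nov 14 18:22:08 2014 daemon.info hostapd: wlan0: STA cc:cc:cc:cc:cc:cc WPA: group key handshake completed (RSN)
Fri Nov 14 18:22:12 2014 daemon.info hostapd: wlan0: STA cc:cc:cc:cc:cc:cc IEEE 802.1X: authenticated - EAP type: 13 (TLS)
Fri Nov 14 18:22:21 2014 daemon.info hostapd: wlan0: STA cc:cc:cc:cc:cc:cc IEEE 802.11: deauthenticated due to local deauth request
Fri Nov 14 18:22:28 2014 daemon.info hostapd: wlan0: STA cc:cc:cc:cc:cc:cc IEEE 802.11: associated (aid 1)
Fri Nov 14 18:22:29 2014 daemon.info hostapd: wlan0: STA cc:cc:cc:cc:cc:cc WPA: pairwise key handshake completed (RSN)
"""

# Matches only hostapd per-STA lines; kernel and netifd lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \S+ hostapd: "
    r"(?P<iface>\S+): STA (?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)

def parse_hostapd_log(text):
    """Return a list of (timestamp, iface, sta_mac, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        events.append((ts, m["iface"], m["sta"], m["msg"]))
    return events

def find_rekey_stalls(events, max_gap_s=900):
    """Flag a STA whose first group-key rekey since its last association is
    followed by a deauth and then a new association within max_gap_s seconds.
    Returns [(sta_mac, rekey_time, seconds_until_reassociation)]."""
    state = {}  # sta -> {"rekey": first rekey time or None, "deauth": bool}
    findings = []
    for ts, _iface, sta, msg in events:
        st = state.setdefault(sta, {"rekey": None, "deauth": False})
        if "group key handshake completed" in msg:
            if st["rekey"] is None:
                st["rekey"] = ts
        elif "IEEE 802.11: deauthenticated" in msg:
            st["deauth"] = True
        elif "IEEE 802.11: associated" in msg:
            if st["rekey"] is not None and st["deauth"]:
                gap = (ts - st["rekey"]).total_seconds()
                if gap <= max_gap_s:
                    findings.append((sta, st["rekey"], int(gap)))
            state[sta] = {"rekey": None, "deauth": False}  # new session
    return findings
```

A hit only says the rekey preceded a forced reconnect; confirming which direction stopped passing traffic still needs a capture or counters on both ends.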

--
Ticket URL: <https://dev.openwrt.org/ticket/18343>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
_______________________________________________
openwrt-tickets mailing list
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-tickets