ral/wpa_supplicant drops after successful WPA negotiation?
Sam Leffler
sam at errno.com
Tue Feb 28 19:28:58 PST 2006
Peter de Rooij wrote:
> This is follow-up to
> http://docs.FreeBSD.org/cgi/mid.cgi?43FA61A4.8030406 (lengthy!)
>
> In short, I am trying to use WPA with the ral driver (ral0: MAC/BBP
> RT2560 (rev 0x04), RF RT2525) on 6.0 RELEASE. wpa_supplicant seems to
> negotiate successfully but then times out (authentication time-out).
> The debug message is "ral0: [XX:XX:XX:XX:XX:XX] send station
> disassociate (reason 8)"
> I also get an error "ioctl[SIOCS80211, op 20, len 7]: Can't assign
> requested address".
I don't see a log from wpa_supplicant. "reason 8" is (from
net80211/ieee80211.h):
IEEE80211_REASON_ASSOC_LEAVE = 8,
Typically this is what wpa_supplicant sends when it fails to complete
the key exchange fast enough--which in the case of enabling all the
debug msgs could easily occur. The ioctl complaint is (op 20):
#define IEEE80211_IOC_DELKEY 20
so likely uninteresting.
>
> Sam gave a suggestion as to the cause:
>> This sort of looks like the race I fixed in HEAD recently that caused
>> the timer used to identify unanswered mgt frame transmits to trigger
>> unexpectedly.
> but further digging showed it wasn't (symptoms didn't match).
>
> Well, I now can add more info: using Kismet from a separate PC I find
> one instance where the authentication times out *after* sending an
> encrypted data package. It's acknowledged (and then further ignored,
> since it's IPv6) by the AP. See frame 252 below. I can provide full
> details if useful.
> Disabling IPv6 does make no difference (auth time-out) so I would
> guess that it's not related to that.
>
> Excerpt from text export of kismet dump (belkin is the FreeBSD host,
> D-Link is the AP; I deleted all beacons and packets from other APs and
> hosts):
> ============================================================
> No. Time Source Destination Protocol Info
> 207 84.392377 Belkin_14:e8:0a Broadcast Probe
> Request Probe Request,SN=1,FN=0, SSID: Broadcast
> 208 84.392790 D-Link_1a:0b:65 (RA)
> Acknowledgement Acknowledgement
> 209 84.393472 D-Link_05:1e:32 Belkin_14:e8:0a Probe
> Response Probe Response,SN=186,FN=0,BI=1000, SSID: "Epsilon3"
> 210 84.393591 D-Link_05:1e:32 (RA)
> Acknowledgement Acknowledgement
> 219 86.993477 Belkin_14:e8:0a D-Link_05:1e:32
> Authentication Authentication,SN=0,FN=0
> 220 86.993651 Belkin_14:e8:0a (RA)
> Acknowledgement Acknowledgement
> 221 86.994076 D-Link_05:1e:32 Belkin_14:e8:0a
> Authentication Authentication,SN=195,FN=0
> 222 86.994624 Belkin_14:e8:0a D-Link_05:1e:32
> Association Request Association Request,SN=1,FN=0, SSID: "Epsilon3"
> 223 86.994791 Belkin_14:e8:0a (RA)
> Acknowledgement Acknowledgement
> 224 86.995288 D-Link_05:1e:32 Belkin_14:e8:0a
> Authentication Authentication,SN=195,FN=0
> 225 86.995409 D-Link_05:1e:32 (RA)
> Acknowledgement Acknowledgement
> 226 86.996484 D-Link_05:1e:32 Belkin_14:e8:0a
> Association Response Association Response,SN=196,FN=0
> 227 86.996964 D-Link_05:1e:32 Belkin_14:e8:0a
> Association Response Association Response,SN=196,FN=0
> 228 86.997088 D-Link_05:1e:32 (RA)
> Acknowledgement Acknowledgement
> 232 88.270387 fe80::211:50ff:fe14:e80a ff02::2:4c46:3d12
> ICMPv6 Multicast listener report
> 233 88.270620 Belkin_14:e8:0a (RA)
> Acknowledgement Acknowledgement
> 236 90.473873 D-Link_05:1e:32 Belkin_14:e8:0a EAPOL Key
> 237 90.474098 D-Link_05:1e:32 (RA)
> Acknowledgement Acknowledgement
> 238 90.474716 Belkin_14:e8:0a D-Link_05:1e:32 EAPOL Key
> 239 90.474951 Belkin_14:e8:0a (RA)
> Acknowledgement Acknowledgement
> 240 90.477506 D-Link_05:1e:32 Belkin_14:e8:0a EAPOL Key
> 241 90.477735 D-Link_05:1e:32 (RA)
> Acknowledgement Acknowledgement
> 242 90.478066 Belkin_14:e8:0a D-Link_05:1e:32 EAPOL Key
> 243 90.478301 Belkin_14:e8:0a (RA)
> Acknowledgement Acknowledgement
> 244 90.480196 D-Link_05:1e:32 Belkin_14:e8:0a Data
> Data,SN=204,FN=0
> 245 90.480814 D-Link_05:1e:32 Belkin_14:e8:0a Data
> Data,SN=204,FN=0
> 246 90.481250 D-Link_05:1e:32 Belkin_14:e8:0a Data
> Data,SN=204,FN=0
> 247 90.482007 D-Link_05:1e:32 Belkin_14:e8:0a Data
> Data,SN=204,FN=0
> 248 90.482705 D-Link_05:1e:32 Belkin_14:e8:0a Data
> Data,SN=204,FN=0
> 252 93.470464 Belkin_14:e8:0a
> IPv6-Neighbor-Discovery_ff:14:e8:0a Data Data,SN=5,FN=0
> 253 93.470688 Belkin_14:e8:0a (RA)
> Acknowledgement Acknowledgement
> 254 93.471615 Belkin_14:e8:0a
> IPv6-Neighbor-Discovery_ff:14:e8:0a Data Data,SN=208,FN=0
> 281 118.677849 Belkin_14:e8:0a Broadcast Probe
> Request Probe Request,SN=41,FN=0, SSID: Broadcast
> ============================================================
> Frames 244-248 are resends of the same encrypted data by the AP.
kismet packet traces are not very informative; I prefer ethereal. It
appears the station associated and setup the PTK. Past that I see
"Data" frames that are presumably encrypted. There should be an
exchange to setup the GTK that is encrypted using the PTK so presumably
that's it. The frames don't appear to be ACK'd by the station (SN is
the sequence number and it looks to be 204 for each frame from the
AP->STA) so presumably the station dropped it. This is possibly related
to the issues I've seen where ral cards appear to be setup with
incorrect IFS parameters (e.g. slot time) and/or generate frames with
wrong duration settings (so other stations in the bss don't set their
NAV long enough and transmit prematurely clobbering ral frames).
>
> Any suggestion what to do next?
> - buy a new wlan card?
> - buy a new AP?
> - install driver or kernel upgrade?
> - install Sam's bug fix even though it doesn't match the symptoms?
> - do something else that might help pinpoint the issue?
>
> (& don't hesitate to tell me I should post this elsewhere!)
ral is hit&miss for me when operating as a station. Unfortunately I
don't have chip specs and I haven't figured out what's wrong with the
driver based on looking at the linux code. If you want to keep the card
you can see if ndis will work. Otherwise you can buy a different card.
Sam
More information about the freebsd-mobile
mailing list