[FS#3857] WPA2 Enterprise auth fails for Apple devices on mt76

Sun Jun 6 13:21:27 PDT 2021

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below. 

User who did this - Jonathan Rudenberg (titanous) 

Attached to Project - OpenWrt/LEDE Project
Summary - WPA2 Enterprise auth fails for Apple devices on mt76
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Critical
Priority - Very Low
Reported Version - Trunk
Due in Version - Undecided
Due Date - Undecided
Details - There appears to be a regression caused by the recent [[https://github.com/openwrt/openwrt/commit/eefed841b05c3cd4c65a78b50ce0934d879e6acf|hostapd upgrade]].

I have a Linksys E8450 (mt7622) AP that was working well before the hostapd version upgrade (I bisected to confirm) but now my Apple devices fail to authenticate via WPA2 EAP-TLS. A Chromebook can authenticate and connect with no issues, and WPA2-PSK works fine for all devices.

Notably there are no issues when connecting to an ath10k AP when running the same revision, so it seems like this issue may be specific to the combination of WPA2 Enterprise, mt76, and Apple clients. Log snippet below, the key error appears to be "received EAPOL-Key 2/4 Pairwise with unexpected replay counter".

hostapd: wlan0: STA 6a:dd:0a:xx:xx:xx IEEE 802.1X: decapsulated EAP packet (code=3 id=133 len=4) from RADIUS server: EAP Success
hostapd: wlan1: CTRL-EVENT-EAP-SUCCESS2 6a:dd:0a:xx:xx:xx
hostapd: wlan0: STA 6a:dd:0a:xx:xx:xx IEEE 802.1X: Sending EAP Packet (identifier 133)
hostapd: wlan0: STA 6a:dd:0a:xx:xx:xx WPA: sending 1/4 msg of 4-Way Handshake
hostapd: wlan0: STA 6a:dd:0a:xx:xx:xx WPA: EAPOL-Key timeout
hostapd: wlan0: STA 6a:dd:0a:xx:xx:xx WPA: sending 1/4 msg of 4-Way Handshake
hostapd: wlan0: STA 6a:dd:0a:xx:xx:xx WPA: EAPOL-Key timeout
hostapd: wlan0: STA 6a:dd:0a:xx:xx:xx WPA: sending 1/4 msg of 4-Way Handshake
hostapd: wlan0: STA 6a:dd:0a:xx:xx:xx WPA: received EAPOL-Key frame (2/4 Pairwise)
hostapd: wlan0: STA 6a:dd:0a:xx:xx:xx WPA: sending 3/4 msg of 4-Way Handshake
hostapd: wlan0: STA 6a:dd:0a:xx:xx:xx WPA: Process SNonce update from STA based on retransmitted EAPOL-Key 1/4
hostapd: wlan0: STA 6a:dd:0a:xx:xx:xx WPA: received EAPOL-Key frame (2/4 Pairwise)
hostapd: wlan0: STA 7a:dd:0a:xx:xx:xx WPA: sending 3/4 msg of 4-Way Handshake
hostapd: wlan0: STA 6a:dd:0a:xx:xx:xx WPA: received EAPOL-Key 2/4 Pairwise with unexpected replay counter
hostapd: wlan0: STA 6a:dd:0a:xx:xx:xx WPA: EAPOL-Key timeout
hostapd: wlan0: STA 6a:dd:0a:xx:xx:xx WPA: sending 3/4 msg of 4-Way Handshake

More information can be found at the following URL:
https://bugs.openwrt.org/index.php?do=details&task_id=3857

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.