Bug 1490885 - NetworkManager's mac randomization can lead into MSK mismatch with hostapd and 802.1x
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: wpa_supplicant
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
Assignee: Beniamino Galvani
QA Contact: Ken Benoit
URL:
Whiteboard:
Depends On:
Blocks: 1582508
Reported: 2017-09-12 12:24 UTC by Vladimir Benes
Modified: 2018-10-30 09:49 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1582508 (view as bug list)
Environment:
Last Closed: 2018-10-30 09:48:39 UTC
Target Upstream Version:
Embargoed:


Attachments
wpa_supplicant log (133.84 KB, text/x-vhdl), 2017-09-12 12:42 UTC, Beniamino Galvani
hostapd log (95.04 KB, text/x-vhdl), 2017-09-12 12:42 UTC, Beniamino Galvani
NetworkManager log (963.50 KB, text/plain), 2017-09-12 12:43 UTC, Beniamino Galvani


Links
Red Hat Product Errata RHSA-2018:3107 (last updated 2018-10-30 09:49:25 UTC)

Description Vladimir Benes 2017-09-12 12:24:18 UTC
Description of problem:
When using mac80211_hwsim wifi devices and hostapd with 802.1X authentication, sometimes there is an error:

wlan0: RSN: PMKID mismatch - authentication server may have derived different MSK?!

This is caused by MAC randomization in NM. Once this is turned off it works well.

Version-Release number of selected component (if applicable):
NetworkManager-1.8.0-9.el7.x86_64
wpa_supplicant-2.6-5.el7.x86_64

How reproducible:

It's reproducible with any test from the simwifi area:
https://github.com/NetworkManager/NetworkManager-ci/blob/devel/vb/hostapd_wireless2/nmcli/features/wifi.feature#L30

Comment 1 Beniamino Galvani 2017-09-12 12:42:33 UTC
Created attachment 1324867
wpa_supplicant log

Comment 2 Beniamino Galvani 2017-09-12 12:42:57 UTC
Created attachment 1324868
hostapd log

Comment 3 Beniamino Galvani 2017-09-12 12:43:58 UTC
Created attachment 1324869
NetworkManager log

Comment 4 Beniamino Galvani 2017-09-12 12:47:48 UTC
Looking at the logs, it can be seen that wpa_supplicant still thinks the
interface has the scan random MAC address 66:20:cf:ab:8c:dc, while
hostapd considers 02:00:00:00:00:00 as the STA MAC, leading to a
mismatch of the PMKID:

Sep 12 07:43:41 r5s11 hostapd[5241]: WPA: PMK from EAPOL state machine (MSK len=64 PMK len=32)
Sep 12 07:43:41 r5s11 hostapd[5241]: WPA: 02:00:00:00:00:00 WPA_PTK entering state PTKSTART
Sep 12 07:43:41 r5s11 hostapd[5241]: wlan1: STA 02:00:00:00:00:00 WPA: sending 1/4 msg of 4-Way Handshake
Sep 12 07:43:41 r5s11 hostapd[5241]: #### WPA: aa              - hexdump(len=6): 02 00 00 00 01 00
Sep 12 07:43:41 r5s11 hostapd[5241]: #### WPA: spa             - hexdump(len=6): 02 00 00 00 00 00
Sep 12 07:43:41 r5s11 hostapd[5241]: #### WPA: PMK             - hexdump(len=32): b5 24 76 4f 6f 50 8c f6 a1 2e 24 b8 07 4e 9a 13 1b 94 c4 a8 1f 7e 22 d6 ed fc 7d 43 c7 77 b6 f7
Sep 12 07:43:41 r5s11 hostapd[5241]: #### WPA: computed PMKID  - hexdump(len=16): d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23
Sep 12 07:43:41 r5s11 hostapd[5241]: WPA: Send EAPOL(version=1 secure=0 mic=0 ack=1 install=0 pairwise=1 kde_len=22 keyidx=0 encr=0)

Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: wlan0: WPA: RX message 1 of 4-Way Handshake from 02:00:00:00:01:00 (ver=1)
Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: RSN: msg 1/4 key data - hexdump(len=22): dd 14 00 0f ac 04 d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23
Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: WPA: PMKID in EAPOL-Key - hexdump(len=22): dd 14 00 0f ac 04 d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23
Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: RSN: PMKID from Authenticator - hexdump(len=16): d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23
Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: wlan0: RSN: no matching PMKID found
Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: EAPOL: Successfully fetched key (len=32)
Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: WPA: PMK from EAPOL state machines - hexdump(len=32): [REMOVED]
Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: #### WPA: aa              - hexdump(len=6): 02 00 00 00 01 00
Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: #### WPA: spa             - hexdump(len=6): 66 20 cf ab 8c dc
Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: #### WPA: PMK             - hexdump(len=32): b5 24 76 4f 6f 50 8c f6 a1 2e 24 b8 07 4e 9a 13 1b 94 c4 a8 1f 7e 22 d6 ed fc 7d 43 c7 77 b6 f7
Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: #### WPA: computed PMKID  - hexdump(len=16): ea 73 67 b1 8e 5f 18 43 58 24 e8 1c 47 23 87 71
Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: RSN: Replace PMKSA entry for the current AP and any PMKSA cache entry that was based on the old PMK
Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: nl80211: Delete PMKID for 02:00:00:00:01:00
Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: wlan0: RSN: PMKSA cache entry free_cb: 02:00:00:00:01:00 reason=1
Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: RSN: Added PMKSA cache entry for 02:00:00:00:01:00 network_ctx=0x5630bf85a270
Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: nl80211: Add PMKID for 02:00:00:00:01:00
Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: wlan0: RSN: PMKID mismatch - authentication server may have derived different MSK?!
Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: wlan0: Request to deauthenticate - bssid=02:00:00:00:01:00 pending_bssid=00:00:00:00:00:00 reason=1 state=4WAY_HANDSHAKE
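As an added illustration (not part of the comment above or of the wpa_supplicant/hostapd code), the following Python recomputes the PMKID from the PMK and addresses in the hexdumps, once with the STA address hostapd used and once with the randomized address wpa_supplicant still held, and parses the PMKID KDE out of the msg 1/4 key data. The derivation follows IEEE 802.11 (PMKID = Truncate-128(HMAC(PMK, "PMK Name" || AA || SPA)), HMAC-SHA1 for the classic 802.1X AKM); the AKM hostapd was configured with is an assumption, so treat the SHA-256 switch as a knob rather than the page's setting.

```python
import hmac
import hashlib

# Values copied from the hostapd / wpa_supplicant hexdumps in comment 4.
PMK = bytes.fromhex("b524764f6f508cf6a12e24b8074e9a131b94c4a81f7e22d6edfc7d43c777b6f7")
AA = bytes.fromhex("020000000100")             # authenticator (AP) address, same on both sides
SPA_SEEN_BY_AP = bytes.fromhex("020000000000")  # STA address hostapd used
SPA_SEEN_BY_STA = bytes.fromhex("6620cfab8cdc") # scan-randomised MAC wpa_supplicant still used
MSG1_KEY_DATA = bytes.fromhex("dd14000fac04d8219da573988826ef03d2cef7047d23")  # "RSN: msg 1/4 key data"


def pmkid(pmk, aa, spa, sha256=False):
    """PMKID = Truncate-128(HMAC(PMK, "PMK Name" || AA || SPA)).
    HMAC-SHA1 for the classic 802.1X AKM; HMAC-SHA256 for the SHA-256 based AKMs (assumed knob)."""
    digest = hashlib.sha256 if sha256 else hashlib.sha1
    return hmac.new(pmk, b"PMK Name" + aa + spa, digest).digest()[:16]


def pmkid_from_msg1_key_data(key_data):
    """Walk the KDEs in EAPOL-Key msg 1/4 key data and return the PMKID KDE payload
    (element id 0xdd, OUI 00:0f:ac, data type 4, 16-byte PMKID) or None if absent."""
    i = 0
    while i + 2 <= len(key_data):
        eid, length = key_data[i], key_data[i + 1]
        body = key_data[i + 2:i + 2 + length]
        if eid == 0xDD and len(body) == 20 and body[:4] == b"\x00\x0f\xac\x04":
            return body[4:]
        i += 2 + length
    return None


def supplicant_pmkid_matches(pmk, aa, local_spa, pmkid_from_ap):
    """The check the supplicant performs: recompute with its own idea of SPA and compare."""
    return hmac.compare_digest(pmkid(pmk, aa, local_spa), pmkid_from_ap)


def which_spa_did_ap_use(pmk, aa, candidate_spas, pmkid_from_ap):
    """Diagnostic: which candidate STA address reproduces the AP's PMKID (None if no candidate does)."""
    for spa in candidate_spas:
        if hmac.compare_digest(pmkid(pmk, aa, spa), pmkid_from_ap):
            return spa
    return None


if __name__ == "__main__":
    ap_pmkid = pmkid_from_msg1_key_data(MSG1_KEY_DATA)
    print("PMKID sent by AP:", ap_pmkid.hex())
    print("supplicant's view matches:", supplicant_pmkid_matches(PMK, AA, SPA_SEEN_BY_STA, ap_pmkid))
    hit = which_spa_did_ap_use(PMK, AA, [SPA_SEEN_BY_STA, SPA_SEEN_BY_AP], ap_pmkid)
    print("STA address the AP derived the PMKID with:", hit.hex() if hit else "no candidate (different AKM or PMK?)")
```

The same PMK on both sides with different SPA bytes is enough to produce the "no matching PMKID found" path; a mismatch here therefore does not by itself mean the RADIUS server derived a different MSK.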

Comment 5 Beniamino Galvani 2017-09-15 12:39:33 UTC
Posted patch upstream:

http://lists.infradead.org/pipermail/hostap/2017-September/037936.html

Comment 6 Beniamino Galvani 2018-04-03 08:32:46 UTC
Patch applied upstream:

https://w1.fi/cgit/hostap/commit/?id=77a020a118168e05e7cc0d28a7bf661772e531af

Comment 8 Ken Benoit 2018-09-21 12:17:05 UTC
Vladimir has run 300 loops of testing against wpa_supplicant-2.6-12.el7 and not had the issue initially reported. His testing against wpa_supplicant-2.6-9.el7 had failures every 20-50 runs. Given his results I'm going to mark this as verified. Thanks.

Comment 10 errata-xmlrpc 2018-10-30 09:48:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3107

