Description of problem: when using mac80211_hwsim wifi devices and hostapd with 8021.x authentication sometimes there is an error: wlan0: RSN: PMKID mismatch - authentication server may have derived different MSK?! this is caused by mac randomization in NM. Once this is turned of it works well. Version-Release number of selected component (if applicable): How reproducible: NetworkManager-1.8.0-9.el7.x86_64 wpa_supplicant-2.6-5.el7.x86_64 it's reproducible with any test from simwifi area: https://github.com/NetworkManager/NetworkManager-ci/blob/devel/vb/hostapd_wireless2/nmcli/features/wifi.feature#L30
Created attachment 1324867 [details] wpa_supplicant log
Created attachment 1324868 [details] hostapd log
Created attachment 1324869 [details] NetworkManager log
Looking at logs, it can be seen that wpa_supplicant still thinks the interface has the scan random MAC address 66:20:cf:ab:8c:dc, while hostapd considers 02:00:00:00:00:00 as the STA MAC, leading to a mismatch of the PMKID: Sep 12 07:43:41 r5s11 hostapd[5241]: WPA: PMK from EAPOL state machine (MSK len=64 PMK len=32) Sep 12 07:43:41 r5s11 hostapd[5241]: WPA: 02:00:00:00:00:00 WPA_PTK entering state PTKSTART Sep 12 07:43:41 r5s11 hostapd[5241]: wlan1: STA 02:00:00:00:00:00 WPA: sending 1/4 msg of 4-Way Handshake Sep 12 07:43:41 r5s11 hostapd[5241]: #### WPA: aa - hexdump(len=6): 02 00 00 00 01 00 Sep 12 07:43:41 r5s11 hostapd[5241]: #### WPA: spa - hexdump(len=6): 02 00 00 00 00 00 Sep 12 07:43:41 r5s11 hostapd[5241]: #### WPA: PMK - hexdump(len=32): b5 24 76 4f 6f 50 8c f6 a1 2e 24 b8 07 4e 9a 13 1b 94 c4 a8 1f 7e 22 d6 ed fc 7d 43 c7 77 b6 f7 Sep 12 07:43:41 r5s11 hostapd[5241]: #### WPA: computed PMKID - hexdump(len=16): d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23 Sep 12 07:43:41 r5s11 hostapd[5241]: WPA: Send EAPOL(version=1 secure=0 mic=0 ack=1 install=0 pairwise=1 kde_len=22 keyidx=0 encr=0) Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: wlan0: WPA: RX message 1 of 4-Way Handshake from 02:00:00:00:01:00 (ver=1) Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: RSN: msg 1/4 key data - hexdump(len=22): dd 14 00 0f ac 04 d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23 Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: WPA: PMKID in EAPOL-Key - hexdump(len=22): dd 14 00 0f ac 04 d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23 Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: RSN: PMKID from Authenticator - hexdump(len=16): d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23 Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: wlan0: RSN: no matching PMKID found Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: EAPOL: Successfully fetched key (len=32) Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: WPA: PMK from EAPOL state machines - hexdump(len=32): [REMOVED] Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: #### WPA: aa - hexdump(len=6): 02 00 00 00 01 00 Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: #### WPA: spa - hexdump(len=6): 66 20 cf ab 8c dc Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: #### WPA: PMK - hexdump(len=32): b5 24 76 4f 6f 50 8c f6 a1 2e 24 b8 07 4e 9a 13 1b 94 c4 a8 1f 7e 22 d6 ed fc 7d 43 c7 77 b6 f7 Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: #### WPA: computed PMKID - hexdump(len=16): ea 73 67 b1 8e 5f 18 43 58 24 e8 1c 47 23 87 71 Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: RSN: Replace PMKSA entry for the current AP and any PMKSA cache entry that was based on the old PMK Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: nl80211: Delete PMKID for 02:00:00:00:01:00 Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: wlan0: RSN: PMKSA cache entry free_cb: 02:00:00:00:01:00 reason=1 Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: RSN: Added PMKSA cache entry for 02:00:00:00:01:00 network_ctx=0x5630bf85a270 Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: nl80211: Add PMKID for 02:00:00:00:01:00 Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: wlan0: RSN: PMKID mismatch - authentication server may have derived different MSK?! Sep 12 07:43:41 r5s11 wpa_supplicant[5214]: wlan0: Request to deauthenticate - bssid=02:00:00:00:01:00 pending_bssid=00:00:00:00:00:00 reason=1 state=4WAY_HANDSHAKE
Posted patch upstream: http://lists.infradead.org/pipermail/hostap/2017-September/037936.html
Patch applied upstream: https://w1.fi/cgit/hostap/commit/?id=77a020a118168e05e7cc0d28a7bf661772e531af
Vladimir has run 300 loops of testing against wpa_supplicant-2.6-12.el7 and not had the issue initially reported. His testing against wpa_supplicant-2.6-9.el7 had failures every 20-50 runs. Given his results I'm going to mark this as verified. Thanks.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:3107