Connection problems with WPA2-EAP (Linksys WRT3200ACM)

Hello together,

I have connection problems when I am connected to my wifi network. I am using the encryption method "WPA2-EAP" and a separate Windows RADIUS server. I am losing the connection and my IP after 1 or 2 hours. I have to wait a few minutes and then I am reconnected. The AP (Linksys WRT3200ACM) is only a pass-through to the RADIUS server. I also have two other networks (BYOD & Guests) with the encryption method "WPA2-PSK" and there are no connection problems. I am using "OpenWrt 18.06.4 r7808-ef686b7292" and "wpad 2018-05-21-62566bc2-6". I also checked the logs from the Windows RADIUS server and there are no errors.

My wireless config:

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option ssid 'RADIUS-NETWORK'
	option network '115_RADIUS'
	option disassoc_low_ack '0'
	option encryption 'wpa2+ccmp'
	option auth_server 'XXX'
	option auth_secret 'XXX'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option nasid 'AccessPoint5'

System Log:




Mon Sep  2 09:10:48 2019 daemon.info hostapd: wlan1: STA 18:3d:a2:66:3a:80 IEEE 802.11: associated (aid 1)
Mon Sep  2 09:10:48 2019 daemon.notice hostapd: wlan1: CTRL-EVENT-EAP-STARTED 18:3d:a2:66:3a:80
Mon Sep  2 09:10:48 2019 daemon.notice hostapd: wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Mon Sep  2 09:10:51 2019 daemon.notice hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT 18:3d:a2:66:3a:80
Mon Sep  2 09:10:51 2019 daemon.info hostapd: wlan1: STA 18:3d:a2:66:3a:80 IEEE 802.11: authenticated
Mon Sep  2 09:10:57 2019 daemon.notice hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT 18:3d:a2:66:3a:80
Mon Sep  2 09:11:09 2019 daemon.notice hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT 18:3d:a2:66:3a:80
Mon Sep  2 09:11:29 2019 daemon.notice hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT 18:3d:a2:66:3a:80
Mon Sep  2 09:11:49 2019 daemon.notice hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT 18:3d:a2:66:3a:80
Mon Sep  2 09:12:09 2019 daemon.notice hostapd: wlan1: CTRL-EVENT-EAP-RETRANSMIT 18:3d:a2:66:3a:80
Mon Sep  2 09:12:09 2019 daemon.notice hostapd: wlan1: CTRL-EVENT-EAP-TIMEOUT-FAILURE 18:3d:a2:66:3a:80
Mon Sep  2 09:12:11 2019 kern.debug kernel: [3338862.064627] ieee80211 phy1: staid 3 deleted
Mon Sep  2 09:12:14 2019 daemon.info hostapd: wlan1: STA 18:3d:a2:66:3a:80 IEEE 802.11: deauthenticated due to local deauth request
Mon Sep  2 13:37:57 2019 daemon.info hostapd: wlan1: STA 18:3d:a2:66:3a:80 IEEE 802.11: disassociated due to inactivity
Mon Sep  2 13:37:58 2019 daemon.info hostapd: wlan1: STA 18:3d:a2:66:3a:80 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)

I would bet you found just another bug in the wifi drivers for that router: https://github.com/kaloz/mwlwifi/issues

I made a bug report on https://bugs.openwrt.org/. I will try to report that on GitHub too.

Are there any workarounds at the moment? Should I try to use a Linux RADIUS server?

This looks exactly like what I have on my OpenWrt router, so chances are you have the same issue:

When using WPA-EAP, the PTK key is automatically rekeyed each hour if you do not override it with a special config setting. The result is that when you use WPA-EAP you also have PSK rekeying enabled each hour without any additional setting. And without hostapd/wpa_supplicant debugging there are no log messages when rekeying. (There is now a warning in kernel >= 5.20 when it's considered dangerous.)

And PSK-rekeying is really broken, starting from the IEEE 802.11 specification (impossible to rekey a busy connection without frame losses) down to most drivers (not doing it right). The result is that rekeying only works in a few device/driver combinations OR if the link is idle when rekeying. If either the AP or the STA doesn't get it right, any traffic between the AP and the STA while rekeying has an excellent chance to trick the replay protection of at least one station into dropping all packets until the connection is rekeyed again. I found and opened a bug for that three years ago: https://dev.archive.openwrt.org/ticket/18966

The only "simple" fix for that at the moment is to disable the rekeying. For that we have to add the hostapd config option "eap_reauth_period=0" to our hostapd config. (In the past I was able to simply configure it via uci, but on my OpenWrt 18.06.2 the setting is not added to the hostapd.conf and is therefore without effect. I have to dig deeper to figure out why that is no longer working.)

To test if you really have a rekey issue, try enabling rekey also for PSK; that is still working:

root@sam:~# uci set wireless.@wifi-iface[2].wpa_pair_rekey='30'
root@sam:~# uci show wireless.@wifi-iface[2]
wireless.cfg053579=wifi-iface
wireless.cfg053579.device='radio0'
wireless.cfg053579.mode='ap'
wireless.cfg053579.ssid='mywlan'
wireless.cfg053579.network='WLAN2'
wireless.cfg053579.encryption='psk2+ccmp'
wireless.cfg053579.key='********'
wireless.cfg053579.wpa_pair_rekey='30'
root@sam:~# uci commit
root@sam:~# wifi
root@sam:~# grep rekey /var/run/hostapd-phy0.conf
wpa_ptk_rekey=30
root@sam:~# 

This sets the rekey interval to 30s. Start streaming a video and ping your default GW. You should have multiple 30s long connection losses within 5min, probably a 30s working/30s broken loop.
But that depends on many factors and it may sometimes work for some rekeys. (The outages should all be 30s long, though.)

Mac80211 from the 4.20 kernel has an important - but still incomplete - fix for the issue. So trunk or OpenWrt 19.07 could fix the issue in some cases.

1 Like
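The post above notes that a uci setting may never reach the generated hostapd config, so the generated file is the place to check. The following is an added example, not code from the thread or from OpenWrt: it lists each BSS with its key management, `eap_reauth_period` and `wpa_ptk_rekey`, and names the EAP BSSs where `eap_reauth_period=0` is not in effect. The function names and the sample config are constructed for illustration; the 3600 s value is hostapd's documented default when `eap_reauth_period` is absent.

```shell
#!/bin/sh
# Added example, not from the thread: audit a generated hostapd config.

audit_hostapd_conf() {
    # $1: generated config, e.g. /var/run/hostapd-phy0.conf as in the post.
    # Prints one tab-separated line per BSS.
    awk '
        function emit(   r) {
            if (name == "") return
            r = reauth
            # hostapd default: EAP reauthentication every 3600 s when unset
            if (r == "") r = (mgmt ~ /EAP/) ? "3600(default)" : "n/a"
            printf "%s\tssid=%s\tkey_mgmt=%s\teap_reauth_period=%s\twpa_ptk_rekey=%s\n",
                   name, ssid, mgmt, r, (rekey == "" ? "unset" : rekey)
        }
        /^[ \t]*#/ { next }                       # comment lines
        { eq = index($0, "="); if (!eq) next      # not key=value
          key = substr($0, 1, eq - 1); val = substr($0, eq + 1) }
        key == "interface" || key == "bss" {      # a new BSS section starts
            emit(); name = val; ssid = mgmt = reauth = rekey = ""; next
        }
        key == "ssid"              { ssid = val }
        key == "wpa_key_mgmt"      { gsub(/ +/, ",", val); mgmt = val }
        key == "eap_reauth_period" { reauth = val }
        key == "wpa_ptk_rekey"     { rekey = val }
        END { emit() }
    ' "$1"
}

eap_bss_with_reauth() {
    # BSS names that use EAP and where "eap_reauth_period=0" is NOT in effect.
    audit_hostapd_conf "$1" |
        awk -F'\t' '$3 ~ /EAP/ && $4 != "eap_reauth_period=0" { print $1 }'
}

sample_conf() {  # constructed sample of a generated config, placeholder values
    printf '%s\n' interface=wlan1 ssid=RADIUS-NETWORK 'wpa_key_mgmt=WPA-EAP FT-EAP' \
        bss=wlan1-1 ssid=BYOD wpa_key_mgmt=WPA-PSK wpa_ptk_rekey=30 \
        bss=wlan1-2 ssid=EAP-FIXED wpa_key_mgmt=WPA-EAP eap_reauth_period=0
}

tmp=$(mktemp); sample_conf > "$tmp"
audit_hostapd_conf "$tmp"
echo "EAP BSSs still reauthenticating: $(eap_bss_with_reauth "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```

On a router, run `audit_hostapd_conf` against each `/var/run/hostapd-phy*.conf` after `wifi` has regenerated the files.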

On this device, rekeying is particularly broken, and will break any WDS connection.

@alexw65500 Thank you for that advice! It works for me!
@eduperez Also thanks to you!