WPA2 + DumbAP setup causes clients to abort 4-way handshake

I generally followed this guide: https://openwrt.org/docs/guide-user/network/wifi/dumbap, on my Nighthawk X6 (Netgear R8000) to set it up as a dumb access point. Almost everything works, except wireless clients cannot connect to the AP. After entering the WPA2 key (tried from a Windows 10 laptop and an iPhone), they both say "Cannot connect/join this network." It's not a mistyped key, because that results in another error. I turned on verbose logging on all of the wifi radios and interfaces, so I know the following snippet is relevant:

Mon Aug  2 17:06:48 2021 daemon.info hostapd: wlan2: STA (xx:xx:xx:xx) IEEE 802.11: associated
Mon Aug  2 17:06:48 2021 daemon.debug hostapd: wlan2: STA 6(xx:xx:xx:xx) WPA: event 1 notification
Mon Aug  2 17:06:48 2021 daemon.debug hostapd: wlan2: STA (xx:xx:xx:xx) WPA: start authentication
Mon Aug  2 17:06:48 2021 daemon.debug hostapd: wlan2: STA (xx:xx:xx:xx) IEEE 802.1X: unauthorizing port
Mon Aug  2 17:06:48 2021 daemon.debug hostapd: wlan2: STA (xx:xx:xx:xx) WPA: sending 1/4 msg of 4-Way Handshake
Mon Aug  2 17:06:48 2021 daemon.debug hostapd: wlan2: STA (xx:xx:xx:xx) WPA: received EAPOL-Key frame (2/4 Pairwise)
Mon Aug  2 17:06:48 2021 daemon.debug hostapd: wlan2: STA (xx:xx:xx:xx) WPA: sending 3/4 msg of 4-Way Handshake
Mon Aug  2 17:06:48 2021 daemon.info hostapd: wlan2: STA (xx:xx:xx:xx) IEEE 802.11: disassociated
Mon Aug  2 17:06:48 2021 daemon.debug hostapd: wlan2: STA (xx:xx:xx:xx) WPA: event 2 notification
Mon Aug  2 17:06:48 2021 daemon.debug hostapd: wlan2: STA (xx:xx:xx:xx) IEEE 802.1X: unauthorizing port

After some searching I found this post: https://forum.archive.openwrt.org/viewtopic.php?id=59129 and it seems like hostapd / WPA2 may be improperly interacting with the dumb AP configuration (bridged lan) somehow. If I disable WPA2 and leave the network open, I can connect to the network and internet works just fine.

The linked post seems to suggest getting a patch for hostapd, but I'm really hoping there's an easier answer than building hostapd myself. Any help would be appreciated on how to move past this issue.
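The following is an added example, not part of the original post: a small Python triage script that reads hostapd debug lines like the ones quoted above and reports, per station, how far the 4-way handshake got before the client left. The 4/4 message string and the wording of the verdicts are assumptions based on hostapd's usual log format; the sample input is an excerpt of the log in the post.

```python
import re

# Excerpt of the hostapd lines quoted in the post (MAC masked as in the post).
SAMPLE_LOG = """\
Mon Aug  2 17:06:48 2021 daemon.info hostapd: wlan2: STA (xx:xx:xx:xx) IEEE 802.11: associated
Mon Aug  2 17:06:48 2021 daemon.debug hostapd: wlan2: STA (xx:xx:xx:xx) WPA: sending 1/4 msg of 4-Way Handshake
Mon Aug  2 17:06:48 2021 daemon.debug hostapd: wlan2: STA (xx:xx:xx:xx) WPA: received EAPOL-Key frame (2/4 Pairwise)
Mon Aug  2 17:06:48 2021 daemon.debug hostapd: wlan2: STA (xx:xx:xx:xx) WPA: sending 3/4 msg of 4-Way Handshake
Mon Aug  2 17:06:48 2021 daemon.info hostapd: wlan2: STA (xx:xx:xx:xx) IEEE 802.11: disassociated
"""

# Accepts a plain MAC as well as the masked "(xx:xx:xx:xx)" form used in the post.
LINE = re.compile(r"hostapd: (\S+): STA \S*?\(?([0-9A-Fa-fx:]{5,})\)? (.*)")

STAGES = [  # (substring of the hostapd message, handshake stage reached)
    ("sending 1/4 msg", 1),
    ("received EAPOL-Key frame (2/4 Pairwise)", 2),
    ("sending 3/4 msg", 3),
    ("received EAPOL-Key frame (4/4 Pairwise)", 4),  # assumed wording, not in the post
]
VERDICT = {  # interpretation added here, keyed by the highest stage seen
    0: "client left before the handshake started",
    1: "client never answered message 1",
    2: "AP got message 2 but never sent message 3 (e.g. MIC check failed)",
    3: "AP accepted message 2, so the PSK matches; client left after message 3",
    4: "handshake completed before the client left",
}

def diagnose(log_text):
    """Return {(iface, sta): verdict} for every session that ended in the log."""
    stage, results = {}, {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key, msg = (m.group(1), m.group(2)), m.group(3)
        if "IEEE 802.11: associated" in msg:
            stage[key] = 0  # new session, forget earlier attempts
        for needle, n in STAGES:
            if needle in msg:
                stage[key] = max(stage.get(key, 0), n)
        if ("disassociated" in msg or "deauthenticated" in msg) and key in stage:
            results[key] = VERDICT[stage.pop(key)]
    return results

if __name__ == "__main__":
    for (iface, sta), verdict in diagnose(SAMPLE_LOG).items():
        print(f"{iface} {sta}: {verdict}")
```

On a live device the same function can be fed the output of `logread` filtered for hostapd lines.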

Remove 'wpad-basic' and install 'wpad' or 'wpad-openssl'?

Did an opkg remove wpad-basic-wolfssl (which worked), and had to use the web interface to install wpad-openssl; then I rebooted and got the same failure. I wouldn't expect a different libssl/libcrypto to have made a difference with this problem but I am looking at how to configure or change hostapd behavior because it seems to be the orchestrator of the process of getting wireless clients connected to wlan.

What OpenWrt version are you using?

I have the dumb AP with WPA2/PSK as guest wifi running without problems on 19.07.7.

Have you enabled 802.11w management frame protection? I have set it to optional; also, I did not activate KRACK countermeasures.

If that does not help, please post your wifi config /etc/config/wireless with masked keys/MAC addresses.
