When attempting to connect to a WPA-EAP (RADIUS) network, the initial EAP auth succeeds, but the 4-way handshake does not due to a missing PMKSA cache entry. wpa_supplicant then retriggers the full EAP authentication, which fails in the same way. The process repeats itself until all available APs become blacklisted.

Reproducible: Always

Related links:
https://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/wpa_supplicant&id=7562b98bd83fe5bce43e6952e0e922e7791e18b5 (Reason 2: Inability to connect to WPA2-Enterprise networks)
https://forums.gentoo.org/viewtopic-t-1016148-highlight-wpasupplicant.html

Relevant log extract:
WPA: PMK from EAPOL state machines - hexdump(len=32): [REMOVED]
RSN: Added PMKSA cache entry for 00:24:6c:c8:ac:42 network_ctx=0x226a2d0
nl80211: Add PMKID for 00:24:6c:c8:ac:42
wlan0: RSN: no PMKSA entry found - trigger full EAP authentication
wlan0: RSN: Do not reply to msg 1/4 - requesting full EAP authentication
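The failure pattern in the report is easy to miss in a long wpa_supplicant debug log: a PMKSA entry is cached right after EAP succeeds, and a moment later the 4-way handshake reports that no entry exists and triggers EAP again. The following is an added example (not code from the bug report or from the wpa_supplicant project) that scans log lines in the format of the extract above and counts these wasted cache-then-retrigger cycles, so an operator can tell this loop apart from ordinary authentication failures. The sample log text is constructed from the lines quoted in the report; the "Key negotiation completed" line used for the healthy case is assumed to match wpa_supplicant's normal success message.

```python
"""Detect the PMKSA cache / full-EAP re-authentication loop in wpa_supplicant logs.

Added example; the input below is constructed from the lines quoted in the report.
"""
import json
import re
from collections import Counter

# Line patterns taken from the log extract in the report.
ADDED_RE = re.compile(r"RSN: Added PMKSA cache entry for ([0-9a-fA-F:]{17})")
RETRIGGER_RE = re.compile(r"no PMKSA entry found - trigger full EAP authentication")
REFUSE_RE = re.compile(r"Do not reply to msg 1/4")
# Assumed format of wpa_supplicant's success message (not shown in the report).
COMPLETED_RE = re.compile(r"Key negotiation completed with ([0-9a-fA-F:]{17})")

# Constructed sample: two rounds of the loop described in the report.
SAMPLE_LOG = """\
WPA: PMK from EAPOL state machines - hexdump(len=32): [REMOVED]
RSN: Added PMKSA cache entry for 00:24:6c:c8:ac:42 network_ctx=0x226a2d0
nl80211: Add PMKID for 00:24:6c:c8:ac:42
wlan0: RSN: no PMKSA entry found - trigger full EAP authentication
wlan0: RSN: Do not reply to msg 1/4 - requesting full EAP authentication
WPA: PMK from EAPOL state machines - hexdump(len=32): [REMOVED]
RSN: Added PMKSA cache entry for 00:24:6c:c8:ac:42 network_ctx=0x226a2d0
nl80211: Add PMKID for 00:24:6c:c8:ac:42
wlan0: RSN: no PMKSA entry found - trigger full EAP authentication
wlan0: RSN: Do not reply to msg 1/4 - requesting full EAP authentication
"""

# Constructed sample of a successful association for comparison.
HEALTHY_LOG = """\
RSN: Added PMKSA cache entry for 00:24:6c:c8:ac:42 network_ctx=0x226a2d0
nl80211: Add PMKID for 00:24:6c:c8:ac:42
wlan0: WPA: Key negotiation completed with 00:24:6c:c8:ac:42 [PTK=CCMP GTK=CCMP]
"""


def analyze_log(text, min_cycles=2):
    """Count PMKSA cache entries, EAP retriggers and refused handshakes.

    A "wasted cycle" is a PMKSA entry being added and then, before any
    handshake completes, the supplicant reporting that no entry was found.
    The loop is flagged once at least `min_cycles` such cycles occur and
    no handshake ever completed.
    """
    added = Counter()
    completed = Counter()
    retriggers = refusals = cycles = 0
    pending = None  # BSSID whose entry was just cached, awaiting the 4-way handshake

    for line in text.splitlines():
        m = ADDED_RE.search(line)
        if m:
            pending = m.group(1).lower()
            added[pending] += 1
            continue
        if RETRIGGER_RE.search(line):
            retriggers += 1
            if pending is not None:
                cycles += 1  # entry was cached moments ago, yet not found now
                pending = None
            continue
        if REFUSE_RE.search(line):
            refusals += 1
            continue
        m = COMPLETED_RE.search(line)
        if m:
            completed[m.group(1).lower()] += 1
            pending = None

    return {
        "pmksa_added": dict(added),
        "retriggers": retriggers,
        "handshake_refusals": refusals,
        "completed": dict(completed),
        "wasted_cycles": cycles,
        "loop_detected": cycles >= min_cycles and not completed,
    }


if __name__ == "__main__":
    print(json.dumps(analyze_log(SAMPLE_LOG), indent=2))
    print(json.dumps(analyze_log(HEALTHY_LOG), indent=2))
```

Run it against a real `wpa_supplicant -d` log by reading the file into `analyze_log`; a non-zero `wasted_cycles` with an empty `completed` map is the signature of this report, whereas a plain bad password or certificate problem never reaches the "Added PMKSA cache entry" line at all.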
Created attachment 405060 [details] emerge --info
Created attachment 405062 [details] Log with nl80211 driver, 3.14.41 kernel
Created attachment 405064 [details] Log with wext driver, 3.14.41 kernel
wpa_supplicant.conf:

ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="eduroam"
    identity="XXXXXX@york.ac.uk"
    anonymous_identity="@york.ac.uk"
    ca_cert="/etc/ssl/certs/AddTrust_External_Root.pem"
    key_mgmt=WPA-EAP
    eap=TLS TTLS
    phase2="autheap=MSCHAPV2"
    password=hash:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
}
Seems that someone found the offending commit: http://lists.shmoo.com/pipermail/hostap/2015-April/032721.html
Please disregard my previous comment. I've taken a quick look at the commit mentioned in the linked mail, and also built wpa_supplicant with this change reverted, and I'm pretty sure it isn't the cause of the issue. I won't promise anything, but if I can find the time, I'll bisect myself.
As not promised, here's my bisect result:

First bad commit: 35efa2479ff19c3f13e69dc50d2708ce79a99beb
OpenSSL: Allow TLS v1.1 and v1.2 to be negotiated by default
http://w1.fi/cgit/hostap/commit/?id=35efa2479ff19c3f13e69dc50d2708ce79a99beb

And indeed, adding phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" to the network configuration allows me to also connect when using wpa_supplicant-2.4-r3.
Could I get you to report this upstream, so they know how to help other people with it?
I just wrote to the hostap mailing list. Let's see what the devs upstream make of the information.
It is reported upstream; also, it seems like it's a vendor bug in the negotiation. I'm waiting for work to deploy an Aruba update :(
It has been multiple years. If your RADIUS server is still broken, that must suck for you. Closing as obsolete.