cozybit / wpa_supplicant-o11s-legacy


Mesh Network with SAE authentication is not working. #9

Open srinivasneeli opened 10 years ago

srinivasneeli commented 10 years ago

Hi,

-> I am trying to make a secured mesh. My test setup is given below.

Test setup:

-> Two Linux desktop machines loaded with ath9k modules, with which I created mesh virtual interfaces.

-> As suggested in the link below, I downloaded wpa_supplicant and built it for my kernel. https://github.com/cozybit/wpa_supplicant/wiki/wpa_supplicant-and-11s

-> For the mesh interface I am running wpa_supplicant. My wpa_supplicant file looks like this:

    network={
        ssid="SecuredMesh"
        mode=5
        key_mgmt=SAE
        psk="securedpassword"
    }

I used the command below to run wpa_supplicant:

    ./wpa_supplicant -Dnl80211 -i mesh -c wpa.conf

-> Once the above wpa_supplicant command is executed, I am able to see beacons with the RSN Information element.

-> Authentication frames are exchanged for SAE authentication. I am able to see from the wpa_supplicant debug messages that the PMK is generated on the two machines. After authentication is done, the next phase is peering. Neither of the Linux machines is sending Action frames for peering to be done, and my supplicant debug messages show the error below.

    SAE: peer-send-confirm 0
    AUTH: 04:f0:21:09:7d:98 - event 0 notification
    Get randomness: len=32 entropy=0
    mesh1: MPM authenticating 04:f0:21:09:7d:98
    nl80211: Send Action frame (ifindex=9, freq=5805 MHz wait=0 ms no_cck=0)
    nl80211: CMD_FRAME freq=5805 wait=0 no_cck=0 no_ack=0 offchanok=1
    nl80211: Frame command failed: ret=-67 (Link has been severed) (freq=5805 wait=0)
    mesh1: Mesh MPM: failed to send peering frame

-> When I replaced the wpa_supplicant configuration with key_mgmt=NONE, I am able to create a mesh without any issue.

Can anyone help me with how to enable SAE authentication? Is there anything I am missing from my configuration?

chunyeow commented 10 years ago

I have observed that your action frame is sent on frequency 5805 MHz, or channel 161. If you set the frequency on both of the mesh nodes, does this work? Such as the following:

    network={
        .......
        frequency=5805
    }
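
Added example, not part of the thread or of the wpa_supplicant sources: a small Python linter that parses `network={...}` blocks and reports, for mesh blocks (`mode=5`), a missing `frequency`, an open `key_mgmt=NONE` mesh, or a `psk` that is not a quoted 8 to 63 character passphrase. The function names and finding texts are assumptions made for illustration, and the sample is the block from the question.

```python
import re

# Constructed sample: the network block from the question, which has no frequency.
SAMPLE_CONF = '''
network={
    ssid="SecuredMesh"
    mode=5
    key_mgmt=SAE
    psk="securedpassword"
}
'''


def parse_networks(text):
    """Return one dict of key -> raw value per network={...} block."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S):
        fields = {}
        for line in body.splitlines():
            key, sep, value = line.strip().partition("=")
            if sep and not key.startswith("#"):
                fields[key.strip()] = value.strip()
        networks.append(fields)
    return networks


def lint_mesh(fields):
    """Return findings for one block; non-mesh blocks (mode != 5) are skipped."""
    findings = []
    if fields.get("mode") != "5":
        return findings
    key_mgmt = fields.get("key_mgmt", "")
    psk = fields.get("psk", "")
    quoted = psk[:1] == '"' and psk[-1:] == '"' and 8 <= len(psk) - 2 <= 63
    if key_mgmt == "NONE":
        findings.append("open mesh: peers are not authenticated, frames are not encrypted")
    elif key_mgmt == "SAE" and not quoted:
        findings.append("psk should be a quoted passphrase of 8 to 63 characters")
    if not fields.get("frequency", "").isdigit():
        findings.append("no frequency: set the same value on every node")
    return findings


def lint_config(text):
    return [(n.get("ssid", "?"), lint_mesh(n)) for n in parse_networks(text)]


if __name__ == "__main__":
    print(lint_config(SAMPLE_CONF))
```
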

chunyeow commented 10 years ago

Also, I think that you need the following patch:

https://git.kernel.org/cgit/linux/kernel/git/linville/wireless-testing.git/patch/?id=ac49e1a8969eeb819c4fc2eced9ee9ef9f35a4a9

srinivasneeli commented 10 years ago

-> I added the frequency field in my supplicant file. Somehow I missed it in the above comment.

-> With the patch which you provided, I am able to make a secured mesh. Thanks for your support.

srinivasneeli commented 10 years ago

Hi,

Now I am facing a new issue when I am running the supplicant on two different kernel versions. The following error message is present in the supplicant debug messages:

    authentication reply: STA=xx:xx:xx:xx:xx:xx auth_alg=3 auth_transaction=1 resp=0 (IE len=98)
    nl80211: No monitor socket available for wpa_driver_nl80211_send_mntr
    send_auth_reply: send: Invalid argument
    nl80211: Event message available
    nl80211: New peer candidate xx:xx:xx:xx:xx:xx
    mesh1: Event NEW_PEER_CANDIDATE (51) received
    mesh1: new peer notification for xx:xx:xx:xx:xx:xx
    mesh1: Removing interface mesh1

Am I missing anything? Can you help me?

twpedersen commented 10 years ago

Yes, it looks like wpa_supplicant is trying to send a frame before the station entry had been inserted. Did you try with the patch linked by Chun-Yeow applied on both ends?

chunyeow commented 10 years ago

    nl80211: No monitor socket available for wpa_driver_nl80211_send_mntr
    mesh1: Removing interface mesh1

Besides the suggested step from Thomas, did you turn off the connection manager or try to unmanage your WiFi device used for mesh?

srinivasneeli commented 10 years ago

Hi,

I applied the patch you provided on my two machines. I brought the connection manager down with the command below:

Stop network-manager.

I still have the "no monitor socket available" issue. Can you tell me which versions of the libnl and libssl packages I have to install? Other than these two, do any other dependency packages need to be installed?

chunyeow commented 10 years ago

You can apply this patch to try to disable the monitor interface: https://gist.github.com/chunyeow/7745801

I think that it should have "Device supports TX status socket option" for ath9k to disable the monitor interface.

srinivasneeli commented 10 years ago

Hi,

Thanks for your support. With your support I am able to create a secured mesh.

-> I am able to see the SAE authentication phase and the peering phase. All the devices have created MTK and GTK.

-> I manually assigned IP addresses to the three machines in the same subnet and tried to ping each other. I am not able to ping the other mesh peer. In my protocol analyzer I am seeing encrypted frames, which I guess are ARP request frames.

-> Is the other mesh point not able to respond to the ARP request?

-> Even DHCP is not working. Are there any additional things I have to build/configure?

Thanks for responding to my questions.

chunyeow commented 10 years ago

What is the hardware that you are using? Hardware encryption may not work for some devices and you may need to load with "no_hwcrypt=1".