[Issue] SSID is visible but cannot join in

[WendySanarwanto]

Synopsis:

When hostapd is configured with WPA-PSK enabled, Passphrase is set and then started, the AP SSID is visible from other devices (e.g.iPhone, macbook, PC). However, when joined the AP SSID, it kept challenging us to enter passphrase, despite we have entered correct passphrase.

When we disable WPA-PSK within /etc/hostapd/hostapd.conf file then re-started hostapd, our devices could join in the network without entering passphrase and all it's good. However, it's not desired since everyone could join in the network which could abuse our AP.

Replication steps:

1. Ensure that DHCP server has been configured & started properly against the wlan0 interface.
2. Configure hostapd.conf file as follow (enabled wpa-psk):

   
   #ctrl_interface=/var/run/hostapd
   #ctrl_interface_group=0
   macaddr_acl=0
   auth_algs=3
   ignore_broadcast_ssid=0

802.11n related stuff

ieee80211n=1 noscan=1 ht_capab=[HT40+][SHORT-GI-20][SHORT-GI-40]

WPA2 settings

wpa=2 wpa_key_mgmt=WPA-PSK wpa_pairwise=TKIP

wpa_pairwise=CCMP

rsn_pairwise=CCMP

CHANGE THE PASSPHRASE

wpa_passphrase=12341234

Most modern wireless drivers in the kernel need driver=nl80211

driver=nl80211

driver=rtl871xdrv max_num_sta=8 beacon_int=100 wme_enabled=1

wpa_group_rekey=86400

device_name=RTL8192CU manufacturer=Realtek

set proper interface

interface=wlan0

bridge=lanbr0

hw_mode=g

best channels are 1 6 11 14 (scan networks first to find which slot is free)

channel=1

this is the network name

ssid=Tornberry

3. Run `sudo /usr/sbin/hostapd -dd /etc/hostapd/hostapd.conf` command to start the `hostapd`. Below are the displayed log messages:

random: Trying to read entropy from /dev/random Configuration file: /etc/hostapd/hostapd.conf drv->ifindex=3 l2_sock_recv==l2_sock_xmit=0x0x152e6c0 BSS count 1, BSSID mask 00:00:00:00:00:00 (0 bits) Allowed channel: mode=1 chan=1 freq=2412 MHz max_tx_power=0 dBm Allowed channel: mode=1 chan=2 freq=2417 MHz max_tx_power=0 dBm Allowed channel: mode=1 chan=3 freq=2422 MHz max_tx_power=0 dBm Allowed channel: mode=1 chan=4 freq=2427 MHz max_tx_power=0 dBm Allowed channel: mode=1 chan=5 freq=2432 MHz max_tx_power=0 dBm Allowed channel: mode=1 chan=6 freq=2437 MHz max_tx_power=0 dBm Allowed channel: mode=1 chan=7 freq=2442 MHz max_tx_power=0 dBm Allowed channel: mode=1 chan=8 freq=2447 MHz max_tx_power=0 dBm Allowed channel: mode=1 chan=9 freq=2452 MHz max_tx_power=0 dBm Allowed channel: mode=1 chan=10 freq=2457 MHz max_tx_power=0 dBm Allowed channel: mode=1 chan=11 freq=2462 MHz max_tx_power=0 dBm Allowed channel: mode=1 chan=12 freq=2467 MHz max_tx_power=0 dBm Allowed channel: mode=1 chan=13 freq=2472 MHz max_tx_power=0 dBm Allowed channel: mode=0 chan=1 freq=2412 MHz max_tx_power=0 dBm Allowed channel: mode=0 chan=2 freq=2417 MHz max_tx_power=0 dBm Allowed channel: mode=0 chan=3 freq=2422 MHz max_tx_power=0 dBm Allowed channel: mode=0 chan=4 freq=2427 MHz max_tx_power=0 dBm Allowed channel: mode=0 chan=5 freq=2432 MHz max_tx_power=0 dBm Allowed channel: mode=0 chan=6 freq=2437 MHz max_tx_power=0 dBm Allowed channel: mode=0 chan=7 freq=2442 MHz max_tx_power=0 dBm Allowed channel: mode=0 chan=8 freq=2447 MHz max_tx_power=0 dBm Allowed channel: mode=0 chan=9 freq=2452 MHz max_tx_power=0 dBm Allowed channel: mode=0 chan=10 freq=2457 MHz max_tx_power=0 dBm Allowed channel: mode=0 chan=11 freq=2462 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=36 freq=5180 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=40 freq=5200 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=44 freq=5220 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=48 freq=5240 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=52 freq=5260 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=56 freq=5280 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=60 freq=5300 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=64 freq=5320 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=100 freq=5500 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=104 freq=5520 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=108 freq=5540 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=112 freq=5560 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=116 freq=5580 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=120 freq=5600 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=124 freq=5620 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=128 freq=5640 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=132 freq=5660 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=136 freq=5680 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=140 freq=5700 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=149 freq=5745 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=153 freq=5765 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=157 freq=5785 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=161 freq=5805 MHz max_tx_power=0 dBm Allowed channel: mode=2 chan=165 freq=5825 MHz max_tx_power=0 dBm HT40: control channel: 1 secondary channel: 5 Completing interface initialization Mode: IEEE 802.11g Channel: 1 Frequency: 2412 MHz DFS 0 channels required radar detection RATE[0] rate=10 flags=0x1 RATE[1] rate=20 flags=0x1 RATE[2] rate=55 flags=0x1 RATE[3] rate=110 flags=0x1 RATE[4] rate=60 flags=0x0 RATE[5] rate=90 flags=0x0 RATE[6] rate=120 flags=0x0 RATE[7] rate=180 flags=0x0 RATE[8] rate=240 flags=0x0 RATE[9] rate=360 flags=0x0 RATE[10] rate=480 flags=0x0 RATE[11] rate=540 flags=0x0 hostapd_setup_bss(hapd=0x152ed60 (wlan0), first=1) wlan0: Flushing old station entries wlan0: Deauthenticate all stations +rtl871x_sta_deauth_ops, ff:ff:ff:ff:ff:ff is deauth, reason=2 rtl871x_set_key_ops rtl871x_set_key_ops rtl871x_set_key_ops rtl871x_set_key_ops Using interface wlan0 with hwaddr e8:4e:06:25:d4:88 and ssid "Tornberry" Deriving WPA PSK based on passphrase SSID - hexdump_ascii(len=9): 54 6f 72 6e 62 65 72 72 79 Tornberry
PSK (ASCII passphrase) - hexdump_ascii(len=8): [REMOVED] PSK (from passphrase) - hexdump(len=32): [REMOVED] rtl871x_set_wps_assoc_resp_ie rtl871x_set_wps_beacon_ie rtl871x_set_wps_probe_resp_ie random: Got 20/20 bytes from /dev/random Get randomness: len=32 entropy=0 GMK - hexdump(len=32): [REMOVED] Get randomness: len=32 entropy=0 Key Counter - hexdump(len=32): [REMOVED] WPA: Delay group state machine start until Beacon frames have been configured rtl871x_set_beacon_ops rtl871x_set_hidden_ssid_ops ioctl[RTL_IOCTL_HOSTAPD]: Invalid argument WPA: Start group state machine to set initial keys WPA: group state machine entering state GTK_INIT (VLAN-ID 0) Get randomness: len=16 entropy=0 GTK - hexdump(len=32): [REMOVED] WPA: group state machine entering state SETKEYSDONE (VLAN-ID 0) rtl871x_set_key_ops wlan0: interface state UNINITIALIZED->ENABLED wlan0: AP-ENABLED wlan0: Setup of interface done. ctrl_iface not configured!

4. Turn on the WiFi of any devices such as mobile phones, PCs, or laptops. Confirm that the AP SSID appears on the device's wireless networks screen. 
5. Join the AP SSID , enter correct passphrase and confirm that the screen returns `Incorrect Passphrase` despite we have entered correct passphrase.
6. Turn off `hostapd`, edit the `/etc/hostapd/hostapd.conf` file and comment lines related to WPA-PSK feature to disable this. Re-started `hostapd`.
7. Back to any devices (e.g. phone). re-join the AP SSID/ Confirm that the device could join the AP without entering passphrase.

System Environments:
-------------------------------
1. Machine which runs `hostapd`: Raspberry Pi 2 model B+
2. OS: Raspbian Pixel 2017
3. Kernel version: 4.4.50-v7+
4. Wireless adapter: Edimax , Realtek Semiconductor Corp. RTL8188CUS 802.11n WLAN Adapter.
5. DHCPD version: 4.3.1, 2004-2014
6. Content of `/etc/network/interfaces`:
```bash
auto lo
iface lo inet loopback
iface eth0 inet dhcp
allow-hotplug wlan0
iface wlan0 inet static
  address 172.24.1.1
  netmask 255.255.255.0

7. Content of /etc/dhcp/dhcpd.conf:

   ddns-update-style none;
   default-lease-time 600;
   max-lease-time 7200;
   authoritative;
   log-facility local7;
   subnet 172.24.1.0 netmask 255.255.255.0 {
   range 172.24.1.10 172.24.1.50;
   option broadcast-address 172.24.1.255;
   option routers 172.24.1.1;
   default-lease-time 600;
   max-lease-time 7200;
   option domain-name "local";
   option domain-name-servers 8.8.8.8, 8.8.4.4;
   }

8. Content of /etc/dhcp/dhclient.conf:

   option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
   send host-name = gethostname();
   request subnet-mask, broadcast-address, time-offset, routers,
   domain-name, domain-name-servers, domain-search, host-name,
   dhcp6.name-servers, dhcp6.domain-search,
   netbios-name-servers, netbios-scope, interface-mtu,
   rfc3442-classless-static-routes, ntp-servers;

9. Content of /etc/dhcpcd.conf:

   hostname
   clientid
   persistent
   option rapid_commit
   option domain_name_servers, domain_name, domain_search, host_name
   option classless_static_routes
   option ntp_servers
   require dhcp_server_identifier
   slaac private
   nohook lookup-hostname

10. Content of /etc/iptables/rules.v4:

    # Generated by iptables-save v1.4.21 on Mon Apr 24 00:15:13 2017
    *filter
    :INPUT ACCEPT [79:5524]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [82:6760]
    -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i wlan0 -o eth0 -j ACCEPT
    -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i wlan0 -o eth0 -j ACCEPT
    -A FORWARD -i ppp0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i wlan0 -o ppp0 -j ACCEPT
    COMMIT
    # Completed on Mon Apr 24 00:15:13 2017
    # Generated by iptables-save v1.4.21 on Mon Apr 24 00:15:13 2017
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [4:248]
    :POSTROUTING ACCEPT [2:96]
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -o ppp0 -j MASQUERADE
    COMMIT
    # Completed on Mon Apr 24 00:15:13 2017

11. Displayed info after running ifconfig:

    
    eth0      Link encap:Ethernet  HWaddr b8:27:eb:ef:77:00  
          inet6 addr: fe80::7993:aba6:c46:942d/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:253 errors:0 dropped:0 overruns:0 frame:0 TX packets:253 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1 RX bytes:20560 (20.0 KiB) TX bytes:20560 (20.0 KiB)

ppp0 Link encap:Point-to-Point Protocol
inet addr:10.137.145.95 P-t-P:10.64.64.64 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:17883 errors:0 dropped:0 overruns:0 frame:0 TX packets:18374 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:16792283 (16.0 MiB) TX bytes:2124141 (2.0 MiB)

wlan0 Link encap:Ethernet HWaddr e8:4e:06:25:d4:88
inet addr:172.24.1.1 Bcast:172.24.1.255 Mask:255.255.255.0 inet6 addr: fe80::7e43:9bf2:23ce:79b2/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:4 overruns:0 frame:0 TX packets:220 errors:0 dropped:80 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:341281 (333.2 KiB) TX bytes:650141 (634.9 KiB)

[WendySanarwanto]

Hello All,

Some people have encountered this issue since they've upgraded their Raspbian with newest version of linux kernel. The workaround for this issue are explained as follow:

• Uninstall/remove current hostapd: sudo apt-get autoremove hostapd
• Reinstall hostapd version v2.3 or above : sudo apt-get install hostapd
• Create a file 8192cu.conf inside /etc/modprobe.d/ directory and paste this string inside the file:

  options 8192cu rtw_power_mgnt=0 rtw_enusbss=0 rtw_hwpwrp_detect=0 rtw_ips_mode=1

  Then save the changes.

• Modify /etc/hostapd/hostapd.conf by commenting #driver=rtl871xdrv and re-added driver=nl80211 entry. Here's the working sample of this file:

  
  ## Basic setup

interface=wlan0

bridge=br1

driver=rtl871xdrv

driver=nl80211 hw_mode=g channel=1 macaddr_acl=0 country_code=ID

ieee80211n=1 # 802.11n support wmm_enabled=1 # QoS support ieee80211d=1 # limit the frequencies used to those allowed in the country

ssid=PiAP auth_algs=1 # 1=wpa, 2=wep, 3=both wpa=2 wpa_key_mgmt=WPA-PSK wpa_pairwise=TKIP rsn_pairwise=CCMP wpa_passphrase=12341234

- Reboot the system. Confirm that the Raspberry Pi is turned as a proper internet Hotspot AP, secured by WPA-PSK now.

Hereby, I suggested this issue can be closed, and hopefully this finding could be useful for other people whom are stumbled with this problem.

Cheers.

Reference: https://www.raspberrypi.org/forums/viewtopic.php?f=28&t=152603&p=1009804