[troubleshooting]: Troubleshooting Fedora WiFi authentication issue: IGTK, PMF and 802.11w
Background
Yesterday a client called me, saying that after he changed ISP in his house, one of his devices could no long connect to the WiFi. Troubleshooting the problem on the phone is never easy but I could figure out that the new ISP gave him a crap WiFi Modem/Router combo, that the incriminated device was a work-laptop running Fedora 28 and that when trying to authenticate to the new wireless network the NetworkManager threw the error Connection activation failed
and nothing more.
Troubleshooting
Today I arrived at the client and after the standard troubleshooting I tried connecting with nmcli
which stated: Error: Connection activation failed: (5) IP configuration could not be reserved (no available address, timeout, etc.).
I tried connecting to another WiFi network and it worked so I disabled the authentication to the client AP and tried again, this time with luck.
Logs
I then looked at the logs of both NetworkManager and wpa_supplicant while trying to connect to the AP.
$ journalctl -u NetworkManager.service -u wpa_supplicant -f
...
wpa_supplicant[630]: wlp1s0: WPA: Failed to configure IGTK to the driver
wpa_supplicant[630]: wlp1s0: RSN: Failed to configure IGTK
...
NetworkManager[506]: <warn> [1545883565.5802] sup-iface[0x559849a87da0,wlp1s0]: connection disconnected (reason -1)
...
NetworkManager logs weren’t of any help but wpa_supplicant ones pointed at the right direction:
802.11w
In 2009 the IEEE approved an amendment to the 802.11 standard to increase the security of the management frames exchanged between stations providing a method of authentication: PMF or “Protected Management Frames”.
PMF use is optional and negotiated between the AP and the client and it protects TKIP/AES frames sent after key establishment, so after the four-way handshake.
IGTK, or “Integrated Group Temporal Key” is a key used in RSN for integrity check of broadcast/multicast management frames introduced with the 802.11w
NetworkManager
On Fedora the NetworkManager with version 1.10 exposes a property to configure PMF per WiFi connection. PMF support is determined by wireless driver implementation and chipset capabilities and it’s possible to verify the support of the algorithms used for integrity check with iw
:
$ iw phy0 info | grep -A5 'Supported Ciphers'
Supported Ciphers:
* WEP40 (00-0f-ac:1)
* WEP104 (00-0f-ac:5)
* TKIP (00-0f-ac:2)
* CCMP-128 (00-0f-ac:4)
Available Antennas: TX 0 RX 0
wpa_supplicant behavior
As of version 2.6-15.fc28 wpa_supplicant has compile-time support for PMF and at every connection to a PMF-capable AP it tries to install the IGTK in the driver.
Some drivers however don’t support any of the cipher required and any attemp to connect to the AP fails if PMF is negotiated.
Solution
The fastest solution is to instruct the NM to disable PMF using the nmcli
utility:
//Obtain the connection name with
$ nmcli connection show
//Disable PMF per connection with
$ nmcli connection modify CON_NAME wifi-sec.pmf disable
//Reconnect
nmcli connection up CON_NAME
Otherwise is should be possible to disable PMF globally setting the pmf=0
directive in /etc/wpa_supplicant.conf
In the meantime both NetworkManager and wpa_supplicant have been updated and the bugs resolved so ugrading your system should resolve the issue. Yay!
END.