Ettore Dreucci
Failed to Configure IGTK
21 Aug 2019
Ettore Dreucci
3 minute read

[troubleshooting]: Troubleshooting Fedora WiFi authentication issue: IGTK, PMF and 802.11w

Background

Yesterday a client called me, saying that after he changed ISP in his house, one of his devices could no long connect to the WiFi. Troubleshooting the problem on the phone is never easy but I could figure out that the new ISP gave him a crap WiFi Modem/Router combo, that the incriminated device was a work-laptop running Fedora 28 and that when trying to authenticate to the new wireless network the NetworkManager threw the error Connection activation failed and nothing more.

Troubleshooting

Today I arrived at the client and after the standard troubleshooting I tried connecting with nmcli which stated: Error: Connection activation failed: (5) IP configuration could not be reserved (no available address, timeout, etc.).

I tried connecting to another WiFi network and it worked so I disabled the authentication to the client AP and tried again, this time with luck.

Logs

I then looked at the logs of both NetworkManager and wpa_supplicant while trying to connect to the AP.

$ journalctl -u NetworkManager.service -u wpa_supplicant -f
...
wpa_supplicant[630]: wlp1s0: WPA: Failed to configure IGTK to the driver
wpa_supplicant[630]: wlp1s0: RSN: Failed to configure IGTK
...
NetworkManager[506]: <warn>  [1545883565.5802] sup-iface[0x559849a87da0,wlp1s0]: connection disconnected (reason -1)
...

NetworkManager logs weren’t of any help but wpa_supplicant ones pointed at the right direction:

802.11w

In 2009 the IEEE approved an amendment to the 802.11 standard to increase the security of the management frames exchanged between stations providing a method of authentication: PMF or “Protected Management Frames”.

PMF use is optional and negotiated between the AP and the client and it protects TKIP/AES frames sent after key establishment, so after the four-way handshake.

IGTK, or “Integrated Group Temporal Key” is a key used in RSN for integrity check of broadcast/multicast management frames introduced with the 802.11w

NetworkManager

On Fedora the NetworkManager with version 1.10 exposes a property to configure PMF per WiFi connection. PMF support is determined by wireless driver implementation and chipset capabilities and it’s possible to verify the support of the algorithms used for integrity check with iw:

$ iw phy0 info | grep -A5 'Supported Ciphers'
    Supported Ciphers:
        * WEP40 (00-0f-ac:1)
        * WEP104 (00-0f-ac:5)
        * TKIP (00-0f-ac:2)
        * CCMP-128 (00-0f-ac:4)
    Available Antennas: TX 0 RX 0

wpa_supplicant behavior

As of version 2.6-15.fc28 wpa_supplicant has compile-time support for PMF and at every connection to a PMF-capable AP it tries to install the IGTK in the driver.

Some drivers however don’t support any of the cipher required and any attemp to connect to the AP fails if PMF is negotiated.

Solution

The fastest solution is to instruct the NM to disable PMF using the nmcli utility:

//Obtain the connection name with
$ nmcli connection show

//Disable PMF per connection with
$ nmcli connection modify CON_NAME wifi-sec.pmf disable

//Reconnect
nmcli connection up CON_NAME

Otherwise is should be possible to disable PMF globally setting the pmf=0 directive in /etc/wpa_supplicant.conf

In the meantime both NetworkManager and wpa_supplicant have been updated and the bugs resolved so ugrading your system should resolve the issue. Yay!

END.


back EdgeRouter Wireshark capture
Pure-FTPd, Let's Encrypt and Certbot hooks next
github linkedin keybase email rss