[gPXE] WPA2-encrypted wireless booting with ath5k

Joshua Oreman oremanj at rwcr.net
Fri Mar 26 20:17:35 EDT 2010 

On Fri, Mar 26, 2010 at 12:00 PM, Alexander Heinz <mailsanmich at gmx.li> wrote:
> Hello!
>
> I would like to start with thanking you for the features you have
> integrated in the last years.
>
> Some years ago I experimented with Etherboot/PXELinux but that was long
> before gPXE was there. HTTP, iSCSI, AOE and even WiFi ... that is just
> amazing!

I'm glad the new features have been helpful!

> However the link does not come up. I get the following error:
>
> Waiting for link-up on net0...WPA 0x2daf8 ALERT: PMKID mismatch in 1/4
> WPA 0x2daa8 ALERT: PMKID mismatch in 1/4
> last message appears 17 times
>  failed: Permission denied (0x0226603c)
> Could not configure net0: Permission denied (0x0226603c)
>
> I am sorry for not providing a detailed log. This PC does not have any
> serial ports, so I cannot use a NULL modem cable to capture the output.

That's fine; the information you've given is very helpful.

gPXE is not able to verify that the pairwise master key checksum sent
by the wireless access point matches what it would expect from a hash
of the access point's and client's MAC addresses. The PMKID checking
is a new feature in WPA2, so you probably have a fairly recent router;
many routers that support WPA2 encryption don't send PMKIDs, so gPXE
skips this check. The check is done before passphrase validation, so
entering the passphrase incorrectly wouldn't cause it.

It's probably a bug in gPXE, but as I don't have equipment that sends
PMKIDs, it's difficult for me to test this. I'll double-check our code
against what the standard says we should be doing. If there's any
chance you could provide a wireless packet capture of both a
successful authentication (not using gPXE) and gPXE's attempts at
authentication, that would be helpful. You'll need an additional
computer placed near the access point; tune it to the channel the AP
is using, set the wireless NIC in "monitor mode", and capture packets.
This is most easily done with the `aircrack-ng' package on Linux, or
KisMAC on a Macintosh.

Thanks for your help, and I hope we can get this resolved!

-- Josh

More information about the gPXE mailing list