[gPXE] WPA2-encrypted wireless booting with ath5k

Joshua Oreman oremanj at rwcr.net
Fri Mar 26 20:37:50 EDT 2010 

On Fri, Mar 26, 2010 at 8:17 PM, Joshua Oreman <oremanj at rwcr.net> wrote:
> On Fri, Mar 26, 2010 at 12:00 PM, Alexander Heinz <mailsanmich at gmx.li> wrote:
>> Hello!
>>
>> I would like to start with thanking you for the features you have
>> integrated in the last years.
>>
>> Some years ago I experimented with Etherboot/PXELinux but that was long
>> before gPXE was there. HTTP, iSCSI, AOE and even WiFi ... that is just
>> amazing!
>
> I'm glad the new features have been helpful!
>
>> However the link does not come up. I get the following error:
>>
>> Waiting for link-up on net0...WPA 0x2daf8 ALERT: PMKID mismatch in 1/4
>> WPA 0x2daa8 ALERT: PMKID mismatch in 1/4
>> last message appears 17 times
>>  failed: Permission denied (0x0226603c)
>> Could not configure net0: Permission denied (0x0226603c)
>>
>> I am sorry for not providing a detailed log. This PC does not have any
>> serial ports, so I cannot use a NULL modem cable to capture the output.
>
> That's fine; the information you've given is very helpful.
>
> gPXE is not able to verify that the pairwise master key checksum sent
> by the wireless access point matches what it would expect from a hash
> of the access point's and client's MAC addresses. The PMKID checking
> is a new feature in WPA2, so you probably have a fairly recent router;
> many routers that support WPA2 encryption don't send PMKIDs, so gPXE
> skips this check. The check is done before passphrase validation, so
> entering the passphrase incorrectly wouldn't cause it.

Sorry, this is incorrect - the pairwire master key is derived from the
passphrase, so it's possible an incorrect passphrase would result in
this error. However, upon reading the 802.11 standard it's not
actually required that one verify the PMKID. Thus, if you would, try
applying the following patch:

diff --git a/src/net/80211/wpa.c b/src/net/80211/wpa.c
index 9bac8fe..d319936 100644
--- a/src/net/80211/wpa.c
+++ b/src/net/80211/wpa.c
@@ -574,7 +574,6 @@ static int wpa_handle_1_of_4 ( struct wpa_common_ctx *ctx,
                                if ( rc < 0 ) {
                                        DBGC ( ctx, "WPA %p ALERT: PMKID "
                                               "mismatch in 1/4\n", ctx );
-                                       return wpa_fail ( ctx, rc );
                                }
                        }

(i.e. remove the "return wpa_fail(ctx, rc);" on line 577 of
gpxe/src/net/80211/wpa.c) and see if you're now able to authenticate,
and if not, what errors you get.

Thanks!

-- Josh

More information about the gPXE mailing list