# Can't connect to hostapd when wpa(2) is enabled

## pa4wdh

Hi All,

I'm trying to setup hostapd by following this guide: http://wireless.kernel.org/en/users/Documentation/hostapd

When i use it as an open AP it works and the client is able to connect and receives an IP address from the running dhcp server. However, when i enable wpa and/or wpa2 it doesn't work at all.

My hardware is a virtualbox instance with a USB Wifi adapter:

Bus 001 Device 006: ID 050d:11f2 Belkin Components ISY Wireless Micro Adapter IWL 2000 [RTL8188CUS]

My current configuration is:

```

interface=wlan0

driver=nl80211

ssid=test

channel=1

hw_mode=g

wme_enabled=1

ieee80211n=1

ht_capab=[HT40+][SHIRT-GI-40][DSSS_CCK-40]

macaddr_acl=0

auth_algs=1

ignore_broadcast_ssid=0

wpa=3

wpa_passphrase=123457890

wpa_key_mgmt=WPA-PSK

wpa_pairwise=TKIP

rsn_pairwise=CCMP

```

I've made some logging with hostapd -dd /etc/hostapd/hostapd-minimal.conf, i've grepped on the client's MAC address and replaced the MAC address itself with CLIENT-MAC-ADDR, if required i can upload the full log file (110KB):

```

authentication: STA=CLIENT-MAC-ADDR auth_alg=0 auth_transaction=1 status_code=0 wep=0

ap_sta_add: register ap_handle_timer timeout for CLIENT-MAC-ADDR (300 seconds - ap_max_inactivity)

wlan0: STA CLIENT-MAC-ADDR IEEE 802.11: authentication OK (open system)

wlan0: STA CLIENT-MAC-ADDR MLME: MLME-AUTHENTICATE.indication(CLIENT-MAC-ADDR, OPEN_SYSTEM)

wlan0: STA CLIENT-MAC-ADDR MLME: MLME-DELETEKEYS.request(CLIENT-MAC-ADDR)

authentication reply: STA=CLIENT-MAC-ADDR auth_alg=0 auth_transaction=2 resp=0 (IE len=0)

wlan0: STA CLIENT-MAC-ADDR IEEE 802.11: authenticated

association request: STA=CLIENT-MAC-ADDR capab_info=0x431 listen_interval=1

HT: STA CLIENT-MAC-ADDR HT Capabilities Info: 0x012c

update_sta_ht STA CLIENT-MAC-ADDR - no greenfield, num of non-gf stations 1

update_sta_ht STA CLIENT-MAC-ADDR - 20 MHz HT, num of 20MHz HT STAs 1

wlan0: STA CLIENT-MAC-ADDR IEEE 802.11: association OK (aid 1)

wlan0: STA CLIENT-MAC-ADDR IEEE 802.11: associated (aid 1)

wlan0: STA CLIENT-MAC-ADDR MLME: MLME-ASSOCIATE.indication(CLIENT-MAC-ADDR)

wlan0: STA CLIENT-MAC-ADDR MLME: MLME-DELETEKEYS.request(CLIENT-MAC-ADDR)

   addr=CLIENT-MAC-ADDR

wlan0: STA CLIENT-MAC-ADDR WPA: event 1 notification

   addr=CLIENT-MAC-ADDR

wlan0: STA CLIENT-MAC-ADDR WPA: start authentication

WPA: CLIENT-MAC-ADDR WPA_PTK entering state INITIALIZE

   addr=CLIENT-MAC-ADDR

wlan0: STA CLIENT-MAC-ADDR IEEE 802.1X: unauthorizing port

WPA: CLIENT-MAC-ADDR WPA_PTK_GROUP entering state IDLE

WPA: CLIENT-MAC-ADDR WPA_PTK entering state AUTHENTICATION

WPA: CLIENT-MAC-ADDR WPA_PTK entering state AUTHENTICATION2

WPA: CLIENT-MAC-ADDR WPA_PTK entering state INITPSK

WPA: CLIENT-MAC-ADDR WPA_PTK entering state PTKSTART

wlan0: STA CLIENT-MAC-ADDR WPA: sending 1/4 msg of 4-Way Handshake

hostapd_new_assoc_sta: reschedule ap_handle_timer timeout for CLIENT-MAC-ADDR (300 seconds - ap_max_inactivity)

nl80211: New station CLIENT-MAC-ADDR

IEEE 802.1X: CLIENT-MAC-ADDR TX status - version=2 type=3 length=95 - ack=1

WPA: EAPOL-Key TX status for STA CLIENT-MAC-ADDR ack=1

wlan0: STA CLIENT-MAC-ADDR WPA: EAPOL-Key timeout

WPA: CLIENT-MAC-ADDR WPA_PTK entering state PTKSTART

wlan0: STA CLIENT-MAC-ADDR WPA: sending 1/4 msg of 4-Way Handshake

IEEE 802.1X: CLIENT-MAC-ADDR TX status - version=2 type=3 length=95 - ack=1

WPA: EAPOL-Key TX status for STA CLIENT-MAC-ADDR ack=1

wlan0: STA CLIENT-MAC-ADDR WPA: EAPOL-Key timeout

WPA: CLIENT-MAC-ADDR WPA_PTK entering state PTKSTART

wlan0: STA CLIENT-MAC-ADDR WPA: sending 1/4 msg of 4-Way Handshake

IEEE 802.1X: CLIENT-MAC-ADDR TX status - version=2 type=3 length=95 - ack=1

WPA: EAPOL-Key TX status for STA CLIENT-MAC-ADDR ack=1

wlan0: STA CLIENT-MAC-ADDR WPA: EAPOL-Key timeout

WPA: CLIENT-MAC-ADDR WPA_PTK entering state PTKSTART

wlan0: STA CLIENT-MAC-ADDR WPA: sending 1/4 msg of 4-Way Handshake

IEEE 802.1X: CLIENT-MAC-ADDR TX status - version=2 type=3 length=95 - ack=1

WPA: EAPOL-Key TX status for STA CLIENT-MAC-ADDR ack=1

wlan0: STA CLIENT-MAC-ADDR WPA: EAPOL-Key timeout

WPA: CLIENT-MAC-ADDR WPA_PTK entering state PTKSTART

wlan0: STA CLIENT-MAC-ADDR WPA: PTKSTART: Retry limit 4 reached

WPA: CLIENT-MAC-ADDR WPA_PTK entering state DISCONNECT

wpa_sta_disconnect STA CLIENT-MAC-ADDR

hostapd_wpa_auth_disconnect: WPA authenticator requests disconnect: STA CLIENT-MAC-ADDR reason 2

wlan0: STA CLIENT-MAC-ADDR WPA: event 3 notification

   addr=CLIENT-MAC-ADDR

ap_sta_disconnect: reschedule ap_handle_timer timeout for CLIENT-MAC-ADDR (5 seconds - AP_MAX_INACTIVITY_AFTER_DEAUTH)

WPA: CLIENT-MAC-ADDR WPA_PTK entering state DISCONNECTED

WPA: CLIENT-MAC-ADDR WPA_PTK entering state INITIALIZE

   addr=CLIENT-MAC-ADDR

wlan0: STA CLIENT-MAC-ADDR IEEE 802.1X: unauthorizing port

STA CLIENT-MAC-ADDR acknowledged deauth

Removing STA CLIENT-MAC-ADDR from kernel driver

wlan0: STA CLIENT-MAC-ADDR MLME: MLME-DEAUTHENTICATE.indication(CLIENT-MAC-ADDR, 2)

wlan0: STA CLIENT-MAC-ADDR MLME: MLME-DELETEKEYS.request(CLIENT-MAC-ADDR)

   addr=CLIENT-MAC-ADDR

nl80211: Delete station CLIENT-MAC-ADDR

ap_handle_timer: CLIENT-MAC-ADDR flags=0x8a80 timeout_next=3

wlan0: STA CLIENT-MAC-ADDR IEEE 802.11: deauthenticated due to local deauth request

ap_free_sta: cancel ap_handle_timer for CLIENT-MAC-ADDR

authentication: STA=CLIENT-MAC-ADDR auth_alg=0 auth_transaction=1 status_code=0 wep=0

ap_sta_add: register ap_handle_timer timeout for CLIENT-MAC-ADDR (300 seconds - ap_max_inactivity)

wlan0: STA CLIENT-MAC-ADDR IEEE 802.11: authentication OK (open system)

wlan0: STA CLIENT-MAC-ADDR MLME: MLME-AUTHENTICATE.indication(CLIENT-MAC-ADDR, OPEN_SYSTEM)

wlan0: STA CLIENT-MAC-ADDR MLME: MLME-DELETEKEYS.request(CLIENT-MAC-ADDR)

authentication reply: STA=CLIENT-MAC-ADDR auth_alg=0 auth_transaction=2 resp=0 (IE len=0)

authentication: STA=CLIENT-MAC-ADDR auth_alg=0 auth_transaction=1 status_code=0 wep=0

wlan0: STA CLIENT-MAC-ADDR IEEE 802.11: authentication OK (open system)

wlan0: STA CLIENT-MAC-ADDR MLME: MLME-AUTHENTICATE.indication(CLIENT-MAC-ADDR, OPEN_SYSTEM)

wlan0: STA CLIENT-MAC-ADDR MLME: MLME-DELETEKEYS.request(CLIENT-MAC-ADDR)

authentication reply: STA=CLIENT-MAC-ADDR auth_alg=0 auth_transaction=2 resp=0 (IE len=0)

wlan0: STA CLIENT-MAC-ADDR IEEE 802.11: authenticated

wlan0: STA CLIENT-MAC-ADDR IEEE 802.11: authenticated

association request: STA=CLIENT-MAC-ADDR capab_info=0x431 listen_interval=1

HT: STA CLIENT-MAC-ADDR HT Capabilities Info: 0x012c

update_sta_ht STA CLIENT-MAC-ADDR - no greenfield, num of non-gf stations 1

update_sta_ht STA CLIENT-MAC-ADDR - 20 MHz HT, num of 20MHz HT STAs 1

wlan0: STA CLIENT-MAC-ADDR IEEE 802.11: association OK (aid 1)

wlan0: STA CLIENT-MAC-ADDR IEEE 802.11: associated (aid 1)

wlan0: STA CLIENT-MAC-ADDR MLME: MLME-ASSOCIATE.indication(CLIENT-MAC-ADDR)

wlan0: STA CLIENT-MAC-ADDR MLME: MLME-DELETEKEYS.request(CLIENT-MAC-ADDR)

   addr=CLIENT-MAC-ADDR

wlan0: STA CLIENT-MAC-ADDR WPA: event 1 notification

   addr=CLIENT-MAC-ADDR

wlan0: STA CLIENT-MAC-ADDR WPA: start authentication

WPA: CLIENT-MAC-ADDR WPA_PTK entering state INITIALIZE

   addr=CLIENT-MAC-ADDR

wlan0: STA CLIENT-MAC-ADDR IEEE 802.1X: unauthorizing port

WPA: CLIENT-MAC-ADDR WPA_PTK_GROUP entering state IDLE

WPA: CLIENT-MAC-ADDR WPA_PTK entering state AUTHENTICATION

WPA: CLIENT-MAC-ADDR WPA_PTK entering state AUTHENTICATION2

WPA: CLIENT-MAC-ADDR WPA_PTK entering state INITPSK

WPA: CLIENT-MAC-ADDR WPA_PTK entering state PTKSTART

wlan0: STA CLIENT-MAC-ADDR WPA: sending 1/4 msg of 4-Way Handshake

hostapd_new_assoc_sta: reschedule ap_handle_timer timeout for CLIENT-MAC-ADDR (300 seconds - ap_max_inactivity)

nl80211: New station CLIENT-MAC-ADDR

IEEE 802.1X: CLIENT-MAC-ADDR TX status - version=2 type=3 length=95 - ack=1

WPA: EAPOL-Key TX status for STA CLIENT-MAC-ADDR ack=1

wlan0: STA CLIENT-MAC-ADDR WPA: EAPOL-Key timeout

WPA: CLIENT-MAC-ADDR WPA_PTK entering state PTKSTART

wlan0: STA CLIENT-MAC-ADDR WPA: sending 1/4 msg of 4-Way Handshake

IEEE 802.1X: CLIENT-MAC-ADDR TX status - version=2 type=3 length=95 - ack=1

WPA: EAPOL-Key TX status for STA CLIENT-MAC-ADDR ack=1

wlan0: STA CLIENT-MAC-ADDR WPA: EAPOL-Key timeout

WPA: CLIENT-MAC-ADDR WPA_PTK entering state PTKSTART

wlan0: STA CLIENT-MAC-ADDR WPA: sending 1/4 msg of 4-Way Handshake

IEEE 802.1X: CLIENT-MAC-ADDR TX status - version=2 type=3 length=95 - ack=1

WPA: EAPOL-Key TX status for STA CLIENT-MAC-ADDR ack=1

wlan0: STA CLIENT-MAC-ADDR WPA: EAPOL-Key timeout

WPA: CLIENT-MAC-ADDR WPA_PTK entering state PTKSTART

wlan0: STA CLIENT-MAC-ADDR WPA: sending 1/4 msg of 4-Way Handshake

IEEE 802.1X: CLIENT-MAC-ADDR TX status - version=2 type=3 length=95 - ack=1

WPA: EAPOL-Key TX status for STA CLIENT-MAC-ADDR ack=1

wlan0: STA CLIENT-MAC-ADDR WPA: EAPOL-Key timeout

WPA: CLIENT-MAC-ADDR WPA_PTK entering state PTKSTART

wlan0: STA CLIENT-MAC-ADDR WPA: PTKSTART: Retry limit 4 reached

WPA: CLIENT-MAC-ADDR WPA_PTK entering state DISCONNECT

wpa_sta_disconnect STA CLIENT-MAC-ADDR

hostapd_wpa_auth_disconnect: WPA authenticator requests disconnect: STA CLIENT-MAC-ADDR reason 2

wlan0: STA CLIENT-MAC-ADDR WPA: event 3 notification

   addr=CLIENT-MAC-ADDR

ap_sta_disconnect: reschedule ap_handle_timer timeout for CLIENT-MAC-ADDR (5 seconds - AP_MAX_INACTIVITY_AFTER_DEAUTH)

WPA: CLIENT-MAC-ADDR WPA_PTK entering state DISCONNECTED

WPA: CLIENT-MAC-ADDR WPA_PTK entering state INITIALIZE

   addr=CLIENT-MAC-ADDR

wlan0: STA CLIENT-MAC-ADDR IEEE 802.1X: unauthorizing port

STA CLIENT-MAC-ADDR acknowledged deauth

Removing STA CLIENT-MAC-ADDR from kernel driver

wlan0: STA CLIENT-MAC-ADDR MLME: MLME-DEAUTHENTICATE.indication(CLIENT-MAC-ADDR, 2)

wlan0: STA CLIENT-MAC-ADDR MLME: MLME-DELETEKEYS.request(CLIENT-MAC-ADDR)

   addr=CLIENT-MAC-ADDR

nl80211: Delete station CLIENT-MAC-ADDR

```

I'm quite unfamiliar with WiFi protocols in general and hostapd any help is greatly appreciated.

----------

## pa4wdh

3 weeks, more than 180 reads and nobody is able to help ?   :Shocked: 

Just to be sure i'm bumping it to give it a second chance.   :Cool: 

Thanks in advance for any help or suggestion.

----------

## Logicien

This is my personnal configuration. country_code=CA and some other options should be change for your country and needs. I use channel=2. I am alone using this channel. I do not interfere with other access points in the wireless network neighborhood.

In /etc/hostapd/hostapd.accept, only the MAC address of allowed wireless cards are listed. In /etc/hostapd/hostapd.deny, I have nothing. Everything work without problem.

Note that the kernel of the access point must forward the packets and the firewall must make the NAT.

/etc/hostapd/hostapd.conf:

```

interface=wlan0

driver=nl80211

logger_syslog=-1

logger_syslog_level=2

logger_stdout=-1

logger_stdout_level=2

dump_file=/tmp/hostapd.dump

ctrl_interface=/var/run/hostapd

ctrl_interface_group=0

ssid=hello

country_code=CA

hw_mode=g

channel=2

beacon_int=100

dtim_period=2

max_num_sta=255

rts_threshold=2347

fragm_threshold=2346

macaddr_acl=1

accept_mac_file=/etc/hostapd/hostapd.accept

auth_algs=1

ignore_broadcast_ssid=0

wmm_enabled=1

wmm_ac_bk_cwmin=4

wmm_ac_bk_cwmax=10

wmm_ac_bk_aifs=7

wmm_ac_bk_txop_limit=0

wmm_ac_bk_acm=0

wmm_ac_be_aifs=3

wmm_ac_be_cwmin=4

wmm_ac_be_cwmax=10

wmm_ac_be_txop_limit=0

wmm_ac_be_acm=0

wmm_ac_vi_aifs=2

wmm_ac_vi_cwmin=3

wmm_ac_vi_cwmax=4

wmm_ac_vi_txop_limit=94

wmm_ac_vi_acm=0

wmm_ac_vo_aifs=2

wmm_ac_vo_cwmin=2

wmm_ac_vo_cwmax=3

wmm_ac_vo_txop_limit=47

wmm_ac_vo_acm=0

eapol_key_index_workaround=0

eap_server=0

wpa=3

wpa_passphrase=hello

wpa_key_mgmt=WPA-PSK

wpa_pairwise=TKIP

rsn_pairwise=CCMP
```

----------

## pa4wdh

Thanks for sharing your configuration. Unfortunately it didn't work out for me. It seems stuck in the same way as with my first post, it seems the AP doesn't receive a response in phase 1/4 of the setup. The client (a phone) just tells me that the passphase was incorrect and offers me to try again. I've set the passphrase to something as easy as possible to avoid typos on the phone so i'm quite sure i entered it correct.

Do you have any suggestions to troubleshoot this ?

----------

## Aiken

From what I can see the rtl8188cus uses the rtl8192cu driver. I have some usb rtl8192cu devices I tried both on client machines and with hostapd on the server. Won't put in print what I think of them.

I think last time I looked at them was around kernel 3.8. On the clients they could not maintain a connection to the ap. When I tried a rtl8192cu with hostapd then clients had trouble connecting and if they did manage to connect the connection dropped out shortly after. A work around that worked for some people was load the rtl8192cu module with the option swenc=1 to force encryption to be done in software. That did not work for me. I have been using usb wna110 and rt5370 devices since.

You having trouble with encryption where unencrypted worked reminded me of this.

----------

## pa4wdh

Thanks for your suggestion Aiken, you are indeed right about the driver.

Since i usually don't use modules i provided the parameter on the kernel commandline, but that didn't work. After that i recompiled the kernel to use modules and loaded the rtl8192 module with the swenc=1 parameter, but that also didn't change the behavior.

----------

## Logicien

You should try to connect as client with your Belkin wireless card who use the rtl8192 module for wlan0. If it can connect to an AP or in Haddoc mode and work, the problem can come the fact that the card cannot act as an Access Point. Did you check in the Supported interface modes if wlan0 can act as an AP  when you do

```
iw list | less
```

----------

## pa4wdh

I'm quite sure it supports AP mode, because that's why i started experimenting with hostapd  :Smile:  I think this is confirmed because it works as an open AP without encryption.

But to be sure: The "iw list" command shows IBSS, managed, AP, AP/VLAN, monitor, P2P-client and P2P-GO as supported interface modes.

Before i started experimenting with hostapd i used it for my daily work and everything worked as expected, so i'm sure the hardware is ok.

----------

