Network Testing and Emulation Solutions

Corrupting EAPOL-Key 3/4 Handshake Message RSNXE WPA-Key Information Elements

Goal: Manually override RSN-Extension-Element (RSNXE) of 3 of 4-way EAPOL authentication handshake messages sent by a LANforge system in AP Mode for testing purposes.

The rsnxe_override_eapol field in LANforge Custom WiFi Parameters provides the capability to corrupt a specific information element of EAPOL-Key Message 3 of 4 in a WPA3 authentication sequence using SAE with encrypted management frames (802.11w). The Robust Security Network Extension Element (RSNXE), which communicates and confirms certain aspects of the security negotiation such as "SAE-hash-to-element", must be identical in the Beacon/Probe Response frames and in the EAPOL-Key messages; this override corrupts the RSNXE carried in message 3/4, provoking an authentication failure with a distinctive supplicant message: WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4.
 
  1. Initial Setup for WPA3-Authentication Testing with Simultaneous Authentication of Equals (SAE).
    The setup requires AP and station NIC drivers capable of SAE (this example uses MediaTEK radios with the ath10k (988x) driver), with encrypted management frames (802.11w) enabled, WPA3 enabled, and WPA2-PSK authentication disabled on both the station and the AP.
    1. Set up a virtual AP for testing.
      In this test, it is named vap0000 on parent device wiphy0.

      For more information see Create VAP in Bridge Mode

    2. On a separate radio, create a station to authenticate with vap0000:
      In the Port Manager tab, select wiphy1 and click Create; select WiFi STA, then click Apply.
      In this test, the station is named wlan1 on parent device wiphy1.

      For more information see Generating Traffic for WLAN Testing

    3. Configure vap0000 and wlan1 to use WPA3-SAE encrypted authentication.
      Ensure that 802.11w is enabled, since it is required for WPA3.

      For more information see Setting up WPA3

    4. Configure vap0000 and wlan1 with SSID test-wpa2-psk and Keyphrase qwertyuiop.
    5. Create a Monitor Port on its own radio to sniff wireless packets.
      In this test, the monitor port is named moni3a.

      For more information see Using Wireshark to Sniff WiFi Monitors

  2. Control (No Change):

    1. Configure Custom WiFi in vap0000:
      Select vap0000 and click Modify.
      Navigate to the Custom WiFi tab.
      Ensure that no sae_commit_override parameter is set in User-Specified supplicant/hostapd configuration text.
      Click Apply then OK.
    2. Set the vAP down and back up to allow changes to take effect:
      In the Port Manager tab, select vap0000.
      Admin all selected interfaces DOWN (CTRL-PLUS).
      Admin all selected interfaces UP (CTRL-MINUS).
    3. Sniff packets to observe the authentication behavior:
      On the observation system in the Port Manager tab, select only moni3a:
      Click Sniff Packets.
    4. Observe the results, which should be similar to the following:
      - The station wlan1 succeeds in authenticating with vap0000.
      - LANforge WiFi Messages shows WPA: Key negotiation completed.
    5. Example results:
      1. Behavior in LANforge WiFi Messages (control test screenshot)
  3. RSNXE Mismatch in EAPOL-Key Message 3/4:
    1. Configure Custom WiFi in vap0000:
      Select vap0000 and click Modify.
      Navigate to the Custom WiFi tab.
      In the User-Specified supplicant/hostapd configuration text field, enter:
      rsnxe_override_eapol=F40100
      Click Apply then OK.
    2. Reset ports and sniff packets:
      Repeat steps 2 through 4 of Step 2 (admin the vAP down and up, then sniff packets on moni3a).
    3. Observe the results, which should be similar to the following:
      - Message 2/4 appears only as encrypted data in Wireshark because 802.11w is enabled.
      - The station wlan1 fails to authenticate with vap0000.
      - LANforge WiFi Messages reports WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4 and then CTRL-EVENT-DISCONNECTED with reason 17: Information element in 4-way handshake different from (Re-)associate request/Probe response/Beacon.
      - The station sends a Deauthentication management frame with Reason code: Information element in 4-way Handshake different from (Re)Association Request/Probe Response/Beacon frame (0x0011).
      - Compare the RSNXE in EAPOL-Key Message 3 of 4 with the RSNXE in the Beacon to see the mismatch.
    4. Example results:
      1. Behavior in LANforge WiFi Messages (RSNXE override test screenshot)
      2. Deauthentication frame (RSNXE override test screenshot)
      3. EAPOL-Key Message 3 of 4 (RSNXE override test screenshot)
      4. Beacon (RSNXE override test screenshot)
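The consistency check that the introduction describes and that Step 3 triggers can be reproduced offline. The Python below is an added illustration, not LANforge, hostapd or wpa_supplicant code: it decodes the rsnxe_override_eapol value F40100 as an information element (element ID 0xF4 = 244, length 1, one capability octet of 0x00), parses a constructed Beacon IE sequence and a constructed plaintext EAPOL-Key msg 3/4 Key Data (the RSNE and RSNXE as they would appear after the Key Data has been unwrapped), and compares the two RSNXEs the way a supplicant does, producing reason code 17 on mismatch. The Beacon RSNXE capability octet 0x20 (SAE hash-to-element bit set) and the RSNE contents are assumptions chosen for the example.

```python
"""Supplicant-style RSNXE consistency check between Beacon and EAPOL-Key msg 3/4.

Added example; all frame data below is constructed, not captured."""

RSNE_ID = 0x30                   # element ID 48, RSN element
RSNXE_ID = 0xF4                  # element ID 244, RSN Extension element
REASON_IE_IN_4WAY_DIFFERS = 17   # 802.11 reason code 17 (0x0011)

# Capability bits in the first RSNXE octet (bits 0-3 hold the field length).
RSNXE_CAP_BITS = {4: "Protected TWT", 5: "SAE hash-to-element", 6: "SAE-PK"}


def parse_ies(blob: bytes) -> dict:
    """Split a raw IE sequence into {element_id: body}. A truncated element
    raises ValueError instead of being silently accepted."""
    ies = {}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated IE header")
        eid, length = blob[i], blob[i + 1]
        body = blob[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError(f"truncated IE {eid}")
        ies[eid] = body
        i += 2 + length
    return ies


def decode_override(value: str) -> dict:
    """Decode a rsnxe_override_eapol hex string into its IE fields."""
    ies = parse_ies(bytes.fromhex(value))
    body = ies.get(RSNXE_ID)
    if body is None:
        raise ValueError("override does not contain an RSNXE")
    return {"element_id": RSNXE_ID, "length": len(body),
            "capabilities": describe_rsnxe(body)}


def describe_rsnxe(body: bytes) -> list:
    """Names of the capability bits set in the first RSNXE octet."""
    if not body:
        return []
    return [name for bit, name in RSNXE_CAP_BITS.items() if body[0] & (1 << bit)]


def check_rsnxe(beacon_ies: bytes, msg3_key_data: bytes):
    """Return (ok, reason). Mirrors the supplicant rule: the RSNXE must be
    byte-identical in Beacon/ProbeResp and msg 3/4 (both absent also passes)."""
    beacon_rsnxe = parse_ies(beacon_ies).get(RSNXE_ID)
    msg3_rsnxe = parse_ies(msg3_key_data).get(RSNXE_ID)
    if beacon_rsnxe == msg3_rsnxe:
        return True, None
    return False, REASON_IE_IN_4WAY_DIFFERS


# Constructed RSNE: version 1, group CCMP, pairwise CCMP, AKM SAE, caps 0.
RSNE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac08 0000")
BEACON_IES = RSNE + bytes.fromhex("f40120")          # assumed: H2E advertised
MSG3_KEY_DATA_OK = RSNE + bytes.fromhex("f40120")    # consistent handshake
MSG3_KEY_DATA_OVERRIDE = RSNE + bytes.fromhex("F40100")  # the cookbook value


if __name__ == "__main__":
    print("override decodes to:", decode_override("F40100"))
    print("control:", check_rsnxe(BEACON_IES, MSG3_KEY_DATA_OK))
    print("override:", check_rsnxe(BEACON_IES, MSG3_KEY_DATA_OVERRIDE))
```

With the override in place the msg 3/4 RSNXE carries a capability octet of 0x00 while the Beacon advertises 0x20, so the comparison fails and the supplicant reports reason 17, which is the CTRL-EVENT-DISCONNECTED and the Deauthentication reason code 0x0011 seen in the test results above. Parsing the Beacon and Key Data separately, rather than comparing only the capability octet, also catches the case where one side omits the RSNXE entirely.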

Candela  Technologies, 2417 Main Street, Suite 201, Ferndale, WA 98248, USA
www.candelatech.com | sales@candelatech.com | +1.360.380.1618