On Thu, Jan 01, 2026 at 01:12:35AM +0000, Vitaliy Makkoveev wrote:
> On Wed, Dec 31, 2025 at 10:37:44PM +0100, Stefan Sperling wrote:
> > Please send a pcap file which contains beacons from the AP:
> >
> > tcpdump -n -i iwx0 -y IEEE802_11_RADIO -s 4096 -w /tmp/iwx0.pcap
> >
> > Put the interface down, start tcpdump, put the interface up, wait until
> > a transition from SCAN to AUTH or RUN is shown in dmesg debug output,
> > then stop tcpdump and the file should contain what we need.
> >
>
> Sure, see attachment.
Not sure what is going wrong there.
My best guess is that this AP is buggy and does not like the
PFM-capable bit being set in our assoc request.
Does this patch help?
blob - 1ffd981a6fe179bc9f0689caaaad2af30277b453
file + ieee80211_output.c
--- ieee80211_output.c
+++ ieee80211_output.c
@@ -1062,7 +1062,8 @@ ieee80211_add_rsn_body(u_int8_t *frm, struct ieee80211
/* write RSN Capabilities field */
rsncaps = (ni->ni_rsncaps & (IEEE80211_RSNCAP_PTKSA_RCNT_MASK |
IEEE80211_RSNCAP_GTKSA_RCNT_MASK));
- if (ic->ic_caps & IEEE80211_C_MFP) {
+ if ((ic->ic_caps & IEEE80211_C_MFP) &&
+ (ni->ni_rsncaps & IEEE80211_RSNCAP_MFPC)) {
rsncaps |= IEEE80211_RSNCAP_MFPC;
if (ic->ic_flags & IEEE80211_F_MFPR)
rsncaps |= IEEE80211_RSNCAP_MFPR;
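Review bot: The `IEEE80211_F_MFPR` check sits under the condition that now also tests `ni->ni_rsncaps & IEEE80211_RSNCAP_MFPC`, so when the AP does not advertise MFPC a station configured to require MFP sends neither MFPC nor MFPR. Please confirm that such an AP is already rejected before the RSN body is built, or say so in a comment here. A one-line comment explaining that the peer's capability is consulted because some APs mishandle an unsolicited MFPC bit would also help whoever reads this condition later.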
@@ -1079,7 +1080,8 @@ ieee80211_add_rsn_body(u_int8_t *frm, struct ieee80211
frm += IEEE80211_PMKID_LEN;
}
- if (!(ic->ic_caps & IEEE80211_C_MFP))
+ if (!(ic->ic_caps & IEEE80211_C_MFP) ||
+ !(ni->ni_rsncaps & IEEE80211_RSNCAP_MFPC))
return frm;
if ((ni->ni_flags & IEEE80211_NODE_PMKID) == 0) {
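Review bot: The early-return test before `return frm;` is the hand-written negation of the condition added in the first hunk, and the two must stay in sync for the RSN Capabilities bits to agree with the fields written after this point. Consider evaluating it once near the top of the function into a local flag (name is only a suggestion, e.g. `use_mfp`) and testing that flag in both places, so a later change to one site cannot leave the other behind.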