Race condition in WPA3 with SAE connection attempt between Android 14 and IoT access point?


I am currently debugging a WLAN connection problem between a Pixel smartphone (Android 14) and a WLAN access point (IoT device, closed source). The connection setup has been recorded with Wireshark on a third device using monitor mode.

The WLAN connection uses WPA3 with SAE.

Pixel smartphone (ea:2c:50:6e:f1:55 random mac), WLAN access point (xx:xx:xx:xx:09:1b)

The connection setup looks like this (descriptions for Authentication messages below):

[Image: Wireshark recording of the connection attempt]

  • No 60: Commit
  • No 67: Commit with different Scalar and Finite Field Element than 60
  • No 74: Commit
  • No 76: Confirm
  • No 78: Commit with different Scalar and Finite Field Element than 74
  • No 80: Confirm

After this recording, the Pixel smartphone does not send any more messages, but the access point sends a few more Confirm messages (+ retransmissions) with increasing Send-Confirm number.

My questions are: Which parameter is used to assign the commit message of the access point to one of the two previous commit messages of the smartphone, or is there no ID available and the commit message always refers to the last received message?

No 67 seems to be sent, as there was no response to No 60 within 300ms. In which specification are these 300ms defined?

A quick search in IEEE Std 802.11™-2016 was unsuccessful. (Although I didn't read through all 3500 pages.) In "12.4.8.6.4 Protocol instance behavior - Committed state" only one timer t0 is discussed, this requires a retransmission, but No 67 is not a retransmission, rather it contains new values for Scalar and Finite Field Element.

My guess is that a race condition occurs here, but I can't tell which side is at fault.

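Added example for triaging a capture like the one described above (my own code, not the poster's): it parses the bodies of 802.11 Authentication frames carrying SAE (assumes finite cyclic group 19 and no anti-clogging token), then walks a constructed frame sequence modelled on the numbering in the question, tagging each Commit as initial, a retransmission (same scalar) or a fresh scalar sent while the sender's previous Commit was still unanswered, and checking that each side's Send-Confirm counter increases. Which side transmitted frames 74 to 80 is an assumption in the constructed data.

```python
import struct

SAE_ALG, COMMIT, CONFIRM = 3, 1, 2  # Authentication Algorithm 3 = SAE; transaction seq 1 = Commit, 2 = Confirm
SCALAR_LEN, ELEMENT_LEN = 32, 64   # group 19 (P-256): 32-byte scalar, 64-byte x||y element

def parse_auth_body(no, src, body):
    """Parse an 802.11 Authentication frame body carrying SAE (group 19, no anti-clogging token) into a dict."""
    alg, seq, status = struct.unpack_from("<HHH", body, 0)
    if alg != SAE_ALG or status != 0:
        raise ValueError(f"frame {no}: not a successful SAE frame (alg={alg}, status={status})")
    if seq == COMMIT:
        group = struct.unpack_from("<H", body, 6)[0]
        if group != 19 or len(body) != 8 + SCALAR_LEN + ELEMENT_LEN:
            raise ValueError(f"frame {no}: unsupported group {group} or bad length")
        return {"no": no, "src": src, "seq": seq, "scalar": body[8:8 + SCALAR_LEN]}
    if seq == CONFIRM:
        return {"no": no, "src": src, "seq": seq, "send_confirm": struct.unpack_from("<H", body, 6)[0]}
    raise ValueError(f"frame {no}: unknown SAE transaction sequence {seq}")

def analyse(frames):
    """Tag Commits (initial / retransmission / fresh scalar while unanswered) and check Send-Confirm growth."""
    pending, last_sc, findings = {}, {}, []  # pending: src -> (frame no, scalar) awaiting the peer's Commit
    for f in frames:
        if f["seq"] == COMMIT:
            prev = pending.get(f["src"])
            if prev is None:
                kind = "initial"
            elif prev[1] == f["scalar"]:
                kind = "retransmission"  # same scalar and element re-sent, e.g. after the t0 timer fired
            else:
                kind = f"fresh scalar while Commit {prev[0]} unanswered"
            for other in [s for s in pending if s != f["src"]]:
                pending.pop(other)  # the peer's outstanding Commit is now answered by this one
            pending[f["src"]] = (f["no"], f["scalar"])
        else:
            kind = "send-confirm ok" if f["send_confirm"] > last_sc.get(f["src"], -1) else "send-confirm did not increase"
            last_sc[f["src"]] = f["send_confirm"]
        findings.append((f["no"], kind))
    return findings

# Constructed frames mirroring the numbering in the question; the sender of 74-80 is assumed, not captured.
def commit(scalar_fill):  # Commit body: alg, seq, status, group, scalar, element
    return struct.pack("<HHHH", SAE_ALG, COMMIT, 0, 19) + bytes([scalar_fill]) * SCALAR_LEN + b"\x04" * ELEMENT_LEN
def confirm(send_confirm):  # Confirm body: alg, seq, status, send-confirm, 32-byte confirm value
    return struct.pack("<HHHH", SAE_ALG, CONFIRM, 0, send_confirm) + b"\x00" * 32
STA, AP = "ea:2c:50:6e:f1:55", "xx:xx:xx:xx:09:1b"
CAPTURE = [(60, STA, commit(0x11)), (67, STA, commit(0x22)), (74, AP, commit(0x33)),
           (76, STA, confirm(1)), (78, AP, commit(0x44)), (80, STA, confirm(2))]

def demo():
    return analyse([parse_auth_body(*frame) for frame in CAPTURE])
```

Feeding real frames means extracting the Authentication frame body from the capture (e.g. with pyshark or scapy) and passing it together with the frame number and transmitter address; nothing else changes.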