On Thu, May 19, 2022 at 10:59:58AM -0700, Sean Li wrote:
> We have a tri-band 6G AP product running hostapd with sae_pwe as 2.
> We noticed Android Pixel6 failed to make a successful connection due
> to warning "SAE: 0c:c4:13:14:16:93 indicates support for SAE H2E, but
> did not use it."
> From sniffer capture, Pixel6 has status code 0 in AUTH COMMIT message,
> H2E bit set in (Re)Assoc Req and hostapd returned
> WLAN_STATUS_UNSPECIFIED_FAILURE in (Re)Assoc Resp.

Would you be able to share a sniffer capture showing this? Was there any
configuration option on the station device for enabling SAE H2E?

> Can we get more context on why hostapd instruments the check below?
> Is there any spec stating the requirement below?
> > SAE: Verify that STA negotiated H2E if it claims to support it
> >
> > If a STA indicates support for SAE H2E in RSNXE and H2E is enabled in
> > the AP configuration, require H2E to be used.

This is mainly to prevent downgrade attacks should there be remaining
security issues in SAE hunting-and-pecking loop implementations (which
seems likely, in general, compared to H2E). IEEE Std 802.11-2020 has a
shall requirement on the STA using H2E if it has determined that the
peer supports H2E. In case of an infrastructure BSS, i.e., whenever
connecting to an AP, this would always be the case if both devices
advertise support for SAE H2E.

-- 
Jouni Malinen                                            PGP id EFC895FA
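
The check discussed in this thread, sketched as an added example (not hostapd's own code and not from either poster): it reads the SAE H2E bit from the RSNXE in a (Re)Association Request and compares it with the status code the station used in its SAE commit. The helper names and the sample element bytes are constructed for illustration; the element ID, bit position and status code 126 are the IEEE Std 802.11-2020 values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EID_RSNX 244                   /* RSN Extension element ID */
#define RSNX_CAPAB_SAE_H2E 5           /* bit index in Extended RSN Capabilities */
#define STATUS_SAE_HASH_TO_ELEMENT 126 /* SAE commit status code when H2E is used */

/* Constructed (Re)Assoc Req elements: SSID "test" followed by RSNXE. */
static const uint8_t ies_h2e[]    = { 0, 4, 't', 'e', 's', 't', EID_RSNX, 1, 0x20 };
static const uint8_t ies_no_h2e[] = { 0, 4, 't', 'e', 's', 't', EID_RSNX, 1, 0x00 };

/* Walk the element list; return 1 if an RSNXE with the SAE H2E bit is present. */
static int sta_rsnxe_h2e(const uint8_t *ies, size_t len)
{
    size_t pos = 0;
    while (pos + 2 <= len) {
        uint8_t id = ies[pos], elen = ies[pos + 1];
        if (pos + 2 + elen > len)
            return 0; /* truncated element: no usable capability */
        if (id == EID_RSNX && elen >= 1)
            return (ies[pos + 2] >> RSNX_CAPAB_SAE_H2E) & 1;
        pos += 2 + (size_t) elen;
    }
    return 0;
}

/* Hypothetical helper: 1 = accept the association, 0 = reject it.
 * ap_sae_pwe follows hostapd.conf: 0 = hunting-and-pecking only,
 * 1 = H2E only, 2 = both. */
static int assoc_h2e_check(int ap_sae_pwe, uint16_t commit_status,
                           const uint8_t *ies, size_t len)
{
    int ap_h2e = ap_sae_pwe == 1 || ap_sae_pwe == 2;
    int used_h2e = commit_status == STATUS_SAE_HASH_TO_ELEMENT;
    if (ap_h2e && sta_rsnxe_h2e(ies, len) && !used_h2e)
        return 0; /* claims H2E in RSNXE but committed without it */
    return 1;
}

int main(void)
{
    /* Reported case (sae_pwe=2, commit status 0, H2E bit set), then no H2E bit. */
    printf("%d %d\n", assoc_h2e_check(2, 0, ies_h2e, sizeof(ies_h2e)),
           assoc_h2e_check(2, 0, ies_no_h2e, sizeof(ies_no_h2e)));
    return 0;
}
```

The first result corresponds to the rejected association described in the report; a station that does not set the H2E bit, or that commits with status code 126, passes the check.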