I found that using `nmcli con modify test_ssid wifi-sec.pmf disable` prevents wpa_supplicant from offering SAE, which allows the M1 MBP to join, so my original question is answered. However, please let me know if there is something else I can try to enable SAE. Seems possible to me that the QCA6174 just doesn't support it, but I don't know. Thanks, Theron On Fri, Mar 17, 2023, at 4:49 PM, Theron Spiegl wrote: > I see at https://askubuntu.com/questions/497540/where-is-my-wpa-supplicant-conf that if I'm on a machine with NetworkManager (which is assumed for my purposes) that the configurations are at /etc/NetworkManager/system-connections/. So I created a connection like the earlier script, but then edited /etc/NetworkManager/system-connections/test_ssid.nmconnection to add a `ieee80211=1` line to the `[wifi-security]` section. This allowed the M1 MBP to actually try to connect, rather than failing instantly, which I interpreted as progress, but it still couldn't join. Using `wifi-sec.key-mgmt sae` results in the same "802.1X supplicant took too long to authenticate" message, as does using `wifi-sec.key-mgmt wpa-psk` with `wifi-sec.pmf required`. Using `wifi-sec.key-mgmt wpa-psk` with `wifi-sec.pmf optional` allows the hotspot to stand up, but still doesn't allow the MBP to join. I see that these nmcli options add lines like `pmf=3` to the .nmconnection config files. > Thanks, > Theron > > On Fri, Mar 17, 2023, at 4:02 PM, Theron Spiegl wrote: > > Where would I check the value of `ieee80211w` or `pmf` on a stock Linux Mint 21 or Ubuntu 22.04 machine, and how would I modify it? I'd like to be able to change what I need to through `nmcli` if possible. > > Thanks, > > Theron > > > > On Fri, Mar 17, 2023, at 4:00 AM, Jouni Malinen wrote: > > > On Thu, Mar 16, 2023 at 07:15:02PM -0500, Theron Spiegl wrote: > > > > Hi, I'm using a Qualcomm Atheros QCA6174 with wpa_supplicant v2.10. When I start a hotspot with the commands below, it can be joined by most devices (Linux, Windows, iOS) but not an M1 MacBook Pro. I've determined that this is because of SAE/WPA3 support: if I run macOS's `airport` CLI utility, I see that the wpa_supplicant 2.10 hotspot offers `WPA(PSK/AES/AES) RSN(PSK,PSK-SHA256,SAE/AES/AES)` in the Security column. When I use wpa_supplicant 2.9, it offers `WPA(PSK/AES/AES) RSN(PSK,PSK-SHA256/AES/AES)`, and the MacBook can join. > > > > > > > > Is there a way to disable SAE and force the use of WPA2-PSK with AES on wpa_supplicant 2.10? (Whether through nmcli or wpa_cli or something else?) > > > > > > I would strongly discourage doing that and instead, figure out why there > > > is no WPA3-Personal (SAE) connection. The current MacBook Pro devices > > > should be able to use SAE. > > > > > > Do you have management frame protection (a.k.a. PMF) enabled in > > > wpa_supplicant configuration? This could be enabled with ieee80211w=1 > > > with the particular network profile for the AP mode operation or pmf=1 > > > as a global parameter to enable it by default for all networks. > > > > > > -- > > > Jouni Malinen PGP id EFC895FA > > > _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
