Re: Possible to disable SAE and force WPA2-PSK-AES on wpa_supplicant v2.10?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I found that using `nmcli con modify test_ssid wifi-sec.pmf disable` prevents wpa_supplicant from offering SAE, which allows the M1 MBP to join, so my original question is answered. However, please let me know if there is something else I can try to enable SAE. Seems possible to me that the QCA6174 just doesn't support it, but I don't know.
Thanks,
Theron

On Fri, Mar 17, 2023, at 4:49 PM, Theron Spiegl wrote:
> I see at https://askubuntu.com/questions/497540/where-is-my-wpa-supplicant-conf that if I'm on a machine with NetworkManager (which is assumed for my purposes) that the configurations are at /etc/NetworkManager/system-connections/. So I created a connection like the earlier script, but then edited /etc/NetworkManager/system-connections/test_ssid.nmconnection to add a `ieee80211=1` line to the `[wifi-security]` section. This allowed the M1 MBP to actually try to connect, rather than failing instantly, which I interpreted as progress, but it still couldn't join. Using `wifi-sec.key-mgmt sae` results in the same "802.1X supplicant took too long to authenticate" message, as does using `wifi-sec.key-mgmt wpa-psk` with `wifi-sec.pmf required`. Using `wifi-sec.key-mgmt wpa-psk` with `wifi-sec.pmf optional` allows the hotspot to stand up, but still doesn't allow the MBP to join. I see that these nmcli options add lines like `pmf=3` to the .nmconnection config files.
> Thanks,
> Theron
> 
> On Fri, Mar 17, 2023, at 4:02 PM, Theron Spiegl wrote:
> > Where would I check the value of `ieee80211w` or `pmf` on a stock Linux Mint 21 or Ubuntu 22.04 machine, and how would I modify it? I'd like to be able to change what I need to through `nmcli` if possible.
> > Thanks,
> > Theron
> > 
> > On Fri, Mar 17, 2023, at 4:00 AM, Jouni Malinen wrote:
> > > On Thu, Mar 16, 2023 at 07:15:02PM -0500, Theron Spiegl wrote:
> > > > Hi, I'm using a Qualcomm Atheros QCA6174 with wpa_supplicant v2.10. When I start a hotspot with the commands below, it can be joined by most devices (Linux, Windows, iOS) but not an M1 MacBook Pro. I've determined that this is because of SAE/WPA3 support: if I run macOS's `airport` CLI utility, I see that the wpa_supplicant 2.10 hotspot offers `WPA(PSK/AES/AES) RSN(PSK,PSK-SHA256,SAE/AES/AES)` in the Security column. When I use wpa_supplicant 2.9, it offers `WPA(PSK/AES/AES) RSN(PSK,PSK-SHA256/AES/AES)`, and the MacBook can join.
> > > > 
> > > > Is there a way to disable SAE and force the use of WPA2-PSK with AES on wpa_supplicant 2.10? (Whether through nmcli or wpa_cli or something else?)
> > > 
> > > I would strongly discourage doing that and instead, figure out why there
> > > is no WPA3-Personal (SAE) connection. The current MacBook Pro devices
> > > should be able to use SAE.
> > > 
> > > Do you have management frame protection (a.k.a. PMF) enabled in
> > > wpa_supplicant configuration? This could be enabled with ieee80211w=1
> > > with the particular network profile for the AP mode operation or pmf=1
> > > as a global parameter to enable it by default for all networks.
> > > 
> > > -- 
> > > Jouni Malinen                                            PGP id EFC895FA
> > > 

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux