Re: Can't get WPA3 to work...

I believe this is expected, WPA3 requires that you have 80211w set to
required, though setting 80211w to optional would be accepted
as well ONLY if you have WPA2-CCMP enabled alongside WPA3.

At any rate, the WPA3 connection itself must use PMF AFAIK and
that's something some drivers seem to still have instability issues
with. Though I know that ath9k+ and iwlmvm work fine, haven't
had any luck with MediaTek and Broadcom drivers; but those
generally have issues more glaring than 80211w not working :)

On 5/18/23 23:23, Robert Senger wrote:
Thanks. No, I was not aware that WPA3-EAP only supports certificate
based authentication. So I keep this for later and concentrate on
WPA3-PSK for now.

Well, even WPA3-PSK does not work, at least not as intended.

I managed to set up a working WPA3-PSK connection by running
wpa_supplicant and dhclient in a terminal on the client machine, and by
setting wpa_passphrase=<secretpassword> in hostapd.conf on the AP.

But NetworkManager failed locally on the client when trying to connect.
It turned out that this was caused by the Intel wifi driver, which does
not support PMF. But NetworkManager insists on ieee80211w=2 (required).
So I patched NetworkManager to set ieee80211w=1 (optional) in
wpa_supplicant configuration, now NetworkManager can connect to the
WPA3-PSK AP. This is not the best solution, of course...

The other problem is on the AP side. Only setting a single
wpa_passphrase=<somepassword> in hostapd.conf works. Connection fails
with "authentication denied" message on the client side when I try to
use a file, e.g. wpa_psk_file=/etc/hostapd/hostapd.psk, or when I try
to use the freeradius server for authentication. Both file and radius
work fine with WPA2-PSK.

So, WPA3-PSK works basically. I will start a new thread about the
question why hostapd fails to obtain passwords from a file or from the
radius server for WPA3-PSK, while it succeeds for WPA2-PSK.

Thanks for now!

Robert


On Wednesday, 17.05.2023 at 20:36 +0300, rany wrote:
You have to keep in mind that WPA3-EAP only supports certificate based
authentication.

If your RADIUS setup uses username/password it will not work in
WPA3-EAP only mode, you need to keep WPA2-EAP support.

At any rate I don't think WPA2-EAP is insecure, I think it is still
fine for the most part with no real security vulnerabilities; unlike
WPA2-PSK.

You just need to enable KRACK and KRACK-like mitigations on the AP end
if you aren't sure if the clients are updated.

On 5/17/23 19:55, Robert Senger wrote:
Hi all,

I am trying to set up APs with WPA3, but can't get it to work. WPA2
works fine on the same hardware and software since more than 10
years. This is my third try with WPA3 in the past 3 years...

This is my setup:

__access_points__

Debian 11 Bullseye
hostapd 2.9.0 (or 2.10 from backports)
Qualcomm Atheros AR922X Wireless Network Adapter

__client_machines__

Debian 11 Bullseye
wpasupplicant 2.9.0 (or 2.10 from backports)
NetworkManager 1.30.6 (or 1.42.4 from backports)
Intel Centrino Advanced-N 6205 Wireless Network Adapter

Neither SAE nor WPA-EAP-SUITE-B-192 work, that means, either connection
attempts fail (without useful logs), or the SSID is greyed out on the
client machine. I will post configuration and logs, but first of all,
if you take a look at the software versions and the hardware above, is
there a "no-go" somewhere?

Thanks,

Robert

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
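
The PMF rule stated in the reply at the top of this thread (SAE alone needs ieee80211w=2; optional is acceptable only alongside WPA2) can be checked against a hostapd.conf before deployment. The lint below is an added example, not code from any message in the thread or from hostapd. The sample configurations are constructed, and sae_require_mfp is a hostapd option the thread does not mention.

```python
# Added example: lint hostapd.conf text for the PMF (ieee80211w) rules
# discussed in the thread. Sample configs are constructed for illustration.

def parse_conf(text):
    """Parse hostapd.conf key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def check_pmf(text):
    """Return findings about ieee80211w versus the configured key management."""
    conf = parse_conf(text)
    akms = set(conf.get("wpa_key_mgmt", "WPA-PSK").split())
    pmf = int(conf.get("ieee80211w", "0"))  # hostapd default is 0 (disabled)
    sae = "SAE" in akms
    legacy = bool(akms & {"WPA-PSK", "WPA-PSK-SHA256"})
    findings = []
    if sae and not legacy and pmf != 2:
        findings.append("SAE-only network needs ieee80211w=2 (required)")
    if sae and legacy:
        if pmf == 0:
            findings.append("WPA2/WPA3 mixed mode needs ieee80211w=1 or 2")
        elif pmf == 2:
            findings.append("ieee80211w=2 locks out WPA2 clients without PMF")
        if pmf == 1 and conf.get("sae_require_mfp", "0") != "1":
            findings.append("set sae_require_mfp=1 so SAE clients must use PMF")
    return findings

# Constructed sample: WPA3-only AP with PMF left at optional.
SAE_ONLY_OPTIONAL = """\
ssid=example
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=1
"""

# Constructed sample: WPA2/WPA3 transition mode with PMF optional.
MIXED_OK = SAE_ONLY_OPTIONAL.replace("=SAE", "=WPA-PSK SAE") + "sae_require_mfp=1\n"

if __name__ == "__main__":
    for name, cfg in (("sae-only", SAE_ONLY_OPTIONAL), ("mixed", MIXED_OK)):
        print(name, check_pmf(cfg) or "ok")
```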