Now I managed to get SAE and WPA-EAP-SUITE-B-192 connections to work
(with some workarounds and patching on the client side due to hardware
and software limitations, and off-specification settings on the AP side,
but this is a testing environment).

I just wonder why you say that WPA3-EAP only supports certificate based
authentication, which means eap=tls in my understanding. I found that
WPA3-EAP works well with username/password based authentication, e.g.
eap=ttls, the same way as WPA2-EAP does.

Now the only question still open is why SAE authentication does not work
with passwords provided in a file or from radius. But this is a new topic.

Thanks again!

Robert

On Thursday, 18.05.2023 at 23:28 +0300, rany wrote:
> I believe this is expected, WPA3 requires that you have 80211w set to
> required, though that setting 80211w to optional would be accepted
> as well ONLY if you have WPA2-CCMP enabled alongside WPA3.
>
> At any rate, the WPA3 connection itself must use PMF AFAIK and
> that's something some drivers seem to still have instability issues
> with. Though I know that ath9k+ and iwlmvm work fine, haven't
> had any luck with MediaTek and Broadcom drivers; but those
> generally have issues more glaring than 80211w not working :)
>
> On 5/18/23 23:23, Robert Senger wrote:
> > Thanks. No, I was not aware that WPA3-EAP only supports certificate
> > based authentication. So I keep this for later and concentrate on
> > WPA3-PSK for now.
> >
> > Well, even WPA3-PSK does not work, at least not as intended.
> >
> > I managed to set up a working WPA3-PSK connection by running
> > wpa_supplicant and dhclient in a terminal on the client machine, and by
> > setting wpa_passphrase=<secretpassword> in hostapd.conf on the AP.
> >
> > But NetworkManager failed locally on the client when trying to connect.
> > It turned out that this was caused by the Intel wifi driver, which does
> > not support PMF. But NetworkManager insists on ieee80211w=2 (required).
> > So I patched NetworkManager to set ieee80211w=1 (optional) in
> > wpa_supplicant configuration, now NetworkManager can connect to the
> > WPA3-PSK AP. This is not the best solution, of course...
> >
> > The other problem is on the AP side. Only setting a single
> > wpa_passphrase=<somepassword> in hostapd.conf works. Connection fails
> > with "authentication denied" message on the client side when I try to
> > use a file, e.g. wpa_psk_file=/etc/hostapd/hostapd.psk, or when I try
> > to use the freeradius server for authentication. Both file and radius
> > work fine with WPA2-PSK.
> >
> > So, WPA3-PSK works basically. I will start a new thread about the
> > question why hostapd fails to obtain passwords from a file or from the
> > radius server for WPA3-PSK, while it succeeds for WPA2-PSK.
> >
> > Thanks for now!
> >
> > Robert
> >
> >
> > On Wednesday, 17.05.2023 at 20:36 +0300, rany wrote:
> > > You have to keep in mind that WPA3-EAP only supports certificate
> > > based authentication.
> > >
> > > If your RADIUS setup uses username/password it will not work in
> > > WPA3-EAP only mode, you need to keep WPA2-EAP support.
> > >
> > > At any rate I don't think WPA2-EAP is insecure, I think it is still
> > > fine for the most part with no real security vulnerabilities; unlike
> > > WPA2-PSK.
> > >
> > > You just need to enable KRACK and KRACK-like mitigations on the AP
> > > end if you aren't sure if the clients are updated.
> > >
> > > On 5/17/23 19:55, Robert Senger wrote:
> > > > Hi all,
> > > >
> > > > I am trying to set up APs with WPA3, but can't get it to work. WPA2
> > > > works fine on the same hardware and software since more than 10
> > > > years. This is my third try with WPA3 in the past 3 years...
> > > >
> > > > This is my setup:
> > > >
> > > > __access_points__
> > > >
> > > > Debian 11 Bullseye
> > > > hostapd 2.9.0 (or 2.10 from backports)
> > > > Qualcomm Atheros AR922X Wireless Network Adapter
> > > >
> > > > __client_machines__
> > > >
> > > > Debian 11 Bullseye
> > > > wpasupplicant 2.9.0 (or 2.10 from backports)
> > > > NetworkManager 1.30.6 (or 1.42.4 from backports)
> > > > Intel Centrino Advanced-N 6205 Wireless Network Adapter
> > > >
> > > > Neither SAE nor WPA-EAP-SUITE-B-192 work, that means, either
> > > > connection attempts fail (without useful logs), or the SSID is
> > > > greyed out on the client machine. I will post configuration and
> > > > logs, but first of all, if you take a look at the software versions
> > > > and the hardware above, is there a "no-go" somewhere?
> > > >
> > > > Thanks,
> > > >
> > > > Robert
> > > >
> > > _______________________________________________
> > > Hostap mailing list
> > > Hostap@xxxxxxxxxxxxxxxxxxx
> > > http://lists.infradead.org/mailman/listinfo/hostap

-- 
Robert Senger
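
The PMF rule stated in the quoted reply (SAE needs ieee80211w required, optional only when WPA2 is offered alongside) and the AP-side symptom reported for wpa_psk_file and RADIUS can be checked against a hostapd.conf before deployment. The following is an added example, not code from this thread or from the hostapd project; the finding names and sample configurations are constructed, and the file/RADIUS finding only records what the thread observed, not a confirmed cause.

```python
# Added example: lint hostapd.conf text for the PMF rule quoted in the thread.
SAE_AKMS = {"SAE", "FT-SAE"}
WPA2_PSK_AKMS = {"WPA-PSK", "WPA-PSK-SHA256", "FT-PSK"}

def parse_hostapd_conf(text):
    """Parse key=value lines; '#' lines are comments, last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def lint(text):
    """Return a list of finding names (hypothetical labels) for one config."""
    conf = parse_hostapd_conf(text)
    akms = set(conf.get("wpa_key_mgmt", "WPA-PSK").split())
    if not akms & SAE_AKMS:
        return []                      # the rule only concerns SAE networks
    findings = []
    pmf = int(conf.get("ieee80211w", "0"))   # 0=off, 1=optional, 2=required
    if pmf == 0:
        findings.append("PMF_DISABLED")
    elif pmf == 1 and not akms & WPA2_PSK_AKMS:
        # optional PMF is only acceptable when WPA2 is offered alongside SAE
        findings.append("PMF_OPTIONAL_WITHOUT_WPA2")
    has_inline = "wpa_passphrase" in conf or "sae_password" in conf
    external = "wpa_psk_file" in conf or conf.get("wpa_psk_radius", "0") != "0"
    if external and not has_inline:
        # symptom reported in this thread (hostapd 2.9/2.10), cause not confirmed
        findings.append("SAE_PASSWORD_FROM_FILE_OR_RADIUS_ONLY")
    return findings

# Constructed sample configurations.
SAE_ONLY_OPTIONAL_PMF = """\
wpa=2
wpa_key_mgmt=SAE
ieee80211w=1
wpa_passphrase=constructed-example-passphrase
"""
TRANSITION_MODE = SAE_ONLY_OPTIONAL_PMF.replace("=SAE", "=WPA-PSK SAE")
SAE_WITH_PSK_FILE = """\
wpa_key_mgmt=SAE
ieee80211w=2
wpa_psk_file=/etc/hostapd/hostapd.psk
"""

if __name__ == "__main__":
    print(lint(SAE_ONLY_OPTIONAL_PMF), lint(TRANSITION_MODE), lint(SAE_WITH_PSK_FILE))
```

The first sample mirrors the client-side workaround from the thread applied to an SAE-only AP, which the quoted rule does not allow; the second is the WPA2/WPA3 mixed setup where optional PMF is accepted.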