Hi all,

I am new to this mailing list so feel free to correct me if I am doing something wrong.

I am trying to connect a STA to an AP with WPA3-Personal security, but can't get it working. Here's my stack:

wpa_supplicant v2.10
kernel 5.19.17-rt
Intel Wi-Fi 6 AX201 160MHz, REV=0x351

I set up the network with the following parameters:

key_mgmt=SAE
ieee80211w=1

Unfortunately, the connection fails when IGTK is received. If I am not terribly wrong, IGTK is used for Management Frame Protection (MFP/PMF). To make sure my kernel is configured correctly, I checked /sys/kernel/debug/ieee80211/phy0/hwflags for MFP_CAPABLE.

According to some reports I found online, MFP capability requires hardware crypto. So I made sure I wasn't running iwlwifi with swcrypto enabled and I checked /sys/module/iwlwifi/parameters/swcrypto is 0.

My AP supports WPA2 + WPA3 transition mode so I was curious if I can connect WPA2 with MFP enabled, key_mgmt=WPA-PSK & ieee80211w=1, and still got the same error.

I also tried the same parameters from another machine to make sure my AP was configured correctly and had no issue connecting to it.

Here I am posting the error messages (I am posting -dd output with the hope that would be useful to identify the issue, sorry for the noise):

wpa_supplicant[829]: wlan0: State: 4WAY_HANDSHAKE -> 4WAY_HANDSHAKE
wpa_supplicant[829]: wlan0: WPA: RX message 3 of 4-Way Handshake from 48:5d:35:db:3e:a4 (ver=0)
wpa_supplicant[829]: WPA: IE KeyData - hexdump(len=80): 30 18 01 00 00 0f ac 04 01 00 00 0f ac 04 02 00 00 0f ac 02 00 0f ac 08 8c 00 dd 16 00 0f ac 01 01 00 06 a6 79 ec c5 d3 a4 d4 f9 10 e2 69 7b 87 47 a0 dd 1c 00 0f ac 09 04 00 5d 00 00 00 00 00 5b 2f 28 45 89 7e c8 40 07 b1 62 9f 63 c4 3f d7
wpa_supplicant[829]: WPA: RSN IE in EAPOL-Key - hexdump(len=26): 30 18 01 00 00 0f ac 04 01 00 00 0f ac 04 02 00 00 0f ac 02 00 0f ac 08 8c 00
wpa_supplicant[829]: WPA: GTK in EAPOL-Key - hexdump(len=24): [REMOVED]
wpa_supplicant[829]: WPA: IGTK in EAPOL-Key - hexdump(len=30): [REMOVED]
wpa_supplicant[829]: wlan0: WPA: Sending EAPOL-Key 4/4
wpa_supplicant[829]: WPA: Send EAPOL-Key frame to 48:5d:35:db:3e:a4 ver=0 mic_len=16 key_mgmt=0x400
wpa_supplicant[829]: WPA: EAPOL-Key MIC using AES-CMAC (AKM-defined - SAE)
wpa_supplicant[829]: WPA: KCK - hexdump(len=16): [REMOVED]
wpa_supplicant[829]: WPA: Derived Key MIC - hexdump(len=16): 53 62 d5 cc 96 84 5c 1a 8d 96 a3 73 d2 82 2e 6e
wpa_supplicant[829]: WPA: TX EAPOL-Key - hexdump(len=99): 01 03 00 5f 02 03 08 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 62 d5 cc 96 84 5c 1a 8d 96 a3 73 d2 82 2e 6e 00 00
wpa_supplicant[829]: nl80211: Send over control port dest=48:5d:35:db:3e:a4 proto=0x888e len=99 no_encrypt=1
wpa_supplicant[829]: nl80211: tx_control_port cookie=0xc
wpa_supplicant[829]: wlan0: WPA: Installing PTK to the driver
wpa_supplicant[829]: wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=3 addr=0x14728a0 key_idx=0 set_tx=1 seq_len=6 key_len=16 key_flag=0x2c
wpa_supplicant[829]: nl80211: NEW_KEY
wpa_supplicant[829]: nl80211: KEY_DATA - hexdump(len=16): [REMOVED]
wpa_supplicant[829]: nl80211: KEY_SEQ - hexdump(len=6): 00 00 00 00 00 00
wpa_supplicant[829]: addr=48:5d:35:db:3e:a4
wpa_supplicant[829]: pairwise key
kernel:[ 356.464036] iwlwifi 0000:00:14.3: Unhandled alg: 0x707
kernel:[ 356.465322] iwlwifi 0000:00:14.3: Unhandled alg: 0x707
kernel:[ 356.466575] iwlwifi 0000:00:14.3: Unhandled alg: 0x707
kernel:[ 356.467829] iwlwifi 0000:00:14.3: Unhandled alg: 0x707
kernel:[ 356.469094] iwlwifi 0000:00:14.3: Unhandled alg: 0x707
kernel:[ 356.470312] iwlwifi 0000:00:14.3: Unhandled alg: 0x707
kernel:[ 356.471529] iwlwifi 0000:00:14.3: Unhandled alg: 0x707
kernel:[ 356.472742] iwlwifi 0000:00:14.3: Unhandled alg: 0x707
wpa_supplicant[829]: EAPOL: External notification - portValid=1
wpa_supplicant[829]: EAPOL: SUPP_PAE entering state AUTHENTICATED
wpa_supplicant[829]: EAPOL: Supplicant port status: Authorized
wpa_supplicant[829]: nl80211: Set supplicant port authorized for 48:5d:35:db:3e:a4
wpa_supplicant[829]: EAPOL authentication completed - result=SUCCESS
wpa_supplicant[829]: wlan0: State: 4WAY_HANDSHAKE -> GROUP_HANDSHAKE
wpa_supplicant[829]: wlan0: Determining shared radio frequencies (max len 2)
wpa_supplicant[829]: wlan0: Shared frequencies (len=1): completed iteration
wpa_supplicant[829]: wlan0: freq[0]: 5260, flags=0x1
wpa_supplicant[829]: P2P: Add operating class 81
wpa_supplicant[829]: P2P: Channels - hexdump(len=13): 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d
wpa_supplicant[829]: P2P: Add operating class 124
wpa_supplicant[829]: P2P: Channels - hexdump(len=4): 95 99 9d a1
wpa_supplicant[829]: P2P: Add operating class 125
wpa_supplicant[829]: P2P: Channels - hexdump(len=5): 95 99 9d a1 a5
wpa_supplicant[829]: P2P: Add operating class 126
wpa_supplicant[829]: P2P: Channels - hexdump(len=2): 95 9d
wpa_supplicant[829]: P2P: Add operating class 127
wpa_supplicant[829]: P2P: Channels - hexdump(len=2): 99 a1
wpa_supplicant[829]: P2P: Add operating class 130
wpa_supplicant[829]: P2P: Channels - hexdump(len=5): 95 99 9d a1 a5
wpa_supplicant[829]: P2P: Update channel list
wpa_supplicant[829]: P2P: channels: 81:1,2,3,4,5,6,7,8,9,10,11,12,13 124:149,153,157,161 125:149,153,157,161,165 126:149,157 127:153,161 130:149,153,157,161,165
wpa_supplicant[829]: P2P: cli_channels:
wpa_supplicant[829]: RSN: received GTK in pairwise handshake - hexdump(len=18): [REMOVED]
wpa_supplicant[829]: WPA: Group Key - hexdump(len=16): [REMOVED]
wpa_supplicant[829]: wlan0: WPA: Installing GTK to the driver (keyidx=1 tx=0 len=16)
wpa_supplicant[829]: WPA: RSC - hexdump(len=6): 5d 00 00 00 00 00
wpa_supplicant[829]: wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=3 addr=0x5e47c0 key_idx=1 set_tx=0 seq_len=6 key_len=16 key_flag=0x14
wpa_supplicant[829]: nl80211: NEW_KEY
wpa_supplicant[829]: nl80211: KEY_DATA - hexdump(len=16): [REMOVED]
wpa_supplicant[829]: nl80211: KEY_SEQ - hexdump(len=6): 5d 00 00 00 00 00
wpa_supplicant[829]: broadcast key
wpa_supplicant[829]: wlan0: WPA: IGTK keyid 4 pn 5d0000000000
wpa_supplicant[829]: WPA: IGTK - hexdump(len=16): [REMOVED]
wpa_supplicant[829]: wpa_driver_nl80211_set_key: ifindex=3 (wlan0) alg=4 addr=0x5e47c0 key_idx=4 set_tx=0 seq_len=6 key_len=16 key_flag=0x14
wpa_supplicant[829]: nl80211: NEW_KEY
wpa_supplicant[829]: nl80211: KEY_DATA - hexdump(len=16): [REMOVED]
wpa_supplicant[829]: nl80211: KEY_SEQ - hexdump(len=6): 5d 00 00 00 00 00
wpa_supplicant[829]: broadcast key
wpa_supplicant[829]: nl80211: kernel reports: key addition failed
wpa_supplicant[829]: nl80211: set_key failed; err=-2 No such file or directory
wpa_supplicant[829]: wlan0: WPA: Failed to configure IGTK to the driver
wpa_supplicant[829]: CTRL-DEBUG: ctrl_sock-sendmsg: sock=14 sndbuf=212992 outq=0 send_len=43
wpa_supplicant[829]: CTRL_IFACE monitor sent successfully to /tmp/wpa_ctrl_834-2\x00
wpa_supplicant[829]: wlan0: RSN: Failed to configure IGTK
wpa_supplicant[829]: CTRL-DEBUG: ctrl_sock-sendmsg: sock=14 sndbuf=212992 outq=768 send_len=29
wpa_supplicant[829]: CTRL_IFACE monitor sent successfully to /tmp/wpa_ctrl_834-2\x00
wpa_supplicant[829]: wlan0: Request to deauthenticate - bssid=48:5d:35:db:3e:a4 pending_bssid=00:00:00:00:00:00 reason=1 (UNSPECIFIED) state=GROUP_HANDSHAKE
wpa_supplicant[829]: TDLS: Tear down peers
wpa_supplicant[829]: wpa_driver_nl80211_deauthenticate(addr=48:5d:35:db:3e:a4 reason_code=1)
kernel:[ 356.497509] wlan0: deauthenticating from 48:5d:35:db:3e:a4 by local choice (Reason: 1=UNSPECIFIED)
wpa_supplicant[829]: wlan0: Event DEAUTH (11) received
wpa_supplicant[829]: wlan0: Deauthentication notification
wpa_supplicant[829]: wlan0: * reason 1 (UNSPECIFIED) locally_generated=1
wpa_supplicant[829]: Deauthentication frame IE(s) - hexdump(len=0): [NULL]
wpa_supplicant[829]: wlan0: CTRL-EVENT-DISCONNECTED bssid=48:5d:35:db:3e:a4 reason=1 locally_generated=1

If I understand from the source code correctly (not a wifi expert here at all), the first failure, "Unhandled alg: 0x707", is due to not having the key installed yet and is handled gracefully. Whereas the second one causes disconnects, "kernel reports: key addition failed" and "RSN: Failed to configure IGTK to the driver".

When I investigated the code that adds the new key in kernel code, the logic for the error message "key addition failed", I found a TODO, "net/mac80211/cfg.c" @ ieee80211_add_key,

    /*
     * The ASSOC test makes sure the driver is ready to
     * receive the key. When wpa_supplicant has roamed
     * using FT, it attempts to set the key before
     * association has completed, this rejects that attempt
     * so it will set the key again after association.
     *
     * TODO: accept the key if we have a station entry and
     *       add it to the device after the station.
     */

According to this comment, the author claims wpa_supplicant will attempt to set the key again after ASSOC. Seems like this is not true.

According to the code here, https://w1.fi/cgit/hostap/tree/src/rsn_supp/wpa.c#n2748, it seems like wpa_supplicant deauthenticates if set_key fails.

After looking at this issue for several days and getting no progress, I decided to post my findings here and hope that I can find some help. As I mentioned before, I am not an expert in wifi or any wireless technologies, but according to the TODO comment, how can I make sure wpa_supplicant connects with PMF enabled in this case?

Please let me know if I should provide more information.

Best Regards,
C. Sina Dogru
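
An added example, not part of the original post and not wpa_supplicant code: a small decoder for the RSN element shown in the "RSN IE in EAPOL-Key" hexdump above, to check which AKMs and PMF capability bits the AP advertised in message 3. The function names are hypothetical and the suite tables are a subset chosen for this log.

```python
# RSN element bytes copied from the "RSN IE in EAPOL-Key" hexdump in the post.
RSN_IE = bytes.fromhex("30 18 01 00 00 0f ac 04 01 00 00 0f ac 04 02 00"
                       " 00 0f ac 02 00 0f ac 08 8c 00")
# Suite types under the IEEE 802.11 OUI 00-0F-AC (subset, enough for this log).
CIPHERS = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128"}
AKMS = {1: "802.1X", 2: "PSK", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}


def suite_name(raw, table):
    """Name a 4-byte suite selector; unknown selectors stay visible as hex."""
    if raw[:3] == b"\x00\x0f\xac" and raw[3] in table:
        return table[raw[3]]
    return raw.hex("-")


def parse_rsn_ie(ie):
    """Decode an RSN element (ID 0x30): ciphers, AKMs and the PMF bits."""
    if len(ie) < 2 or ie[0] != 0x30 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = ie[2:], 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        pos += n
        return body[pos - n:pos]

    def u16():
        return int.from_bytes(take(2), "little")

    out = {"version": u16(), "group": suite_name(take(4), CIPHERS)}
    out["pairwise"] = [suite_name(take(4), CIPHERS) for _ in range(u16())]
    out["akm"] = [suite_name(take(4), AKMS) for _ in range(u16())]
    caps = u16()
    out["mfp_required"] = bool(caps & 0x0040)  # MFPR, bit 6
    out["mfp_capable"] = bool(caps & 0x0080)   # MFPC, bit 7
    # Optional tail: PMKID count and list, then the group management cipher.
    # When that field is absent, BIP-CMAC-128 is the default for PMF.
    out["group_mgmt"] = "BIP-CMAC-128"
    if pos < len(body):
        take(16 * u16())
        if pos < len(body):
            out["group_mgmt"] = suite_name(take(4), CIPHERS)
    return out


if __name__ == "__main__":
    for field, value in parse_rsn_ie(RSN_IE).items():
        print(f"{field}: {value}")
```

For the bytes in the post this reports the AKMs PSK and SAE with MFPC set and MFPR clear, and no explicit group management cipher field.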