On June 26, 2024 2:05:07 PM KeithG <ys3al35l@xxxxxxxxx> wrote:
On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote:On June 21, 2024 2:24:19 PM KeithG <ys3al35l@xxxxxxxxx> wrote:On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote:+ Jouni On 6/20/2024 8:25 PM, KeithG wrote:1718907734.308740: wlan0: WPA: AP group 0x10 network profile group 0x18; available group 0x10 1718907734.308748: wlan0: WPA: using GTK CCMP 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile pairwise 0x10; available pairwise 0x10 1718907734.308767: wlan0: WPA: using PTK CCMP 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile key_mgmt 0x400; available key_mgmt 0x0I suspect the message above indicates the problem as there is no available key_mgmt to select so looked it up in the code and here it is: sel = ie.key_mgmt & ssid->key_mgmt; #ifdef CONFIG_SAE if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) && !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) || wpas_is_sae_avoided(wpa_s, ssid, &ie)) sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY | WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY); #endif /* CONFIG_SAE */ #ifdef CONFIG_IEEE80211R if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME | WPA_DRIVER_FLAGS_UPDATE_FT_IES))) sel &= ~WPA_KEY_MGMT_FT; #endif /* CONFIG_IEEE80211R */ wpa_dbg(wpa_s, MSG_DEBUG, "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x", ie.key_mgmt, ssid->key_mgmt, sel); So 0x400 matches the expectation: #define WPA_KEY_MGMT_SAE BIT(10) You already confirmed that the driver reports SAE and SAE offload support. So it seems wpas_is_sae_avoided() must return true. That will check whether the AP and network profile are setup to MFP. This seems to be the fact as your hostapd.conf and wpa_supplicant.conf both have ieee80211w=2 defined. This function can only return true when is enabled in configuration file: # sae_check_mfp: Require PMF support to select SAE key_mgmt # 0 = Do not check PMF for SAE (default) # 1 = Limit SAE when PMF is not enabled # # When enabled SAE will not be selected if PMF will not be used # for the connection. # Scenarios where this check will limit SAE: # 1) ieee80211w=0 is set for the network # 2) The AP does not have PMF enabled. # 3) ieee80211w is unset, pmf=1 is enabled globally, and # the device does not support the BIP cipher. # Consider the configuration of global parameterss sae_check_mfp=1, pmf=1 and a # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK. # In the example WPA-PSK will be used if the device does not support # the BIP cipher or the AP has PMF disabled. # Limiting SAE with this check can avoid failing to associate to an AP # that is configured with sae_requires_mfp=1 if the device does # not support PMF due to lack of the BIP cipher. The default is not to check it and you wpa_supplicant.conf does not specify it. # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev update_config=1 network={ ssid="deskSAE" sae_password="secret123" proto=RSN key_mgmt=SAE pairwise=CCMP ieee80211w=2 } $ cat /etc/hostapd/hostapd.conf # interface and driver interface=ap0 driver=nl80211 # WIFI-Config ssid=deskSAE channel=1 hw_mode=g wpa=2 wpa_key_mgmt=SAE wpa_pairwise=CCMP sae_password=secret123 sae_groups=19 ieee80211w=2 sae_pwe=0 Regards, Arend1718907734.308779: wlan0: WPA: Failed to select authenticated key management type 1718907734.308787: wlan0: WPA: Failed to set WPA key management and encryption suitesArend, I find the wpa_supplicant docs really hard to understand. I have read through your response a few times and am still a bit confused. Does this have to do with a pure wpa3 versus a wpa2/3 AP?Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.I have tried editing my hostapd.conf and my wpa_supplicant.conf and still cannot get a connection, so I must be doing something wrong. I commented the ieee80211w line on both and it would not connect. I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and it still would not connect. What *should* the configurations be in the hostapd.conf and wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What should it be to be a wpa2/3 setup? My phone worked fine to connect with the original hostapd setup, but I have no idea what it is doingAs I mentioned in my previous email both config files listed above look okay to me (might be wrong though). The problem seems to be with wpas_is_sae_avoided(). For it to return true the config should have: sae_check_mfp=1 But you don't have that and default is 0 so it should check for MFP. This is where my trail ends. To learn more I would add additional debug prints. Are you comfortable rebuilding wpa_supplicant from source? Regards, ArendArend, Thanks for the reply. I could try to rebuild wpa_supplicant from source. This is on RPi, so debian *.debs which are a pain, but I think I can do it. Do I understand correctly that 'sae_check_mfp=1' is supposed to be in the hostapd.conf and wpa_supplicant.conf? I can try that and see if anything changes.
Ok. We can try first to put following in wpa_supplicant.conf: sae_check_mfp=0 Let me know if that makes any difference.
Why would I have to re-build wpa_supplicant?
I would provide a patch with additional debug prints so I get better understanding what is going wrong. Would be great if you can apply that and rebuild.
Regards, Arend
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
