On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
<arend.vanspriel@xxxxxxxxxxxx> wrote:
>
> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@xxxxxxxxx> wrote:
>
> > On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> > <arend.vanspriel@xxxxxxxxxxxx> wrote:
> >>
> >> + Jouni
> >>
> >> On 6/20/2024 8:25 PM, KeithG wrote:
> >>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
> >>> 0x18; available group 0x10
> >>> 1718907734.308748: wlan0: WPA: using GTK CCMP
> >>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
> >>> pairwise 0x10; available pairwise 0x10
> >>> 1718907734.308767: wlan0: WPA: using PTK CCMP
> >>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
> >>> key_mgmt 0x400; available key_mgmt 0x0
> >>
> >>
> >> I suspect the message above indicates the problem as there is no
> >> available key_mgmt to select so looked it up in the code and here it is:
> >>
> >>     sel = ie.key_mgmt & ssid->key_mgmt;
> >> #ifdef CONFIG_SAE
> >>     if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> >>          !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> >>         wpas_is_sae_avoided(wpa_s, ssid, &ie))
> >>         sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> >>                  WPA_KEY_MGMT_FT_SAE |
> >>                  WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> >> #endif /* CONFIG_SAE */
> >> #ifdef CONFIG_IEEE80211R
> >>     if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> >>                               WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> >>         sel &= ~WPA_KEY_MGMT_FT;
> >> #endif /* CONFIG_IEEE80211R */
> >>     wpa_dbg(wpa_s, MSG_DEBUG,
> >>             "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
> >>             ie.key_mgmt, ssid->key_mgmt, sel);
> >>
> >> So 0x400 matches the expectation:
> >>
> >> #define WPA_KEY_MGMT_SAE BIT(10)
> >>
> >> You already confirmed that the driver reports SAE and SAE offload
> >> support. So it seems wpas_is_sae_avoided() must return true. That will
> >> check whether the AP and network profile are setup to MFP. This seems to
> >> be the fact as your hostapd.conf and wpa_supplicant.conf both have
> >> ieee80211w=2 defined. This function can only return true when
> >> is enabled in configuration file:
> >>
> >> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> >> # 0 = Do not check PMF for SAE (default)
> >> # 1 = Limit SAE when PMF is not enabled
> >> #
> >> # When enabled SAE will not be selected if PMF will not be used
> >> # for the connection.
> >> # Scenarios where this check will limit SAE:
> >> # 1) ieee80211w=0 is set for the network
> >> # 2) The AP does not have PMF enabled.
> >> # 3) ieee80211w is unset, pmf=1 is enabled globally, and
> >> #    the device does not support the BIP cipher.
> >> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
> >> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> >> # In the example WPA-PSK will be used if the device does not support
> >> # the BIP cipher or the AP has PMF disabled.
> >> # Limiting SAE with this check can avoid failing to associate to an AP
> >> # that is configured with sae_requires_mfp=1 if the device does
> >> # not support PMF due to lack of the BIP cipher.
> >>
> >> The default is not to check it and your wpa_supplicant.conf does not
> >> specify it.
> >>
> >> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >> update_config=1
> >> network={
> >>     ssid="deskSAE"
> >>     sae_password="secret123"
> >>     proto=RSN
> >>     key_mgmt=SAE
> >>     pairwise=CCMP
> >>     ieee80211w=2
> >> }
> >>
> >> $ cat /etc/hostapd/hostapd.conf
> >> # interface and driver
> >> interface=ap0
> >> driver=nl80211
> >>
> >> # WIFI-Config
> >> ssid=deskSAE
> >> channel=1
> >> hw_mode=g
> >>
> >> wpa=2
> >> wpa_key_mgmt=SAE
> >> wpa_pairwise=CCMP
> >> sae_password=secret123
> >> sae_groups=19
> >> ieee80211w=2
> >> sae_pwe=0
> >>
> >> Regards,
> >> Arend
> >>
> >>
> >>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
> >>> management type
> >>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
> >>> encryption suites
> >
> > Arend,
> >
> > I find the wpa_supplicant docs really hard to understand. I have read
> > through your response a few times and am still a bit confused. Does
> > this have to do with a pure wpa3 versus a wpa2/3 AP?
>
> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
>
> > I have tried editing my hostapd.conf and my wpa_supplicant.conf and
> > still cannot get a connection, so I must be doing something wrong.
> > I commented the ieee80211w line on both and it would not connect.
> > I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
> > it still would not connect.
> >
> > What *should* the configurations be in the hostapd.conf and
> > wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
> > should it be to be a wpa2/3 setup? My phone worked fine to connect
> > with the original hostapd setup, but I have no idea what it is doing
>
> As I mentioned in my previous email both config files listed above look
> okay to me (might be wrong though). The problem seems to be with
> wpas_is_sae_avoided(). For it to return true the config should have:
>
> sae_check_mfp=1
>
> But you don't have that and default is 0 so it should check for MFP. This
> is where my trail ends. To learn more I would add additional debug prints.
> Are you comfortable rebuilding wpa_supplicant from source?
>
> Regards,
> Arend
>
>

Arend,

Thanks for the reply. I could try to rebuild wpa_supplicant from source.
This is on RPi, so debian *.debs which are a pain, but I think I can do
it.

Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
the hostapd.conf and wpa_supplicant.conf? I can try that and see if
anything changes. Why would I have to re-build wpa_supplicant?

Keith
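
The reasoning about the `available key_mgmt 0x0` debug line, as an added example that is not part of the thread or of wpa_supplicant: it parses that line and checks which inputs to the quoted selection step reproduce the logged result. It models only the SAE bit (`BIT(10)`, the value quoted in the thread) and leaves out the FT masking; `model_sel`, `parse_line`, `reproduces` and their int parameters are hypothetical stand-ins for the driver-flag tests and for the return value of `wpas_is_sae_avoided()`.

```c
#include <stdio.h>
#include <string.h>

#define BIT(n) (1U << (n))
#define WPA_KEY_MGMT_SAE BIT(10) /* value quoted in the thread */

/* Debug line from the thread, unwrapped (the mail client split it). */
static const char SAMPLE[] =
    "1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile "
    "key_mgmt 0x400; available key_mgmt 0x0";

/* Simplified model of the quoted selection step, SAE bit only. The int
 * parameters are hypothetical stand-ins for the two driver-flag tests
 * and for the return value of wpas_is_sae_avoided(). */
static unsigned int model_sel(unsigned int ap, unsigned int profile,
                              int drv_sae, int drv_offload, int avoided)
{
    unsigned int sel = ap & profile;

    if ((!drv_sae && !drv_offload) || avoided)
        sel &= ~WPA_KEY_MGMT_SAE;
    return sel;
}

/* Extract the three masks from the debug line; 0 on success, -1 if absent. */
static int parse_line(const char *line, unsigned int *ap,
                      unsigned int *profile, unsigned int *avail)
{
    const char *p = strstr(line, "WPA: AP key_mgmt ");

    if (!p || sscanf(p, "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x;"
                        " available key_mgmt 0x%x", ap, profile, avail) != 3)
        return -1;
    return 0;
}

/* 1 if these inputs reproduce the logged result, 0 if not, -1 on parse error. */
static int reproduces(const char *line, int drv_sae, int drv_offload, int avoided)
{
    unsigned int ap, profile, avail;

    if (parse_line(line, &ap, &profile, &avail))
        return -1;
    return model_sel(ap, profile, drv_sae, drv_offload, avoided) == avail;
}

int main(void)
{
    printf("driver SAE ok, not avoided: %d\n", reproduces(SAMPLE, 1, 1, 0));
    printf("driver SAE ok, avoided:     %d\n", reproduces(SAMPLE, 1, 1, 1));
    printf("no driver SAE support:      %d\n", reproduces(SAMPLE, 0, 0, 0));
    return 0;
}
```

With the driver reporting SAE support, only the "avoided" case in this model reproduces the logged `0x0`, which is why the thread turns to `wpas_is_sae_avoided()` and extra debug prints.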