On 7/14/2024 8:42 PM, KeithG wrote:
On Sat, Jul 13, 2024 at 7:13 AM Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote:On July 8, 2024 1:33:02 PM "Dembianny Sven (BSH GDE-EDSD5)" <Sven.Dembianny@xxxxxxxx> wrote:On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l@xxxxxxxxx> wrote:On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote:On June 27, 2024 12:47:02 AM KeithG <ys3al35l@xxxxxxxxx> wrote:On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote:On June 26, 2024 2:05:07 PM KeithG <ys3al35l@xxxxxxxxx> wrote:On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote:On June 21, 2024 2:24:19 PM KeithG <ys3al35l@xxxxxxxxx> wrote:On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote:+ Jouni On 6/20/2024 8:25 PM, KeithG wrote:1718907734.308740: wlan0: WPA: AP group 0x10 network profile group 0x18; available group 0x10 1718907734.308748: wlan0: WPA: using GTK CCMP 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile pairwise 0x10; available pairwise 0x10 1718907734.308767: wlan0: WPA: using PTK CCMP 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile key_mgmt 0x400; available key_mgmt 0x0I suspect the message above indicates the problem as there is no available key_mgmt to select so looked it up in the code and here it is: sel = ie.key_mgmt & ssid->key_mgmt; #ifdef CONFIG_SAE if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) && !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) || wpas_is_sae_avoided(wpa_s, ssid, &ie)) sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY | WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY); #endif /* CONFIG_SAE */ #ifdef CONFIG_IEEE80211R if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME | WPA_DRIVER_FLAGS_UPDATE_FT_IES))) sel &= ~WPA_KEY_MGMT_FT; #endif /* CONFIG_IEEE80211R */ wpa_dbg(wpa_s, MSG_DEBUG, "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x", ie.key_mgmt, ssid->key_mgmt, sel); So 0x400 matches the expectation: #define WPA_KEY_MGMT_SAE BIT(10) You already confirmed that the driver reports SAE and SAE offload support. So it seems wpas_is_sae_avoided() must return true. That will check whether the AP and network profile are setup to MFP. This seems to be the fact as your hostapd.conf and wpa_supplicant.conf both have ieee80211w=2 defined. This function can only return true when is enabled in configuration file: # sae_check_mfp: Require PMF support to select SAE key_mgmt # 0 = Do not check PMF for SAE (default) # 1 = Limit SAE when PMF is not enabled # # When enabled SAE will not be selected if PMF will not be used # for the connection. # Scenarios where this check will limit SAE: # 1) ieee80211w=0 is set for the network # 2) The AP does not have PMF enabled. # 3) ieee80211w is unset, pmf=1 is enabled globally, and # the device does not support the BIP cipher. # Consider the configuration of global parameterss sae_check_mfp=1, pmf=1 and a # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK. # In the example WPA-PSK will be used if the device does not support # the BIP cipher or the AP has PMF disabled. # Limiting SAE with this check can avoid failing to associate to an AP # that is configured with sae_requires_mfp=1 if the device does # not support PMF due to lack of the BIP cipher. The default is not to check it and you wpa_supplicant.conf does not specify it. # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev update_config=1 network={ ssid="deskSAE" sae_password="secret123" proto=RSN key_mgmt=SAE pairwise=CCMP ieee80211w=2 } $ cat /etc/hostapd/hostapd.conf # interface and driver interface=ap0 driver=nl80211 # WIFI-Config ssid=deskSAE channel=1 hw_mode=g wpa=2 wpa_key_mgmt=SAE wpa_pairwise=CCMP sae_password=secret123 sae_groups=19 ieee80211w=2 sae_pwe=0 Regards, Arend1718907734.308779: wlan0: WPA: Failed to select authenticated key management type 1718907734.308787: wlan0: WPA: Failed to set WPA key management and encryption suitesArend, I find the wpa_supplicant docs really hard to understand. I have read through your response a few times and am still a bit confused. Does this have to do with a pure wpa3 versus a wpa2/3 AP?Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.I have tried editing my hostapd.conf and my wpa_supplicant.conf and still cannot get a connection, so I must be doing something wrong. I commented the ieee80211w line on both and it would not connect. I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and it still would not connect. What *should* the configurations be in the hostapd.conf and wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What should it be to be a wpa2/3 setup? My phone worked fine to connect with the original hostapd setup, but I have no idea what it is doingAs I mentioned in my previous email both config files listed above look okay to me (might be wrong though). The problem seems to be with wpas_is_sae_avoided(). For it to return true the config should have: sae_check_mfp=1 But you don't have that and default is 0 so it should check for MFP. This is where my trail ends. To learn more I would add additional debug prints. Are you comfortable rebuilding wpa_supplicant from source? Regards, ArendArend, Thanks for the reply. I could try to rebuild wpa_supplicant from source. This is on RPi, so debian *.debs which are a pain, but I think I can do it. Do I understand correctly that 'sae_check_mfp=1' is supposed to be in the hostapd.conf and wpa_supplicant.conf? I can try that and see if anything changes.Ok. We can try first to put following in wpa_supplicant.conf: sae_check_mfp=0 Let me know if that makes any difference.Why would I have to re-build wpa_supplicant?I would provide a patch with additional debug prints so I get better understanding what is going wrong. Would be great if you can apply that and rebuild. Regards, ArendArend, I was able to try it this afternoon. My hostapd is still: # interface and driver interface=ap0 driver=nl80211 # WIFI-Config ssid=deskSAE channel=1 hw_mode=g wpa=2 wpa_key_mgmt=SAE wpa_pairwise=CCMP sae_password=secret123 sae_groups=19 ieee80211w=2 sae_pwe=0 and I can still connect from my phone to this AP. I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev update_config=1 network={ ssid="deskSAE" sae_password="secret123" proto=RSN key_mgmt=SAE pairwise=CCMP ieee80211w=2 sae_check_mfp=1 } and when I try to connect, I get: # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf Successfully initialized wpa_supplicant Line 10: unknown network field 'sae_check_mfp'. Line 11: failed to parse network block.Right. The setting sae_check_mfp is a global setting like update_config. So it should be moved outside the network block. Regards, ArendArend, Thanks for the hand holding, I am out of my depth here! I tried this config and get a similar result. ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev update_config=1 sae_check_mfp=1 network={ ssid="deskSAE" sae_password="secret123" proto=RSN key_mgmt=SAE pairwise=CCMP ieee80211w=2 } # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf Successfully initialized wpa_supplicant Line 3: unknown global field 'sae_check_mfp=1'. Line 3: Invalid configuration line 'sae_check_mfp=1'. Failed to read or parse configuration '/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'. : CTRL-EVENT-DSCP-POLICY clear_all seems it doesn't recognize this parameter. KeithReplying to my own post. I re-built wpa_supplicant from the current git: # wpa_supplicant -v wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f Copyright (c) 2003-2022, Jouni Malinen <j@xxxxx> and contributors It now seems to recognize the 'sae_check_mfp' parameter, but still does not connect: # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf Successfully initialized wpa_supplicant wlan0: Trying to associate with SSID 'deskSAE' wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16 wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear) wlan0: Trying to associate with SSID 'deskSAE' wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16 wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear) wlan0: Trying to associate with SSID 'deskSAE' wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16 wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear) wlan0: Trying to associate with SSID 'deskSAE' wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16 wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE" auth_failures=1 duration=10 reason=CONN_FAILED wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE" wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2, ignoring for 10 seconds wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear) wlan0: Trying to associate with SSID 'deskSAE' wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16 wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE" auth_failures=2 duration=20 reason=CONN_FAILED ^Cp2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0 p2p-dev-wlan0: CTRL-EVENT-TERMINATING wlan0: CTRL-EVENT-DSCP-POLICY clear_all wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear) wlan0: CTRL-EVENT-DSCP-POLICY clear_all nl80211: deinit ifname=wlan0 disabled_11b_rates=0 wlan0: CTRL-EVENT-TERMINATING I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot connect with this 'current' version of wpa_supplicant. KeithHi Keith, maybe you are missing sae_pwe=2 in your wpa_supplicant.conf At least in our setup it works.I think Keith already reported success in earlier email. @Keith: If I am mistaken let me know. Regards, ArendArend, Yes, I figured it out. As per the link shared: I had to put the latest firmware on and use the latest wpa_supplicant, but with these 2 changes, it did connect.
Good to know. Regards, Arend
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap