Configuring access control for mixed WPA2-PSK and WPA3-SAE modes

Hello everyone,

I have a question about configuring access control and password usage in `hostapd` for mixed WPA2-PSK and WPA3-SAE modes.

I would expect the following AP behavior:

- WPA2-PSK clients
  - Should connect using the WPA password (`wpa_passphrase`).
  - Should not use the SAE password (even if specified in `sae_password_file`), as that would imply WPA3-SAE compatibility.

- WPA3-SAE clients
  - Should connect using either the WPA password (`wpa_passphrase`) or the SAE password (if specified in `sae_password_file`).

I attempted to configure `hostapd` to achieve this, but I could not find any combination of settings that worked as described. Specifically:

If I specified the SAE password to allow a client to connect using WPA3-SAE only, the client would indeed need to use the SAE password. However, the same password could also be used to connect using WPA2-PSK, which bypasses the intended access control. I do not consider this behavior to be correct.

Could you confirm whether this is a limitation of `hostapd`, a misunderstanding or error in my configuration, or a potential bug?

Any response would be greatly appreciated.

Best regards,
Tomáš Vostřel


Configuration file
```
# cat /var/run/wifi/hostapd.conf
interface=wlan0
driver=nl80211
ctrl_interface=/var/run/wifi/hostapd
logger_syslog=0
ssid=Test Wi-Fi
country_code=US
ieee80211d=1
hw_mode=a
channel=36
ieee80211n=1
ieee80211ac=1
ht_capab=[SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]
macaddr_acl=1
accept_mac_file=/var/run/wifi/hostapd.acl
wpa=2
wpa_passphrase=0123456789
wpa_key_mgmt=WPA-PSK SAE
wpa_pairwise=CCMP
group_cipher=CCMP
ieee80211w=1
ocv=1
sae_password_file=/var/run/wifi/hostapd.sae
```

File /var/run/wifi/hostapd.acl
```
00:1A:2B:3C:4D:5E
```

File /var/run/wifi/hostapd.sae
```
9876543210|mac=00:1A:2B:3C:4D:5E
```

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
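
An added example, not part of the original message or of hostapd's own code: a small Python check over constructed copies of the three posted files that flags consistency mistakes (SAE entries not bound to a MAC, MACs missing from the ACL, an SAE password equal to the PSK) which would blur the per-client separation the post is asking for. The function names are hypothetical, and it assumes `sae_password_file` entries use the `sae_password` value format with no `|` inside the password.

```python
# Added example: consistency check over constructed copies of the posted files.
CONF = """\
macaddr_acl=1
accept_mac_file=/var/run/wifi/hostapd.acl
wpa=2
wpa_passphrase=0123456789
wpa_key_mgmt=WPA-PSK SAE
sae_password_file=/var/run/wifi/hostapd.sae
"""
ACL = "00:1A:2B:3C:4D:5E\n"
SAE = "9876543210|mac=00:1A:2B:3C:4D:5E\n"
WILDCARD = "ff:ff:ff:ff:ff:ff"  # documented "any station" value for mac=

def parse_conf(text):
    """hostapd.conf: key=value per line, '#' lines are comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v for k, v in pairs}

def parse_sae(text):
    """<password>[|mac=<peer mac>][|id=<identifier>]... (simplified: assumes
    the password itself contains no '|')."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        password, *opts = line.split("|")
        entries.append({"password": password,
                        **dict(o.split("=", 1) for o in opts)})
    return entries

def audit(conf_text, acl_text, sae_text):
    conf, findings = parse_conf(conf_text), []
    akms = conf.get("wpa_key_mgmt", "").split()
    psk = conf.get("wpa_passphrase")
    acl = {l.split()[0].lower() for l in acl_text.splitlines()
           if l.strip() and not l.startswith("#")}
    if {"WPA-PSK", "SAE"} <= set(akms):
        findings.append("mixed: one BSS offers both WPA-PSK and SAE")
    if psk is not None and not 8 <= len(psk) <= 63:
        findings.append("wpa_passphrase is outside 8..63 characters")
    for e in parse_sae(sae_text):
        mac = e.get("mac", WILDCARD).lower()
        if mac == WILDCARD:
            findings.append("SAE password is usable by any station (no mac=)")
        elif conf.get("macaddr_acl") == "1" and mac not in acl:
            findings.append(f"SAE entry for {mac} is missing from the ACL")
        if e["password"] == psk:
            findings.append("an SAE password equals wpa_passphrase")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONF, ACL, SAE)))
```

On the files as posted, the only finding is that the BSS is mixed-mode; none of the consistency mistakes are present.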



