+ Jouni

On 6/20/2024 8:25 PM, KeithG wrote:

1718907734.308740: wlan0: WPA: AP group 0x10 network profile group 0x18; available group 0x10
1718907734.308748: wlan0: WPA: using GTK CCMP
1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile pairwise 0x10; available pairwise 0x10
1718907734.308767: wlan0: WPA: using PTK CCMP
1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile key_mgmt 0x400; available key_mgmt 0x0

I suspect the message above indicates the problem, as there is no available key_mgmt to select, so I looked it up in the code and here it is:

    sel = ie.key_mgmt & ssid->key_mgmt;
#ifdef CONFIG_SAE
    if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
         !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
        wpas_is_sae_avoided(wpa_s, ssid, &ie))
        sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
                 WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY);
#endif /* CONFIG_SAE */
#ifdef CONFIG_IEEE80211R
    if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
                              WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
        sel &= ~WPA_KEY_MGMT_FT;
#endif /* CONFIG_IEEE80211R */
    wpa_dbg(wpa_s, MSG_DEBUG,
            "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
            ie.key_mgmt, ssid->key_mgmt, sel);

So 0x400 matches the expectation:

#define WPA_KEY_MGMT_SAE BIT(10)

You already confirmed that the driver reports SAE and SAE offload support. So it seems wpas_is_sae_avoided() must return true. That will check whether the AP and network profile are set up for MFP. This seems to be the fact as your hostapd.conf and wpa_supplicant.conf both have ieee80211w=2 defined. This function can only return true when sae_check_mfp is enabled in the configuration file:

# sae_check_mfp: Require PMF support to select SAE key_mgmt
# 0 = Do not check PMF for SAE (default)
# 1 = Limit SAE when PMF is not enabled
#
# When enabled SAE will not be selected if PMF will not be used
# for the connection.
# Scenarios where this check will limit SAE:
# 1) ieee80211w=0 is set for the network
# 2) The AP does not have PMF enabled.
# 3) ieee80211w is unset, pmf=1 is enabled globally, and
#    the device does not support the BIP cipher.
# Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
# network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
# In the example WPA-PSK will be used if the device does not support
# the BIP cipher or the AP has PMF disabled.
# Limiting SAE with this check can avoid failing to associate to an AP
# that is configured with sae_requires_mfp=1 if the device does
# not support PMF due to lack of the BIP cipher.

The default is not to check it and your wpa_supplicant.conf does not specify it.

# cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
network={
    ssid="deskSAE"
    sae_password="secret123"
    proto=RSN
    key_mgmt=SAE
    pairwise=CCMP
    ieee80211w=2
}

$ cat /etc/hostapd/hostapd.conf
# interface and driver
interface=ap0
driver=nl80211
# WIFI-Config
ssid=deskSAE
channel=1
hw_mode=g
wpa=2
wpa_key_mgmt=SAE
wpa_pairwise=CCMP
sae_password=secret123
sae_groups=19
ieee80211w=2
sae_pwe=0

Regards,
Arend

1718907734.308779: wlan0: WPA: Failed to select authenticated key management type
1718907734.308787: wlan0: WPA: Failed to set WPA key management and encryption suites
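
The mask logic quoted in the message above, as an added model that is not part of the original message or the hostap code: it applies the quoted SAE mask and the three documented sae_check_mfp scenarios to the AP and profile values from the log. The struct, its field names and MFP_UNSET are assumptions made for illustration; only WPA_KEY_MGMT_SAE = BIT(10) is taken from the message.

```c
#include <stdbool.h>
#include <stdio.h>

#define BIT(x) (1U << (x))
#define WPA_KEY_MGMT_SAE BIT(10) /* value quoted in the message */
#define MFP_UNSET (-1)           /* hypothetical marker: ieee80211w not set */

/* Hypothetical model of the inputs; these are not the project's structures. */
struct sta_model {
    bool drv_sae;         /* driver reports SAE */
    bool drv_sae_offload; /* driver reports SAE offload (STA) */
    bool drv_bip;         /* device supports the BIP cipher */
    int sae_check_mfp;    /* global setting, default 0 */
    int pmf;              /* global pmf setting */
    int ieee80211w;       /* per network: 0, 1, 2 or MFP_UNSET */
    bool ap_pmf;          /* AP has PMF enabled */
};

/* The three scenarios listed in the sae_check_mfp documentation. */
static bool sae_avoided(const struct sta_model *m)
{
    if (!m->sae_check_mfp)
        return false; /* default: PMF is not checked for SAE */
    if (m->ieee80211w == 0 || !m->ap_pmf)
        return true;  /* scenarios 1 and 2 */
    return m->ieee80211w == MFP_UNSET && m->pmf == 1 && !m->drv_bip;
}

/* Same shape as the quoted selection code, restricted to the SAE bit. */
static unsigned int available_key_mgmt(const struct sta_model *m,
                                       unsigned int ap, unsigned int profile)
{
    unsigned int sel = ap & profile;

    if ((!m->drv_sae && !m->drv_sae_offload) || sae_avoided(m))
        sel &= ~WPA_KEY_MGMT_SAE;
    return sel;
}

int main(void)
{
    /* Constructed from the posted configs: ieee80211w=2, sae_check_mfp unset. */
    struct sta_model m = { true, true, true, 0, 0, 2, true };

    printf("as posted:     0x%x\n", available_key_mgmt(&m, 0x400, 0x400));
    m.drv_sae = m.drv_sae_offload = false;
    printf("no driver SAE: 0x%x\n", available_key_mgmt(&m, 0x400, 0x400));
    return 0;
}
```

In this model the posted configuration keeps 0x400 available; the mask reaches 0x0 only when both driver capability inputs are false or one of the sae_check_mfp scenarios applies.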