On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
<arend.vanspriel@xxxxxxxxxxxx> wrote:
>
> + Jouni
>
> On 6/20/2024 8:25 PM, KeithG wrote:
> > 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
> > 0x18; available group 0x10
> > 1718907734.308748: wlan0: WPA: using GTK CCMP
> > 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
> > pairwise 0x10; available pairwise 0x10
> > 1718907734.308767: wlan0: WPA: using PTK CCMP
> > 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
> > key_mgmt 0x400; available key_mgmt 0x0
> >
> I suspect the message above indicates the problem as there is no
> available key_mgmt to select so looked it up in the code and here it is:
>
>     sel = ie.key_mgmt & ssid->key_mgmt;
> #ifdef CONFIG_SAE
>     if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
>          !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
>         wpas_is_sae_avoided(wpa_s, ssid, &ie))
>         sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
>                  WPA_KEY_MGMT_FT_SAE |
>                  WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> #endif /* CONFIG_SAE */
> #ifdef CONFIG_IEEE80211R
>     if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
>                               WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
>         sel &= ~WPA_KEY_MGMT_FT;
> #endif /* CONFIG_IEEE80211R */
>     wpa_dbg(wpa_s, MSG_DEBUG,
>             "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
>             ie.key_mgmt, ssid->key_mgmt, sel);
>
> So 0x400 matches the expectation:
>
> #define WPA_KEY_MGMT_SAE BIT(10)
>
> You already confirmed that the driver reports SAE and SAE offload
> support. So it seems wpas_is_sae_avoided() must return true. That will
> check whether the AP and network profile are setup to MFP. This seems to
> be the fact as your hostapd.conf and wpa_supplicant.conf both have
> ieee80211w=2 defined. This function can only return true when
> sae_check_mfp is enabled in configuration file:
>
> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> # 0 = Do not check PMF for SAE (default)
> # 1 = Limit SAE when PMF is not enabled
> #
> # When enabled SAE will not be selected if PMF will not be used
> # for the connection.
> # Scenarios where this check will limit SAE:
> #  1) ieee80211w=0 is set for the network
> #  2) The AP does not have PMF enabled.
> #  3) ieee80211w is unset, pmf=1 is enabled globally, and
> #     the device does not support the BIP cipher.
> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> # In the example WPA-PSK will be used if the device does not support
> # the BIP cipher or the AP has PMF disabled.
> # Limiting SAE with this check can avoid failing to associate to an AP
> # that is configured with sae_requires_mfp=1 if the device does
> # not support PMF due to lack of the BIP cipher.
>
> The default is not to check it and your wpa_supplicant.conf does not
> specify it.
>
> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> update_config=1
> network={
>     ssid="deskSAE"
>     sae_password="secret123"
>     proto=RSN
>     key_mgmt=SAE
>     pairwise=CCMP
>     ieee80211w=2
> }
>
> $ cat /etc/hostapd/hostapd.conf
> # interface and driver
> interface=ap0
> driver=nl80211
>
> # WIFI-Config
> ssid=deskSAE
> channel=1
> hw_mode=g
>
> wpa=2
> wpa_key_mgmt=SAE
> wpa_pairwise=CCMP
> sae_password=secret123
> sae_groups=19
> ieee80211w=2
> sae_pwe=0
>
> Regards,
> Arend
>
> > 1718907734.308779: wlan0: WPA: Failed to select authenticated key
> > management type
> > 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
> > encryption suites

Arend,

I find the wpa_supplicant docs really hard to understand. I have read
through your response a few times and am still a bit confused. Does this
have to do with a pure wpa3 versus a wpa2/3 AP? I have tried editing my
hostapd.conf and my wpa_supplicant.conf and still cannot get a
connection, so I must be doing something wrong. I commented the
ieee80211w line on both and it would not connect. I tried changing the
wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and it still would not
connect.

What *should* the configurations be in the hostapd.conf and
wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What should
it be to be a wpa2/3 setup? My phone worked fine to connect with the
original hostapd setup, but I have no idea what it is doing.

Regards,
Keith
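
An added example, not part of either message and not wpa_supplicant code: a small triage script for the "AP key_mgmt ... available key_mgmt" debug line discussed above. It recomputes the AP/profile intersection from the logged masks and reports which AKM bits were cleared afterwards. Only SAE = BIT(10) comes from the thread; the other bit names are assumed from hostap's defs.h, and the second sample line is constructed.

```python
import re

# Partial AKM bit table. SAE = BIT(10) is quoted in the message above; the
# other entries are assumed from hostap's defs.h (EXT_KEY variants omitted).
KEY_MGMT_BITS = {1: "PSK", 6: "FT-PSK", 8: "PSK-SHA256", 10: "SAE", 11: "FT-SAE"}
SAE_MASK = (1 << 10) | (1 << 11)

LINE_RE = re.compile(
    r"(?P<ifname>\S+): WPA: AP key_mgmt 0x(?P<ap>[0-9a-fA-F]+) network profile "
    r"key_mgmt 0x(?P<prof>[0-9a-fA-F]+); available key_mgmt 0x(?P<avail>[0-9a-fA-F]+)"
)

def names(mask):
    """Decode a key_mgmt bitmask into names; unknown bits are shown as BIT(n)."""
    return [KEY_MGMT_BITS.get(b, f"BIT({b})") for b in range(32) if (mask >> b) & 1]

def triage(log_text):
    """Return one finding per key_mgmt selection line found in a debug log."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ap, prof, avail = (int(m[k], 16) for k in ("ap", "prof", "avail"))
        common = ap & prof          # sel = ie.key_mgmt & ssid->key_mgmt
        filtered = common & ~avail  # bits cleared after the intersection
        if common == 0:
            verdict = "no overlap between AP and network profile"
        elif filtered & SAE_MASK:
            verdict = "SAE cleared: check driver SAE flags / wpas_is_sae_avoided()"
        elif filtered:
            verdict = "non-SAE AKM cleared after intersection (e.g. the FT check)"
        else:
            verdict = "ok"
        findings.append({"iface": m["ifname"], "common": names(common),
                         "filtered": names(filtered), "available": names(avail),
                         "verdict": verdict})
    return findings

# Sample input: the first line is the one from this thread (unwrapped),
# the second is constructed for contrast.
SAMPLE = """\
1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile key_mgmt 0x400; available key_mgmt 0x0
1718907800.000001: wlan0: WPA: AP key_mgmt 0x402 network profile key_mgmt 0x2; available key_mgmt 0x2
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Feed it the unwrapped output of a wpa_supplicant debug log; mail clients wrap these lines, so rejoin them first.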