On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote:
>
> On June 27, 2024 12:47:02 AM KeithG <ys3al35l@xxxxxxxxx> wrote:
>
> > On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
> > <arend.vanspriel@xxxxxxxxxxxx> wrote:
> >>
> >> On June 26, 2024 2:05:07 PM KeithG <ys3al35l@xxxxxxxxx> wrote:
> >>
> >>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
> >>> <arend.vanspriel@xxxxxxxxxxxx> wrote:
> >>>>
> >>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@xxxxxxxxx> wrote:
> >>>>
> >>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> >>>>> <arend.vanspriel@xxxxxxxxxxxx> wrote:
> >>>>>>
> >>>>>> + Jouni
> >>>>>>
> >>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
> >>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group
> >>>>>>> 0x18; available group 0x10
> >>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
> >>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile
> >>>>>>> pairwise 0x10; available pairwise 0x10
> >>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
> >>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile
> >>>>>>> key_mgmt 0x400; available key_mgmt 0x0
> >>>>>>
> >>>>>>
> >>>>>> I suspect the message above indicates the problem as there is no
> >>>>>> available key_mgmt to select so looked it up in the code and here it is:
> >>>>>>
> >>>>>>     sel = ie.key_mgmt & ssid->key_mgmt;
> >>>>>> #ifdef CONFIG_SAE
> >>>>>>     if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> >>>>>>          !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> >>>>>>         wpas_is_sae_avoided(wpa_s, ssid, &ie))
> >>>>>>         sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> >>>>>>                  WPA_KEY_MGMT_FT_SAE |
> >>>>>>                  WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> >>>>>> #endif /* CONFIG_SAE */
> >>>>>> #ifdef CONFIG_IEEE80211R
> >>>>>>     if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> >>>>>>                               WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> >>>>>>         sel &= ~WPA_KEY_MGMT_FT;
> >>>>>> #endif /* CONFIG_IEEE80211R */
> >>>>>>     wpa_dbg(wpa_s, MSG_DEBUG,
> >>>>>>             "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
> >>>>>>             ie.key_mgmt, ssid->key_mgmt, sel);
> >>>>>>
> >>>>>> So 0x400 matches the expectation:
> >>>>>>
> >>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
> >>>>>>
> >>>>>> You already confirmed that the driver reports SAE and SAE offload
> >>>>>> support. So it seems wpas_is_sae_avoided() must return true. That will
> >>>>>> check whether the AP and network profile are setup to MFP. This seems to
> >>>>>> be the fact as your hostapd.conf and wpa_supplicant.conf both have
> >>>>>> ieee80211w=2 defined. This function can only return true when
> >>>>>> is enabled in configuration file:
> >>>>>>
> >>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> >>>>>> # 0 = Do not check PMF for SAE (default)
> >>>>>> # 1 = Limit SAE when PMF is not enabled
> >>>>>> #
> >>>>>> # When enabled SAE will not be selected if PMF will not be used
> >>>>>> # for the connection.
> >>>>>> # Scenarios where this check will limit SAE:
> >>>>>> # 1) ieee80211w=0 is set for the network
> >>>>>> # 2) The AP does not have PMF enabled.
> >>>>>> # 3) ieee80211w is unset, pmf=1 is enabled globally, and
> >>>>>> # the device does not support the BIP cipher.
> >>>>>> # Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
> >>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> >>>>>> # In the example WPA-PSK will be used if the device does not support
> >>>>>> # the BIP cipher or the AP has PMF disabled.
> >>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
> >>>>>> # that is configured with sae_requires_mfp=1 if the device does
> >>>>>> # not support PMF due to lack of the BIP cipher.
> >>>>>>
> >>>>>> The default is not to check it and your wpa_supplicant.conf does not
> >>>>>> specify it.
> >>>>>>
> >>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> >>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> >>>>>> update_config=1
> >>>>>> network={
> >>>>>>     ssid="deskSAE"
> >>>>>>     sae_password="secret123"
> >>>>>>     proto=RSN
> >>>>>>     key_mgmt=SAE
> >>>>>>     pairwise=CCMP
> >>>>>>     ieee80211w=2
> >>>>>> }
> >>>>>>
> >>>>>> $ cat /etc/hostapd/hostapd.conf
> >>>>>> # interface and driver
> >>>>>> interface=ap0
> >>>>>> driver=nl80211
> >>>>>>
> >>>>>> # WIFI-Config
> >>>>>> ssid=deskSAE
> >>>>>> channel=1
> >>>>>> hw_mode=g
> >>>>>>
> >>>>>> wpa=2
> >>>>>> wpa_key_mgmt=SAE
> >>>>>> wpa_pairwise=CCMP
> >>>>>> sae_password=secret123
> >>>>>> sae_groups=19
> >>>>>> ieee80211w=2
> >>>>>> sae_pwe=0
> >>>>>>
> >>>>>> Regards,
> >>>>>> Arend
> >>>>>>
> >>>>>>
> >>>>>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key
> >>>>>>> management type
> >>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and
> >>>>>>> encryption suites
> >>>>>
> >>>>> Arend,
> >>>>>
> >>>>> I find the wpa_supplicant docs really hard to understand. I have read
> >>>>> through your response a few times and am still a bit confused. Does
> >>>>> this have to do with a pure wpa3 versus a wpa2/3 AP?
> >>>>
> >>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
> >>>>
> >>>>> I have tried editing my hostapd.conf and my wpa_supplicant.conf and
> >>>>> still cannot get a connection, so I must be doing something wrong.
> >>>>> I commented the ieee80211w line on both and it would not connect.
> >>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE WPA_PSK' and
> >>>>> it still would not connect.
> >>>>>
> >>>>> What *should* the configurations be in the hostapd.conf and
> >>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup? What
> >>>>> should it be to be a wpa2/3 setup? My phone worked fine to connect
> >>>>> with the original hostapd setup, but I have no idea what it is doing
> >>>>
> >>>> As I mentioned in my previous email both config files listed above look
> >>>> okay to me (might be wrong though). The problem seems to be with
> >>>> wpas_is_sae_avoided(). For it to return true the config should have:
> >>>>
> >>>> sae_check_mfp=1
> >>>>
> >>>> But you don't have that and default is 0 so it should check for MFP. This
> >>>> is where my trail ends. To learn more I would add additional debug prints.
> >>>> Are you comfortable rebuilding wpa_supplicant from source?
> >>>>
> >>>> Regards,
> >>>> Arend
> >>>
> >>> Arend,
> >>>
> >>> Thanks for the reply. I could try to rebuild wpa_supplicant from
> >>> source. This is on RPi, so debian *.debs which are a pain, but I think
> >>> I can do it.
> >>>
> >>> Do I understand correctly that 'sae_check_mfp=1' is supposed to be in
> >>> the hostapd.conf and wpa_supplicant.conf? I can try that and see if
> >>> anything changes.
> >>
> >> Ok. We can try first to put following in wpa_supplicant.conf:
> >>
> >> sae_check_mfp=0
> >>
> >> Let me know if that makes any difference.
> >>
> >>> Why would I have to re-build wpa_supplicant?
> >>
> >> I would provide a patch with additional debug prints so I get better
> >> understanding what is going wrong. Would be great if you can apply that and
> >> rebuild.
> >>
> >> Regards,
> >> Arend
> > Arend,
> >
> > I was able to try it this afternoon.
> > My hostapd is still:
> > # interface and driver
> > interface=ap0
> > driver=nl80211
> >
> > # WIFI-Config
> > ssid=deskSAE
> > channel=1
> > hw_mode=g
> >
> > wpa=2
> > wpa_key_mgmt=SAE
> > wpa_pairwise=CCMP
> > sae_password=secret123
> > sae_groups=19
> > ieee80211w=2
> > sae_pwe=0
> >
> > and I can still connect from my phone to this AP.
> >
> > I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> > update_config=1
> > network={
> >     ssid="deskSAE"
> >     sae_password="secret123"
> >     proto=RSN
> >     key_mgmt=SAE
> >     pairwise=CCMP
> >     ieee80211w=2
> >     sae_check_mfp=1
> > }
> >
> > and when I try to connect, I get:
> > # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > Successfully initialized wpa_supplicant
> > Line 10: unknown network field 'sae_check_mfp'.
> > Line 11: failed to parse network block.
>
> Right. The setting sae_check_mfp is a global setting like update_config. So
> it should be moved outside the network block.
>
> Regards,
> Arend
>

Arend,

Thanks for the hand holding, I am out of my depth here!
I tried this config and get a similar result.

ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
sae_check_mfp=1
network={
    ssid="deskSAE"
    sae_password="secret123"
    proto=RSN
    key_mgmt=SAE
    pairwise=CCMP
    ieee80211w=2
}

# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
Successfully initialized wpa_supplicant
Line 3: unknown global field 'sae_check_mfp=1'.
Line 3: Invalid configuration line 'sae_check_mfp=1'.
Failed to read or parse configuration
'/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
: CTRL-EVENT-DSCP-POLICY clear_all

Seems it doesn't recognize this parameter.

Keith
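
Added example, not part of the e-mail thread and not wpa_supplicant code: a triage script for the `AP ... network profile ...; available ...` debug lines quoted above. It separates a plain AP/profile mismatch from the case in this thread, where both sides agree on 0x400 and the bit is removed afterwards. The sample log is the thread's lines re-joined after mail wrapping, the only bit name used is the quoted `WPA_KEY_MGMT_SAE BIT(10)`, and the function and verdict names are my own.

```python
import re

# The three selection lines from the thread, re-joined after mail wrapping.
SAMPLE_LOG = """\
1718907734.308740: wlan0: WPA: AP group 0x10 network profile group 0x18; available group 0x10
1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile pairwise 0x10; available pairwise 0x10
1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile key_mgmt 0x400; available key_mgmt 0x0
"""

# Only bit name taken from the page: #define WPA_KEY_MGMT_SAE BIT(10)
KNOWN_BITS = {"key_mgmt": {10: "SAE"}}

LINE_RE = re.compile(
    r"WPA: AP (?P<kind>\w+) (?P<ap>0x[0-9a-fA-F]+) network profile (?P=kind) "
    r"(?P<profile>0x[0-9a-fA-F]+); available (?P=kind) (?P<avail>0x[0-9a-fA-F]+)"
)


def bit_names(kind, mask):
    """Name each set bit, falling back to bitN where the page gives no name."""
    table = KNOWN_BITS.get(kind, {})
    return [table.get(i, f"bit{i}") for i in range(mask.bit_length()) if (mask >> i) & 1]


def triage(log_text):
    """Classify each suite-selection step found in wpa_supplicant debug output."""
    findings = []
    for m in LINE_RE.finditer(log_text):
        kind = m["kind"]
        ap, profile, avail = (int(m[k], 16) for k in ("ap", "profile", "avail"))
        common = ap & profile
        dropped = common & ~avail      # offered by both sides, removed locally
        if common == 0:
            verdict = "mismatch"       # AP and network profile share no suite
        elif dropped and avail == 0:
            verdict = "masked-out"     # agreed, then every bit was filtered
        elif dropped:
            verdict = "partly-masked"  # agreed, some bits filtered
        else:
            verdict = "ok"
        findings.append({"kind": kind, "verdict": verdict, "common": common,
                         "dropped": bit_names(kind, dropped)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:9} {f['verdict']:13} common=0x{f['common']:x} dropped={f['dropped']}")
```

A `masked-out` verdict on `key_mgmt` points at the local filters in the quoted selection code (the driver flag checks or `wpas_is_sae_avoided()`), not at a disagreement between hostapd.conf and the network block.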