> On Thu, Jun 27, 2024 at 6:34 AM KeithG <ys3al35l@xxxxxxxxx> wrote:
> >
> > On Thu, Jun 27, 2024 at 12:01 AM Arend Van Spriel
> > <arend.vanspriel@xxxxxxxxxxxx> wrote:
> > >
> > > On June 27, 2024 12:47:02 AM KeithG <ys3al35l@xxxxxxxxx> wrote:
> > >
> > > > On Wed, Jun 26, 2024 at 7:30 AM Arend Van Spriel
> > > > <arend.vanspriel@xxxxxxxxxxxx> wrote:
> > > >>
> > > >> On June 26, 2024 2:05:07 PM KeithG <ys3al35l@xxxxxxxxx> wrote:
> > > >>
> > > >>> On Wed, Jun 26, 2024 at 2:48 AM Arend Van Spriel
> > > >>> <arend.vanspriel@xxxxxxxxxxxx> wrote:
> > > >>>>
> > > >>>> On June 21, 2024 2:24:19 PM KeithG <ys3al35l@xxxxxxxxx> wrote:
> > > >>>>
> > > >>>>> On Fri, Jun 21, 2024 at 4:09 AM Arend van Spriel
> > > >>>>> <arend.vanspriel@xxxxxxxxxxxx> wrote:
> > > >>>>>>
> > > >>>>>> + Jouni
> > > >>>>>>
> > > >>>>>> On 6/20/2024 8:25 PM, KeithG wrote:
> > > >>>>>>> 1718907734.308740: wlan0: WPA: AP group 0x10 network profile group 0x18; available group 0x10
> > > >>>>>>> 1718907734.308748: wlan0: WPA: using GTK CCMP
> > > >>>>>>> 1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile pairwise 0x10; available pairwise 0x10
> > > >>>>>>> 1718907734.308767: wlan0: WPA: using PTK CCMP
> > > >>>>>>> 1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile key_mgmt 0x400; available key_mgmt 0x0
> > > >>>>>>
> > > >>>>>>
> > > >>>>>> I suspect the message above indicates the problem as there is
> > > >>>>>> no available key_mgmt to select so looked it up in the code and here it is:
> > > >>>>>>
> > > >>>>>> sel = ie.key_mgmt & ssid->key_mgmt;
> > > >>>>>> #ifdef CONFIG_SAE
> > > >>>>>> if ((!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
> > > >>>>>>      !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
> > > >>>>>>     wpas_is_sae_avoided(wpa_s, ssid, &ie))
> > > >>>>>>         sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_SAE_EXT_KEY |
> > > >>>>>>                  WPA_KEY_MGMT_FT_SAE | WPA_KEY_MGMT_FT_SAE_EXT_KEY);
> > > >>>>>> #endif /* CONFIG_SAE */
> > > >>>>>> #ifdef CONFIG_IEEE80211R
> > > >>>>>> if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME |
> > > >>>>>>                           WPA_DRIVER_FLAGS_UPDATE_FT_IES)))
> > > >>>>>>         sel &= ~WPA_KEY_MGMT_FT;
> > > >>>>>> #endif /* CONFIG_IEEE80211R */
> > > >>>>>> wpa_dbg(wpa_s, MSG_DEBUG,
> > > >>>>>>         "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x",
> > > >>>>>>         ie.key_mgmt, ssid->key_mgmt, sel);
> > > >>>>>>
> > > >>>>>> So 0x400 matches the expectation:
> > > >>>>>>
> > > >>>>>> #define WPA_KEY_MGMT_SAE BIT(10)
> > > >>>>>>
> > > >>>>>> You already confirmed that the driver reports SAE and SAE
> > > >>>>>> offload support. So it seems wpas_is_sae_avoided() must
> > > >>>>>> return true. That will check whether the AP and network
> > > >>>>>> profile are setup to MFP. This seems to be the fact as your
> > > >>>>>> hostapd.conf and wpa_supplicant.conf both have
> > > >>>>>> ieee80211w=2 defined. This function can only return true when
> > > >>>>>> is enabled in configuration file:
> > > >>>>>>
> > > >>>>>> # sae_check_mfp: Require PMF support to select SAE key_mgmt
> > > >>>>>> # 0 = Do not check PMF for SAE (default)
> > > >>>>>> # 1 = Limit SAE when PMF is not enabled
> > > >>>>>> #
> > > >>>>>> # When enabled SAE will not be selected if PMF will not be used
> > > >>>>>> # for the connection.
> > > >>>>>> # Scenarios where this check will limit SAE:
> > > >>>>>> # 1) ieee80211w=0 is set for the network
> > > >>>>>> # 2) The AP does not have PMF enabled.
> > > >>>>>> # 3) ieee80211w is unset, pmf=1 is enabled globally, and
> > > >>>>>> #    the device does not support the BIP cipher.
> > > >>>>>> # Consider the configuration of global parameters sae_check_mfp=1,
> > > >>>>>> # pmf=1 and a
> > > >>>>>> # network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
> > > >>>>>> # In the example WPA-PSK will be used if the device does not support
> > > >>>>>> # the BIP cipher or the AP has PMF disabled.
> > > >>>>>> # Limiting SAE with this check can avoid failing to associate to an AP
> > > >>>>>> # that is configured with sae_requires_mfp=1 if the device does
> > > >>>>>> # not support PMF due to lack of the BIP cipher.
> > > >>>>>>
> > > >>>>>> The default is not to check it and your wpa_supplicant.conf
> > > >>>>>> does not specify it.
> > > >>>>>>
> > > >>>>>> # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > > >>>>>> ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> > > >>>>>> update_config=1
> > > >>>>>> network={
> > > >>>>>> ssid="deskSAE"
> > > >>>>>> sae_password="secret123"
> > > >>>>>> proto=RSN
> > > >>>>>> key_mgmt=SAE
> > > >>>>>> pairwise=CCMP
> > > >>>>>> ieee80211w=2
> > > >>>>>> }
> > > >>>>>>
> > > >>>>>> $ cat /etc/hostapd/hostapd.conf
> > > >>>>>> # interface and driver
> > > >>>>>> interface=ap0
> > > >>>>>> driver=nl80211
> > > >>>>>>
> > > >>>>>> # WIFI-Config
> > > >>>>>> ssid=deskSAE
> > > >>>>>> channel=1
> > > >>>>>> hw_mode=g
> > > >>>>>>
> > > >>>>>> wpa=2
> > > >>>>>> wpa_key_mgmt=SAE
> > > >>>>>> wpa_pairwise=CCMP
> > > >>>>>> sae_password=secret123
> > > >>>>>> sae_groups=19
> > > >>>>>> ieee80211w=2
> > > >>>>>> sae_pwe=0
> > > >>>>>>
> > > >>>>>> Regards,
> > > >>>>>> Arend
> > > >>>>>>
> > > >>>>>>
> > > >>>>>>> 1718907734.308779: wlan0: WPA: Failed to select authenticated key management type
> > > >>>>>>> 1718907734.308787: wlan0: WPA: Failed to set WPA key management and encryption suites
> > > >>>>>
> > > >>>>> Arend,
> > > >>>>>
> > > >>>>> I find the wpa_supplicant docs really hard to understand. I
> > > >>>>> have read through your response a few times and am still a bit
> > > >>>>> confused. Does this have to do with a pure wpa3 versus a wpa2/3 AP?
> > > >>>>
> > > >>>> Correct. If I am not mistaken MFP aka PMF aka 802.11w is mandatory for WPA3.
> > > >>>>
> > > >>>>> I have tried editing my hostapd.conf and my
> > > >>>>> wpa_supplicant.conf and still cannot get a connection, so I must be doing something wrong.
> > > >>>>> I commented the ieee80211w line on both and it would not connect.
> > > >>>>> I tried changing the wpa_key_mgmt on both ends to be 'SAE
> > > >>>>> WPA_PSK' and it still would not connect.
> > > >>>>>
> > > >>>>> What *should* the configurations be in the hostapd.conf and
> > > >>>>> wpa_supplicant.conf to negotiate this as a pure wpa3 setup?
> > > >>>>> What should it be to be a wpa2/3 setup? My phone worked fine
> > > >>>>> to connect with the original hostapd setup, but I have no idea
> > > >>>>> what it is doing
> > > >>>>
> > > >>>> As I mentioned in my previous email both config files listed
> > > >>>> above look okay to me (might be wrong though). The problem
> > > >>>> seems to be with wpas_is_sae_avoided(). For it to return true the config should have:
> > > >>>>
> > > >>>> sae_check_mfp=1
> > > >>>>
> > > >>>> But you don't have that and default is 0 so it should check for
> > > >>>> MFP. This is where my trail ends. To learn more I would add additional debug prints.
> > > >>>> Are you comfortable rebuilding wpa_supplicant from source?
> > > >>>>
> > > >>>> Regards,
> > > >>>> Arend
> > > >>>
> > > >>> Arend,
> > > >>>
> > > >>> Thanks for the reply. I could try to rebuild wpa_supplicant from
> > > >>> source. This is on RPi, so debian *.debs which are a pain, but I
> > > >>> think I can do it.
> > > >>>
> > > >>> Do I understand correctly that 'sae_check_mfp=1' is supposed to
> > > >>> be in the hostapd.conf and wpa_supplicant.conf? I can try that
> > > >>> and see if anything changes.
> > > >>
> > > >> Ok. We can try first to put following in wpa_supplicant.conf:
> > > >>
> > > >> sae_check_mfp=0
> > > >>
> > > >> Let me know if that makes any difference.
> > > >>
> > > >>> Why would I have to re-build wpa_supplicant?
> > > >>
> > > >> I would provide a patch with additional debug prints so I get
> > > >> better understanding what is going wrong. Would be great if you
> > > >> can apply that and rebuild.
> > > >>
> > > >> Regards,
> > > >> Arend
> > > > Arend,
> > > >
> > > > I was able to try it this afternoon.
> > > > My hostapd is still:
> > > > # interface and driver
> > > > interface=ap0
> > > > driver=nl80211
> > > >
> > > > # WIFI-Config
> > > > ssid=deskSAE
> > > > channel=1
> > > > hw_mode=g
> > > >
> > > > wpa=2
> > > > wpa_key_mgmt=SAE
> > > > wpa_pairwise=CCMP
> > > > sae_password=secret123
> > > > sae_groups=19
> > > > ieee80211w=2
> > > > sae_pwe=0
> > > >
> > > > and I can still connect from my phone to this AP.
> > > >
> > > > I tried this as my /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > > > ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> > > > update_config=1
> > > > network={
> > > > ssid="deskSAE"
> > > > sae_password="secret123"
> > > > proto=RSN
> > > > key_mgmt=SAE
> > > > pairwise=CCMP
> > > > ieee80211w=2
> > > > sae_check_mfp=1
> > > > }
> > > >
> > > > and when I try to connect, I get:
> > > > # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > > > Successfully initialized wpa_supplicant
> > > > Line 10: unknown network field 'sae_check_mfp'.
> > > > Line 11: failed to parse network block.
> > >
> > > Right. The setting sae_check_mfp is a global setting like
> > > update_config. So it should be moved outside the network block.
> > >
> > > Regards,
> > > Arend
> > >
> > Arend,
> >
> > Thanks for the hand holding, I am out of my depth here!
> >
> > I tried this config and get a similar result.
> > ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
> > update_config=1
> > sae_check_mfp=1
> > network={
> > ssid="deskSAE"
> > sae_password="secret123"
> > proto=RSN
> > key_mgmt=SAE
> > pairwise=CCMP
> > ieee80211w=2
> > }
> > # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> > Successfully initialized wpa_supplicant
> > Line 3: unknown global field 'sae_check_mfp=1'.
> > Line 3: Invalid configuration line 'sae_check_mfp=1'.
> > Failed to read or parse configuration '/etc/wpa_supplicant/wpa_supplicant-wlan0.conf'.
> > : CTRL-EVENT-DSCP-POLICY clear_all
> >
> > seems it doesn't recognize this parameter.
> >
> > Keith
>
> Replying to my own post.
> I re-built wpa_supplicant from the current git:
> # wpa_supplicant -v
> wpa_supplicant v2.11-devel-hostap_2_10-2215-gc9db4925f
> Copyright (c) 2003-2022, Jouni Malinen <j@xxxxx> and contributors
>
> It now seems to recognize the 'sae_check_mfp' parameter, but still does not connect:
> # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
> Successfully initialized wpa_supplicant
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE" auth_failures=1 duration=10 reason=CONN_FAILED
> wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="deskSAE"
> wlan0: BSSID d8:3a:dd:60:a3:0c ignore list count incremented to 2, ignoring for 10 seconds
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: Trying to associate with SSID 'deskSAE'
> wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
> wlan0: Added BSSID d8:3a:dd:60:a3:0c into ignore list, ignoring for 10 seconds
> wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="deskSAE" auth_failures=2 duration=20 reason=CONN_FAILED
> ^Cp2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> p2p-dev-wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> nl80211: deinit ifname=p2p-dev-wlan0 disabled_11b_rates=0
> p2p-dev-wlan0: CTRL-EVENT-TERMINATING
> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> wlan0: Removed BSSID d8:3a:dd:60:a3:0c from ignore list (clear)
> wlan0: CTRL-EVENT-DSCP-POLICY clear_all
> nl80211: deinit ifname=wlan0 disabled_11b_rates=0
> wlan0: CTRL-EVENT-TERMINATING
>
> I tried setting the 'sae_check_mfp' to both 1 and 0 and still cannot connect with this 'current' version of
> wpa_supplicant.
>
> Keith

Hi Keith,

maybe you are missing sae_pwe=2 in your wpa_supplicant.conf
At least in our setup it works.

Regards,
Sven
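
Added example (not part of the original thread and not wpa_supplicant code): a small Python checker that repeats the reasoning applied to the debug log quoted above, recomputing AP & profile for each "available" line and reporting when SAE was removed after the intersection. The function name analyze() is made up for this example; the only bit it decodes is WPA_KEY_MGMT_SAE = BIT(10), as quoted in the thread.

```python
import re

# Only value taken from the thread: #define WPA_KEY_MGMT_SAE BIT(10)
WPA_KEY_MGMT_SAE = 1 << 10

# Sample input: the three suite-selection lines copied from the quoted debug log.
SAMPLE_LOG = """\
1718907734.308740: wlan0: WPA: AP group 0x10 network profile group 0x18; available group 0x10
1718907734.308758: wlan0: WPA: AP pairwise 0x10 network profile pairwise 0x10; available pairwise 0x10
1718907734.308772: wlan0: WPA: AP key_mgmt 0x400 network profile key_mgmt 0x400; available key_mgmt 0x0
"""

LINE_RE = re.compile(
    r"WPA: AP (?P<kind>\w+) (?P<ap>0x[0-9a-fA-F]+) network profile (?P=kind) "
    r"(?P<profile>0x[0-9a-fA-F]+); available (?P=kind) (?P<avail>0x[0-9a-fA-F]+)"
)


def analyze(log_text):
    """Return one finding per suite-selection line found in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ap, profile, avail = (int(m[k], 16) for k in ("ap", "profile", "avail"))
        common = ap & profile        # mirrors: sel = ie.key_mgmt & ssid->key_mgmt
        stripped = common & ~avail   # bits cleared after the intersection
        if avail:
            verdict = "ok"
        elif not common:
            verdict = "no overlap between AP and network profile"
        elif m["kind"] == "key_mgmt" and stripped & WPA_KEY_MGMT_SAE:
            # The two conditions of the quoted CONFIG_SAE block
            verdict = ("SAE masked out: driver lacks SAE/SAE offload flags "
                       "or wpas_is_sae_avoided() returned true")
        else:
            verdict = "common bits masked out by a capability check"
        findings.append({"kind": m["kind"], "common": common,
                         "stripped": stripped, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['kind']:9} common=0x{f['common']:x} "
              f"stripped=0x{f['stripped']:x} -> {f['verdict']}")
```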