WPA3-Personal: wpa_supplicant in AP mode issue

Yegor Yefremov yegorslists at googlemail.com
Wed Apr 6 04:23:26 PDT 2022


Hi Masashi,

On Fri, Apr 1, 2022 at 1:47 AM Masashi Honma <masashi.honma at gmail.com> wrote:
>
> The configuration requires IEEE 802.11w.
>
> network={
>     mode=2
>     ssid="WPA3_AP"
>     proto=RSN
>     key_mgmt=SAE
>     pairwise=CCMP
>     group=CCMP
>     ieee80211w=2 <--- here
>     psk="xxxxxx"
> }
>
> But the Wi-Fi NIC does not support IEEE 802.11w.
>
> Wiphy phy0
>         ...
>         Supported Ciphers:
>                 * WEP40 (00-0f-ac:1)
>                 * WEP104 (00-0f-ac:5)
>                 * TKIP (00-0f-ac:2)
>                 * CCMP-128 (00-0f-ac:4)
>                 * CCMP-256 (00-0f-ac:10)
>                 * GCMP-128 (00-0f-ac:8)
>                 * GCMP-256 (00-0f-ac:9)
>         ...
>
> Missing "CMAC (00-0f-ac:6)".
>
> By spec, WPA3 only AP requires IEEE 802.11w.
> So if you want to publish the AP to official place, you need to
> replace Wi-Fi NIC to IEEE 802.11w supporting one.
> Or, you only just for testing, "ieee80211w=0" will boot the AP.

Thanks for clarification. I could start AP with a Realtek chipset and
after updating the kernel to 5.17, I could even start a RaLink rt2800
dongle with CMAC cipher.

The only problem so far is the TI wl18xx chipset. The fw is already
CMAC capable but the driver not and it is orphaned :-(

Regards,
Yegor

> Regards,
> Masashi Honma.
>
> 2022年3月30日(水) 17:52 Yegor Yefremov <yegorslists at googlemail.com>:
> >
> > Hi,
> >
> > On Tue, Mar 29, 2022 at 11:46 AM Yegor Yefremov
> > <yegorslists at googlemail.com> wrote:
> > >
> > > I am trying to set up an AP using wpa_supplicant only. So far, I could
> > > find only configuration examples for hostapd as WPA3 AP. Is it
> > > possible to achieve this with wpa_supplicant?
> > >
> > > My system: Ubuntu 18.04.3
> > > Kernel: 4.15.0-91-generic
> > > wpa_supplicant (built from git): wpa_supplicant
> > > v2.11-devel-hostap_2_10-165-g1fb907a68
> > >
> > > My wpa_supplicant .config:
> > >
> > > CONFIG_DRIVER_NL80211=y
> > > CONFIG_LIBNL32=y
> > > CONFIG_DRIVER_WIRED=y
> > > CONFIG_DRIVER_MACSEC_LINUX=y
> > > CONFIG_IEEE8021X_EAPOL=y
> > > CONFIG_EAP_MD5=y
> > > CONFIG_EAP_MSCHAPV2=y
> > > CONFIG_EAP_TLS=y
> > > CONFIG_EAP_PEAP=y
> > > CONFIG_EAP_TTLS=y
> > > CONFIG_EAP_FAST=y
> > > CONFIG_EAP_GTC=y
> > > CONFIG_EAP_OTP=y
> > > CONFIG_EAP_PWD=y
> > > CONFIG_EAP_PAX=y
> > > CONFIG_EAP_LEAP=y
> > > CONFIG_EAP_SAKE=y
> > > CONFIG_EAP_GPSK=y
> > > CONFIG_EAP_GPSK_SHA256=y
> > > CONFIG_EAP_TNC=y
> > > CONFIG_WPS=y
> > > CONFIG_EAP_IKEV2=y
> > > CONFIG_MACSEC=y
> > > CONFIG_PKCS12=y
> > > CONFIG_SMARTCARD=y
> > > CONFIG_CTRL_IFACE=y
> > > CONFIG_SAE=y
> > > CONFIG_BACKEND=file
> > > CONFIG_CTRL_IFACE_DBUS_NEW=y
> > > CONFIG_CTRL_IFACE_DBUS_INTRO=y
> > > CONFIG_IEEE80211R=y
> > > CONFIG_DEBUG_FILE=y
> > > CONFIG_DEBUG_SYSLOG=y
> > > CONFIG_IEEE80211AC=y
> > > CONFIG_INTERWORKING=y
> > > CONFIG_HS20=y
> > > CONFIG_AP=y
> > > CONFIG_P2P=y
> > > CONFIG_TDLS=y
> > > CONFIG_WIFI_DISPLAY=y
> > > CONFIG_IBSS_RSN=y
> > > CONFIG_BGSCAN_SIMPLE=y
> > > CONFIG_OWE=y
> > > CONFIG_DPP=y
> > >
> > > wpa_supplicant.conf:
> > >
> > > ctrl_interface=/run/wpa_supplicant
> > > network={
> > >     mode=2
> > >     ssid="WPA3_AP"
> > >     proto=RSN
> > >     key_mgmt=SAE
> > >     pairwise=CCMP
> > >     group=CCMP
> > >     ieee80211w=2
> > >     psk="xxxxxx"
> > > }
> > >
> > > wpa_suplicant output with the error:
> > >
> > > WPA: group state machine entering state SETKEYSDONE (VLAN-ID 0)
> > > wpa_driver_nl80211_set_key: ifindex=6 (wlx7cdd9044a583) alg=3
> > > addr=0x55ca32fe92e0 key_idx=1 set_tx=1 seq_len=0 key_len=16
> > > key_flag=0x1a
> > > nl80211: NEW_KEY
> > > nl80211: KEY_DATA - hexdump(len=16): [REMOVED]
> > >    broadcast key
> > > nl80211: NL80211_CMD_SET_KEY - default key
> > > wpa_driver_nl80211_set_key: ifindex=6 (wlx7cdd9044a583) alg=4
> > > addr=0x55ca32fe92e0 key_idx=4 set_tx=1 seq_len=0 key_len=16
> > > key_flag=0x1a
> > > nl80211: NEW_KEY
> > > nl80211: KEY_DATA - hexdump(len=16): [REMOVED]
> > >    broadcast key
> > > nl80211: set_key failed; err=-22 Invalid argument
> > > WPA: group state machine entering state FATAL_FAILURE
> > > wlx7cdd9044a583: Flushing old station entries
> > > nl80211: flush -> DEL_STATION wlx7cdd9044a583 (all)
> > > wlx7cdd9044a583: Deauthenticate all stations
> > > nl80211: send_mlme - da=ff:ff:ff:ff:ff:ff noack=0 freq=0 no_cck=0
> > > offchanok=0 wait_time=0 no_encrypt=0 fc=0xc0 (WLAN_FC_STYPE_DEAUTH)
> > > nlmode=3
> > > nl80211: send_mlme - Use bss->freq=2462
> > > nl80211: send_mlme -> send_frame_cmd
> > > nl80211: CMD_FRAME freq=2462 wait=0 no_cck=0 no_ack=0 offchanok=0
> > > CMD_FRAME - hexdump(len=26): c0 00 00 00 ff ff ff ff ff ff 7c dd 90 44
> > > a5 83 7c dd 90 44 a5 83 00 00 03 00
> > > nl80211: Frame TX command accepted; cookie 0x104
> > > hostapd_free_hapd_data(wlx7cdd9044a583)
> > > Interface initialization failed
> > > wlx7cdd9044a583: interface state UNINITIALIZED->DISABLED
> > > wlx7cdd9044a583: AP-DISABLED
> > > wlx7cdd9044a583: Unable to setup interface.
> > > Failed to initialize AP interface
> > >
> > > WLAN capabilities:
> > >
> > > Wiphy phy0
> > >         max # scan SSIDs: 4
> > >         max scan IEs length: 2257 bytes
> > >         max # sched scan SSIDs: 0
> > >         max # match sets: 0
> > >         max # scan plans: 1
> > >         max scan plan interval: -1
> > >         max scan plan iterations: 0
> > >         Retry short long limit: 2
> > >         Coverage class: 0 (up to 0m)
> > >         Device supports RSN-IBSS.
> > >         Supported Ciphers:
> > >                 * WEP40 (00-0f-ac:1)
> > >                 * WEP104 (00-0f-ac:5)
> > >                 * TKIP (00-0f-ac:2)
> > >                 * CCMP-128 (00-0f-ac:4)
> > >                 * CCMP-256 (00-0f-ac:10)
> > >                 * GCMP-128 (00-0f-ac:8)
> > >                 * GCMP-256 (00-0f-ac:9)
> > >         Available Antennas: TX 0 RX 0
> > >         Supported interface modes:
> > >                  * IBSS
> > >                  * managed
> > >                  * AP
> > >                  * AP/VLAN
> > >                  * monitor
> > >                  * mesh point
> > >         Band 1:
> > >                 Capabilities: 0x17e
> > >                         HT20/HT40
> > >                         SM Power Save disabled
> > >                         RX Greenfield
> > >                         RX HT20 SGI
> > >                         RX HT40 SGI
> > >                         RX STBC 1-stream
> > >                         Max AMSDU length: 3839 bytes
> > >                         No DSSS/CCK HT40
> > >                 Maximum RX AMPDU length 32767 bytes (exponent: 0x002)
> > >                 Minimum RX AMPDU time spacing: 2 usec (0x04)
> > >                 HT TX/RX MCS rate indexes supported: 0-7, 32
> > >                 Bitrates (non-HT):
> > >                         * 1.0 Mbps
> > >                         * 2.0 Mbps (short preamble supported)
> > >                         * 5.5 Mbps (short preamble supported)
> > >                         * 11.0 Mbps (short preamble supported)
> > >                         * 6.0 Mbps
> > >                         * 9.0 Mbps
> > >                         * 12.0 Mbps
> > >                         * 18.0 Mbps
> > >                         * 24.0 Mbps
> > >                         * 36.0 Mbps
> > >                         * 48.0 Mbps
> > >                         * 54.0 Mbps
> > >                 Frequencies:
> > >                         * 2412 MHz [1] (20.0 dBm)
> > >                         * 2417 MHz [2] (20.0 dBm)
> > >                         * 2422 MHz [3] (20.0 dBm)
> > >                         * 2427 MHz [4] (20.0 dBm)
> > >                         * 2432 MHz [5] (20.0 dBm)
> > >                         * 2437 MHz [6] (20.0 dBm)
> > >                         * 2442 MHz [7] (20.0 dBm)
> > >                         * 2447 MHz [8] (20.0 dBm)
> > >                         * 2452 MHz [9] (20.0 dBm)
> > >                         * 2457 MHz [10] (20.0 dBm)
> > >                         * 2462 MHz [11] (20.0 dBm)
> > >                         * 2467 MHz [12] (20.0 dBm) (no IR)
> > >                         * 2472 MHz [13] (20.0 dBm) (no IR)
> > >                         * 2484 MHz [14] (20.0 dBm) (no IR)
> > >         Supported commands:
> > >                  * new_interface
> > >                  * set_interface
> > >                  * new_key
> > >                  * start_ap
> > >                  * new_station
> > >                  * new_mpath
> > >                  * set_mesh_config
> > >                  * set_bss
> > >                  * authenticate
> > >                  * associate
> > >                  * deauthenticate
> > >                  * disassociate
> > >                  * join_ibss
> > >                  * join_mesh
> > >                  * set_tx_bitrate_mask
> > >                  * frame
> > >                  * frame_wait_cancel
> > >                  * set_wiphy_netns
> > >                  * set_channel
> > >                  * set_wds_peer
> > >                  * probe_client
> > >                  * set_noack_map
> > >                  * register_beacons
> > >                  * start_p2p_device
> > >                  * set_mcast_rate
> > >                  * connect
> > >                  * disconnect
> > >                  * set_qos_map
> > >                  * set_multicast_to_unicast
> > >         Supported TX frame types:
> > >                  * IBSS: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80
> > > 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
> > >                  * managed: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70
> > > 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
> > >                  * AP: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80
> > > 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
> > >                  * AP/VLAN: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70
> > > 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
> > >                  * mesh point: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70
> > > 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
> > >                  * P2P-client: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70
> > > 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
> > >                  * P2P-GO: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70
> > > 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
> > >                  * P2P-device: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70
> > > 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
> > >         Supported RX frame types:
> > >                  * IBSS: 0x40 0xb0 0xc0 0xd0
> > >                  * managed: 0x40 0xd0
> > >                  * AP: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
> > >                  * AP/VLAN: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
> > >                  * mesh point: 0xb0 0xc0 0xd0
> > >                  * P2P-client: 0x40 0xd0
> > >                  * P2P-GO: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
> > >                  * P2P-device: 0x40 0xd0
> > >         software interface modes (can always be added):
> > >                  * AP/VLAN
> > >                  * monitor
> > >         valid interface combinations:
> > >                  * #{ AP, mesh point } <= 8,
> > >                    total <= 8, #channels <= 1
> > >         HT Capability overrides:
> > >                  * MCS: ff ff ff ff ff ff ff ff ff ff
> > >                  * maximum A-MSDU length
> > >                  * supported channel width
> > >                  * short GI for 40 MHz
> > >                  * max A-MPDU length exponent
> > >                  * min MPDU start spacing
> > >         Device supports TX status socket option.
> > >         Device supports HT-IBSS.
> > >         Device supports SAE with AUTHENTICATE command
> > >         Device supports low priority scan.
> > >         Device supports scan flush.
> > >         Device supports AP scan.
> > >         Device supports per-vif TX power setting
> > >         Driver supports full state transitions for AP/GO clients
> > >         Driver supports a userspace MPM
> > >         Device supports configuring vdev MAC-addr on create.
> >
> > I have the same issue with hostapd:
> >
> > nl80211: Frame TX command accepted; cookie 0x10c
> > WPA: Start group state machine to set initial keys
> > WPA: group state machine entering state GTK_INIT (VLAN-ID 0)
> > Get randomness: len=16 entropy=0
> > GTK - hexdump(len=16): [REMOVED]
> > Get randomness: len=16 entropy=0
> > IGTK - hexdump(len=16): [REMOVED]
> > WPA: group state machine entering state SETKEYSDONE (VLAN-ID 0)
> > wpa_driver_nl80211_set_key: ifindex=6 (wlx7cdd9044a583) alg=3
> > addr=0x5582c5bc5b62 key_idx=1 set_tx=1 seq_len=0 key_len=16
> > key_flag=0x1a
> > nl80211: NEW_KEY
> > nl80211: KEY_DATA - hexdump(len=16): [REMOVED]
> >    broadcast key
> > nl80211: NL80211_CMD_SET_KEY - default key
> > wpa_driver_nl80211_set_key: ifindex=6 (wlx7cdd9044a583) alg=4
> > addr=0x5582c5bc5b62 key_idx=4 set_tx=1 seq_len=0 key_len=16
> > key_flag=0x1a
> > nl80211: NEW_KEY
> > nl80211: KEY_DATA - hexdump(len=16): [REMOVED]
> >    broadcast key
> > nl80211: set_key failed; err=-22 Invalid argument
> > WPA: group state machine entering state FATAL_FAILURE
> >
> > I'm using configuration from this article [1]. What am I missing?
> >
> > [1] https://community.silabs.com/s/article/wf-m-200-linux-wpa3-configuration?language=en_US
> >
> > Best regards,
> > Yegor
> >
> > _______________________________________________
> > Hostap mailing list
> > Hostap at lists.infradead.org
> > http://lists.infradead.org/mailman/listinfo/hostap



More information about the Hostap mailing list