Bug#1003907: fails to successfully associate

Masashi Honma masashi.honma at gmail.com
Sun Jan 30 16:07:01 PST 2022 

> Is it possible that wpasupplicant reports that the driver (iwlwifi)
> supports SAE but my hardware does not actually support SAE?

It looks like your device supports SAE.
Because SAE authentication is completed in your log.
----
Jan 18 11:36:02 pluto wpa_supplicant[86593]: SME: SAE completed -
setting PMK for 4-way handshake
----

By your log, wpa_supplicant already recognize that your device does
not support 802.11w (00-0f-ac:6 is missing).
Therefore if wpa_supplicant can recognize your AP requires 802.11w,
wpa_supplicant avoid to connect the AP.
----
Jan 18 11:35:58 pluto wpa_supplicant[86593]: Initializing interface
'wlp3s0' conf 'N/A' driver 'nl80211,wext' ctrl_interface
'/run/wpa_supplicant' bridge 'N/A'
Jan 18 11:35:58 pluto wpa_supplicant[86593]: nl80211: Supported cipher
00-0f-ac:1
Jan 18 11:35:58 pluto wpa_supplicant[86593]: nl80211: Supported cipher
00-0f-ac:5
Jan 18 11:35:58 pluto wpa_supplicant[86593]: nl80211: Supported cipher
00-0f-ac:2
Jan 18 11:35:58 pluto wpa_supplicant[86593]: nl80211: Supported cipher
00-0f-ac:4
Jan 18 11:35:58 pluto wpa_supplicant[86593]: nl80211: Supported cipher
00-0f-ac:10
Jan 18 11:35:58 pluto wpa_supplicant[86593]: nl80211: Supported cipher
00-0f-ac:8
Jan 18 11:35:58 pluto wpa_supplicant[86593]: nl80211: Supported cipher
00-0f-ac:9
Jan 18 11:35:58 pluto wpa_supplicant[86593]: nl80211: Using
driver-based off-channel TX
----

But your AP indicates that the AP is not capable and not required 802.11w.

30 18
01 00
00 0f ac 04
01 00
00 0f ac 04
02 00
00 0f ac 02
00 0f ac 08
80 00 <----- here

----
Jan 18 11:36:01 pluto wpa_supplicant[86593]: 38:10:d5:8f:38:e2
freq=5620 qual=0 noise=-92~ level=-61 snr=31* flags=0xb age=1048
est=135000
Jan 18 11:36:01 pluto wpa_supplicant[86593]: IEs - hexdump(len=439):
00 08 77 67 72 6f 75 74 65 72 01 08 8c 12 98 24 b0 48 60 6c 03 01 7c
07 3c 44 45 20 24 01 17 28 01 17 2c 01 17 30 01 17 34 01 17 38 01 17
3c 01 17 40 01 17 64 01 1e 68 01 1e 6c 01 1e 70 01 1e 74 01 1e 78 01
1e 7c 01 1e 80 01 1e 84 01 1e 88 01 1e 8c 01 1e 20 01 03 0b 05 02 00
01 00 00 46 05 73 d0 00 00 0c 2d 1a ef 09 1b ff ff ff 00 00 00 00 00
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 3d 16 7c 05 04 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4a 0e 14 00 0a 00 2c
01 c8 00 14 00 05 00 19 00 7f 08 05 00 0f 00 00 00 00 40 bf 0c b2 01
80 33 ea ff 00 00 ea ff 00 00 c0 05 01 7a 00 fc ff c1 06 00 00 00 64
00 00 c3 04 02 3c 3c 3c dd 18 00 50 f2 02 01 01 00 00 03 a4 00 00 27
a4 00 00 42 43 5e 00 62 32 2f 00 dd 09 00 03 7f 01 01 00 00 ff 7f dd
0c 00 04 0e 01 01 02 01 00 00 00 00 00 dd 16 8c fd f0 04 00 00 49 4c
51 03 02 09 72 01 8c 16 00 00 3c 00 00 00 dd 6f 00 50 f2 04 10 4a 00
01 10 10 44 00 01 02 10 3b 00 01 03 10 47 00 10 c9 59 b5 c3 8d d0 39
ac a9 80 38 10 d5 65 71 88 10 21 00 03 41 56 4d 10 23 00 04 46 42 6f
78 10 24 00 04 30 30 30 30 10 42 00 04 30 30 30 30 10 54 00 08 00 06
00 50 f2 04 00 01 10 11 00 04 46 42 6f 78 10 08 00 02 02 80 10 3c 00
01 03 10 49 00 06 00 37 2a 00 01 20 30 18 01 00 00 0f ac 04 01 00 00
0f ac 04 02 00 00 0f ac 02 00 0f ac 08 80 00 dd 08 8c fd f0 01 01 02
01 00
Jan 18 11:36:01 pluto wpa_supplicant[86593]: Beacon IEs -
hexdump(len=363): 00 08 77 67 72 6f 75 74 65 72 01 08 8c 12 98 24 b0
48 60 6c 03 01 7c 05 04 00 01 00 00 07 3c 44 45 20 24 01 17 28 01 17
2c 01 17 30 01 17 34 01 17 38 01 17 3c 01 17 40 01 17 64 01 1e 68 01
1e 6c 01 1e 70 01 1e 74 01 1e 78 01 1e 7c 01 1e 80 01 1e 84 01 1e 88
01 1e 8c 01 1e 20 01 03 0b 05 02 00 01 00 00 46 05 73 d0 00 00 0c 2d
1a ef 09 1b ff ff ff 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00
00 00 00 00 3d 16 7c 05 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 4a 0e 14 00 0a 00 2c 01 c8 00 14 00 05 00 19 00 7f 08
05 00 0f 00 00 00 00 40 bf 0c b2 01 80 33 ea ff 00 00 ea ff 00 00 c0
05 01 7a 00 fc ff c1 06 00 00 00 64 00 00 c3 04 02 3c 3c 3c dd 18 00
50 f2 02 01 01 00 00 03 a4 00 00 27 a4 00 00 42 43 5e 00 62 32 2f 00
dd 09 00 03 7f 01 01 00 00 ff 7f dd 08 8c fd f0 01 01 02 01 00 dd 16
8c fd f0 04 00 00 49 4c 51 03 02 09 72 01 8c 16 00 00 3c 00 00 00 dd
0c 00 04 0e 01 01 02 01 00 00 00 00 00 dd 1d 00 50 f2 04 10 4a 00 01
10 10 44 00 01 02 10 3c 00 01 03 10 49 00 06 00 37 2a 00 01 20 30 18
01 00 00 0f ac 04 01 00 00 0f ac 04 02 00 00 0f ac 02 00 0f ac 08 80
00
----

So wpa_supplicant try to connect the AP and send association request.
Of course the association request does not include group management
cipher suite for 802.11w.

30 14
01 00
00 0f ac 04
01 00
00 0f ac 04
01 00
00 0f ac 08
00 00
----
Jan 18 11:36:02 pluto wpa_supplicant[86593]: nl80211: Associate (ifindex=9)
Jan 18 11:36:02 pluto wpa_supplicant[86593]:   * bssid=38:10:d5:8f:38:e2
Jan 18 11:36:02 pluto wpa_supplicant[86593]:   * freq=5620
Jan 18 11:36:02 pluto wpa_supplicant[86593]:   * SSID=wgrouter
Jan 18 11:36:02 pluto wpa_supplicant[86593]:   * IEs -
hexdump(len=61): 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f
ac 08 00 00 7f 0b 00 00 0a 02 01 40 40 40 00 01 20 46 05 70 00 00 00
00 3b 11 80 51 53 54 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f
Jan 18 11:36:02 pluto wpa_supplicant[86593]:   * WPA Versions 0x2
Jan 18 11:36:02 pluto wpa_supplicant[86593]:   * pairwise=0xfac04
Jan 18 11:36:02 pluto wpa_supplicant[86593]:   * group=0xfac04
Jan 18 11:36:02 pluto wpa_supplicant[86593]:   * akm=0xfac08
Jan 18 11:36:02 pluto wpa_supplicant[86593]:   * htcaps -
hexdump(len=26): 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
Jan 18 11:36:02 pluto wpa_supplicant[86593]:   * htcaps_mask -
hexdump(len=26): 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
Jan 18 11:36:02 pluto wpa_supplicant[86593]:   * vhtcaps -
hexdump(len=12): 00 00 00 00 00 00 00 00 00 00 00 00
Jan 18 11:36:02 pluto wpa_supplicant[86593]:   * vhtcaps_mask -
hexdump(len=12): 00 00 00 00 00 00 00 00 00 00 00 00
----

The AP reject with WLAN_STATUS_INVALID_IE.
I guess this is because lack of group management cipher suite for 802.11w.

----
Jan 18 11:36:02 pluto wpa_supplicant[86593]: wlp3s0:
CTRL-EVENT-ASSOC-REJECT bssid=38:10:d5:8f:38:e2 status_code=40
----

I'm still having problems buying that access point from Japan.
But this comment would be helpful.

> To connect the wireless device anyway, you must adjust the security settings in the FRITZ!Box:
> Disabling WPA3 transition mode (WPA2 + WPA3)

Almost APs allows no 802.11w STAs when "WPA3 transition mode (WPA2 +
WPA3)" is enabled.
But unfortunately the AP does not allow it.


> Still curious, why this worked flawlessly with this device with 2.9.0-23

Before the commit 7a9c36722511ce4df88b76cceceb241d6c6a151e "DBus: Add "sae" to
interface key_mgmt capabilities", there is no way to enable WPA3 via DBus.
So your station just using WPA2. Your access point does not appear to require
802.11w for WPA2.


To summarize, the AP indicates that it does not require 802.11w for WPA3,
when in fact it does. So it could not be solved by wpa_supplicant.

Regards,
Masashi Honma.

2022年1月31日(月) 1:01 Michael Biebl <biebl at debian.org>:
>
>
> Since I could easily reproduce it, I ran git bisect.
>
> 7a9c36722511ce4df88b76cceceb241d6c6a151e is the first bad commit
> commit 7a9c36722511ce4df88b76cceceb241d6c6a151e
> Author: Brian Norris <briannorris at chromium.org>
> Date:   Fri Feb 28 15:50:47 2020 -0800
>
>      DBus: Add "sae" to interface key_mgmt capabilities
>
>      This will be present when the driver supports SAE and it's included in
>      the wpa_supplicant build.
>
>      Signed-off-by: Brian Norris <briannorris at chromium.org>
>
>
> Reverting that commit on top of 2.10 I was again able to successfully
> establish a connection.
>
> The debian build uses CONFIG_SAE=y.
> Is it possible that wpasupplicant reports that the driver (iwlwifi)
> supports SAE but my hardware does not actually support SAE?
>
> https://www.intel.com/content/www/us/en/support/articles/000054783/wireless.html
>
> My network controller is an "Intel Corporation Centrino Advanced-N 6205"

More information about the Hostap mailing list