Fwd: Pixel6 was not able to connect due to phone indicates support for SAE H2E, but did not use it

Jouni Malinen j at w1.fi
Sun May 22 06:30:54 PDT 2022

On Thu, May 19, 2022 at 10:59:58AM -0700, Sean Li wrote:
> We have a tri-band 6G AP product running hostapd with sae_pwe as 2.
> We noticed Android Pixel6 failed to make a successful connection due
> to warning "SAE: 0c:c4:13:14:16:93 indicates support for SAE H2E, but
> did not use it."
> From sniffer capture, Pixel6 has status code 0 in AUTH COMMIT message,
> H2E bit set in (Re)Assoc Req and hostapd returned

Would you be able to share a sniffer capture showing this? Was there any
configuration option on the station device for enabling SAE H2E?

> Can we get more context on why hostapd instruments the check below?
> Is there any spec stating the requirement below?

> >     SAE: Verify that STA negotiated H2E if it claims to support it
> >
> >     If a STA indicates support for SAE H2E in RSNXE and H2E is enabled in
> >     the AP configuration, require H2E to be used.

This is mainly to prevent downgrade attacks should there be remaining
security issues in SAE hunting-and-pecking loop implementations (which
seems likely, in general, compared to H2E).

IEEE Std 802.11-2020 has a shall requirement on the STA using H2E if it
has determined that the peer supports H2E. In case of an infrastructure
BSS, i.e., whenever connecting to an AP, this would always be the case
if both devices advertise support for SAE H2E.

Jouni Malinen                                            PGP id EFC895FA
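
The check discussed in this thread, as an added example that is not part of the original message and is not hostapd's own code: a simplified Python model of an AP that accepts both SAE mechanisms (the sae_pwe=2 case reported above) and flags a station that advertises H2E in the RSNXE of its (Re)Association Request but sent its SAE Commit with status code 0. The function names and the sample frames are constructed for illustration; the constants are the IEEE 802.11 values for the RSNXE element ID, the SAE H2E capability bit and the SAE_HASH_TO_ELEMENT status code.

```python
EID_RSNX = 244                     # RSN Extension element (RSNXE) ID
RSNX_CAPAB_SAE_H2E = 5             # RSNXE capability bit: SAE hash-to-element
STATUS_SAE_HASH_TO_ELEMENT = 126   # SAE Commit status code when H2E is used
                                   # (status 0 means hunting-and-pecking)

def find_element(ies: bytes, eid: int):
    """Walk ID/length/value elements; return the first matching body or None."""
    pos = 0
    while pos + 2 <= len(ies):
        cur, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        if len(body) < length:     # truncated element: stop parsing
            return None
        if cur == eid:
            return body
        pos += 2 + length
    return None

def rsnxe_has_capab(rsnxe, bit: int) -> bool:
    """Low nibble of octet 0 is (field length - 1); capability bits follow."""
    if not rsnxe:
        return False
    flen = (rsnxe[0] & 0x0F) + 1
    if flen > len(rsnxe):          # declared length exceeds the element body
        return False
    capabs = int.from_bytes(rsnxe[:min(flen, 4)], "little")
    return bool(capabs & (1 << bit))

def h2e_downgrade_detected(commit_status: int, assoc_ies: bytes) -> bool:
    """Model of an AP accepting both mechanisms (sae_pwe=2, an assumption here):
    True when the STA claims H2E support but did not use H2E in SAE Commit."""
    claims_h2e = rsnxe_has_capab(find_element(assoc_ies, EID_RSNX),
                                 RSNX_CAPAB_SAE_H2E)
    used_h2e = commit_status == STATUS_SAE_HASH_TO_ELEMENT
    return claims_h2e and not used_h2e

# Constructed sample (Re)Association Request element lists, not from a capture.
SSID_IE = bytes([0, 4]) + b"test"
IES_WITH_H2E = SSID_IE + bytes([EID_RSNX, 1, 0x20])   # H2E bit set
IES_NO_RSNXE = SSID_IE

if __name__ == "__main__":
    for name, status, ies in [("status 0 + H2E bit", 0, IES_WITH_H2E),
                              ("status 126 + H2E bit", 126, IES_WITH_H2E),
                              ("status 0, no RSNXE", 0, IES_NO_RSNXE)]:
        verdict = "reject" if h2e_downgrade_detected(status, ies) else "accept"
        print(f"{name}: {verdict}")
```

The first sample case corresponds to the behaviour described in the report: status code 0 in the Commit together with the H2E bit in the association request.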
