Can't get WPA3 to work...

rany rany2 at riseup.net
Thu May 18 13:28:20 PDT 2023


I believe this is expected, WPA3 requires that you have 80211w set to
required, though setting 80211w to optional would be accepted
as well ONLY if you have WPA2-CCMP enabled alongside WPA3.

At any rate, the WPA3 connection itself must use PMF AFAIK and
that's something some drivers seem to still have instability issues
with. Though I know that ath9k+ and iwlmvm work fine, haven't
had any luck with MediaTek and Broadcom drivers; but those
generally have issues more glaring than 80211w not working :)

On 5/18/23 23:23, Robert Senger wrote:
> Thanks. No, I was not aware that WPA3-EAP only supports certificate
> based authentication. So I keep this for later and concentrate on
> WPA3-PSK for now.
>
> Well, even WPA3-PSK does not work, at least not as intended.
>
> I managed to set up a working WPA3-PSK connection by running
> wpa_supplicant and dhclient in a terminal on the client machine, and by
> setting wpa_passphrase=<secretpassword> in hostapd.conf on the AP.
>
> But NetworkManager failed locally on the client when trying to connect.
> It turned out that this was caused by the Intel wifi driver, which does
> not support PMF. But NetworkManager insists on ieee80211w=2 (required).
> So I patched NetworkManager to set ieee80211w=1 (optional) in
> wpa_supplicant configuration, now NetworkManager can connect to the
> WPA3-PSK AP. This is not the best solution, of course...
>
> The other problem is on the AP side. Only setting a single
> wpa_passphrase=<somepassword> in hostapd.conf works. Connection fails
> with "authentication denied" message on the client side when I try to
> use a file, e.g. wpa_psk_file=/etc/hostapd/hostapd.psk, or when I try
> to use the freeradius server for authentication. Both, file and radius,
> work fine with WPA2-PSK.
>
> So, WPA3-PSK works basically. I will start a new thread about the
> question why hostapd fails to obtain passwords from a file or from the
> radius server for WPA3-PSK, while it succeeds for WPA2-PSK.
>
> Thanks for now!
>
> Robert
>
>
> On Wednesday, 17.05.2023 at 20:36 +0300, rany wrote:
>> You have to keep in mind that WPA3-EAP only supports certificate
>> based authentication.
>>
>> If your RADIUS setup uses username/password it will not work in
>> WPA3-EAP only mode, you need to keep WPA2-EAP support.
>>
>> At any rate I don't think WPA2-EAP is insecure, I think it is still
>> fine for the most part with no real security vulnerabilities; unlike
>> WPA2-PSK.
>>
>> You just need to enable KRACK and KRACK-like mitigations on the AP
>> end if you aren't sure if the clients are updated.
>>
>> On 5/17/23 19:55, Robert Senger wrote:
>>> Hi all,
>>>
>>> I am trying to set up APs with WPA3, but can't get it to work. WPA2
>>> has worked fine on the same hardware and software for more than 10
>>> years. This is my third try with WPA3 in the past 3 years...
>>>
>>> This is my setup:
>>>
>>> __access_points__
>>>
>>> Debian 11 Bullseye
>>> hostapd 2.9.0 (or 2.10 from backports)
>>> Qualcomm Atheros AR922X Wireless Network Adapter
>>>
>>> __client_machines__
>>>
>>> Debian 11 Bullseye
>>> wpasupplicant 2.9.0 (or 2.10 from backports)
>>> NetworkManager 1.30.6 (or 1.42.4 from backports)
>>> Intel Centrino Advanced-N 6205 Wireless Network Adapter
>>>
>>> Neither SAE nor WPA-EAP-SUITE-B-192 work, that means, either
>>> connection attempts fail (without useful logs), or the SSID is
>>> greyed out on the client machine. I will post configuration and
>>> logs, but first of all, if you take a look at the software versions
>>> and the hardware above, is there a "no-go" somewhere?
>>>
>>> Thanks,
>>>
>>> Robert
>>>
>> _______________________________________________
>> Hostap mailing list
>> Hostap at lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/hostap
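
The 80211w rule from the reply at the top of this message, written as a check over hostapd.conf text. This is an added example, not part of the original thread or of hostapd: the function names and the sample configurations are constructed, it assumes a single-BSS file, and the `sae_require_mfp` warning goes one step beyond what the thread states.

```python
# Added example: lint hostapd.conf text for the PMF (ieee80211w) rule.
# Assumption: one BSS per file; key names are hostapd.conf option names.
WPA3_AKMS = {"SAE", "FT-SAE", "WPA-EAP-SUITE-B-192"}
WPA2_AKMS = {"WPA-PSK", "WPA-PSK-SHA256", "FT-PSK",
             "WPA-EAP", "WPA-EAP-SHA256", "FT-EAP"}

def parse_conf(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def check_pmf(text):
    """Return a list of (severity, message) findings."""
    conf = parse_conf(text)
    akms = set(conf.get("wpa_key_mgmt", "").split())
    pmf = conf.get("ieee80211w", "0")  # hostapd default: PMF disabled
    wpa3, wpa2 = akms & WPA3_AKMS, akms & WPA2_AKMS
    findings = []
    if not wpa3:
        return findings  # WPA2-only: the rule does not apply
    if not wpa2 and pmf != "2":
        findings.append(("error", "WPA3-only BSS needs ieee80211w=2 (required)"))
    elif wpa2 and pmf == "0":
        findings.append(("error", "WPA2+WPA3 BSS needs ieee80211w=1 or 2"))
    elif (wpa2 and pmf == "1" and akms & {"SAE", "FT-SAE"}
          and conf.get("sae_require_mfp", "0") != "1"):
        findings.append(("warn", "ieee80211w=1 with SAE: set sae_require_mfp=1 "
                                 "so SAE stations must negotiate PMF"))
    return findings

# Constructed sample configurations (not taken from the thread).
WPA3_ONLY_OPTIONAL = "ssid=lab\nwpa=2\nwpa_key_mgmt=SAE\nrsn_pairwise=CCMP\nieee80211w=1\n"
WPA3_ONLY_REQUIRED = "ssid=lab\nwpa=2\nwpa_key_mgmt=SAE\nrsn_pairwise=CCMP\nieee80211w=2\n"
MIXED_NO_PMF = "ssid=lab\nwpa=2\nwpa_key_mgmt=WPA-PSK SAE\nrsn_pairwise=CCMP\n"
MIXED_OPTIONAL = MIXED_NO_PMF + "ieee80211w=1\n"
MIXED_OPTIONAL_SAE_MFP = MIXED_OPTIONAL + "# enforce PMF for SAE\nsae_require_mfp=1\n"

if __name__ == "__main__":
    for name in ("WPA3_ONLY_OPTIONAL", "WPA3_ONLY_REQUIRED", "MIXED_NO_PMF",
                 "MIXED_OPTIONAL", "MIXED_OPTIONAL_SAE_MFP"):
        print(name, check_pmf(globals()[name]))
```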


