Can't get WPA3 to work...

Robert Senger robert.senger at lists.microscopium.de
Fri May 19 08:29:38 PDT 2023


Now I managed to get SAE and WPA-EAP-SUITE-B-192 connections to work
(with some workarounds and patching on the client side due to hardware
and software limitations, and off specification settings on the AP
side, but this is a testing environment).

I just wonder why you say that WPA3-EAP only supports certificate based
authentication, which means eap=tls in my understanding. I found that
WPA3-EAP works well with username/password based authentication, e.g.
eap=ttls, the same way as WPA2-EAP does. 

Now the only question still open is why SAE authentication does not
work with passwords provided in a file or from radius. But this is a
new topic.

Thanks again!

Robert

On Thursday, 18.05.2023 at 23:28 +0300, rany wrote:
> I believe this is expected, WPA3 requires that you have 80211w set to
> required, though that setting 80211w to optional would be accepted
> as well ONLY if you have WPA2-CCMP enabled alongside WPA3.
> 
> At any rate, the WPA3 connection itself must use PMF AFAIK and
> that's something some drivers seem to still have instability issues
> with. Though I know that ath9k+ and iwlmvm work fine, haven't
> had any luck with MediaTek and Broadcom drivers; but those
> generally have issues more glaring than 80211w not working :)
> 
> On 5/18/23 23:23, Robert Senger wrote:
> > Thanks. No, I was not aware that WPA3-EAP only supports certificate
> > based authentication. So I keep this for later and concentrate on
> > WPA3-PSK for now.
> > 
> > Well, even WPA3-PSK does not work, at least not as intended.
> > 
> > I managed to set up a working WPA3-PSK connection by running
> > wpa_supplicant and dhclient in a terminal on the client machine, and
> > by setting wpa_passphrase=<secretpassword> in hostapd.conf on the AP.
> > 
> > But NetworkManager failed locally on the client when trying to
> > connect. It turned out that this was caused by the Intel wifi driver,
> > which does not support PMF. But NetworkManager insists on
> > ieee80211w=2 (required). So I patched NetworkManager to set
> > ieee80211w=1 (optional) in wpa_supplicant configuration, now
> > NetworkManager can connect to the WPA3-PSK AP. This is not the best
> > solution, of course...
> > 
> > The other problem is on the AP side. Only setting a single
> > wpa_passphrase=<somepassword> in hostapd.conf works. Connection fails
> > with "authentication denied" message on the client side when I try to
> > use a file, e.g. wpa_psk_file=/etc/hostapd/hostapd.psk, or when I try
> > to use the freeradius server for authentication. Both, file and
> > radius, work fine with WPA2-PSK.
> > 
> > So, WPA3-PSK works basically. I will start a new thread about the
> > question why hostapd fails to obtain passwords from a file or from
> > the radius server for WPA3-PSK, while it succeeds for WPA2-PSK.
> > 
> > Thanks for now!
> > 
> > Robert
> > 
> > 
> > On Wednesday, 17.05.2023 at 20:36 +0300, rany wrote:
> > > You have to keep in mind that WPA3-EAP only supports certificate
> > > based authentication.
> > > 
> > > If your RADIUS setup uses username/password it will not work in
> > > WPA3-EAP only mode, you need to keep WPA2-EAP support.
> > > 
> > > At any rate I don't think WPA2-EAP is insecure, I think it is still
> > > fine for the most part with no real security vulnerabilities;
> > > unlike WPA2-PSK.
> > > 
> > > You just need to enable KRACK and KRACK-like mitigations on the AP
> > > end if you aren't sure if the clients are updated.
> > > 
> > > On 5/17/23 19:55, Robert Senger wrote:
> > > > Hi all,
> > > > 
> > > > I am trying to set up APs with WPA3, but can't get it to work.
> > > > WPA2 works fine on the same hardware and software since more than
> > > > 10 years. This is my third try with WPA3 in the past 3 years...
> > > > 
> > > > This is my setup:
> > > > 
> > > > __access_points__
> > > > 
> > > > Debian 11 Bullseye
> > > > hostapd 2.9.0 (or 2.10 from backports)
> > > > Qualcomm Atheros AR922X Wireless Network Adapter
> > > > 
> > > > __client_machines__
> > > > 
> > > > Debian 11 Bullseye
> > > > wpasupplicant 2.9.0 (or 2.10 from backports)
> > > > NetworkManager 1.30.6 (or 1.42.4 from backports)
> > > > Intel Centrino Advanced-N 6205 Wireless Network Adapter
> > > > 
> > > > Neither SAE nor WPA-EAP-SUITE-B-192 work, that means, either
> > > > connection attempts fail (without useful logs), or the SSID is
> > > > greyed out on the client machine. I will post configuration and
> > > > logs, but first of all, if you take a look at the software
> > > > versions and the hardware above, is there a "no-go" somewhere?
> > > > 
> > > > Thanks,
> > > > 
> > > > Robert
> > > > 
> > > _______________________________________________
> > > Hostap mailing list
> > > Hostap at lists.infradead.org
> > > http://lists.infradead.org/mailman/listinfo/hostap
> 

-- 
Robert Senger
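
Added example, not part of the original thread or of hostapd: a small linter that checks a hostapd.conf against the PMF rule rany states above (WPA3 needs ieee80211w=2, or 1 only when a WPA2 key management is enabled alongside) and flags the SAE plus wpa_psk_file combination Robert reports as failing. The finding codes, the WPA2 counterpart list and the sample configs are assumptions made for illustration.

```python
# Added example: lint hostapd.conf text against the PMF rule quoted in this thread.
WPA3_AKMS = {"SAE", "WPA-EAP-SUITE-B-192"}  # key managements named in the thread
WPA2_AKMS = {"WPA-PSK", "WPA-EAP"}          # assumed WPA2 counterparts

def parse_conf(text):
    """Parse hostapd-style key=value lines; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def lint(text):
    """Return a list of finding codes (hypothetical names) for one config."""
    conf = parse_conf(text)
    akms = set(conf.get("wpa_key_mgmt", "").split())
    pmf = int(conf.get("ieee80211w", "0"))  # 0 = off, 1 = optional, 2 = required
    findings = []
    if not akms & WPA3_AKMS:
        return findings                     # no WPA3 key management: rule not applicable
    mixed = bool(akms & WPA2_AKMS)          # WPA2 enabled alongside WPA3
    if pmf == 0:
        findings.append("PMF_DISABLED")
    elif pmf == 1 and not mixed:
        findings.append("PMF_OPTIONAL_WPA3_ONLY")
    # Reported in this thread: SAE fails when the password comes from a file.
    if "SAE" in akms and "wpa_psk_file" in conf and "wpa_passphrase" not in conf:
        findings.append("SAE_PSK_FILE")
    return findings

# Constructed sample configs (not taken from the thread).
SAE_ONLY = """
# WPA3-only test AP
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=1
wpa_psk_file=/etc/hostapd/hostapd.psk
"""
TRANSITION = """
wpa=2
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
ieee80211w=1
wpa_passphrase=constructed-example-passphrase
"""

if __name__ == "__main__":
    for name, cfg in (("SAE_ONLY", SAE_ONLY), ("TRANSITION", TRANSITION)):
        print(name, lint(cfg) or "ok")
```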




