Windows 11 Client can't connect to WPA3 Enterprise

Robert Senger robert.senger at lists.microscopium.de
Wed May 24 14:48:21 PDT 2023 

Hi Beniamino,

you were right, setting "group_mgmt_cipher=BIP-GMAC-256" (the default
is AES-128-CMAC) did the trick. At least in "WPA3 Enterprise 192-bit"
mode. But it seems to mess up "WPA3 Enterprise transition" mode... but
this is a new topic.

I already tried this setting couple of days ago, but hostapd failed to
start with that. Maybe a typo, maybe that was prior to upgrading
hostapd to 2.10 (was 2.9 before). However...

Thank you for your hint!

Best regards,

Robert


Am Mittwoch, dem 24.05.2023 um 11:09 +0200 schrieb Beniamino Galvani:
> On Sun, May 21, 2023 at 08:41:22PM +0200, Robert Senger wrote:
> > Hi all,
> > 
> > I am having trouble getting a Windows 11 client connected to a WPA3
> > Enterprise network.
> > 
> > While clients using wpa_supplicant can connect fine, the Windows 11
> > machine fails in early stage. 
> > 
> > When running hostapd with the -d switch from the commmand linbe, I
> > see
> > this during a connection attempt of the Windows 11 machine: 
> > 
> > association request: STA=04:7b:cb:29:e0:94 capab_info=0x11
> > listen_interval=1 seq_ctrl=0x1020
> > Validating WMM IE: OUI 00:50:f2  OUI type 2  OUI sub-type 0 
> > version 1  QoS info 0x0
> > Unsupported management group cipher 4096
> > 
> > This error occurs always, whatever I set for rsn or group cipher in
> > hostapd.conf
> > 
> > I digged into the sources for that message and found this in
> > wpa_common.c:
> > 
> > int wpa_cipher_valid_mgmt_group(int cipher)
> > {
> >         return cipher == WPA_CIPHER_GTK_NOT_USED ||
> >                 cipher == WPA_CIPHER_AES_128_CMAC ||
> >                 cipher == WPA_CIPHER_BIP_GMAC_128 ||
> >                 cipher == WPA_CIPHER_BIP_GMAC_256 ||
> >                 cipher == WPA_CIPHER_BIP_CMAC_256;
> > }
> 
> Hi,
> 
> I think the error comes from wpa_auth_ie.c:
> 
> 
>      if (data.mgmt_group_cipher != wpa_auth->conf.group_mgmt_cipher)
>      {
>              wpa_printf(MSG_DEBUG, "Unsupported management group "
>                         "cipher %d", data.mgmt_group_cipher);
>              return WPA_INVALID_MGMT_GROUP_CIPHER;
>      }
> 
> (Note that the cipher is displayed in decimal here, while it's
> printed
> in hex in wpa_common.c).
> 
> It seems the problem is that PMF is required and the group management
> cipher from configuration (group_mgmt_cipher=) doesn't match the one
> from the IE?
> 
> Beniamino

-- 
-- 
Robert Senger

More information about the Hostap mailing list