wpa_supplicant: configuring opportunistic WPA3

Dennis Bland dennis at dbperformance.com
Sun Jan 2 12:34:21 PST 2022


Hi Michele:

You can create two similar netblocks of different priority (higher
number = higher priority).  The higher priority netblock will be
compared with the scan results first.

For example, to try matching with SAE first:

network={
    ssid="mynetwork"
    psk="mypassword"
    key_mgmt=SAE
    ieee80211w=2
    priority=10
}
network={
    ssid="mynetwork"
    psk="mypassword"
    key_mgmt=WPA-PSK
    ieee80211w=1
    priority=5
}

Best regards,

Dennis

> Hi all,
>
> I'm the maintainer of the NixOS module[^1] for wpa_supplicant.
> I'd like to know if it's possible to write a network block that will
> always work for both WPA2 and WPA3 networks. Based on the
> documentation I wrote:
>
>   network={
>     ssid="mynetwork"
>     psk="mypassword"
>     key_mgmt=SAE WPA-PSK
>     ieee80211w=1
>   }
>
> This seems to work:
>   1. if the network is mixed SAE WPA-PSK, wpa_supplicant uses SAE
>   2. if the network is WPA-PSK or SAE only, wpa_supplicant uses that
> However, if (in case 1.) SAE fails for some reason, wpa_supplicant
> will not fall back to WPA-PSK but keep trying SAE forever.
> This is an issue, for example, if the hardware lacks PMF support.
>
> Is there a way to configure SAE opportunistically? Try SAE first,
> if it succeeds use that, otherwise try another protocol.
>
> Thank you,
>
> rnhmjoj
>
>
> [^1]: If you have never heard of NixOS, that is basically a high-level
> interface for generating the wpa_supplicant config file.
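
Added example, not part of the original thread and not wpa_supplicant or NixOS code: a Python rewrite step that a config generator could run to turn a combined "SAE WPA-PSK" block, as in the quoted question, into the two prioritised blocks from the reply. The function names are hypothetical, the sample input is constructed, and the ieee80211w and priority values are the ones given in the reply.

```python
import re

# Matches one network={ ... } block; assumes the closing brace sits on its
# own line, as in the blocks shown in this thread.
BLOCK_RE = re.compile(r"network=\{\n(.*?)\n\}", re.S)

def parse_fields(body):
    """Return the key=value lines of a network block as an ordered dict."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            fields[key] = value
    return fields

def render(fields):
    lines = ["    %s=%s" % kv for kv in fields.items()]
    return "network={\n" + "\n".join(lines) + "\n}"

def split_mixed_block(match, sae_priority=10, psk_priority=5):
    """Replace a combined 'SAE WPA-PSK' block with two prioritised blocks."""
    fields = parse_fields(match.group(1))
    if set(fields.get("key_mgmt", "").split()) != {"SAE", "WPA-PSK"}:
        return match.group(0)  # leave every other block untouched
    # Values mirror the reply: SAE with ieee80211w=2 and the higher
    # priority, WPA-PSK with ieee80211w=1 and the lower priority.
    sae = dict(fields, key_mgmt="SAE", ieee80211w="2", priority=str(sae_priority))
    psk = dict(fields, key_mgmt="WPA-PSK", ieee80211w="1", priority=str(psk_priority))
    return render(sae) + "\n" + render(psk)

def rewrite_config(text):
    return BLOCK_RE.sub(split_mixed_block, text)

# Constructed sample input: the mixed block from the quoted question plus an
# unrelated open network that must pass through unchanged.
SAMPLE = """network={
    ssid="mynetwork"
    psk="mypassword"
    key_mgmt=SAE WPA-PSK
    ieee80211w=1
}
network={
    ssid="guest"
    key_mgmt=NONE
}"""

if __name__ == "__main__":
    print(rewrite_config(SAMPLE))
```

Running the rewrite a second time leaves the output unchanged, because neither generated block still lists both key management types.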


