wpa_supplicant: configuring opportunistic WPA3

Michele Guerini Rocco rnhmjoj at eurofusion.eu
Wed Jan 12 01:20:45 PST 2022 

I tested your solution a bit and it seems to be working: it's a bit
slower because wpa_supplicant makes more than one attempt before
disabling the block and trying the other, but it does work.

Thank you!

rnhmjoj

On 02-01-22, Dennis Bland wrote:
> Hi Michele:
> 
> You can create two similar netblocks of different priority (higher
> number = higher priority).  The higher priority netblock will be
> compared with the scan results first.
> 
> For example, to try matching with SAE first:
> 
> network={
>     ssid="mynetwork"
>     psk="mypassword"
>     key_mgmt=SAE
>     ieee80211w=2
>     priority=10
> }
> network={
>     ssid="mynetwork"
>     psk="mypassword"
>     key_mgmt=WPA-PSK
>     ieee80211w=1
>     priority=5
> }
> 
> Best regards,
> 
> Dennis
> 
> > Hi all,
> >
> > I'm the maintainer of the NixOS module[^1] for wpa_supplicant.
> > I'd like to know if it's possible to write a network block that will
> > always work for to both WPA2 and WPA3 networks. Based on the
> > documentation I wrote:
> >
> >   network={
> >     ssid="mynetwork"
> >     psk="mypassword"
> >     key_mgmt=SAE WPA-PSK
> >     ieee80211w=1
> >   }
> >
> > This seem to work:
> >   1. if the network is mixed SAE WPA-PSK, wpa_supplicant uses SAE
> >   2. if the network is WPA-PSK or SAE only, wpa_supplicant uses that
> > However, if (in case 1.) SAE fails for some reason, wpa_supplicant
> > will not fallback to WPA-PSK but keep trying SAE forever.
> > This is an issue, for example, if the hardware lacks PMF support.
> >
> > Is there a way to configure SAE opportunistically? Try SAE first,
> > if it succeeds use that, otherwise try another protocol.
> >
> > Thank you,
> >
> > rnhmjoj
> >
> >
> > [^1]: If you never heard of NixOS, that is basically a high-level
> > interface for generating wpa_supplicant config file.
> 
> _______________________________________________
> Hostap mailing list
> Hostap at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/hostap
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20220112/26410999/attachment.sig>

More information about the Hostap mailing list