[EXTERNAL] Re: Fwd: Pixel6 was not able to connect due to phone indicates support for SAE H2E, but did not use it

Sean Li sean at plume.com
Sun May 22 21:55:58 PDT 2022 

Jouni,
Please refer to the sniffer capture at
https://drive.google.com/file/d/13EcsEJKjKrkID20SPaq0YYA3_iatGD6Y/view?usp=sharing
Pixel6 mac: 0c:c4:13:14:16:93
The issue usually happens after multiple roaming connections between
our mesh system.
Here is the wpa_supplicant.conf I dumped from Pixel6, assuming that's
the config taken and run in the wifi system
> oriole:/ $ cat /vendor/etc/wifi/wpa_supplicant.conf
> update_config=1
> eapol_version=1
> ap_scan=1
> fast_reauth=1
> pmf=1
> p2p_add_cli_chan=1
> oce=1
> sae_pwe=2

If the 802.11 spec mandates H2E when both peers advertised the
support, the issue here sounds more on the Pixel6 then.

Regards,
Sean

On Sun, May 22, 2022 at 6:30 AM Jouni Malinen <j at w1.fi> wrote:
>
> On Thu, May 19, 2022 at 10:59:58AM -0700, Sean Li wrote:
> > We have a tri-band 6G AP product running hostapd with sae_pwe as 2.
> > We noticed Android Pixel6 was failed to make successful connection due
> > to warning "SAE: 0c:c4:13:14:16:93 indicates support for SAE H2E, but
> > did not use it."
> > From sniffer capture, Pixel6 has status code 0 in AUTH COMMIT message,
> > H2E bit set in (Re)Assoc Req and hostapd returned
> > WLAN_STATUS_UNSPECIFIED_FAILURE in (Re)Assoc Resp.
>
> Would you be able to share a sniffer capture showing this? Was there any
> configuration option on the station device for enabling SAE H2E?
>
> > Can we get more context on why hostapd instrument the check below?
> > Is there any spec stating the requirement below?
>
> > >     SAE: Verify that STA negotiated H2E if it claims to support it
> > >
> > >     If a STA indicates support for SAE H2E in RSNXE and H2E is enabled in
> > >     the AP configuration, require H2E to be used.
>
> This is mainly to prevent downgrade attacks should there be remaining
> security issues in SAE hunting-and-pecking loop implementations (which
> seems likely, in general, compared to H2E).
>
> IEEE Std 802.11-2020 has a shall requirement on the STA using H2E if it
> has determined that the peer supports H2E. In case of an infrastructure
> BSS, i.e., whenever connecting to an AP, this would always be the case
> if both devices advertise support for SAE H2E.
>
> --
> Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list