wpa_supplicant: SAE auth failure with MLO AP

[Pablo MARTIN-GOMEZ]

Hello all,

I'm running a STA with wpa_supplicant built from git commit 60f5c09304 
(main branch from 10 days ago). I was trying to get it to connect to a 
MLD AP (hostapd based) configured with WPA3 Transition and 2-links (5 
GHz & 2.4 GHz) and receiving systematically an auth failure with reason 
CONN_FAILED. I've attached a PCAP capture to understand what is happening.

What I guess is happening is that the STA sends a SAE commit frame with 
a multi-link element [using MLD address] but with hunt and peck method 
[this is not compliant with 802.11be] and the AP responds with a SAE 
commit frame without the multi-link element [using the associated STA 
address] and the hunt and peck [this is compliant], and this ends up 
with confirm frame with failed status. Setting the option "sae_pwe=2" 
immediately fixed my connection issue.

So currently I don't have an issue but I'm not expecting wpa_supplicant 
to failed to connect with a valid configuration. I think I would be able 
to propose a patch to fix this but I'm not sure of which option is the 
best: should we prevent a multi-link setup if H2E is not activated or 
should we activate automatically H2E for a multi-link setup (this is 
already done for 6 GHz BSSs)? [there is also the discussion of whatever 
hostapd should accept the auth discarding the multi-link element or 
responding with a failure status code in the commit frame]

Best regards,

Pablo MG
-------------- next part --------------
A non-text attachment was scrubbed...
Name: be200_mlo_auth_fail_extract.pcap
Type: application/vnd.tcpdump.pcap
Size: 5076 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20251211/08a36c74/attachment.pcap>