New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FS#3108 - Some devices unable to connect in sae-mixed mode (WPA3/WPA2 Personal) #7858
Comments
Freddicus: Problem persists in version: OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.138.63234-ccd9d67 |
Freddicus: Problem persists in macOS Catalina 10.15.5. |
sseide: Same problem with Android 9 client (LineageOS 16.0, March 2020) On OpenWRT 19.07.3 no connection possible with following setup:
Just changing encryption to 'psk2+ccmp' everything works fine. LuCI openwrt-19.07 branch (git-20.167.61968-87da00a) / OpenWrt 19.07.3 r11063-85e04e9f46 |
wberrier: I'm seeing this on 21.02.0-rc3 running on d-link dir-882 with some clients. Interesting, I don't see it on these clients (Fedora 34): 03:00.0 Network controller: Intel Corporation Wireless 7265 (rev 59) But I see it on these clients (Fedora 34): 03:00.0 Network controller: Intel Corporation Wireless 7260 (rev 83) and 03:00.0 Network controller: Intel Corporation Wireless 7260 (rev 6b) If I configure the AP to just WPA2 mode, or just WPA3 mode, the connect fine. But wpa2/wpa3 mixed, the APs don't even show up on the 7260 devices... ?? Also, the fact I'm seeing this on mediatek and qualcomm APs smells like a wpad bug... ? Also, in mixed mode, I had some android devices that also didn't connect (SM-T380). |
niclau: I am facing the same problem here. |
por: Here no problem on macOS 10.15.7 (MBP mid 2012) with WPA2 (psk2) on OpenWRT 21.0.2. |
Same here on 22.058.70382 with Xiaomi SmartMi Humidifier 2. WPA-2 (PSK): working Both with wpad-wolfssl and wpad-openssl (and also with basic versions). |
I have similar problem. PSK and SAE work fine, but one device has problem with SAE-mixed: in my case it is Android 8 phone HTC Desire 12+. I also have some Xiaomi smart devices but they connect fine: Air Purifier 3H, Robot Vacuum Mop Pro. The router in my case is TP-Link TL-WR1043ND v1 with 21.02.2 OpenWRT. Using pure SAE was not an option for me as some of my devices are too old to support it. I ended up leaving my another router (hooked with fast bss transition) in PSK mode as a fallback. |
I've disabled 802.11w feature and that helped me. Try this. |
Hmm, it is disabled by default and I don't see anything that would enable it in my Edit: I disabled 802.11r and the problem went away. That's nice but a bit unsatisfactory as I liked having a second AP to boost my range. |
For me its working with WPA2 PSK and WPA3 but not for sae-mixed only in combination with FT. There are no logs on the router on the failed connects. |
another voice on the pile here-interestingly enough it was only with 802.11r switched on and is only with a vizio P55-F1. Currently using an X4S on 22.03rc5.. |
I am also facing this issue, it happens even on new macbook air (m1). Strange is that on macbook pro with same processor (m1 pro) this isn’t happening as well as on very old iPhone SE everything works. Hopefully it will be fixed soon. |
Just to add some more information, it's working for me with an iPhone SE (1st gen) running iOS 15.7 but it does not work on an iPhone XR running iOS 16. As soon as I disable 802.11r everything works fine in all devices |
Same issue here with an IPhone XR iOS 16.3 and IPad 9th Gen iOS 16.3 and WPA2/WPA3-Mixed, FT enabled on an ASUS RT-X53U and a TP-Link C50v1. 802.11w is disabled already. |
Same here on openwrt-21.02. I had issue with Xiaomi Mi Air Purifier. |
@kzn1990 Same with iOS 16.3 devices? |
https://www.wi-fi.org/download.php?file=/sites/default/files/private/202012_Wi-Fi_Security_Roadmap_and_WPA3_Updates.pdf I think OpenWRT lacks support for FT-SAE somewhere. See the Roadmap page 18. |
I have to ammend that comment. I think, because the WPA3 requirements where first drafted and later expanded by an addendum, we basically have a flurry of devices that should be 'wpa3 capable' but are unaware of the latest security features in WPA3. The wait is for the manufacturers to release an updated firmware/software to get them compatible with the latest spec. On the other hand, I believe OpenWRT offers us too much configuration options and conflicting settings when running WPA3 mixed mode which is further confusing us users and the devices that try to connect alike. I think this process could be a little more streamlined. Examples, according to the spec: When using WPA2-PSK/WPA3-SAE mixed mode OpenWRT offers 802.11w as required to all clients, even those who try to connect using WPA2-PSK, breaking compatibility. Confusing, to say the least. EDIT: this all is still true in 22.03.3. |
Same issue here, is there any workaround? Also is this an issue in OpenWRT or some upstream software, would be nice to pin point the exact root cause. |
I'm seeing this with an Intel 7260 WiFi card (on Lenovo ThinkPad L540) against a TP-Link Archer C2600 running OpenWrt 22.03.5. I was running WPA2/WPA3 PSK ("sae-mixed") before for some time and had not noticed any issues, but then decided to enable 802.11r. Afterwards the notebook would no longer connect (or even list the WLAN SSID) - under Win 10 Pro (x64), Ubuntu "Jammy" LTS, and Gentoo using plain wpa_supplicant. Other devices (Android 8.x) were still fine. Setting 802.11w to "Disabled" solved it. The way I understand it, this older wireless NIC isn't (and likely never will be) compatible with WPA3, so the easy way out would be to stick with WPA2-PSK only (which I assume works fine with 802.11r/w, going by others' experience). Trying to be "future proof" with WPA2/WPA3 mixed mode is where the troubles start... Regards, NiteHawk |
I assumed the 802.11w visible setting in mixed mode is just for WPA2 clients as 802.11w is mandatory for WPA3, if a WPA3 client fails with 802.11w enforced then its not meeting WPA3 spec. But then I noticed the option is still visible when selecting WPA3 standalone mode. So does the 802.11w chosen setting apply to both WPA2 and WPA3 in mixed mode? My problematic devices. Xbox Series S - for whatever reason Microsoft have not added WPA3 support to their software stack, so need mixed mode to allow the console to connect, in WPA2 standalone mode it will sometimes connect when 802.11w is enforced, but only sometimes, when optional it always connects, interestingly in mixed mode it always connects with 802.11w set to enforced, so does 802.11w work for WPA2 clients in mixed mode? Intel AX210 Windows 10 21H2 - only reliably connects in either WPA2 standalone mode or WPA3 standalone mode, in mixed mode this is weird, but basically will only connect if OpenWRT device recently rebooted, after day or so uptime it cant negotiate DHCP. Oneplus 6 phone running android 9, SAE is only support in Android 10 onwards officially, however the phone will connect in SAE mode, but android considers the connection not secure so will drop the connection after a few hours and not auto reconnect. I havent found a way in android to force WPA2 to be used when mixed mode is on the AP. My ok devices. These connect fine in all combinations of modes and 802.11w. PS5. |
Have a similar problem. UpStream with OpenWrt 22, TL-WDR4300 v1 With WPA2 PSK (CCMP) repeater has upstream
|
I'm still hitting this problem in both 23.05 & snapshot r24256. Strangely my iPad M1 works fine, but iPhone 11 & mac mini M1 isn't. |
Having this problem with some roombas. 802.11w disabled or optional doesn't matter. I ended up changing the encryption to WPA2-PSK. |
Freddicus:
Device: Netgear Nighthawk X4S (R7800)
Software version: OpenWrt 19.07.2 r10947-65030d81f3 / LuCI openwrt-19.07 branch git-20.134.55291-ba0fb08
Steps to reproduce:
Devices previously able to connect to WPA2 mode:
If I switch the radio to WPA2 Personal only (wpa-psk if not using luci, I believe), they can connect. I switch it back to WPA3/WPA2 Personal (sae-mixed) they cannot connect. Let me know what logs to gather and how to gather them. If it's a client issue, please confirm, but my understanding is that mixed mode should support all WPA2 Personal compatible devices.
The text was updated successfully, but these errors were encountered: