Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FS#3108 - Some devices unable to connect in sae-mixed mode (WPA3/WPA2 Personal) #7858

Open
openwrt-bot opened this issue May 18, 2020 · 25 comments
Labels

Comments

@openwrt-bot
Copy link

Freddicus:

Device: Netgear Nighthawk X4S (R7800)
Software version: OpenWrt 19.07.2 r10947-65030d81f3 / LuCI openwrt-19.07 branch git-20.134.55291-ba0fb08
Steps to reproduce:

Devices previously able to connect to WPA2 mode:

  • 2012 Macbook Pro on macOS Catalina 10.15.4
  • Up-to-date raspberry pi 4 on raspbian buster

If I switch the radio to WPA2 Personal only (wpa-psk if not using luci, I believe), they can connect. I switch it back to WPA3/WPA2 Personal (sae-mixed) they cannot connect. Let me know what logs to gather and how to gather them. If it's a client issue, please confirm, but my understanding is that mixed mode should support all WPA2 Personal compatible devices.

@openwrt-bot
Copy link
Author

Freddicus:

Problem persists in version: OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.138.63234-ccd9d67

@openwrt-bot
Copy link
Author

Freddicus:

Problem persists in macOS Catalina 10.15.5.

@openwrt-bot
Copy link
Author

sseide:

Same problem with Android 9 client (LineageOS 16.0, March 2020)

On OpenWRT 19.07.3 no connection possible with following setup:

option mode 'ap'
option encryption 'sae-mixed'
option ieee80211w '1'
option ieee80211r '1'
option ft_psk_generate_local '1'
option ft_over_ds '1'

Just changing encryption to 'psk2+ccmp' everything works fine.

LuCI openwrt-19.07 branch (git-20.167.61968-87da00a) / OpenWrt 19.07.3 r11063-85e04e9f46
Openwrt (TP-Link Archer C7) everything up-to-date as of 22.06.2020

@openwrt-bot
Copy link
Author

wberrier:

I'm seeing this on 21.02.0-rc3 running on d-link dir-882 with some clients.

Interesting, I don't see it on these clients (Fedora 34):

03:00.0 Network controller: Intel Corporation Wireless 7265 (rev 59)

But I see it on these clients (Fedora 34):

03:00.0 Network controller: Intel Corporation Wireless 7260 (rev 83)

and

03:00.0 Network controller: Intel Corporation Wireless 7260 (rev 6b)

If I configure the AP to just WPA2 mode, or just WPA3 mode, the connect fine.

But wpa2/wpa3 mixed, the APs don't even show up on the 7260 devices... ??

Also, the fact I'm seeing this on mediatek and qualcomm APs smells like a wpad bug... ?

Also, in mixed mode, I had some android devices that also didn't connect (SM-T380).

@openwrt-bot
Copy link
Author

niclau:

I am facing the same problem here.
Newifi D2 with Openwrt 19.07.8
macbook pro 2013 early running macos catalina 10.15.7, which is only able to work with psk+ccmp.

@openwrt-bot
Copy link
Author

por:

Here no problem on macOS 10.15.7 (MBP mid 2012) with WPA2 (psk2) on OpenWRT 21.0.2.

@PerezChilli
Copy link

PerezChilli commented Mar 12, 2022

Same here on 22.058.70382 with Xiaomi SmartMi Humidifier 2.

WPA-2 (PSK): working
WPA-3 (SAE): working
WPA-3/WPA-2 (SAE, PSK): unable to connect

Both with wpad-wolfssl and wpad-openssl (and also with basic versions).

@tomaszg7
Copy link

tomaszg7 commented Apr 3, 2022

I have similar problem. PSK and SAE work fine, but one device has problem with SAE-mixed: in my case it is Android 8 phone HTC Desire 12+.

I also have some Xiaomi smart devices but they connect fine: Air Purifier 3H, Robot Vacuum Mop Pro.

The router in my case is TP-Link TL-WR1043ND v1 with 21.02.2 OpenWRT. Using pure SAE was not an option for me as some of my devices are too old to support it. I ended up leaving my another router (hooked with fast bss transition) in PSK mode as a fallback.

@PerezChilli
Copy link

I have similar problem. PSK and SAE work fine, but one device has problem with SAE-mixed: in my case it is Android 8 phone HTC Desire 12+.

I also have some Xiaomi smart devices but they connect fine: Air Purifier 3H, Robot Vacuum Mop Pro.

The router in my case is TP-Link TL-WR1043ND v1 with 21.02.2 OpenWRT. Using pure SAE was not an option for me as some of my devices are too old to support it. I ended up leaving my another router (hooked with fast bss transition) in PSK mode as a fallback.

I've disabled 802.11w feature and that helped me. Try this.

@tomaszg7
Copy link

tomaszg7 commented Apr 3, 2022

Hmm, it is disabled by default and I don't see anything that would enable it in my \etc\config\wireless. I have only 802.11r enabled.

Edit: I disabled 802.11r and the problem went away. That's nice but a bit unsatisfactory as I liked having a second AP to boost my range.

@rossiniscarface
Copy link

For me its working with WPA2 PSK and WPA3 but not for sae-mixed only in combination with FT.
The curios thing is: iPhone 12 mini with iOS 15.5 is connecting fine (with FT-SAE)
iPad 8. Generation
iPad Pro 11 2. Generation both with iPadOS 15.5 can't connect.
MacBook Air M1 macOS 12.3.1 can't connect.

There are no logs on the router on the failed connects.

@theAeon
Copy link
Contributor

theAeon commented Jul 22, 2022

another voice on the pile here-interestingly enough it was only with 802.11r switched on and is only with a vizio P55-F1.

Currently using an X4S on 22.03rc5..

@bzumik1
Copy link

bzumik1 commented Sep 24, 2022

I am also facing this issue, it happens even on new macbook air (m1). Strange is that on macbook pro with same processor (m1 pro) this isn’t happening as well as on very old iPhone SE everything works. Hopefully it will be fixed soon.

@svillar
Copy link

svillar commented Oct 13, 2022

Just to add some more information, it's working for me with an iPhone SE (1st gen) running iOS 15.7 but it does not work on an iPhone XR running iOS 16.

As soon as I disable 802.11r everything works fine in all devices

@bjo81
Copy link

bjo81 commented Feb 26, 2023

Same issue here with an IPhone XR iOS 16.3 and IPad 9th Gen iOS 16.3 and WPA2/WPA3-Mixed, FT enabled on an ASUS RT-X53U and a TP-Link C50v1. 802.11w is disabled already.

@kzn1990
Copy link

kzn1990 commented Feb 28, 2023

Same here on openwrt-21.02. I had issue with Xiaomi Mi Air Purifier.
Disabling 802.11w works for me (WPA2-PSK/WPA3-SAE) or just switching to WPA2-PSK.

@bjo81
Copy link

bjo81 commented Feb 28, 2023

@kzn1990 Same with iOS 16.3 devices?

@xNUTx
Copy link

xNUTx commented Mar 2, 2023

I have to ammend that comment. I think, because the WPA3 requirements where first drafted and later expanded by an addendum, we basically have a flurry of devices that should be 'wpa3 capable' but are unaware of the latest security features in WPA3. The wait is for the manufacturers to release an updated firmware/software to get them compatible with the latest spec.

On the other hand, I believe OpenWRT offers us too much configuration options and conflicting settings when running WPA3 mixed mode which is further confusing us users and the devices that try to connect alike. I think this process could be a little more streamlined.

Examples, according to the spec:
WPA2-PSK: 802.11w should be disabled, it is unsupported.
WPA2-EAP: 802.11w is optional, it can increase the security but clients are not required to support it.
WPA3-SAE and EAP: 802.11w is required.

When using WPA2-PSK/WPA3-SAE mixed mode OpenWRT offers 802.11w as required to all clients, even those who try to connect using WPA2-PSK, breaking compatibility.
When using WPA2-PSK with 802.11w required, the same clients that failed the mixed mode connect will actually connect without problems, because now OpenWRT will silently ignore the 802.11w setting and will not even offer it to the clients.

Confusing, to say the least.

EDIT: this all is still true in 22.03.3.

@dahu33
Copy link

dahu33 commented Apr 26, 2023

Same issue here, is there any workaround? Also is this an issue in OpenWRT or some upstream software, would be nice to pin point the exact root cause.

@n1tehawk
Copy link

I'm seeing this with an Intel 7260 WiFi card (on Lenovo ThinkPad L540) against a TP-Link Archer C2600 running OpenWrt 22.03.5.

I was running WPA2/WPA3 PSK ("sae-mixed") before for some time and had not noticed any issues, but then decided to enable 802.11r. Afterwards the notebook would no longer connect (or even list the WLAN SSID) - under Win 10 Pro (x64), Ubuntu "Jammy" LTS, and Gentoo using plain wpa_supplicant. Other devices (Android 8.x) were still fine. Setting 802.11w to "Disabled" solved it.

The way I understand it, this older wireless NIC isn't (and likely never will be) compatible with WPA3, so the easy way out would be to stick with WPA2-PSK only (which I assume works fine with 802.11r/w, going by others' experience). Trying to be "future proof" with WPA2/WPA3 mixed mode is where the troubles start...

Regards, NiteHawk

@chrcoluk
Copy link

chrcoluk commented Jun 21, 2023

I assumed the 802.11w visible setting in mixed mode is just for WPA2 clients as 802.11w is mandatory for WPA3, if a WPA3 client fails with 802.11w enforced then its not meeting WPA3 spec.

But then I noticed the option is still visible when selecting WPA3 standalone mode.

So does the 802.11w chosen setting apply to both WPA2 and WPA3 in mixed mode?

My problematic devices.

Xbox Series S - for whatever reason Microsoft have not added WPA3 support to their software stack, so need mixed mode to allow the console to connect, in WPA2 standalone mode it will sometimes connect when 802.11w is enforced, but only sometimes, when optional it always connects, interestingly in mixed mode it always connects with 802.11w set to enforced, so does 802.11w work for WPA2 clients in mixed mode?

Intel AX210 Windows 10 21H2 - only reliably connects in either WPA2 standalone mode or WPA3 standalone mode, in mixed mode this is weird, but basically will only connect if OpenWRT device recently rebooted, after day or so uptime it cant negotiate DHCP.

Oneplus 6 phone running android 9, SAE is only support in Android 10 onwards officially, however the phone will connect in SAE mode, but android considers the connection not secure so will drop the connection after a few hours and not auto reconnect. I havent found a way in android to force WPA2 to be used when mixed mode is on the AP.

My ok devices. These connect fine in all combinations of modes and 802.11w.

PS5.
G play 9 on Android 10
Oneplus 8 pro on Android 11

@nop1984
Copy link

nop1984 commented Aug 7, 2023

Have a similar problem.

UpStream with OpenWrt 22, TL-WDR4300 v1
Client repeater Asus RP-AC51

With WPA2 PSK (CCMP) repeater has upstream
with WPA2-PSK/WPA3-SAE Mixed Mode getting ieee80211_match_rsn_info keymgmt 0x0
802.11w disabled, optional - does not matter

May  5 08:07:45 kernel: [ieee80211_ioctl_setmlme] set desired bssid 30:b5:c2:38:57:37
May  5 08:07:45 kernel: ieee80211_match_rsn_info[806] pairwise 0x8, gtk 0x8 , keymgmt 0x0 
May  5 08:07:45 kernel: ieee80211_match_rsn_info[806] pairwise 0x8, gtk 0x8 , keymgmt 0x0 
May  5 08:07:55 kernel: osif_vap_stop: Scan in progress.. Cancelling it. vap: 0x85ba0000 
May  5 08:07:56 kernel: wmi_unified_vdev_down_send for vap 1 (86ea0000)
May  5 08:07:59 kernel: __ieee80211_smart_ant_init: Smart Antenna functions are not registered !!! 
May  5 08:07:59 kernel: vap-1(sta1):set SIOC80211NWID, 14 characters

@misaka00251
Copy link

I'm still hitting this problem in both 23.05 & snapshot r24256. Strangely my iPad M1 works fine, but iPhone 11 & mac mini M1 isn't.

@larskotthoff
Copy link

Having this problem with some roombas. 802.11w disabled or optional doesn't matter. I ended up changing the encryption to WPA2-PSK.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests