Re: PSK+SAE when creating an Access Point



On Mon, Apr 04, 2022 at 11:08:26AM +0200, Beniamino Galvani wrote:
> On Tue, Mar 22, 2022 at 11:52:00AM +0100, Alfonso Sanchez-Beato via networkmanager-list wrote:
> > Hi there!
> >
> > I have been using NetworkManager 1.36.2 to create an Access Point, but I am
> > having some problems. Only devices that support WPA3 are able to connect to
> > the AP. Looking at the history, I see that
> > https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/f5d78c2d289c9e4a4c247d2520c7c3e2baf537c8
> > introduced a change that configures wpa_supplicant to be able to connect to
> > any of WPA, WPA2 or WPA3 and choose the best candidate. However, it looks
> > like this is breaking the hotspot case, at least for me - when I revert the
> > change I am able to connect again from WPA2-only devices.
> >
> > I have seen these problems on
> > * An Intel NUC with Intel wifi driver
> > * On a VM, when loading mac80211_hwsim with two radios (one for hotspot,
> >   the other for connecting to it)
>
> Hi, I can reproduce the problem with mac80211_hwsim. The root cause is
> that NM passes both SAE and FT-SAE as key-mgmt to
> wpa_supplicant. wpa_supplicant currently doesn't support FT in AP
> mode, but still advertises FT-SAE to the STA, leading to a key
> derivation mismatch.
>
> This patch works for me:
>
> http://lists.infradead.org/pipermail/hostap/2022-April/040352.html
>
> Arguably, we could also fix this in NM by not passing FT-SAE in AP
> mode; however I prefer that the fix is done in wpa_supplicant so that
> in the future, when FT support is added to AP mode it will work
> automatically with NM.

I changed my mind. FT requires special configuration in the AP and so
it doesn't make sense that NM automatically enables it because it would
be useless and in some cases (FT-SAE) harmful.

In the end, I did this patch to disable FT when NM configures the
supplicant in AP mode:

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1184

Beniamino
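
An added example, not part of the thread and not NetworkManager's or wpa_supplicant's code: a check that flags FT-* AKMs in the key_mgmt of an AP-mode network block, the combination described above as the root cause. It assumes a wpa_supplicant.conf-style file (NM itself configures the supplicant over D-Bus); the function names and the sample configuration are constructed for illustration.

```python
import re

AP_MODE = "2"  # wpa_supplicant network-block value for AP mode

def parse_networks(conf_text):
    """Return one dict of key -> value per network={...} block."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf_text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip()
        networks.append(net)
    return networks

def ft_akms_in_ap_mode(net):
    """FT-* AKMs listed in key_mgmt of an AP-mode block, else []."""
    if net.get("mode") != AP_MODE:
        return []
    return [akm for akm in net.get("key_mgmt", "").split() if akm.startswith("FT-")]

def without_ft(net):
    """key_mgmt string with FT-* AKMs dropped, for AP-mode blocks only."""
    flagged = set(ft_akms_in_ap_mode(net))
    return " ".join(a for a in net.get("key_mgmt", "").split() if a not in flagged)

# Constructed sample: one hotspot (AP) block and one client (STA) block.
SAMPLE_CONF = '''
network={
    ssid="hotspot"
    mode=2
    key_mgmt=WPA-PSK SAE FT-SAE
    psk="constructed-passphrase"
}
network={
    ssid="upstream"
    key_mgmt=WPA-PSK FT-PSK SAE FT-SAE
    psk="constructed-passphrase"
}
'''

if __name__ == "__main__":
    for net in parse_networks(SAMPLE_CONF):
        print(net["ssid"], ft_akms_in_ap_mode(net), "->", without_ft(net))
```

The client block is left untouched: FT AKMs are only flagged where the block is in AP mode.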
