clearlinux / distribution

Placeholder repository to allow filing of general bugs/issues/etc against the Clear Linux OS for Intel Architecture linux distribution

WPA3 Support #1693

Closed ghost closed 4 years ago

ghost commented 4 years ago

Good day,

So I'd like to request WPA3 Personal / SAE support. I've built a new AP SSID running WPA3 and other devices with WPA3 support connect without an issue but ClearLinux doesn't seem happy with that. The gnome-applet gives no output when you click on that SSID. No error; just nothing happens. If I switch to a terminal and run nmtui, I can configure a WPA3 network configuration, however attempting to activate it results in "Could not activate connection: Failed to determine AP security information".

The workaround is to use the legacy WPA2-PSK SSID I'm keeping for devices which don't support WPA3, but I'd like to put Clear on the WPA3 SSID when possible.

bryteise commented 4 years ago

Hrm I see https://bugzilla.redhat.com/show_bug.cgi?id=1705868 but that looks like something is happening and failing where yours just doesn't seem to try negotiating a login. Any chance you could get logs from the journal for gnome shell and network manager?

ghost commented 4 years ago

Certainly, first here's what journalctl spit out after I try and connect:

-- Logs begin at Sun 2020-02-02 14:09:37 EST, end at Mon 2020-02-03 13:41:45 EST. --
Feb 03 13:41:36 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:36 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:36 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:36 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:37 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:37 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:41 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:41 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:41 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:41 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:41 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:41 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:42 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:42 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:42 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:42 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:42 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:42 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:42 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:42 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:42 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:42 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:42 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:42 osiris gnome-shell[1085]: Ignoring excess values in shadow definition
Feb 03 13:41:45 osiris NetworkManager[419]: <info>  [1580755305.8959] audit: op="connection-add-activate" pid=1085 uid=1000 result="fail" reason="Failed to determine AP security information"

After that I did a little web searching and found a NetworkManager bug which had some debug settings I could try here. That led me to this line:

Feb 03 13:51:04 osiris wpa_supplicant[478]: Line 0: invalid key_mgmt 'SAE'

... which I think lends itself to what causes the connection to ultimately fail. That's probably not the issue with nm-applet but explains why it never connects up I guess.

ghost commented 4 years ago

So if I compare the clearlinux-pkg wpa_supplicant defconf and the current upstream it looks like CONFIG_SAE=y isn't in the clearlinux version. That would make sense if it's from wpa_supplicant 2.4 which probably didn't have SAE in it.

bryteise commented 4 years ago

@jquagga Great detective work, should be easy for us to switch on then.

ghost commented 4 years ago

Yeah, I just went ahead and did that while playing with it. It looks like SAE and CONFIG_IEEE80211W need to be set to on (since WPA3 requires protected management frames). I also turned on IEEE80211R for testing since my 3 APs use it. I don't know if that has any impact on wpa_supplicant but I was just flipping switches.

There are several other new lines in the wpa_supplicant defconf, but these were what I changed in the existing config.patch to get connected. The laptop is connected happily now to a WPA3 OpenWRT access point (running WPA3 only since my iOS devices don't like WPA2/3 mixed mode).

diff --git a/config.patch b/config.patch
index a0fe291..ebf9c31 100644
--- a/config.patch
+++ b/config.patch
@@ -228,6 +228,9 @@ Index: wpa_supplicant-2.4/wpa_supplicant/.config
 +# wpa_passphrase). This saves about 0.5 kB in code size.
 +#CONFIG_NO_WPA_PASSPHRASE=y
 +
++# Simultaneous Authentication of Equals (SAE), WPA3-Personal
++CONFIG_SAE=y
++
 +# Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
 +# This can be used if ap_scan=1 mode is never enabled.
 +#CONFIG_NO_SCAN_PROCESSING=y
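Review bot: the three lines added here (the comment, CONFIG_SAE=y and the blank line) lengthen the embedded wpa_supplicant-2.4/wpa_supplicant/.config patch, but none of the hunks in this diff touches that embedded patch's own hunk header. If that header carries a line count, raise it by three and confirm config.patch still applies cleanly in a fresh build. The new comment could also say that SAE depends on CONFIG_IEEE80211W, which this diff enables further down.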
@@ -286,7 +289,7 @@ Index: wpa_supplicant-2.4/wpa_supplicant/.config
 +
 +# IEEE 802.11w (management frame protection), also known as PMF
 +# Driver support is also needed for IEEE 802.11w.
-+#CONFIG_IEEE80211W=y
++CONFIG_IEEE80211W=y
 +
 +# Select TLS implementation
 +# openssl = OpenSSL (default)
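Review bot: at CONFIG_IEEE80211W=y the only change is dropping the '#', so nothing records why PMF is now compiled in. Add a comment line saying it is needed by the CONFIG_SAE=y added earlier in this diff, so a later cleanup does not switch it back off. The context comment above also says driver support is needed, so the commit message should name the driver this was tested with.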
@@ -364,7 +367,7 @@ Index: wpa_supplicant-2.4/wpa_supplicant/.config
 +#CONFIG_DYNAMIC_EAP_METHODS=y
 +
 +# IEEE Std 802.11r-2008 (Fast BSS Transition)
-+#CONFIG_IEEE80211R=y
++CONFIG_IEEE80211R=y
 +
 +# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
 +#CONFIG_DEBUG_FILE=y
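Review bot: CONFIG_IEEE80211R=y (Fast BSS Transition) is a separate feature from the SAE and PMF changes in the first two hunks, so put it in its own commit with its own justification. That keeps the WPA3 change minimal and lets fast transition be reverted independently later.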
bryteise commented 4 years ago

Looking at the wiki for IEEE80211R it seems reasonable to enable. Should be in the next release or so. Thanks a bunch for all the help =).
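
An added example (not from the thread or the Clear Linux packaging): a shell check that reads a wpa_supplicant build configuration and reports whether the options the thread identified, CONFIG_SAE and CONFIG_IEEE80211W, are enabled, with CONFIG_IEEE80211R reported as optional. The function names and both sample files are constructed for illustration, and stripping a leading `+` so that config.patch itself can be checked is an assumption based on the diff above.

```shell
#!/bin/sh
# Added example: audit a wpa_supplicant build config for WPA3-Personal options.
# Function names and sample data are constructed for illustration.

# opt_state FILE OPTION -> prints enabled | disabled | missing
opt_state() {
    awk -v opt="$2" '
        { sub(/\r$/, ""); sub(/^\+/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 ~ ("^" opt "=y$")                             { state = "enabled" }
        $0 ~ ("^#[ \t]*" opt "=") && state != "enabled"  { state = "disabled" }
        END { if (state == "") state = "missing"; print state }
    ' "$1"
}

# wpa3_audit FILE -> report each option; return 1 if a required one is off
wpa3_audit() {
    rc=0
    for opt in CONFIG_SAE CONFIG_IEEE80211W; do
        st=$(opt_state "$1" "$opt")
        echo "$opt: $st (required: SAE needs PMF)"
        [ "$st" = enabled ] || rc=1
    done
    echo "CONFIG_IEEE80211R: $(opt_state "$1" CONFIG_IEEE80211R) (optional)"
    return "$rc"
}

# Constructed sample: the config as it stood before the change in the thread
sample_before() {
    cat <<'EOF'
+# IEEE 802.11w (management frame protection), also known as PMF
+#CONFIG_IEEE80211W=y
+# IEEE Std 802.11r-2008 (Fast BSS Transition)
+#CONFIG_IEEE80211R=y
EOF
}

# Constructed sample: the same options after the change
sample_after() {
    cat <<'EOF'
+CONFIG_SAE=y
+CONFIG_IEEE80211W=y
+CONFIG_IEEE80211R=y
EOF
}

tmp=$(mktemp -d)
sample_before > "$tmp/before"; sample_after > "$tmp/after"
echo "== before =="; wpa3_audit "$tmp/before" || echo "-> no WPA3-Personal"
echo "== after ==";  wpa3_audit "$tmp/after"  && echo "-> WPA3 options present"
rm -rf "$tmp"
```

Pointing `wpa3_audit` at a packaged `.config` or at `config.patch` gives a non-zero exit status when a required option is off, which makes it usable as a build-time gate.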