nasbdh9
commented
1 month ago Closed nasbdh9 closed 1 month ago
nasbdh9
commented
1 month ago 
systemcrash
commented
1 month ago You'll need to make a PR of what you want changing, pending the outcome of discussion (if there ever is one) in the linked issue.
Luci has functionality as: has_ap_eap192 for WPA3. This check is:
which is checked by UCI at runtime:
Check yourself, on an openwrt shell:
hostapd -vsuiteb192
echo $?
0/etc/config/wireless → option encryption 'wpa2+ccmp' → luci show as WPA2 802.1X (CCMP)
interface=phy1-ap0
ctrl_interface=/var/run/hostapd
ap_isolate=1
bss_load_update_period=60
chan_util_avg_period=600
disassoc_low_ack=1
skip_inactivity_poll=0
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
utf8_ssid=1
multi_ap=0
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=
dynamic_own_ip_addr=1
eapol_key_index_workaround=1
ieee8021x=1
auth_algs=1
wpa=2
wpa_pairwise=CCMP
ssid=Test2.2.1
bridge=br-lan
wds_bridge=
snoop_iface=br-lan.1000
wpa_disable_eapol_key_retries=0
wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256
okc=0
disable_pmksa_caching=1
ieee80211w=2
group_mgmt_cipher=AES-128-CMAC
qos_map_set=0,0,2,16,1,1,255,255,18,22,24,38,40,40,44,46,48,56
bssid=
#default_macaddr
/etc/config/wireless → option encryption 'wpa3+ccmp' → luci show as WPA2 802.1X (CCMP) ← show wrong, luci it should show WPA3 802.1X (CCMP)
interface=phy1-ap0
ctrl_interface=/var/run/hostapd
ap_isolate=1
bss_load_update_period=60
chan_util_avg_period=600
disassoc_low_ack=1
skip_inactivity_poll=0
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
utf8_ssid=1
multi_ap=0
sae_require_mfp=1
sae_pwe=2
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=
dynamic_own_ip_addr=1
eapol_key_index_workaround=1
ieee8021x=1
auth_algs=1
wpa=2
wpa_pairwise=CCMP
ssid=Test2.2.1
bridge=br-lan
wds_bridge=
snoop_iface=br-lan.1000
wpa_disable_eapol_key_retries=0
wpa_key_mgmt=WPA-EAP-SHA256
okc=0
disable_pmksa_caching=1
ieee80211w=2
group_mgmt_cipher=AES-128-CMAC
qos_map_set=0,0,2,16,1,1,255,255,18,22,24,38,40,40,44,46,48,56
bssid=
#default_macaddr
option encryption 'wpa2+ccmp' compared option encryption 'wpa3+ccmp'
add sae_require_mfp=1 sae_pwe=2
change wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256 to wpa_key_mgmt=WPA-EAP-SHA256
/etc/config/wireless → option encryption 'wpa3-192' → luci show as WPA3 802.1X (GCMP-256) ← misleading, luci it should show WPA3 802.1X 192-bit mode (CNSA), lacks the option to configure /etc/config/wireless to option encryption 'wpa3-192'
interface=phy1-ap0
ctrl_interface=/var/run/hostapd
ap_isolate=1
bss_load_update_period=60
chan_util_avg_period=600
disassoc_low_ack=1
skip_inactivity_poll=0
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
utf8_ssid=1
multi_ap=0
sae_require_mfp=1
sae_pwe=2
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=
dynamic_own_ip_addr=1
eapol_key_index_workaround=1
ieee8021x=1
auth_algs=1
wpa=2
wpa_pairwise=GCMP-256
ssid=Test2.2.1
bridge=br-lan
wds_bridge=
snoop_iface=br-lan.1000
wpa_disable_eapol_key_retries=0
wpa_key_mgmt=WPA-EAP-SUITE-B-192
okc=0
disable_pmksa_caching=1
ieee80211w=2
group_mgmt_cipher=BIP-GMAC-256
qos_map_set=0,0,2,16,1,1,255,255,18,22,24,38,40,40,44,46,48,56
bssid=
#default_macaddr
option encryption 'wpa3+ccmp' compared option encryption 'wpa3-192'
change1 wpa_pairwise=CCMP to wpa_pairwise=GCMP-256
change2 wpa_key_mgmt=WPA-EAP-SHA256 to wpa_key_mgmt=WPA-EAP-SUITE-B-192
change3 group_mgmt_cipher=AES-128-CMAC to group_mgmt_cipher=BIP-GMAC-256
/etc/config/wireless → option encryption 'wpa2+ccmp256'
/etc/config/wireless → option encryption 'wpa2+gcmp256'
/etc/config/wireless → option encryption 'wpa3+ccmp256'
/etc/config/wireless → option encryption 'wpa3+gcmp256'
These four options can indeed make hostapd work, but I can't find any document that considers the above four modes to be standard, and I can't connect to the SSID set with these four modes in Android and iOS.
systemcrash
commented
1 month ago luci show as
WPA2 802.1X (CCMP)← show wrong, luci it should showWPA3 802.1X (CCMP)
Then a correction must be made in the underlying scripts as @ansuel mentions here, if there is indeed even a bug there. Because that is where the data comes from.
But I don't think there's a bug (if there is, remind me):
==== https://mrncciew.com/2020/08/17/wpa3-enterprise/
systemcrash
commented
1 month ago You can try my commit and see whether it resolves your usability problem.
nasbdh9
commented
1 month ago You can try my commit and see whether it resolves your usability problem.
apply the commit wpa3-192 can be configured in luci.
nasbdh9
commented
1 month ago luci show as
WPA2 802.1X (CCMP)← show wrong, luci it should showWPA3 802.1X (CCMP)Then a correction must be made in the underlying scripts as @Ansuel mentions here, if there is indeed even a bug there. Because that is where the data comes from.
But I don't think there's a bug (if there is, remind me):
I should open an issue in
netifdiwinfo?
systemcrash
commented
1 month ago You can try my commit and see whether it resolves your usability problem.
apply the commit wpa3-192 can be configured in luci.
Does this fix config issues for you? You set wpa-192 and your AP sets the correct crypto?
nasbdh9
commented
1 month ago Yes, after apply the commit and configuring WPA3-EAP 192-bit Mode in luci, hostapd runs correctly in wpa3-192 mode.
But when configuring wpa3+ccmp, luci still shows WPA2 802.1X (CCMP), and check iwinfo also show WPA2 802.1X (CCMP), where should report this issues?
systemcrash
commented
1 month ago systemcrash
commented
1 month ago OK - the fix is in.
Thanks for the detective work @nasbdh9
https://github.com/openwrt/netifd/commit/db3934d2f740bdfe8537933741f71b439a109422
missing
wpa3-192=WPA3 802.1X (GCMP-256)option encryptionwpa3is actuallywpa2+ccmp=WPA2 802.1X (CCMP)