I have a pure WPA3 SSID on my home network. I know it's working:
1) Several iOS devices can connect to it.
2) When I use NetworkManager, it can connect and shows "WPA3" in the connection properties.
My goal is to use wpa_supplicant and systemd-networkd rather than NetworkManager.
I know that wpa_supplicant is able to see my SSID called blast:
# wpa_cli -i wlp4s0 scan
OK
# wpa_cli -i wlp4s0 scan_results | grep blast
xx:xx:xx:xx:xx:xx 5745 -66 [WPA2-SAE-CCMP][ESS][UTF-8] blast
So I created /etc/wpa_supplicant/wpa_supplicant-wlp4s0.conf:
ctrl_interface=/run/wpa_supplicant
update_config=1
network={
ssid="blast"
psk=xxx
key_mgmt=SAE
ieee80211w=2
}
Where psk is my correctly formatted passphrase which I sanitized for the forum post.
But wpa_supplicant fails to connect:
# wpa_supplicant -i wlp4s0 -c /etc/wpa_supplicant/wpa_supplicant-wlp4s0.conf
Successfully initialized wpa_supplicant
wlp4s0: No PSK available for association
wlp4s0: SME: Failed to set WPA key management and encryption suites
Am I misunderstanding the conf options? Thanks.
Last edited by graysky (2020-06-14 15:16:53)
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Finally figured it out with the help of the debug flag (-d) and searching the example /usr/share/doc/wpa_supplicant/wpa_supplicant.conf for some key words:
@graysky, thanks for that, but shouldn't 'ieee80211w=2' still be true for a 'pure WPA3 SSID' as you call it?
1=optional
2=required
(see) https://w1.fi/cgit/hostap/plain/wpa_sup … icant.conf
# ieee80211w: whether management frame protection is enabled
# 0 = disabled (default unless changed with the global pmf parameter)
# 1 = optional
# 2 = required
# The most common configuration options for this based on the PMF (protected
# management frames) certification program are:
# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
# (and similarly for WPA-PSK and WPA-PSK-SHA256 if WPA2-Personal is used)
# WPA3-Personal-only mode: ieee80211w=2 and key_mgmt=SAE
@qinohe - I think so, but I am not expert enough with different WPA3 configurations on the router's side... on my openwrt device, I have the SSID set to be required, but there is an optional mode as well. I think setting it to 1 in wpa's config is more permissive, but please correct me if I am mistaken.
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Yes, that's what that option seems to imply.
If option '2' is enabled, PMF is a crypto-enabled transmission too.
I'm not an expert either, but reading about it, it seems you could be forced to re-authenticate by malicious frames.
Could be far-fetched, but better safe than sorry ;)
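As an added example (not code from any poster in this thread or from the wpa_supplicant project), this Python check reads wpa_supplicant.conf text and classifies each network block against the ieee80211w values and the "WPA3-Personal-only mode: ieee80211w=2 and key_mgmt=SAE" pairing quoted from the sample configuration above. The function names, finding labels and sample configuration are constructed for illustration.

```python
PMF = {0: "disabled", 1: "optional", 2: "required"}  # ieee80211w values

# Constructed sample configuration; credentials deliberately omitted.
SAMPLE = """
network={
    ssid="blast"
    key_mgmt=SAE
    ieee80211w=2
}
network={
    ssid="guest"
    key_mgmt=SAE
    ieee80211w=1
}
network={
    ssid="legacy"
    key_mgmt=WPA-PSK
}
"""

def parse_conf(text):
    """Split wpa_supplicant.conf text into global settings and network blocks."""
    settings, networks, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.replace(" ", "") == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif "=" in line:
            key, value = line.split("=", 1)
            (settings if current is None else current)[key.strip()] = value.strip()
    return settings, networks

def check_pmf(text):
    """Return (ssid, pmf_mode, finding) per network; finding labels are hypothetical."""
    settings, networks = parse_conf(text)
    default = int(settings.get("pmf", 0))  # global pmf changes the per-network default
    out = []
    for net in networks:
        level = int(net.get("ieee80211w", default))
        if net.get("key_mgmt", "").split() == ["SAE"]:
            finding = "wpa3-personal-only" if level == 2 else "sae-pmf-not-required"
        else:
            finding = "pmf-" + PMF[level]
        out.append((net.get("ssid", "?").strip('"'), PMF[level], finding))
    return out
```

Calling `check_pmf(SAMPLE)` returns one tuple per network block, so a block that sets key_mgmt=SAE without ieee80211w=2 stands out from one that matches the documented WPA3-Personal-only pairing.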