802.11r (FT) and WPA3 SAE

Like I said, SAE (and EAP) cannot work with ft_psk_generate_local as PMK is known only to the AP you connected to first.

You have to turn off psk_generate_local. I also had trouble with some devices if "Disconnect on low ACK" was enabled, so you can try turning that off too.

In theory you would have to set up R0KH and R1KH - I always set it manually. But in the documentation it says that openwrt will do it for you. The easiest way to manually set it up is to:

  • create a shared secret key (that can be any random 256 bits):
    • you can use an online utility such as this one or
    • generate it yourself using a command such as: dd if=/dev/random bs=16 count=1 2>/dev/null | md5sum | awk '{print $1}' on the router itself
  • set r0kh to: ff:ff:ff:ff:ff:ff * your_key_here (in /etc/config/wireless put commas instead of spaces)
  • set r1kh to: 00:00:00:00:00:00 00:00:00:00:00:00 your_key_here (in /etc/config/wireless put commas instead of spaces)

The above will enable hostapd's automatic FT RRB message exchange so you don't need to list all APs everywhere.

3 Likes