jkdf2
April 9, 2024, 2:50am
15
cotequeiroz:
Setting r0kh and r1kh should not be mandatory, except if you use a password file and do not set a regular password. Keys are supposed to be random; manually changing them should not make a difference. If you have a PSK set, and FT does not work without setting r0kh and r1kh, then there is a bug that needs to be fixed!
Are you sure? Like for @ej_breaks_the_lan, it was your post that, for me, clued me into needing to specify an r0kh and r1kh!
I have not even tried to measure any difference between them.
If you wish to try WPA3-SAE on your own, I'll give you some clues. The minimum config you need is to enable 802.11r, and make sure to DISABLE Generate PMK locally (ft_psk_generate_local). This option is currently not working with WPA3.
OpenWRT will provide default values for the keys and identifiers, so there's no need to set them: nas_identifier is taken from the BSSID; mobility_domain will be the first 4 hex digits of the md5sum…
And your follow-up post here:
Basically, assuming you're running 21.02 or master and configuring from luci, you just need to turn 802.11r on and disable 'Generate PMK locally'. Leave the r0kh and r1kh empty.
OpenWrt will generate a key for you. Test it with just that to see if it works. The caveat is that it will only use the mobility domain to do so, meaning it will only generate 65536 possible keys, vs 3.403E+38 if you set your own. If you don't set your own mobility domain, then anyone can use the same recipe to comp…
If you're certain that simply enabling 802.11r with WPA3-SAE should simply work, I can certainly try to provide a minimally reproducible config when my wife isn't in the middle of some AWS exam studies.
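As an added example (not code from this thread or from OpenWrt itself): a small shell helper that generates a random mobility domain and a random 128-bit FT key once, then prints the wifi-iface options to paste on every AP, so the key does not depend on defaults derived from the mobility domain. The function names are hypothetical, and the wildcard r0kh/r1kh entry format is an assumption taken from hostapd's documented wildcard entries; it is not shown in the posts above.

```shell
#!/bin/sh
# Added example: generate explicit 802.11r settings instead of relying on defaults.

# rand_hex N: print N random bytes as 2*N lowercase hex digits.
rand_hex() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# is_hex VALUE LENGTH: succeed only if VALUE is exactly LENGTH hex digits.
is_hex() {
    [ "${#1}" -eq "$2" ] || return 1
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# ft_uci_snippet MOBILITY_DOMAIN KEY: print options for one wifi-iface section.
# The same output must be used on every AP in the roaming group.
ft_uci_snippet() {
    is_hex "$1" 4 || { echo "mobility_domain must be 4 hex digits" >&2; return 1; }
    is_hex "$2" 32 || { echo "key must be 32 hex digits (128 bits)" >&2; return 1; }
    cat <<EOF
    option ieee80211r '1'
    option ft_psk_generate_local '0'
    option mobility_domain '$1'
    list r0kh 'ff:ff:ff:ff:ff:ff,*,$2'
    list r1kh '00:00:00:00:00:00,00:00:00:00:00:00,$2'
EOF
}

# Generate once, then copy the printed lines to each AP's /etc/config/wireless.
ft_uci_snippet "$(rand_hex 2)" "$(rand_hex 16)"
```

Run it once and reuse the output; running it separately on each AP would give every AP a different key and mobility domain.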