Hello! How do I use WPA-SAE-PK? lleachii's reply in WPA3 R3 SAE-PK in OpenWrt suggests it's possible, but I wasn't able to find it in the web interface or when grepping the OpenWrt code. I tried setting my password to 2udb-slxf-3ij2|pk=04e8aad54d1a121955e8703d1dfa115e:MHcCAQEEIKMP3SZEAlW9rSwTFsaR/sEyX963opsOo2QYe4G8Kcl+oAoGCCqGSM49AwEHoUQDQgAE4GuxyTkKNt0MEispu/XPxImInj+tl2ri/Jfu2mOQKb1TdNHSPs6UP+rxv5OWnezhOpjpD63Y+zjjz1yk7/iF7g==
hoping it would end up correctly in the config https://w1.fi/cgit/hostap/tree/hostapd/hostapd.conf?id=f2dd75093f9ee5211cedc125e2f211b8cd3d93cd#n2010, but OpenWrt didn't allow such long passwords. (Using 23.05.0-rc2.)
I'm not sure, but I thought I noticed an option in LuCI's roaming options for PK. The options only appear if you check the roaming option; you might also need wpad-openssl.
Though I'm not sure how it works: the last time I tried to use a VLAN argument in the WPA key entry, it also did not work for SAE.
Even though this is an old thread, I'll post my findings if anyone looks for this:
Even though the version of hostap used by OpenWrt snapshots supports SAE-PK, it is not being enabled at build time. You can build your own version by applying this patch to the package Makefile, noting that it will only build for the full openssl versions:
--- a/package/network/services/hostapd/Makefile
+++ b/package/network/services/hostapd/Makefile
@@ -100,7 +100,7 @@ ifeq ($(SSL_VARIANT),openssl)
DRIVER_MAKEOPTS += CONFIG_AP=y CONFIG_MESH=y
endif
ifeq ($(LOCAL_VARIANT),full)
- DRIVER_MAKEOPTS += CONFIG_OWE=y CONFIG_SUITEB192=y CONFIG_AP=y CONFIG_MESH=y
+ DRIVER_MAKEOPTS += CONFIG_OWE=y CONFIG_SUITEB192=y CONFIG_AP=y CONFIG_MESH=y CONFIG_SAE_PK=y
endif
endif
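Review bot: CONFIG_SAE_PK=y is appended to the existing "CONFIG_OWE=y CONFIG_SUITEB192=y ..." line, which sits inside both ifeq ($(SSL_VARIANT),openssl) and ifeq ($(LOCAL_VARIANT),full), so only the full openssl build gets SAE-PK and nothing in the Makefile says so. Consider a separate "DRIVER_MAKEOPTS += CONFIG_SAE_PK=y" line in the same block with a one-line comment stating that restriction; that keeps the change a pure addition and makes it easier to carry across updates to this Makefile. The hunk also does not show CONFIG_SAE=y being set for this variant, so confirm it is enabled elsewhere, since SAE-PK builds on SAE.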
Then in your /etc/config/wireless, add the password like this:
config wifi-iface ...
...
option encryption 'sae'
option key '2udb-slxf-3ij2'
list hostapd_bss_options 'sae_password=2udb-slxf-3ij2|pk=04e8aad54d1a121955e8703d1dfa115e:MHcCAQEEIKMP3SZEAlW9rSwTFsaR/sEyX963opsOo2QYe4G8Kcl+oAoGCCqGSM49AwEHoUQDQgAE4GuxyTkKNt0MEispu/XPxImInj+tl2ri/Jfu2mOQKb1TdNHSPs6UP+rxv5OWnezhOpjpD63Y+zjjz1yk7/iF7g=='
The key option would be used with WPA2 in sae-mixed mode. It will be ignored in sae only mode.
You may also set the transition disable bits by adding:
list hostapd_bss_options 'transition_disable=0x03'
This was tested with wpad's wpa-supplicant (with the patch above) as a client.
# wpa_cli status
Selected interface 'wsta5g'
bssid=xx:xx:xx:xx:xx:xx
freq=5180
ssid=acme
id=3
mode=station
wifi_generation=6
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=SAE
pmf=1
mgmt_group_cipher=BIP
sae_group=19
sae_h2e=1
sae_pk=1
wpa_state=COMPLETED
address=xx:xx:xx:xx:xx:xx
uuid=xxxxxxxx-xxx-xxx-xxxx-xxxxxxxxxxxx
ieee80211ac=1
The transition-disable showed up in the STA log like this:
daemon.notice wpa_supplicant[1631]: wsta5g: TRANSITION-DISABLE 03
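Added example, not part of the original posts: a small shell check that a station really associated with SAE-PK (rather than plain SAE with the same password) and a decoder for the TRANSITION-DISABLE bitmask. The function names are hypothetical, the sample inputs are copied from the output above, and the bit names follow the transition_disable description in hostapd.conf.

```shell
# Sample inputs taken from the wpa_cli status output and log line in the post.
SAMPLE_STATUS='ssid=acme
key_mgmt=SAE
pmf=1
sae_group=19
sae_h2e=1
sae_pk=1
wpa_state=COMPLETED'
SAMPLE_LOG='daemon.notice wpa_supplicant[1631]: wsta5g: TRANSITION-DISABLE 03'

# status_field KEY: print the value of KEY from `wpa_cli status` text on stdin.
status_field() { sed -n "s/^$1=//p" | head -n 1; }

# check_sae_pk: status text on stdin; prints "ok" only when the association
# is complete, uses SAE with SAE-PK, and has PMF negotiated.
check_sae_pk() {
    status=$(cat)
    for want in wpa_state=COMPLETED key_mgmt=SAE sae_pk=1; do
        key=${want%%=*}
        got=$(printf '%s\n' "$status" | status_field "$key")
        if [ "$got" != "${want#*=}" ]; then
            echo "FAIL: $key=${got:-missing}, want ${want#*=}"
            return 1
        fi
    done
    # Assumption: pmf=1 (as in the post) or pmf=2 both mean PMF is in use.
    case "$(printf '%s\n' "$status" | status_field pmf)" in
        1|2) echo ok ;;
        *) echo "FAIL: PMF not negotiated"; return 1 ;;
    esac
}

# td_from_log: pull the hex bitmask out of a TRANSITION-DISABLE log line.
td_from_log() { sed -n 's/.*TRANSITION-DISABLE \([0-9A-Fa-f]\{1,2\}\).*/\1/p'; }

# decode_transition_disable HEX: name the set bits (per hostapd.conf docs).
decode_transition_disable() {
    mask=$((0x$1)); out=""
    for pair in 1:wpa3-personal 2:sae-pk 4:wpa3-enterprise 8:enhanced-open; do
        if [ $((mask & ${pair%%:*})) -ne 0 ]; then out="$out ${pair#*:}"; fi
    done
    echo "${out# }"
}

printf '%s\n' "$SAMPLE_STATUS" | check_sae_pk
decode_transition_disable "$(printf '%s\n' "$SAMPLE_LOG" | td_from_log)"
```

On a live station, pipe `wpa_cli status` into `check_sae_pk` instead of the sample text.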