WPA3 Enterprise FreeRADIUS config

Recently I configured FreeRADIUS for WPA2 Enterprise use. Based on the fabulous FreeRADIUS config on the OpenWrt wiki, I successfully configured PEAP+TTLS authentication.

However, this FreeRADIUS configuration does not work with WPA3 Enterprise. My questions are:

1. Which authentication method works with WPA3 Enterprise?
2. How do I revert the 'insecure' PEAP+TTLS configuration in FreeRADIUS?

Thanks in advance.

To my knowledge WPA3 Enterprise only supports TLS.

You can read it here: https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/WPA3_Encryption_and_Configuration_Guide

and

But maybe I am mistaken and this is only required for 192-bit security.

How did you figure out the "does not work"? What client did you use? Is WPA3 Enterprise supported by that client?

I tried out WPA3 3 months ago and figured out that none of my devices supported WPA3 Enterprise, including a brand new Samsung S20.

I was using an iPhone 12 for client testing; it just told me the password was not right and refused to connect.

Just confirmed that the Intel 8265 does not support WPA3 at all, so it may not be worth the effort after all.

My personal lessons learnt regarding WPA3 Enterprise were:

  • currently it does not work together with 802.11r fast transition (because of Windows 10 clients, 802.11w has to be switched off for 802.11r, but protected management frames (802.11w) are required for WPA3)
  • nearly no client hardware supports it
  • but I changed my security from PEAP-MSCHAPv2 to EAP-TLS, and that one is far easier to set up on clients (once you have generated the certificates) and much faster in authentication

I just swapped out the Intel 8265 chip in my laptop for an Intel AX210. The AX210 supports WPA3 and Wi-Fi 6E. It was $30 and took about 10 minutes. Windows 10 automatically installed the latest drivers for it too.

Trying to connect to WPA3-Enterprise from Android, I get an instant error and the same stacktrace in logcat as this bug report; that one is about apps configuring the network, but I'm just using the Settings.

UPD: at least the message after the stack trace — "WifiKeyStore: Invalid CA certificate type for Suite-B: 1.2.840.113549.1.1.5" — means that the CA cert must use sha384WithRSAEncryption or ecdsa-with-SHA384 for its own signature. This is a requirement for "WPA3-Enterprise 192-bit mode", i.e. WPA-EAP-SUITE-B-192 in hostapd. Uhhh so "WPA3-EAP" in OpenWrt means that I guess. Even though from the WPA3 spec it seems that 192-bit/Suite-B is just an optional mode of WPA3-EAP. Well, time to make a new CA I guess…

Continuing the WPA3-Enterprise 192-bit mode investigation.

Switched to all-ECC/SHA384 keys and certs, and Android doesn't fail with that error anymore; it just does nothing (as if the Java stuff is just not telling wpa_supplicant to do anything, WTF) but…

I made it work with Windows 10! \o/ The best article about W10 config is here, but to make it work, OpenWrt modifications were required.


So it turns out that, basically, the /lib/netifd / UCI stuff does not generate valid configs for WPA3-Enterprise 192-bit mode AT ALL:

  • /lib/netifd/netifd-wireless.sh generates wpa_pairwise=CCMP. For wpa3 where eap192 is set, wpa_cipher/wpa_pairwise MUST be set to GCMP-256!
  • /lib/netifd/hostapd.sh generates group_mgmt_cipher=AES-128-CMAC. It MUST be BIP-GMAC-256!
  • nothing generates openssl_ciphers=SUITEB192. This doesn't seem mandatory, my Windows machine connected anyway. But it is present in various examples e.g. here.
  • nothing enforces 11w management frame protection being set to mandatory for this 192-bit mode.

P.S. Argh, why does nothing give good debug output for this stuff?! E.g. if 11w is not set to mandatory, the only indication Windows gives you that that's the problem is a log message with "Matching security capabilities of IE in M3 failed (RSN/WPA)".

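The four netifd defects listed in the post above are easy to miss in a generated /var/run/hostapd-*.conf, and hostapd itself only reports them indirectly (the "Matching security capabilities of IE in M3 failed" message). The following POSIX sh linter is an added example, not code from the thread or from OpenWrt: it reads a hostapd config and prints one line per Suite-B-192 requirement that is violated. The two sample configs are constructed for the demo (interface name, SSID, RADIUS address and shared secret are made up); the first mirrors what the post says the stock scripts emit, the second is the same file with the post's fixes applied.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): lint a hostapd.conf for
# WPA3-Enterprise 192-bit mode (wpa_key_mgmt=WPA-EAP-SUITE-B-192). Expected
# values are the ones the post above identifies; sample configs are constructed.

# Print the value of key $2 from config file $1 (last occurrence wins, as in
# hostapd; empty output when the key is absent).
cfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Return 0 when $1 satisfies the 192-bit mode requirements, 1 otherwise,
# printing one line per violated requirement.
check_suiteb192() {
    cfg=$1 rc=0
    [ "$(cfg_get "$cfg" wpa)" = "2" ] || { echo "wpa must be 2 (RSN only)"; rc=1; }
    [ "$(cfg_get "$cfg" wpa_key_mgmt)" = "WPA-EAP-SUITE-B-192" ] \
        || { echo "wpa_key_mgmt must be WPA-EAP-SUITE-B-192"; rc=1; }
    # netifd emits CCMP; Suite B 192 mandates GCMP-256. rsn_pairwise, when
    # present, overrides wpa_pairwise for RSN, so both keys are checked.
    for k in wpa_pairwise rsn_pairwise; do
        v=$(cfg_get "$cfg" "$k")
        [ -z "$v" ] || [ "$v" = "GCMP-256" ] || { echo "$k must be GCMP-256 (got $v)"; rc=1; }
    done
    [ -n "$(cfg_get "$cfg" wpa_pairwise)$(cfg_get "$cfg" rsn_pairwise)" ] \
        || { echo "wpa_pairwise or rsn_pairwise must be set to GCMP-256"; rc=1; }
    [ "$(cfg_get "$cfg" group_mgmt_cipher)" = "BIP-GMAC-256" ] \
        || { echo "group_mgmt_cipher must be BIP-GMAC-256"; rc=1; }
    # 802.11w must be required (2), not optional (1). Optional PMF is what
    # produces the "Matching security capabilities of IE in M3 failed" log.
    [ "$(cfg_get "$cfg" ieee80211w)" = "2" ] || { echo "ieee80211w must be 2 (PMF required)"; rc=1; }
    [ "$(cfg_get "$cfg" openssl_ciphers)" = "SUITEB192" ] \
        || { echo "openssl_ciphers should be SUITEB192"; rc=1; }
    return $rc
}

# Constructed sample 1: what the post says the stock netifd scripts produce.
BAD_CFG=$(mktemp)
GOOD_CFG=$(mktemp)
trap 'rm -f "$BAD_CFG" "$GOOD_CFG"' EXIT
cat > "$BAD_CFG" <<'EOF'
interface=wlan0
driver=nl80211
ssid=lab-wpa3-ent
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=constructed-secret
wpa=2
wpa_key_mgmt=WPA-EAP-SUITE-B-192
wpa_pairwise=CCMP
group_mgmt_cipher=AES-128-CMAC
ieee80211w=1
EOF

# Constructed sample 2: the same file with the four fixes from the post applied.
sed -e 's/^wpa_pairwise=.*/wpa_pairwise=GCMP-256/' \
    -e 's/^group_mgmt_cipher=.*/group_mgmt_cipher=BIP-GMAC-256/' \
    -e 's/^ieee80211w=.*/ieee80211w=2/' "$BAD_CFG" > "$GOOD_CFG"
echo 'openssl_ciphers=SUITEB192' >> "$GOOD_CFG"

for f in "$BAD_CFG" "$GOOD_CFG"; do
    if check_suiteb192 "$f"; then
        echo "$f: usable for WPA3-Enterprise 192-bit mode"
    else
        echo "$f: NOT usable for WPA3-Enterprise 192-bit mode"
    fi
done
```

On a router the check is run against the file hostapd actually loaded, e.g. check_suiteb192 /var/run/hostapd-phy0.conf (path assumed; it depends on the radio name), which is quicker than reading the Windows event log for the M3 message.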

Hi,

I've submitted patches to make these changes:

https://patchwork.ozlabs.org/project/openwrt/patch/20220626152133.531981-1-schreibubi@gmail.com/

https://patchwork.ozlabs.org/project/openwrt/patch/20220626151839.531572-1-schreibubi@gmail.com/

Best Regards,

Joerg


Hi,

did anyone get to set up WPA3 Enterprise 192-bit (EAP-TLS) and have an Android device connected?

BR

Works for me without issues on the master branch. What issues do you have? Make sure that your Radius certificates meet the minimum requirements (if not, then Android will refuse to connect):

Permitted EAP cipher suites for use with WPA3-Enterprise 192-bit mode are:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      ◦ ECDHE and ECDSA using the 384-bit prime modulus curve P-384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      ◦ ECDHE using the 384-bit prime modulus curve P-384
      ◦ RSA ≥ 3072-bit modulus
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
      ◦ RSA ≥ 3072-bit modulus
      ◦ DHE ≥ 3072-bit modulus
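The certificate rules in the answer above (and the Android "Invalid CA certificate type for Suite-B" message earlier in the thread) can be verified before touching a client. The script below is an added example, not code from the thread, OpenWrt or FreeRADIUS: cert_meets_suiteb192 reads the text form that openssl x509 -noout -text prints and checks the signature hash (SHA-384), the curve (P-384) for ECDSA keys and the modulus size (≥ 3072) for RSA keys; make_suiteb192_pki shows one way to generate a compliant CA and RADIUS server certificate with openssl. The three certificate dumps are constructed and abridged, and the CA names and hostname are invented.

```shell
#!/bin/sh
# Added example (not from the thread, OpenWrt or FreeRADIUS): check a CA or
# RADIUS server certificate against the WPA3-Enterprise 192-bit mode rules
# (SHA-384 signature; ECDSA on P-384, or RSA with a >= 3072-bit modulus).
# Sample dumps below are constructed and abridged.

# Read an `openssl x509 -noout -text` dump on stdin; return 0 if acceptable
# for 192-bit mode, 1 otherwise (reason printed on stdout).
cert_meets_suiteb192() {
    dump=$(cat)
    # The first "Signature Algorithm:" line is the one inside the TBS part.
    sig=$(printf '%s\n' "$dump" | sed -n 's/^[[:space:]]*Signature Algorithm: //p' | head -n 1)
    case $sig in
        ecdsa-with-SHA384|sha384WithRSAEncryption) ;;
        *) echo "signature algorithm '$sig' not allowed (need SHA-384)"; return 1 ;;
    esac
    if printf '%s\n' "$dump" | grep -q 'Public Key Algorithm: id-ecPublicKey'; then
        curve=$(printf '%s\n' "$dump" | sed -n 's/^[[:space:]]*ASN1 OID: //p')
        [ "$curve" = "secp384r1" ] || { echo "EC curve '$curve' is not P-384"; return 1; }
    else
        # Matches both "Public-Key: (N bit)" and "RSA Public-Key: (N bit)".
        bits=$(printf '%s\n' "$dump" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        [ "${bits:-0}" -ge 3072 ] || { echo "RSA modulus ${bits:-?} bits < 3072"; return 1; }
    fi
}

# Constructed dump 1: a typical older lab CA (SHA-256 over RSA-2048). Rejected.
OLD_RSA_CA='Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Old Lab CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption'

# Constructed dump 2: ECDSA P-384 CA signed with SHA-384. Accepted.
P384_CA='Certificate:
    Data:
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: CN = WPA3 Lab CA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                ASN1 OID: secp384r1
                NIST CURVE: P-384
    Signature Algorithm: ecdsa-with-SHA384'

# Constructed dump 3: RSA-3072 signed with SHA-384. Accepted (RSA path).
RSA3072_CA='Certificate:
    Data:
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: CN = WPA3 RSA Lab CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
    Signature Algorithm: sha384WithRSAEncryption'

# Generate a P-384/SHA-384 CA plus RADIUS server cert into directory $1.
# Subjects and the hostname radius.lab.example are placeholders.
make_suiteb192_pki() {
    dir=$1
    openssl ecparam -name secp384r1 -genkey -noout -out "$dir/ca.key"
    openssl req -new -x509 -sha384 -days 3650 -key "$dir/ca.key" \
        -subj "/CN=WPA3 Lab CA" -out "$dir/ca.pem"
    openssl ecparam -name secp384r1 -genkey -noout -out "$dir/server.key"
    openssl req -new -sha384 -key "$dir/server.key" \
        -subj "/CN=radius.lab.example" -out "$dir/server.csr"
    # EAP-TLS supplicants expect the serverAuth EKU on the RADIUS certificate.
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:radius.lab.example\n' > "$dir/server.ext"
    openssl x509 -req -sha384 -days 825 -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.pem"
}

for name in OLD_RSA_CA P384_CA RSA3072_CA; do
    eval "dump=\$$name"
    if printf '%s\n' "$dump" | cert_meets_suiteb192; then echo "$name: acceptable"; else echo "$name: rejected"; fi
done

# Only when openssl is installed: build a real PKI and run the same check on it.
if command -v openssl >/dev/null 2>&1; then
    pki=$(mktemp -d)
    if make_suiteb192_pki "$pki" 2>/dev/null; then
        openssl x509 -in "$pki/ca.pem" -noout -text | cert_meets_suiteb192 && echo "generated CA: acceptable"
        openssl x509 -in "$pki/server.pem" -noout -text | cert_meets_suiteb192 && echo "generated server cert: acceptable"
    fi
    rm -rf "$pki"
fi
```

To check the certificates FreeRADIUS is actually serving, pipe them in: openssl x509 -in /etc/freeradius3/certs/ca.pem -noout -text | cert_meets_suiteb192 (the certs path is an assumption; the thread only shows /etc/freeradius3/sites-enabled). The generated ca.pem, server.pem and server.key then go into ca_file, certificate_file and private_key_file of the tls-config block in FreeRADIUS's mods-available/eap, with ecdh_curve set to secp384r1 and cipher_list restricted to ECDHE-ECDSA-AES256-GCM-SHA384 so the server can only negotiate a suite from the list above; setting default_eap_type to tls and removing the peap and ttls sub-sections is what reverting the PEAP/TTLS setup from the opening question amounts to.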

While configuring freeradius3 I got:

Failed with error: Error loading shared library proto_auth.so: No such file or directory

and

Error: Failed binding to auth address * port 1812 bound to server default: Address in use
Fri Apr 28 06:20:46 2023 : Error: /etc/freeradius3/sites-enabled/default[59]: Error binding to port for 0.0.0.0 port 1812

Need help...