WPA3 Enterprise FreeRADIUS config

Recently I have configured a FreeRADIUS for WPA2 Enterprise usage, based on the fabulous FreeRADIUS config on OpenWRT wiki, I successfully configured PEAP+TTLS authentication.

However, this FreeRADIUS configuration does not work with WPA3 Enterprise. My questions are:

1). Which authentication method works with WPA3 Enterprise?
2). How to revert the 'in-secure' configurations with PEAP+TTLS of the FreeRADIUS?

Thanks in advance.

To my knowledge wpa3 enterprise only supports TLS.

You can read it here: https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/WPA3_Encryption_and_Configuration_Guide

and

But maybe I am mistaken and this is only required for 192bit security.

How did you figure out the " does not work" ? What client did you use ? Is WPA3 Enterprise supported by that client ?

I tried out wpa3 3 months ago and figured out, that none of my devices supported wpa3 enterprise, including a brand new Samsung s20.

I was using iPhone 12 for client testing, it just told me the password not right and refused to connect.

Just confirmed that the Intel 8265 does not support WPA3 at all, so it may not worth the effort after all.

My personal lessons learnt regarding wpa3 enterprise was:

  • currently it does not work together with 802.11r fast transition ( because of win 10 clients 802.11w has to be switched off for 802.11r, but protected management frames (802.11w) are required for wpa3
  • nearly no client hw supports it
  • but I changed my security from peap- mschapv2 to eap-tls, and that one is far easier to setup on clients (once you have generated the certificates) and much faster in authentication

I just swapped out the Intel 8265 chip in my laptop for an Intel AX210. The AX210 supports WPA3 and Wifi 6E. It was $30 and took about 10 minutes. Windows 10 automatically installed the latest drivers for it too.

Trying to connect to WPA3-Enterprise from Android, I get an instant error and the same stacktrace in logcat as this bug report — that one is about apps configuring the network, but I'm just using the Settings. :frowning:

UPD: at least the message after the stack trace — "WifiKeyStore: Invalid CA certificate type for Suite-B: 1.2.840.113549.1.1.5" — means that the CA cert must use sha384WithRSAEncryption or ecdsa-with-SHA384 for its own signature. This is a requirement for "WPA3-Enterprise 192-bit mode", i.e. WPA-EAP-SUITE-B-192 in hostapd. Uhhh so "WPA3-EAP" in OpenWrt means that I guess. Even though from the WPA3 spec it seems that 192-bit/Suite-B is just an optional mode of WPA3-EAP. Well, time to make a new CA I guess…

Continuing the WPA3-Enterprise 192-bit mode investigation.

Switched to all-ECC/SHA384 keys&certs, Android doesn't fail with that error anymore, it just does nothing (as if the Java stuff is just not telling wpa_supplicant to do anything, WTF) but…

I made it work with Windows 10! \o/ The best article about W10 config is here but to make it work, OpenWrt modifications were required.

Screenshot 2021-08-25 033646

So turns out, basically the /lib/netifd / UCI stuff does not generate valid configs for WPA3-Enterprise 192-bit mode AT ALL:

  • /lib/netifd/netifd-wireless.sh generates wpa_pairwise=CCMP. For wpa3 where eap192 is set, wpa_cipher/wpa_pairwise MUST be set to GCMP-256!
  • /lib/netifd/hostapd.sh generates group_mgmt_cipher=AES-128-CMAC. It MUST be BIP-GMAC-256!
  • nothing generates openssl_ciphers=SUITEB192. This doesn't seem mandatory, my Windows machine connected anyway. But it is present in various examples e.g. here.
  • nothing enforces 11w management frame protection being set to mandatory for this 192-bit mode.

P.S. Argh, why does nothing give good debug output for this stuff?! e.g. if 11w is not set to mandatory, the only indication Windows gives you that that's the problem is a log message with "Matching security capabilities of IE in M3 failed (RSN/WPA)".

1 Like