WPA3 fails to connect, then banned from AP during hours

Hello,

I have been using WPA3 on my OpenWRT APs in mixed WPA2/WPA3 mode, without problem. Clients using MacOSX and Android can connect without problems in WPA3. Kids are using Mac OS X. My wife is using Debian + Gnome + Network-manager and can connect in WPA3 without problems. We are not using Windows.

I am also using Debian and here is what happens:

if I connect using WPA3 in Network-Manager, logon fails constantly. I have to edit my connection and set up WPA2 mode. Then it still fails to logon, lke if I were "banned". After a while (a night), I can connect without problem. When looking at my connection settings in NetworkManager, it is displayed "WPA3".

Seems like my wireless card is not fully compatible (Intel chipset) / and or / hostAPd has a mechanism to ban bad logon. Any idea?

I'm using an Intel 8260AC card here, Debian Testing, and 19.07 HEAD with WPA3. No issues. Android needs to be Android 10 to support WPA3, so similarly your Debian might need to be up to date for its wpa_supplicant. I'm running the wpad-openssl variety on the router and this is how my config looks:

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Blabla'
	option key 'whoopsiedaisy'
	option encryption 'sae'
	option ieee80211w '2'

I am using WPA2/WP3 compatible mode, so my settings are:

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Blabla'
	option key 'whoopsiedaisy'
 	option encryption 'sae-mixed'
 	option ieee80211w '1'

The reason is that I am not sure that all my clients are WPA3 ready. For example, my Debian station (testing and uptodate) cannot connect in WPA3. My wife is using Debian testing and can connect in WPA3.

I just wanted to comment that some mechanism seems to ban be after a failed logon on WPA3.

I am trying to spot the problem. Now, trying to connect with my WPA2 wireless phone does not work. There are some interoperability issues with using WPA2 client on WPA2/WPA3 mode.

Could you tell me how to increase verbosity on hostap ?

logread -l 20 -f returns nothing.

OK, this is explained here:
https://openwrt.org/docs/guide-developer/debugging

Please help.

When connecting from MacOSX, WPA3-sae client works.
mesh with 2 APS and WPA3-sae works.

When connection from Debian, WPA3 fails and then I cannot log on using WPA2 during hours. It is like I am banned from the AP. AP is configured with dual WPA2/WPA3 compatibility mode.

I found this in the log:
Fri Aug 14 20:57:33 2020 kern.warn kernel: [ 4762.994785] ath10k_ahb a000000.wifi: Firmware lacks feature flag indicating a retry limit of > 2 is OK, requested limit: 4

Is there a timeout setting that can be modified to lower timeout limit to 1 minute instead of hours in case of bad logon.

This would allow me to study in more details.

What you can try to do is make 2 SSID's, one for the WPA3 and one for the WPA2. That sort of works around the problem. I do not think mixed mode wpa2/wpa3 works for every client. Advantage of separating is also that you can assign different firewall zones and keep the WPA3 more secure, if needed you can combine it with VLAN tagging to keep traffic separated on the network when using multiple routers/switches.

OK. At least, it will allow me to logon wireless using WPA2-psk and enquire why I am getting banned using WPA3-sae

Apparently, my new WPA3 SSID does not log anything. Running "logread" returns no information at the time I fail to logon WPA3-sae client.

Here is my logging config:

config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11g'
option path 'platform/soc/a000000.wifi'
option htmode 'HT40'
option country 'FR'
option channel '1'
option txpower '10'
option log_level '0'

And my SSID:

config wifi-iface 'wifinet2'
option network 'lan'
option encryption 'sae'
option device 'radio0'
option mode 'ap'
option ieee80211w '2'
option key 'xxxxxxxxxx'
option ssid 'yyyyyyyyyWPA3'

Here is my complete config:
cat /var/run/hostapd-phy0.conf

driver=nl80211
logger_syslog=127
logger_syslog_level=0
logger_stdout=127
logger_stdout_level=0
country_code=FR
ieee80211d=1
hw_mode=g
beacon_int=100
channel=1

ieee80211n=1
ht_coex=0
ht_capab=[HT40+][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][MAX-AMSDU-7935][DSSS_CCK-40]

bss=wlan0-1
ctrl_interface=/var/run/hostapd
ap_isolate=1
bss_load_update_period=60
chan_util_avg_period=600
disassoc_low_ack=1
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
utf8_ssid=1
multi_ap=0
sae_require_mfp=1
wpa_passphrase=xxxxxxxxxxxxxx
auth_algs=1
wpa=2
wpa_pairwise=CCMP
ssid=yyyyyyyyyyyyyyyWPA3
bridge=br-lan
wpa_disable_eapol_key_retries=0
wpa_key_mgmt=SAE
okc=1
ieee80211w=2
group_mgmt_cipher=AES-128-CMAC
bssid=96:83:c4:03:7b:ee

Is there a way to return more verbose logging?

I suspect some kind of blacklisting mechanism. When failing to logon with WPA3-SAE to the WPA3 ssid, the client stops to see the WIFI neiborhood. I have to reboot my Debian station to be able to logon with WPA2 to the WPA2 SSID.

That kind of thing is known to happen. Not all radio hardware drivers/firmware really allow wpa2 and wpa3 to coexist. 80211w compatibility can also be problematic, as in addition to the routers driver problems, also some client devices do not support it.

Example is mwlwifi...

Thanks for clarification!

Seems like my Debian laptop is not PMF capable, it could be the explanation. WPA3 requires PMF, right?

The AP is a GliNet B1300 with recent ath9k/ath10k atheros chipset, so it should support PMF. I guess it supports PMF because the mesh network uses PMF and it works. I can also logon with PMF clients like Apple Mac Book air and iphone. But it does not seem to support "mixed-mode". If a non pmf client tries to connect in WPA3-sae, it could either gets banned or all clients are disconnected (this has to be confirmed).

It could also be Debian trying to connect in WPA3 with non-protected frames (as there are no settings for it).

In a few days, I will receive an USB3 wifi dongle with a/b/gn/ac and Atheros chipset. This will allow me to test using Debian. Leaving the issue open until then.

Yes. Wpa3 requires it. You have set it to 2 = mandatory

For wpa2/wpa3 mixed mode you could set it to 1 = optional. Then wpa2 clients could connect without pmf. (Mwlwifi fails that setting, but your hardware might work ok)

But he wpa3 support in clients is still somewhat weak, so wpa3 will take a long time to get fully adopted. (Personally I had to drop mixed mode as one of my routers is mwlwifi based, and roaming got buggy)

Thanks.

wpa2/wpa3 mixed mode you could set it to 1 = optional

In my first setup, I used wpa2/wpa3 mixed mode. When a non PMF client fails to connect in WPA3, I loose all wireless on the client side and I cannot reconnect in WPA2. After a number of failues, I need to wait more than 10 hours to be able to connect in WPA2. This is why I suspect some kind of banning mechanism.

To avoid that, I set up my Debian station to avoid connecting in automatic mode to the wpa2/wpa3 mixed mode SSID or a WPA3 SSID. After a first failure in WPA3, I reboot and connect in WPA2 manually.

I also suspect this setting to be incompatible with WPA2/WPA3 mixed mode:

reassociation_deadline=1000
as 1 second could be too low.

I set up reassociation deadline (802.11w maximum timeout in LuCi) from default 1 second (1000 ticks) to 10 seconds (10000 ticks):

reassociation_deadline=10000

Now using WPA2/WP3 mixed mode SSID. When I first fail to connect in WPA3, this allows me to switch back to WPA2 and connect in WPA2. Seems like reassociation deadline of 1 second is too short for non PMF client using WPA2.

I wonder whether the timer in ticks is precisely 1 millisecond. As the GliNet B1300 is a quad-core ARM7, it could be less. Ticks are a mesurement from the past, it could be deprecated to use them. Why is hostapd using them?

All this is very unclear to me, we need the advice of an OpenWRT developer.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.