I have been using WPA3 on my OpenWRT APs in mixed WPA2/WPA3 mode, without problem. Clients using MacOSX and Android can connect without problems in WPA3. Kids are using Mac OS X. My wife is using Debian + Gnome + Network-manager and can connect in WPA3 without problems. We are not using Windows.
I am also using Debian and here is what happens:
if I connect using WPA3 in Network-Manager, logon fails constantly. I have to edit my connection and set up WPA2 mode. Then it still fails to logon, lke if I were "banned". After a while (a night), I can connect without problem. When looking at my connection settings in NetworkManager, it is displayed "WPA3".
Seems like my wireless card is not fully compatible (Intel chipset) / and or / hostAPd has a mechanism to ban bad logon. Any idea?
I'm using an Intel 8260AC card here, Debian Testing, and 19.07 HEAD with WPA3. No issues. Android needs to be Android 10 to support WPA3, so similarly your Debian might need to be up to date for its wpa_supplicant. I'm running the wpad-openssl variety on the router and this is how my config looks:
The reason is that I am not sure that all my clients are WPA3 ready. For example, my Debian station (testing and uptodate) cannot connect in WPA3. My wife is using Debian testing and can connect in WPA3.
I just wanted to comment that some mechanism seems to ban be after a failed logon on WPA3.
What you can try to do is make 2 SSID's, one for the WPA3 and one for the WPA2. That sort of works around the problem. I do not think mixed mode wpa2/wpa3 works for every client. Advantage of separating is also that you can assign different firewall zones and keep the WPA3 more secure, if needed you can combine it with VLAN tagging to keep traffic separated on the network when using multiple routers/switches.
I suspect some kind of blacklisting mechanism. When failing to logon with WPA3-SAE to the WPA3 ssid, the client stops to see the WIFI neiborhood. I have to reboot my Debian station to be able to logon with WPA2 to the WPA2 SSID.
That kind of thing is known to happen. Not all radio hardware drivers/firmware really allow wpa2 and wpa3 to coexist. 80211w compatibility can also be problematic, as in addition to the routers driver problems, also some client devices do not support it.
Seems like my Debian laptop is not PMF capable, it could be the explanation. WPA3 requires PMF, right?
The AP is a GliNet B1300 with recent ath9k/ath10k atheros chipset, so it should support PMF. I guess it supports PMF because the mesh network uses PMF and it works. I can also logon with PMF clients like Apple Mac Book air and iphone. But it does not seem to support "mixed-mode". If a non pmf client tries to connect in WPA3-sae, it could either gets banned or all clients are disconnected (this has to be confirmed).
It could also be Debian trying to connect in WPA3 with non-protected frames (as there are no settings for it).
In a few days, I will receive an USB3 wifi dongle with a/b/gn/ac and Atheros chipset. This will allow me to test using Debian. Leaving the issue open until then.
Yes. Wpa3 requires it. You have set it to 2 = mandatory
For wpa2/wpa3 mixed mode you could set it to 1 = optional. Then wpa2 clients could connect without pmf. (Mwlwifi fails that setting, but your hardware might work ok)
But he wpa3 support in clients is still somewhat weak, so wpa3 will take a long time to get fully adopted. (Personally I had to drop mixed mode as one of my routers is mwlwifi based, and roaming got buggy)
wpa2/wpa3 mixed mode you could set it to 1 = optional
In my first setup, I used wpa2/wpa3 mixed mode. When a non PMF client fails to connect in WPA3, I loose all wireless on the client side and I cannot reconnect in WPA2. After a number of failues, I need to wait more than 10 hours to be able to connect in WPA2. This is why I suspect some kind of banning mechanism.
To avoid that, I set up my Debian station to avoid connecting in automatic mode to the wpa2/wpa3 mixed mode SSID or a WPA3 SSID. After a first failure in WPA3, I reboot and connect in WPA2 manually.
I also suspect this setting to be incompatible with WPA2/WPA3 mixed mode:
as 1 second could be too low.
I set up reassociation deadline (802.11w maximum timeout in LuCi) from default 1 second (1000 ticks) to 10 seconds (10000 ticks):
Now using WPA2/WP3 mixed mode SSID. When I first fail to connect in WPA3, this allows me to switch back to WPA2 and connect in WPA2. Seems like reassociation deadline of 1 second is too short for non PMF client using WPA2.
I wonder whether the timer in ticks is precisely 1 millisecond. As the GliNet B1300 is a quad-core ARM7, it could be less. Ticks are a mesurement from the past, it could be deprecated to use them. Why is hostapd using them?
All this is very unclear to me, we need the advice of an OpenWRT developer.