WPA3 not working on TL-wr1043NDv1

Can you post your config file for wireless? I've been using WPA3 mixed at home for several months now, no problem.

1 Like

@lantis1008 does WPA3 work on the wrt3200acm?

Didn't try it, I'm running an r7800 at the moment and sold my wrt3200acm. I can try a wrt32x later on.

My config is
/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/ath9k'
	option disabled '0'
	option noscan '1'
	option legacy_rates '0'
	option country 'US'
	option txpower '24'
	option hwmode '11a'
	option channel 'auto'

config wifi-iface
	option ssid 'OpenWrt'
	option device 'radio0'
	option key 'mykeyaaa'
	option mode 'ap'
	option network 'lan'
	option encryption 'sae-mixed'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/ahb/180c0000.wmac'
	option htmode 'HT20'
	option country 'US'
	option legacy_rates '1'
	option channel '7'
	option txpower '24'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option wpa_disable_eapol_key_retries '1'
	option key 'mykeyaaa'
	option encryption 'sae-mixed'

It works on the archer c7, but does not work on the tl-1043nd.

Certainly looks fine...

When I downgrade to openwrt 18.06.4 and install the full wpad-wolfssl, I cannot choose WPA3. It isn't in the menu.

The openwrt-18.06 branch doesn't (and never will) support WPA3, it's new in master and openwrt-19.07.

I haven't played with WPA3 at all yet. My newest router is a WRT3200ACM, and I'm not sure it is compatible. Considering the fact that it is not working with either openwrt or wolfssl, I would imagine that the problem is not the ssl library--I'll definitely change my mind if you have it working with mbedtls. I'll give it a try as soon as I find some time. If I have news, I'll post here.

I have a TL-wr1043nd v1 running a recent 4.19 snapshot working somewhere as a Wifi-Client with WPA2. If I install wpad-mesh-openssl on it, I have the WPA3 options in Luci. I selected "sae-mixed", and the device reconnected. (With WPA2 of course, but the option was accepted and saved to the config.)

I have a second router, a tl-wr1043nd v3. It works as a client, and when I set WPA2-PSK/WPA3-SAE Mixed Mode, it works. But when I try to set up an access point on the tl-wr1043nd v1 with WPA2-PSK/WPA3-SAE Mixed Mode, it shows that the wifi network is not connected instead of information about WPA mode, signal strength and so on.
I tried wpad-mesh-openssl and libopenssl too, and it is the same.
I reset the wireless config and set a new configuration, but it didn't help.
config:

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/ahb/180c0000.wmac'
        option htmode 'HT20'
        option channel '7'
        option txpower '24'
        option country 'US'
        option legacy_rates '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option key 'mykeyaaa'
        option wpa_disable_eapol_key_retries '1'
        option encryption 'sae-mixed'

On tp-link archer c7 v5 WPA3 works.

It will work on a wrt3200acm snapshot with hostapd-full openssl. It all depends on your wifi driver I think.

Seems fishy that the wr1043nd v1 has a draft-N Wi-Fi chip? Maybe the chipset is problematic.

It seems that h/w crypto support of these draft-N ath9k chipsets doesn't work with WPA3SAE. Once you disable it and use nl80211's softmac implementation instead, WPA3SAE works just fine (yes, doing this comes at a performance penalty).

Change /etc/modules.d/ath9k to say (so add nohwcrypt=1):

ath9k nohwcrypt=1

Router:

# dmesg | grep -e AR9 -e machine
[    0.000000] MIPS: machine is TP-Link TL-WR1043ND v1
[    0.000000] SoC: Atheros AR9132 rev 2
[   23.454604] ieee80211 phy0: Atheros AR9100 MAC/BB Rev:7 AR2133 RF Rev:a2 mem=0xb80c0000, irq=2
# iwinfo 
wlan0     ESSID: "XXX"
          Access Point: 00:27:19:XX:XX:XX
          Mode: Master  Channel: 6 (2.437 GHz)
          Tx-Power: 20 dBm  Link Quality: 70/70
          Signal: -24 dBm  Noise: -95 dBm
          Bit Rate: 54.0 MBit/s
          Encryption: WPA3 SAE (CCMP)
          Type: nl80211  HW Mode(s): 802.11bgn
          Hardware: unknown [Generic MAC80211]
          TX power offset: unknown
          Frequency offset: unknown
          Supports VAPs: yes  PHY name: phy0
# hostapd_cli -i wlan0 get_config
bssid=00:27:19:XX:XX:XX
ssid=XXX
wps_state=disabled
wpa=2
key_mgmt=SAE
group_cipher=CCMP
rsn_pairwise_cipher=CCMP
# hostapd_cli -i wlan0 status
state=ENABLED
phy=phy0
freq=2437
num_sta_non_erp=0
num_sta_no_short_slot_time=0
num_sta_no_short_preamble=0
olbc=0
num_sta_ht_no_gf=0
num_sta_no_ht=1
num_sta_ht_20_mhz=0
num_sta_ht40_intolerant=0
olbc_ht=1
ht_op_mode=0x13
cac_time_seconds=0
cac_time_left_seconds=N/A
channel=6
secondary_channel=0
ieee80211n=1
ieee80211ac=0
ieee80211ax=0
beacon_int=100
dtim_period=2
ht_caps_info=104e
supported_rates=02 04 0b 16 0c 12 18 24 30 48 60 6c
max_txpower=20
bss[0]=wlan0
bssid[0]=00:27:19:XX:XX:XX
ssid[0]=XXX
num_sta[0]=1
chan_util_avg=26

Client:

# wpa_cli -i wlp3s0 status
bssid=00:27:19:XX:XX:XX
freq=2437
ssid=XXX
id=3
id_str=tl-wr1043nd
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=SAE
pmf=2
mgmt_group_cipher=BIP
sae_group=19
wpa_state=COMPLETED
ip_address=192.168.2.154
address=00:22:68:XX:XX:XX
uuid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

These draft-N chipsets have a lot of problems, both in terms of stability and plain bugs. If you can, scheduling a replacement with a newer chipset (ath9k, ath10k, maybe ath11k in the future) is a good idea, before even thinking about the RAM constraints and the low-end CPU performance (e.g. luci is effectively unusable).

3 Likes
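A check that goes with the captures in the post above, as an added example that is not part of the original thread: it classifies `wpa_cli status` and `hostapd_cli get_config` output, so a mixed-mode link that quietly negotiated WPA2-PSK is told apart from a real SAE association, and it reports whether ath9k was loaded with `nohwcrypt=1`. The function names are hypothetical, the sample inputs are constructed from the fields shown above, and the `WPA2-PSK` / `WPA-PSK SAE` strings and the sysfs parameter path are assumptions about what these tools and the driver expose.

```shell
#!/bin/sh
# Added example (not from the thread). Sample inputs below are constructed.

# kv_get KEY: print the value of the first "KEY=value" line read from stdin.
kv_get() { sed -n "s/^$1=//p" | head -n 1; }

# sta_security: classify `wpa_cli -i IFACE status` output read from stdin.
sta_security() {
    st=$(cat)
    [ "$(printf '%s\n' "$st" | kv_get wpa_state)" = COMPLETED ] || { echo not-associated; return 0; }
    akm=$(printf '%s\n' "$st" | kv_get key_mgmt)
    pmf=$(printf '%s\n' "$st" | kv_get pmf)
    case "$akm" in
        # The capture above shows pmf=2 next to key_mgmt=SAE; a missing pmf line is flagged.
        SAE)       [ -n "$pmf" ] && echo "wpa3-sae pmf=$pmf" || echo "sae-no-pmf" ;;
        WPA2-PSK*) echo wpa2-psk ;;            # assumed string for a WPA2 fallback
        *)         echo "other:${akm:-none}" ;;
    esac
}

# ap_mode: classify `hostapd_cli -i IFACE get_config` output read from stdin.
ap_mode() {
    akm=" $(kv_get key_mgmt) "                 # pad so whole-word matches work
    case "$akm" in
        *" SAE "*)
            case "$akm" in *" WPA-PSK "*) echo transition ;; *) echo wpa3-only ;; esac ;;
        *" WPA-PSK "*) echo wpa2-only ;;
        *) echo unknown ;;
    esac
}

# hwcrypt_off [FILE]: succeed if ath9k was loaded with nohwcrypt=1.
# The default path assumes the driver exposes the parameter read-only in sysfs.
hwcrypt_off() {
    [ "$(cat "${1:-/sys/module/ath9k/parameters/nohwcrypt}" 2>/dev/null)" = 1 ]
}

# Constructed samples, modelled on the fields in the captures above.
STA_SAE='key_mgmt=SAE
pmf=2
wpa_state=COMPLETED'
STA_PSK='key_mgmt=WPA2-PSK
wpa_state=COMPLETED'
AP_MIXED='wpa=2
key_mgmt=WPA-PSK SAE'

printf '%s\n' "$STA_SAE" | sta_security
printf '%s\n' "$STA_PSK" | sta_security
printf '%s\n' "$AP_MIXED" | ap_mode
hwcrypt_off && echo "ath9k: software crypto" || echo "ath9k: hw crypto on, or module absent"
```

On a live system, pipe the real tool output in, for example `wpa_cli -i wlp3s0 status | sta_security` on the client and `hostapd_cli -i wlan0 get_config | ap_mode` on the router.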

I've got good instincts as it turns out :wink:

Lucky there's not too many of these chips running around, but they have been a longtime favourite for running OpenWrt...

It would really help to get this reported upstream (linux-wireless/ ath9k), so a hardware quirk can be added to disable hwcrypt automatically for this chipset/ when using 802.11w+WPA3SAE, as modifying /etc/modules.d/ath9k is neither user, nor sysupgrade friendly.

2 Likes

Thanks for the help.
When I use software crypto, the interface works with WPA3. Info about network and signal status is displayed, but other clients cannot connect to the Access Point. @slh - which software do you use?

If you aren't using a rather recent linux distribution, client support for WPA3 is still dire. I'm using Debian/ unstable, kernel 5.3, wpasupplicant 2.9 with ath5k hardware.

Please write me which software you are using on tp-link: wolfssl or openssl wpad or hostapd.
For checking WPA3 I have tplink tl-wr1043nd v3 and archer c7 v5.
I want to make a connection between the tplink tl-wr1043nd v1 and the tl-wr1043nd v3.

As pasted above, TP-Link TL-WR1043ND v1.4 acting as AP (respectively several other more recent devices, which don't require disabling hwcrypto) and wpad-openssl, as client, among others, an old QCA-Atheros AR5007EG+AR2425 mini-PCIe card in a netbook running Linux.
