WPA3 not working on TL-wr1043NDv1

Installing and Using OpenWrt
21

It seems that h/w crypto support of these draft-N ath9k chipsets doesn't work with WPA3SAE. Once you disable it and use nl80211's softmac implementation instead, WPA3SAE works just fine (yes, doing this comes at a performance penalty).

Change /etc/modules.d/ath9k to say (so add nohwcrypt=1):

ath9k nohwcrypt=1

Router:

# dmesg | grep -e AR9 -e machine
[    0.000000] MIPS: machine is TP-Link TL-WR1043ND v1
[    0.000000] SoC: Atheros AR9132 rev 2
[   23.454604] ieee80211 phy0: Atheros AR9100 MAC/BB Rev:7 AR2133 RF Rev:a2 mem=0xb80c0000, irq=2

# iwinfo 
wlan0     ESSID: "XXX"
          Access Point: 00:27:19:XX:XX:XX
          Mode: Master  Channel: 6 (2.437 GHz)
          Tx-Power: 20 dBm  Link Quality: 70/70
          Signal: -24 dBm  Noise: -95 dBm
          Bit Rate: 54.0 MBit/s
          Encryption: WPA3 SAE (CCMP)
          Type: nl80211  HW Mode(s): 802.11bgn
          Hardware: unknown [Generic MAC80211]
          TX power offset: unknown
          Frequency offset: unknown
          Supports VAPs: yes  PHY name: phy0

# hostapd_cli -i wlan0 get_config
bssid=00:27:19:XX:XX:XX
ssid=XXX
wps_state=disabled
wpa=2
key_mgmt=SAE
group_cipher=CCMP
rsn_pairwise_cipher=CCMP

# hostapd_cli -i wlan0 status
state=ENABLED
phy=phy0
freq=2437
num_sta_non_erp=0
num_sta_no_short_slot_time=0
num_sta_no_short_preamble=0
olbc=0
num_sta_ht_no_gf=0
num_sta_no_ht=1
num_sta_ht_20_mhz=0
num_sta_ht40_intolerant=0
olbc_ht=1
ht_op_mode=0x13
cac_time_seconds=0
cac_time_left_seconds=N/A
channel=6
secondary_channel=0
ieee80211n=1
ieee80211ac=0
ieee80211ax=0
beacon_int=100
dtim_period=2
ht_caps_info=104e
supported_rates=02 04 0b 16 0c 12 18 24 30 48 60 6c
max_txpower=20
bss[0]=wlan0
bssid[0]=00:27:19:XX:XX:XX
ssid[0]=XXX
num_sta[0]=1
chan_util_avg=26

Client:

# wpa_cli -i wlp3s0 status
bssid=00:27:19:XX:XX:XX
freq=2437
ssid=XXX
id=3
id_str=tl-wr1043nd
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=SAE
pmf=2
mgmt_group_cipher=BIP
sae_group=19
wpa_state=COMPLETED
ip_address=192.168.2.154
address=00:22:68:XX:XX:XX
uuid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

These draft-N chipsets have a lot of problems, both in terms of stability and plain bugs. If you can, scheduling a replacement with a newer chipset (ath9k, ath10k, maybe ath11k in the future) is a good idea, before even thinking about the RAM constraints and the low-end CPU performance (e.g. luci is effectively unusable).

3 Likes