WPA3 Personal only and 802.11r FT

Is WPA3 Personal only supposed to work with 802.11r FT? It is unclear whether this is a supported configuration.

FWIW, if others run into the same problem, even if you use mixed mode WPA2/WPA3 and enable 802.11r, some clients won't even see the SSID at all (experienced this with older Chromebooks), others see it but cannot connect to it (iPads in my case), while others connect but it's unclear whether 802.11r FT works at all (recent Android phones).

It appears that if you need 802.11r FT, it's best to create a dedicated SSID and keep it on WPA2.
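As an added illustration (not part of the original post), here is one way to lay out /etc/config/wireless on OpenWrt so that fast roaming lives on its own WPA2 SSID, next to the mixed-mode variant the post reports as broken. The SSID names, the mobility domain value and the radio name are made up; the key values are placeholders.

```uci
# Added example, not from the forum post. Radio name, SSIDs and the
# mobility domain are assumed values; replace the key placeholders.

# Combination reported as problematic in the thread: WPA2/WPA3 mixed
# mode plus 802.11r on a single SSID (left disabled here for reference).
#config wifi-iface 'mixed_ft'
#       option device 'radio0'
#       option network 'lan'
#       option mode 'ap'
#       option ssid 'home'
#       option encryption 'sae-mixed'
#       option key 'REPLACE_WITH_PASSPHRASE'
#       option ieee80211r '1'
#       option mobility_domain '4f57'

# Dedicated fast-roaming SSID kept on WPA2-PSK, as the post suggests.
config wifi-iface 'roam_psk2'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'home-roam'
        option encryption 'psk2'
        option key 'REPLACE_WITH_PASSPHRASE'
        # PMF optional (1) so older WPA2-only clients can still join.
        option ieee80211w '1'
        option ieee80211r '1'
        # Must be identical on every AP that clients roam between.
        option mobility_domain '4f57'
        # Derive the FT key hierarchy locally from the PSK; no RADIUS
        # server or per-AP R0KH/R1KH key lists are needed.
        option ft_psk_generate_local '1'

# Separate WPA3-only SSID without 802.11r for clients that support SAE.
config wifi-iface 'wpa3_only'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'home-wpa3'
        option encryption 'sae'
        option key 'REPLACE_WITH_PASSPHRASE'
        # WPA3-Personal requires PMF, so set it to required (2).
        option ieee80211w '2'
```

Both SSIDs can share the same bridged network; a client that roams poorly on FT-SAE simply joins the WPA2 roaming SSID instead.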

I've done some testing with WPA3, and there are still a lot of issues that need to be resolved. I'm not surprised given how new it is and how few people are using it. Here are some of my observations:

  • When Apple initially added WPA3 support to iOS, connection attempts to FT-SAE (WPA3 with 802.11r) networks failed. I can now confirm that it works on iOS 14.4.2 and iPadOS 14.5.

  • I have faced the same issues as you when it comes to WPA3/WPA2-mixed with 802.11r enabled. My Fedora laptop is unable to see the network in the list of available networks, and my iPad sees the network, but is unable to connect to it. The tests I've done with my Fedora laptop seem to suggest that this is not related to NetworkManager, but due to something deeper in the stack. I suspect it's due to some bug in iwlwifi (the driver for my Intel network card).

  • My Fedora laptop refuses to roam when it's connected to an FT-SAE network.

  • None of my clients seem to support the hash-to-element SAE mechanism which fixes the security issues described in the Dragonblood paper by Mathy Vanhoef. One of the reasons for this lack of support is that hostapd/wpa_supplicant last had a stable release in August 2019, and support for H2E was added after this.


It's disappointing to see that after all these years WiFi is still such a mess, in particular when you try to use alternative software like we do here with OpenWRT.

It will probably start to get better soon. One example is the recent publishing of the 802.11-2020 standard which contains the hash-to-element (H2E) mechanism. Vendors now can't use the excuse that it's only a draft standard to not implement H2E. But again, as I previously said, this is all very recent stuff and as such it will inevitably be buggy. That's why it's important to report the bugs you find so they can be fixed.