WPA3 R3 SAE-PK in OpenWrt

grithnir · February 2, 2023, 7:53am

Since it has been ages since WPA3 R3 was released, there is barely any commercial router that
put SAE-PK as a feature into use.

I have got a Linksys e8450 at hand, and have installed openwrt 22.03.1
From the change log, I found that this current version supports SAE-PK to some extent.
My question is whether you experts in this forum have ever tried this SAE-PK authentication
as the latest WPA3 feature.
And how to get it going under openwrt?

thanks experts!

grithnir · February 7, 2023, 2:02pm

Come on experts, any comments?

lleachii · February 7, 2023, 4:14pm

Yes.

Configure your AP to use it.

Seems quite simple to just set it up and see. Are you having an issue?

There's also few clients that use it
Some devices don't like WPA2/WPA3 on the same SSID - create a separate WPA3 SSID to test

grithnir · February 8, 2023, 7:05am

So nice to hear from you!

Yes, I do have an issue that even if I rewrite the hostapd.conf(through SIGHUP signal, knowing the /etc/config/wireless stuff), the e8450 fails to carry RSNXE IE with RSNX==0x60 to indicate SAE-PK capability in its beacon.
The thing is I am testing my company's iot device with this newly introduced feature.
My question is how can i turn this SAE-PK on and change configuration, simply by WEBUI? or hacking hostapd.conf?

BTW, the version is

Thank you all, experts!

lleachii · February 8, 2023, 10:55am

???

What happens when you use OpenWrt to properly configure Wireless (i.e. follow the Wiki and instructions)?
You may wish to upgrade to 22.03.3

(FYI to be clear, OpenWrt doesn't require directly manipulating files like hostapd.conf.)

grithnir · February 9, 2023, 2:32am

Yep, it is no good idea just skip to manipulate the hostap.conf, I have to follow the OpenWrt rules.

There seems no explicit switch ON/OFF to control SAE-PublicKey authentication.

What enables SAE-PK feature in hostapd.conf is like:

github.com

vanhoefm/hostap-wpa3/blob/master/hostapd/hostapd_sae_pk.conf

interface=wlan0
ssid=SAEPK-Network

hw_mode=g
channel=1

wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2

sae_groups=19
sae_password=2udb-slxf-3ij2|pk=04e8aad54d1a121955e8703d1dfa115e:MHcCAQEEIKMP3SZEAlW9rSwTFsaR/sEyX963opsOo2QYe4G8Kcl+oAoGCCqGSM49AwEHoUQDQgAE4GuxyTkKNt0MEispu/XPxImInj+tl2ri/Jfu2mOQKb1TdNHSPs6UP+rxv5OWnezhOpjpD63Y+zjjz1yk7/iF7g==

Is that possible AP will automatically adopt this SAE-PK authentication by identifying
a SAE-PK-style password, like 2udb-slxf-3ij2 and stuff like that, since SAE-PK is nothing
more than a SAE extention.

Might it be so, shall I just modify /config/wireless in "option key" to a SAE-PK style string?

So far, I have not seen any document talking about SAE-PK on OpenWrt website, except
2 releasenotes, changelogs.

What I am looking for is just an officially recommended way of SAE-PublicKey configuration.

Thanks.

grithnir · February 12, 2023, 2:44pm

experts, any comments?

mk24 · February 12, 2023, 9:04pm

First remove the wpad-basic-xxxxssl which is installed by default and install the full version which is just called wpad-xxxxssl. That build contains more cryptographic features, though I could not say if the one you are looking for is there.

system · February 24, 2023, 5:55am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.