WPA3 SAE options are missing on MT7922 chipset

Hello,

I am trying to configure an AP with WPA3 personal with an MT7922 PCIe adapter. However, the WPA3 options (SAE / SAE-mixed) are missing from LuCI. When adding this option to /etc/config/wireless, the AP remained in disabled state until I changed it back to psk2.

Below are the details:

root@openwrt-wifi-radios:~# lspci -s 00:10.0 -v
00:10.0 Network controller: MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter
        Subsystem: MEDIATEK Corp. Device c616
        Physical Slot: 16
        Flags: bus master, fast devsel, latency 0, IRQ 36
        Memory at fd600000 (64-bit, prefetchable) [size=1M]
        Memory at fea90000 (64-bit, non-prefetchable) [size=32K]
        Capabilities: [80] Express Endpoint, MSI 00
        Capabilities: [e0] MSI: Enable+ Count=1/32 Maskable+ 64bit+
        Capabilities: [f8] Power Management version 3
        Kernel driver in use: mt7921e
lspci: Unable to load libkmod resources: error -2

root@openwrt-wifi-radios:~#
root@openwrt-wifi-radios:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:10.0'
        option channel 'auto'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option txpower '100'
        option country 'US'
        option disabled '0'
        option legacy_rates '0'
        option require_mode 'ac'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid '1 2 3 GO'
        option encryption 'sae-mixed'
        option key 'password'
        option network 'lan'
        option disabled '0'

root@openwrt-wifi-radios:~# 

What can I check to have this enabled?
Thank you!

Try Force CCMP (AES) as the cipher.

Still no luck

What driver did you use?

Looks like the right one...

x86 running OpenWrt only?
Sorry. Something is not accepting it and I'm out of ideas.

Which wpad package variant you are using? Mini version does not support wpa3.

I am using wpad package

Remove wpad, replace it with wpad-basic-* (there are 3, choose 1) or wpad-mesh-* (also choose 1 from 3)

Actually, "wpad" is larger and more full-featured than the smaller -basic variant. (-mini is the crippled one).
"wpad" should be ok.

EDIT:
or actually I should have said that wpad-somessl is ok.
Apparently plain wpad is without any SSL support making WPA3 SAE impossible.

But my main point was that

  • wpad-mini is smallest,
  • wpad-basic-somessl is a larger feature set,
  • wpad-mesh-somessl is another for mesh purposes, and
  • wpad-somessl is the largest full feature set (although it is not named wpad-full-somessl).

I'm also having this problem on x86. WPA3 just isn't available and everything is installed fine. I'm also using the full wpad package. Using master from yesterday.

What package did you install so far?

Guessing: if WPA3 is missing in the LuCI option box, one of the 3 wpad-related encryption packages might be missing (install only 1 of the 3, not all 3):
if you had used the full blown wpad:

  • wpad-mbedtls (pick this one if you can't decide and run default OpenWrt base packages)
  • wpad-openssl
  • wpad-wolfssl

for wpad-basic, 1 of the 3 wpad-basic-… packages

Could be that you have just opkg-installed "wpad" or "wpad-basic", which I think do not trigger a dependency install of one of the 3 SSL libraries (which I think are needed for WPA3 SAE).

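The package check suggested in the replies above, as an added example that is not part of the original thread: it classifies the installed wpad variant by the rule the posters give (only builds with an SSL library suffix can do SAE) and compares it with the `sae*` modes requested in the wireless config. The function names, package versions and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample inputs below are constructed.

# Thread's rule: only wpad builds linked to an SSL library can do SAE.
sae_capable_pkg() {
    case "$1" in
        *-mini) return 1 ;;
        wpad*-mbedtls|wpad*-openssl|wpad*-wolfssl) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = output of `opkg list-installed`; prints the first wpad* package name.
installed_wpad() {
    printf '%s\n' "$1" | awk '$1 ~ /^wpad/ { print $1; exit }'
}

# $1 = contents of /etc/config/wireless; prints requested sae* modes, comma-joined.
requested_sae() {
    printf '%s\n' "$1" | awk '$1 == "option" && $2 == "encryption" {
        gsub(/[^a-z0-9+-]/, "", $3)          # strip the UCI quoting
        if ($3 ~ /^sae/) m = m (m ? "," : "") $3
    } END { print m }'
}

# Prints a one-line verdict; returns 1 on a package/config mismatch.
check_wpa3() {
    pkg=$(installed_wpad "$1"); modes=$(requested_sae "$2")
    [ -n "$pkg" ] || { echo "NO_WPAD"; return 2; }
    [ -n "$modes" ] || { echo "NO_SAE_REQUESTED pkg=$pkg"; return 0; }
    if sae_capable_pkg "$pkg"; then echo "OK pkg=$pkg modes=$modes"
    else echo "MISMATCH pkg=$pkg modes=$modes"; return 1; fi
}

# Constructed sample: plain "wpad" installed, AP configured for sae-mixed.
SAMPLE_PKGS='kmod-mt7921e - 0.0-constructed
wpad - 0.0-constructed'
SAMPLE_CFG="config wifi-iface 'wifinet1'
        option mode 'ap'
        option encryption 'sae-mixed'"

check_wpa3 "$SAMPLE_PKGS" "$SAMPLE_CFG" || true
```

On a router the two arguments would be `"$(opkg list-installed)"` and `"$(cat /etc/config/wireless)"`.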

Ah, I didn't realize wpad didn't include this stuff. The package names and descriptions are a little misleading. Full does not actually mean full in this case, if wpad-openssl fixes this issue.

I have everything using openssl so I'm now building with wpad-openssl instead of wpad and will test and post back.

EDIT : Partially fixed
The firmware in master is from November 2023 so I downloaded the latest firmware, which at this time is February 2024. I restarted and had to change to 5GHz, save, and change back to 6GHz to have the channel selection appear. Setting this to auto and enabling the access point now works. I have yet to get a computer to actually see the 6GHz access point though, tested a PC with MT7922 and laptop with WCN6856 (wifi 6e), both machines running Debian Testing.

So ACS still doesn't work but I'm able to manually set a channel. I'm hoping the 6.6 kernel will fix this. I set the channel to 73 and my WCN6858 card can see the access point, but my other MT7922 cannot. The highest I've seen the connection is 576Mbps though, nowhere near what it is capable of. The WCN6856 seems to be a much better card for this application, but has terrible signal strength.

Not sure what to do at this point, might just wait for 6.6 kernel. master won't even allow 160MHz bandwidth yet.

Download latest firmware
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/mediatek

Error message on ACS

Sun Apr  7 08:59:48 2024 daemon.notice hostapd: phy1-ap0: interface state UNINITIALIZED->COUNTRY_UPDATE
Sun Apr  7 08:59:48 2024 daemon.notice hostapd: ACS: Automatic channel selection started, this may take a bit
Sun Apr  7 08:59:48 2024 daemon.notice hostapd: phy1-ap0: interface state COUNTRY_UPDATE->ACS
Sun Apr  7 08:59:48 2024 daemon.notice hostapd: phy1-ap0: ACS-STARTED

********** Below message repeated for every channel
Sun Apr  7 08:59:56 2024 daemon.notice hostapd: ACS: Survey for freq 6355 is missing noise floor

Sun Apr  7 08:59:56 2024 daemon.notice hostapd: phy1-ap0: ACS-COMPLETED freq=5955 channel=1
Sun Apr  7 08:59:56 2024 kern.info kernel: [  110.756413] IPv6: ADDRCONF(NETDEV_CHANGE): phy1-ap0: link becomes ready
Sun Apr  7 08:59:56 2024 kern.info kernel: [  110.763162] br-lan: port 5(phy1-ap0) entered blocking state
Sun Apr  7 08:59:56 2024 kern.info kernel: [  110.768767] br-lan: port 5(phy1-ap0) entered forwarding state
Sun Apr  7 08:59:56 2024 daemon.notice netifd: Network device 'phy1-ap0' link is up
Sun Apr  7 08:59:57 2024 daemon.notice hostapd: phy1-ap0: interface state ACS->ENABLED
Sun Apr  7 08:59:57 2024 daemon.notice hostapd: phy1-ap0: AP-ENABLED

ORIGINAL :

wpad-openssl seems to have brought back WPA3, but 6GHz does not work seemingly due to ACS. It says it cannot find available channel, but I believe it's just not working because I don't have any 6GHz devices within probably a mile. The country is set, WPA3-SAE is selected, and management frame protection set to required.

So ACS isn't working, and there is no option to select a channel for 6GHz, I can only change the bandwidth.

Sun Apr  7 08:41:54 2024 daemon.notice hostapd: phy1-ap0: interface state UNINITIALIZED->COUNTRY_UPDATE
Sun Apr  7 08:41:54 2024 daemon.notice hostapd: ACS: Automatic channel selection started, this may take a bit
Sun Apr  7 08:41:54 2024 daemon.err hostapd: ACS: No available channels found
Sun Apr  7 08:41:54 2024 daemon.warn hostapd: phy1-ap0: IEEE 802.11 Configured channel (0) or frequency (0) (secondary_channel=1) not found from the channel list of the current mode (2) IEEE 802.11a
Sun Apr  7 08:41:54 2024 daemon.warn hostapd: phy1-ap0: IEEE 802.11 Hardware does not support configured channel
Sun Apr  7 08:41:54 2024 daemon.err hostapd: Could not select hw_mode and channel. (-3)
Sun Apr  7 08:41:54 2024 daemon.notice hostapd: phy1-ap0: interface state COUNTRY_UPDATE->DISABLED
Sun Apr  7 08:41:54 2024 daemon.notice hostapd: phy1-ap0: AP-DISABLED
Sun Apr  7 08:41:54 2024 daemon.err hostapd: phy1-ap0: Unable to setup interface.
Sun Apr  7 08:41:54 2024 daemon.notice hostapd: nl80211: deinit ifname=phy1-ap0 disabled_11b_rates=0
Sun Apr  7 08:41:54 2024 daemon.err hostapd: rmdir[ctrl_interface=/var/run/hostapd]: Permission denied
Sun Apr  7 08:41:54 2024 daemon.notice hostapd: phy1-ap0: CTRL-EVENT-TERMINATING
Sun Apr  7 08:41:54 2024 daemon.err hostapd: hostapd_free_hapd_data: Interface phy1-ap0 wasn't started