Wpa3 support in OpenWrt?

I'm not sure, because WPA3 works with Apple clients and LANCOM devices for example (I tried it myself).

So maybe it's a configuration issue or we need an additional hostapd option?

1 Like

Could be that they transfer pmkid in a different way and hostapd doesn't support it? Or openwrt doesn't support it.

Confirmed. Only WPA3-EAP seems to be supported by iOS 13.1.2 (no PSK).

While Settings in macOS Catalina says "Personal WPA3", connecting doesn't work either.

iOS 12 connected fine to a mixed access point (WPA2/WPA3) but iOS 13 doesn't. I think Apple have tried to implement WPA3 but got something wrong which prevents it from falling back to WPA2. See https://www.reddit.com/r/ios/comments/df7mop/ios_13_wont_connect_to_wpa3_networks/.

I'm running an OpenWrt snapshot on my router in sae-mixed mode, and a MacBook running MacOS Catalina and some iOS devices running iOS 13 are all able to successfully connect. The MacBook reports that it is connecting via WPA3 Personal, but I can't find any info from the iOS devices as to which WPA version they're using. All the devices were updated with the network credentials already in place - I haven't tested trying to connect a fresh Catalina/iOS 13 device.

This is a shot in the dark, but the only change from the default in my wifi interface configuration (apart from setting the ssid, key, and encryption mode) is that I enable PMKSA caching (via the 'auth_cache' uci setting). Considering the error message regarding an invalid PMKID, this might be worth a try?

That's supposed to only be relevant for enterprise type encryption... But worth a try I guess.

I'll confirm that option auth_cache '1' does fix Apple devices connecting.
I wonder why? I still think it sounds like an error in the implementation from Apple?

Does anyone closer to the source have a comment?
Also I think this option disables the cache, not enables it? Looking at the hostapd conf it looks like it is enabled by default.

1 Like
I read the below from the OpenWrt repo; it is used to fix a security problem:

    # You don't really want to enable this unless you are doing
    # some corner case testing or are using OpenWrt as a work around
    # for some systematic issues.
    config_get_bool auth_cache "$vif" auth_cache 0
    config_get rsn_preauth "$vif" rsn_preauth
    [ "$auth_cache" -gt 0 ] || [[ "$rsn_preauth" = 1 ]] || append "$var" "disable_pmksa_caching=1" "$N"
    [ "$auth_cache" -gt 0 ] || [[ "$rsn_preauth" = 1 ]] || append "$var" "okc=0" "$N"

here
https://dev.archive.openwrt.org/ticket/12129

Can confirm option auth_cache '1' worked for me, my iPhone XR running iOS 13.1.3 connected.

It may not be apparent due to the "||", but setting auth_cache=1 will actually ensure that nothing is done here...?!

Yes, it does nothing, so PMKSA caching won't be disabled... which makes 802.1X not safe. But WPA3-Personal should be OK.
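As an added example (not OpenWrt's own hostapd.sh), here is the quoted auth_cache / rsn_preauth logic reproduced as a stand-alone POSIX shell script, with the UCI config_get helpers replaced by function arguments, so you can see which hostapd.conf lines each setting actually produces and why auth_cache=1 leaves caching at hostapd's default:

```shell
#!/bin/sh
# Stand-alone reproduction of the auth_cache / rsn_preauth logic from
# OpenWrt's hostapd.sh (example code, not the project's script). The
# config_get helpers are replaced by function arguments so it runs
# without UCI.

# pmksa_hostapd_lines AUTH_CACHE RSN_PREAUTH
# Prints the lines hostapd.sh would append for the interface, one per
# line (hostapd.sh separates them with "$N"). AUTH_CACHE defaults to 0,
# the same default config_get_bool applies when the uci option is absent.
pmksa_hostapd_lines() {
    auth_cache="${1:-0}"
    rsn_preauth="$2"
    lines=""
    # Each "||" chain only reaches the append when BOTH tests fail, i.e.
    # auth_cache is 0 AND rsn_preauth is not 1. auth_cache=1 makes the
    # first test succeed, the chain short-circuits and nothing is appended.
    [ "$auth_cache" -gt 0 ] || [ "$rsn_preauth" = 1 ] || lines="$lines disable_pmksa_caching=1"
    [ "$auth_cache" -gt 0 ] || [ "$rsn_preauth" = 1 ] || lines="$lines okc=0"
    for line in $lines; do
        printf '%s\n' "$line"
    done
}

# pmksa_caching_enabled AUTH_CACHE RSN_PREAUTH
# Returns 0 (true) when PMKSA caching stays enabled. hostapd enables it
# by default, so it is only off when hostapd.sh emits
# disable_pmksa_caching=1; with auth_cache=1 nothing is emitted and the
# default stays in force, which is what the posts above observed.
pmksa_caching_enabled() {
    pmksa_hostapd_lines "$1" "$2" | grep -q '^disable_pmksa_caching=1$' && return 1
    return 0
}

# Walk through the combinations discussed in the thread.
for combo in "0 0" "1 0" "0 1"; do
    set -- $combo
    printf 'auth_cache=%s rsn_preauth=%s -> ' "$1" "$2"
    if pmksa_caching_enabled "$1" "$2"; then
        echo "PMKSA caching enabled (hostapd default kept, no lines added)"
    else
        echo "disabled via: $(pmksa_hostapd_lines "$1" "$2" | tr '\n' ' ')"
    fi
done
```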

I am very happy that OpenWrt 19.07 rc has now been released. Thanks a lot!
During my tests I found that one part is missing for me. The features "WPA3 Enterprise" and "WPA3/WPA2 Enterprise" (mixed) should be available:
https://openwrt.org/docs/guide-user/network/wifi/basic
I can't see it on luci. I have the same dropdown menu as shown in Wpa3 support in OpenWrt? Post #58 by Camis.
Is it possible to add these two menu items, please?
By the way: "WPA2-PSK/WPA3-SAE Mixed Mode" seems to work with my WPA2 only mobile phone using the package wpad-wolfssl.

It seems like wpad-openssl is working better in general than wpad-wolfssl: https://bugs.openwrt.org/index.php?do=details&task_id=2571

I can confirm that WPA3 works when using openssl.
Commands to enable WPA3:
opkg update && opkg remove wpad-basic && opkg install wpad-openssl

ImageBuilder command for generating custom image for MR24 with luci and WPA3 (replace meraki_mr24 with your device):
make image PROFILE=meraki_mr24 PACKAGES="wpad-openssl luci -wpad-basic"

2 Likes

Does the full wpad package support wpa3, or will either wpad-openssl or wpad-wolfssl need to be installed? If so, what's the difference between the full wpad packages and the specific SSL packages? The full wpad package has the largest size, so apparently it has something those specific packages do not have.

Also, has anyone made a performance comparison between using openssl vs wolfssl?

As mentioned earlier in this thread.

wpad-full is not sufficient.

2 Likes

The full package is larger than either wpad-openssl or wpad-wolfssl though. What does it have that the other two packages do not? i.e., am I giving anything up by moving from wpad-full to wpad-openssl or wpad-wolfssl?

I think the way it used to work is that the full variant baked in the required SSL functions, and therefore had no external library required, but had the biggest size.

Looking now, it looks as though FULL is the parent variant, and then you select either OPENSSL or WOLFSSL as the child variants. Either of those will enable things like SAE and OWE (many reports of better success on openssl rather than wolfssl).

This is just my guess based on the makefile, which is a little hard to read given how many variants there are.

2 Likes

SSL has always been a separate library package.

Earlier it was a dependency hell and plain wpad could require either openssl, mbedtls or wolfssl, depending on the compile time options used. That was clarified by declaring the SSL dependency already in the package name. Thus there is now wpad-openssl etc.

Function-wise it is also wpad, wpad-basic (without EAP/RADIUS), wpad-mini (without 802.11r and 802.11w, thus no WPA3, and without EAP/RADIUS).

1 Like