- WPA3-SAE is supported by OpenWrt software for Xiaomi Redmi Router AC2100, MIPS, MT7621A.
- If the MT7621A doesn't have WPA3 hardware support, can WPA3 usage on 2.4 GHz and 5 GHz overload the Redmi processor?
Great thread, has more information than what Google finds on WPA3...
Can some of this be written to the wiki?
This page: https://openwrt.org/docs/guide-user/network/wifi/basic
Or maybe a separate page for WPA3?
To answer common questions, like:
- does OpenWRT support WPA3?
- does it require special hardware?
- any negative issues (like lower performance on older hardware)?
- a word about compatibility with other devices (like the mentioned Apple issue)
- is mixed WPA2/WPA3 really more secure than just WPA2? I read that exclusive WPA3 is better, but forgot the details.
- is WPA/WPA2/WPA3 mixed mode possible? (I see no support for it currently, but what in theory?)
Sure it can be written there?
By you, perhaps?
For the clients that connect via WPA3 it's more secure. However, if the client allows connecting to the same network via WPA2 there's a possibility of a downgrade attack. It's up to the client implementation to prevent this. As an example, the Google Pixel 3 always connects via WPA3 after the first WPA3 authentication/association with a network.[1]
Sure, after I get the answers to those questions.
Another solution for OpenWrt admins is to set up 2 virtual WLANs using different keys, one for WPA2 and another for WPA3.
Although, it may not be that much of an improvement in terms of security due to other practical reasons.
Cheers.
- does OpenWRT support WPA3? Yes, for official release, since 19.07 with wpad-openssl. wpad-wolfssl has been fixed in master/development
- does it require special hardware? No AFAIK
- any negative issues (like lower performance on older hardware)? In my test case no, the WLAN speed seems to be CPU-bound even without encryption, others with more experience may chime in?
- a word about compatibility with other devices (like the mentioned Apple issue) You can go ahead and add later when people report other incompatibilities
- is mixed WPA2/WPA3 really more secure than just WPA2? I read that exclusive WPA3 is better, but forgot the details. See reply of huaracheguarache
- is WPA/WPA2/WPA3 mixed mode possible? (I see no support for it currently, but what in theory?) No idea, but why would anyone still use WPA?
Notes:
- doesn't work on the WRT AC series of routers (mwlwifi). Probably important to note as they're very popular.
- some older hardware needs hardware encryption disabled in the driver for it to work with wpa3
WPA3 not working on TL-wr1043NDv1
https://openwrt.org/docs/techref/driver.wlan/mwlwifi would be the place to document mwlwifi specific stuff, e.g. WPA3 issues / WPA3 incompatibilities / general development status.
some older hardware needs hardware encryption disabled in the driver for it to work with wpa3
WPA3 not working on TL-wr1043NDv1
Fortunately this particular issue with ath9k and draft-n wireless chipsets <= AR9160 will be resolved with "mac80211: ath9k: enable MFP capability unconditionally", which I've just successfully tested on my tl-wr1043nd v1:
```
root@tl-wr1043ndx:~# grep -i -e sae -e 80211w /tmp/run/hostapd-phy0.conf
sae_require_mfp=1
wpa_key_mgmt=SAE
ieee80211w=2
```
```
root@ath5k-client:~# wpa_cli -i wlp3s0 status | grep -i -e sae -e 80211w -e mfp -e pmf
key_mgmt=SAE
pmf=2
sae_group=19
```
Similar efforts have been happening (upstream) for b43 and rt2x00 as well (not yet in OpenWrt); ath5k worked fine with WPA3/SAE from the beginning. Yes, enabling IEEE 802.11w (which is mandatory for WPA3) on devices that can't do it hardware-accelerated does come with a steep performance penalty, but at least it (now) works, without having to supply module parameters manually.
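As an added example (not part of any post in this thread), the same check as the grep above can be run per BSS: the script below reads a hostapd config and labels each BSS by its `wpa_key_mgmt`, `ieee80211w` and `sae_require_mfp` values, which separates a WPA3-only network from a WPA2/WPA3 mixed one that still accepts WPA2 clients. The verdict labels, the interface names and the sample config are constructed for illustration, and the script assumes the usual `interface=` / `bss=` layout of a generated hostapd config.

```shell
#!/bin/sh
# Added example (not from the thread): classify each BSS in a hostapd config
# by the WPA3-relevant settings shown in the grep output above.

audit_hostapd_conf() {
    # Reads hostapd config from the files given as arguments, or from stdin.
    awk '
    function emit(   a, sae, psk, v) {
        if (ifname == "") return
        a = " " akm " "
        sae = (a ~ / (FT-)?SAE /)
        psk = (a ~ / (FT|WPA)-PSK(-SHA256)? /)
        if (sae && psk)  v = (mfp >= 1 && saemfp == 1) ? "transition" : "transition-weak-pmf"
        else if (sae)    v = (mfp == 2) ? "wpa3-only" : "wpa3-pmf-not-required"
        else             v = "no-sae"
        print ifname, v
    }
    /^[ \t]*(#|$)/ { next }
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
    }
    key == "interface" || key == "bss" { emit(); ifname = val; akm = ""; mfp = 0; saemfp = 0 }
    key == "wpa_key_mgmt"    { akm = val }
    key == "ieee80211w"      { mfp = val + 0 }
    key == "sae_require_mfp" { saemfp = val + 0 }
    END { emit() }
    ' "$@"
}

# Constructed sample: an SAE-only BSS with the values from the thread, a
# WPA2/WPA3 mixed BSS, and a separate WPA2-only BSS (interface names made up).
sample_conf() {
    cat <<'EOF'
interface=wlan0
wpa_key_mgmt=SAE
ieee80211w=2
sae_require_mfp=1
bss=wlan0-1
wpa_key_mgmt=WPA-PSK SAE
ieee80211w=1
sae_require_mfp=1
bss=wlan0-2
wpa_key_mgmt=WPA-PSK
EOF
}

sample_conf | audit_hostapd_conf
```

On a router the function can be pointed at the generated file instead of the sample, for example `audit_hostapd_conf /tmp/run/hostapd-phy0.conf`.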
Hi there, are you working on it now?
Cheers.
Yes, enabling IEEE 802.11w (which is mandatory for WPA3) on devices that can't do it hardware accelerated does come with a steep performance penalty,
How much performance penalty?
Hmm, the https://en.wikipedia.org/wiki/IEEE_802.11w-2009 page says:
is required for 802.11 implementations that support TKIP or CCMP
So all WPA and WPA2 hardware should support it? Or am I misunderstanding something?
In theory, perhaps - in practice not at all. Even among the 802.11ac chipsets functional 802.11w support is not a given, even less hardware accelerated PMF/MFP.
About Apple WPA3 support:
on my iPhone SE, the options for Security offered are:
- None
- WEP
- WPA
- WPA2
- WPA Enterprise
- WPA2 Enterprise
- WPA3 Enterprise
on iPad 6th gen:
- None
- WEP
- WPA
- WPA2/WPA3
- WPA3
- WPA Enterprise
- WPA2 Enterprise
- WPA3 Enterprise
Both running iOS 13.5.1
So either the SE hardware does not support WPA3 Personal or it is some UI glitch.
About Apple WPA3 support:
on my iPhone SE, the options for Security offered are:
Where are you seeing these options listed? App on the phone itself? I have an iPhone 7 that connects to pure WPA-SAE just fine.
Same on MacBook Air 2012, it seems that WPA3 is not fully supported on older Apple hardware.
Where are you seeing these options listed?
In Settings, when manually adding a network. Click/tap on "Other..." below the list of detected networks.
Nice, I did not know about this. From my iPhone7:
It seems that Apple cuts functionality on older devices. Deceives people. Here's what's on my iPhone 6s, iOS 14 beta:
CONFIG_DPP - Device Provisioning Protocol ( Wi-Fi Easy Connect(TM) )
(The "Connect a IoT-device with the help of your smartphone" feature.)
Hello, I didn't find any info about PC OS support for this (Windows, OSX, Linux, etc.).
So far I only see it working on Android Q devices (via the QR code sharing feature).
Any info about it?
PS: I'm also interested in whether a LuCI interface for that feature exists.