Wpa3 support in OpenWrt?

I'm running an OpenWrt snapshot on my router in sae-mixed mode, and a MacBook running macOS Catalina and some iOS devices running iOS 13 are all able to successfully connect. The MacBook reports that it is connecting via WPA3 Personal, but I can't find any info from the iOS devices as to which WPA version they're using. All the devices were updated with the network credentials already in place - I haven't tested trying to connect a fresh Catalina/iOS 13 device.

This is a shot in the dark, but the only change from the default in my wifi interface configuration (apart from setting the ssid, key, and encryption mode) is that I enable PMKSA caching (via the 'auth_cache' uci setting). Considering the error message regarding an invalid PMKID, this might be worth a try?

That's supposed to only be relevant for enterprise type encryption... But worth a try I guess.

I'll confirm that option auth_cache '1' does fix Apple devices connecting.
I wonder why? I still think it sounds like an error in the implementation from Apple?

Does anyone closer to the source have a comment?
Also I think this option disables the cache, not enables it? Looking at hostapd.conf it looks like it is enabled by default.

I read the below from the OpenWrt repo; it is used to fix a security problem:

    # You don't really want to enable this unless you are doing
    # some corner case testing or are using OpenWrt as a work around
    # for some systematic issues.
    config_get_bool auth_cache "$vif" auth_cache 0
    config_get rsn_preauth "$vif" rsn_preauth
    [ "$auth_cache" -gt 0 ] || [[ "$rsn_preauth" = 1 ]] || append "$var" "disable_pmksa_caching=1" "$N"
    [ "$auth_cache" -gt 0 ] || [[ "$rsn_preauth" = 1 ]] || append "$var" "okc=0" "$N"

here
https://dev.archive.openwrt.org/ticket/12129

Can confirm option auth_cache '1' worked for me, my iPhone XR running iOS 13.1.3 connected.

it may not be apparent due to the "||", but setting auth_cache=1 will actually ensure that nothing is done here...?!

yes it does nothing so pmksa caching won't be disabled...which makes 802.1x not safe. But WPA3-Personal should be ok.
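To make the effect of that "||" chain concrete, here is an added stand-alone shell re-implementation of the quoted auth_cache / rsn_preauth logic (example code, not OpenWrt's own hostapd.sh), plus a small check that reads the resulting hostapd.conf lines and reports whether PMKSA caching ended up disabled. The `append` helper is a minimal stand-in for the netifd one.

```shell
#!/bin/sh
# Added example, not OpenWrt's own script: re-implements the quoted
# auth_cache / rsn_preauth lines so the "||" behaviour can be observed.

# Stand-in for OpenWrt's append(): add $2 to the variable named $1,
# separated from any existing content by $3.
append() {
    eval "_cur=\"\$$1\""
    if [ -n "$_cur" ]; then
        eval "$1=\"\$_cur\$3\$2\""
    else
        eval "$1=\"\$2\""
    fi
}

# Print the hostapd.conf lines the quoted logic would emit.
# Arguments: auth_cache (0/1, uci default 0), rsn_preauth (empty or 1).
pmksa_lines() {
    auth_cache="${1:-0}"
    rsn_preauth="$2"
    var=""
    N="
"
    # Each line is only appended when BOTH tests fail, i.e. auth_cache=0
    # and rsn_preauth unset. auth_cache=1 short-circuits and appends nothing.
    [ "$auth_cache" -gt 0 ] || [ "$rsn_preauth" = 1 ] || append var "disable_pmksa_caching=1" "$N"
    [ "$auth_cache" -gt 0 ] || [ "$rsn_preauth" = 1 ] || append var "okc=0" "$N"
    printf '%s' "$var"
}

# Read hostapd.conf lines on stdin and report the PMKSA caching state.
# hostapd's own default is caching enabled, so a missing line means "enabled".
pmksa_state() {
    if grep -q '^disable_pmksa_caching=1' ; then
        echo disabled
    else
        echo enabled
    fi
}

# Stand-alone demo: compare the uci default with auth_cache '1'.
printf 'auth_cache=0 -> %s\n' "$(pmksa_lines 0 '' | pmksa_state)"
printf 'auth_cache=1 -> %s\n' "$(pmksa_lines 1 '' | pmksa_state)"
```

Running it shows that auth_cache '1' leaves hostapd at its own default (caching enabled), which is why the option "fixes" the Apple clients without adding anything to the config.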

I am very happy that OpenWrt 19.07 rc has now been released. Thanks a lot!
During my tests, I found that one part is missing for me. The features "WPA3 Enterprise" and "WPA3/WPA2 Enterprise" (mixed) should be available:
https://openwrt.org/docs/guide-user/network/wifi/basic
I can't see it on luci. I have the same dropdown menu as shown in Wpa3 support in OpenWrt? Post #58 by Camis.
Is it possible to add these two menu items, please?
By the way: "WPA2-PSK/WPA3-SAE Mixed Mode" seems to work with my WPA2 only mobile phone using the package wpad-wolfssl.

It seems like wpad-openssl is working in general better than wpad-wolfssl: https://bugs.openwrt.org/index.php?do=details&task_id=2571

I can confirm that WPA3 works when using openssl.
Commands to enable WPA3:
opkg update && opkg remove wpad-basic && opkg install wpad-openssl

ImageBuilder command for generating custom image for MR24 with luci and WPA3 (replace meraki_mr24 with your device):
make image PROFILE=meraki_mr24 PACKAGES="wpad-openssl luci -wpad-basic"


Does the full wpad package support wpa3, or will either wpad-openssl or wpad-wolfssl need to be installed? If so, what's the difference between the full wpad packages and the specific SSL packages? The full wpad package has the largest size, so apparently it has something those specific packages do not have.

Also, has anyone made a performance comparison between using openssl vs wolfssl?

As mentioned earlier in this thread.

wpad-full is not sufficient.


The full package is larger than either wpad-openssl or wpad-wolfssl though. What does it have that the other two packages do not? I.e., am I giving anything up by moving from wpad-full to wpad-openssl or wpad-wolfssl?

I think the way it used to work is that the full variant baked in the required SSL functions, and therefore had no external library required, but had the biggest size.

Looking now, it looks as though FULL is the parent variant, and then you select either OPENSSL or WOLFSSL as the child variants. Either of those will enable things like SAE and OWE (many reports of better success on openssl rather than wolfssl).

This is just my guess based on the makefile, which is a little hard to read given how many variants there are.


SSL has always been a separate library package.

Earlier it was a dependency hell and plain wpad could require either openssl, mbedtls or wolfssl, depending on the compile time options used. That was clarified by declaring the SSL dependency already in the package name. Thus there is now wpad-openssl etc.

Function-wise it is also wpad, wpad-basic (without EAP/RADIUS), wpad-mini (without 802.11r and 802.11w, thus no WPA3, without EAP/RADIUS).


I suppose I misspoke, and should have said "crypto" rather than "SSL".
From hostap git:

 * This file defines the cryptographic functions that need to be implemented
 * for wpa_supplicant and hostapd. When TLS is not used, internal
 * implementation of MD5, SHA1, and AES is used and no external libraries are
 * required. When TLS is enabled (e.g., by enabling EAP-TLS or EAP-PEAP), the
 * crypto library used by the TLS implementation is expected to be used for
 * non-TLS needs, too, in order to save space by not implementing these
 * functions twice.

Which is what i was referring to before. So if you don't include an SSL library, it reverts back to its own internal crypto functions (e.g. for hashing) and these all get linked in and make the resulting binary bigger. If you select an SSL library, these libraries provide the necessary crypto functions, and you get a smaller binary.

Looping back to the original question, as suggested, you need an SSL library to get WPA3 functionality. Additionally, the above explanation is why the binary is bigger when no SSL library is included (which may seem counter intuitive at first).


I have reported the WPA3 bug in iOS and iPadOS to Apple, and I think it would be a good idea if other people who have experienced the bug would report it as well. You can report iPhone bugs here, and iPad bugs here.


WPA3 in iOS is working for me on 2.4 GHz if I manually add the network and choose WPA3, with no need for auth_cache. I can't get it working on 5 GHz, with or without manually adding the network or changing auth_cache. This is on an Archer C7 v2.

Got mixed results here using Fritzbox 4040 (ath10k) and wpad-openssl on both stable and snapshot. macOS doesn't want to connect in wpa3 or wpa2/wpa3 mode it says password wrong or some vague message about not being able to connect. Manually adding a connection shows it only seems to support wpa3 enterprise (see image). On iOS/iPadOS connections went ok in mixed mode but I think they fell back on wpa2.

Don't really know where to check in iOS or OpenWrt what the active encryption is. In wpa3 only mode iOS said the password was wrong. Windows10 also said the password was wrong in wpa3 only mode and in mixed mode it said it couldn't connect.

Same results on both the 2.4 and 5 GHz bands.

Not sure if trying wpad-wolfssl will yield any different results but I can try if anyone here thinks its useful. Any logs or info I can share or other things to test or try are welcomed. I'll also report this to Apple if this is due to them. Running iOS/iPadOS 13.3.1 and Catalina 10.15.3.


It looks like on openwrt-19.07.2,
wpa3 is not fully supported.
WPA3-Enterprise (WPA3-EAP) is not ready yet.
see