Wpa3 support in OpenWrt?

Client Devices which does not support Management Frame Protection cannot connect to WPA3-SAE

I have it on both my EA6350v3 and EA8500 running 19.07.02. I am not using it - my clients do not support it yet - but it is available.

It is not included by default. Did you install the necessary package ( i.e., replace wpad with wpad-openssl)?

Thanks for you replay. I did install wapd-openssl.

wpa3-enterprise or wpa3-eap , this is a method for radius, it's mainly used for small bussiness and enterprise.

Some news here. With the release of iOS 13.4.1 and macOS 10.15.4 I decided to give WPA3 another go. Only my iPad can connect, which is kind of odd because iOS and iPadOS are pretty much the same. My MacBook was also unable to connect. Just like last time only the iPad can connect to it (running WPA3 mode only).

I hope Apple sorts this out soon.

I also wanted to add that after removing wpad and installing wpad-OpenSSL and setting up a mixed and/or wpa3 only network on 19.07.2, my iPhone SE (iOS 13.3.1) would not connect, the error was “wrong password” too.
*I also found it strange that when trying to manually add a wireless network on the iPhone that wpa3 personal was not an option, only “enterprise” was listed. Apple’s claims of supporting wpa3 only seem to be for enterprise use for now ..

Apple seems to have made a partially wrong claim when they are talking about WPA3 compatibility. From my experience, WPA3 personal works from the iPhone 7 onwards, while the 6s does not connect.

On the MacBook side of things, a MacBook Pro from early 2016 was also not able to connect when 802.11w (required per spec) was enabled. This is kind of interesting, as for WiFi certification 802.11w is mandatory.

Some possible improvement was done yesterday https://github.com/openwrt/openwrt/commit/631c437a91c20df678b25dcc34fe23636116a35a

Is there a list somewhere of what devices should be able to support WPA3? Or could such a category be added on the wiki?

I have ea6350 but I'm experiencing unstability and inability of some devices to connect, this may be related to vlans (I'm still checking that) but knowing whether the device should be able to handle it would be cool.

WPA3 support should be fine on all ath10k devices, I'm actively using it on ipq4019, qca9886 and qca9984 hardware.

Is this 19.07.3 or 20.xx going into
And any benefit using wolfssl over openssl?

Unfortunatelly no.

Benefit is package size and stability, openssl needs much more space, however every package has openssl version (luci, openvpn) oposing to wolfssl

1 Like

I have a Surface device with one of those terrible Marvell AVASTAR radios, and it absolutely refuses to connect to an AP operating in WPA2-PSK/WPA3-SAE mixed mode. Even a random Realtek USB card had no issues connecting to the exact same AP (obviously it's WPA2 but at least it works). iOS 13.5 seems to work just fine with WPA2/WPA3 mixed mode though, which is good news at least. Older (802.11n) Intel cards didn't have any issues connecting to the same AP with WPA2 either.

Which is sad because it seems unlikely to me that Microsoft/Marvell will release an updated driver...

If you're running OpenWrt, perhaps you can set up multi-SSID, i.e. one WPA3-SAE and one WPA2-PSK, as a workaround.

Cheers.

Noted.

Is there practically no performance / resource-usage differences between openssl and wolfssl?

Cheers.

Yeah, unfortunately that would be the only solution. The windows driver for this card was released in 2016, sigh.

I feel for you.

Even for a more recently released device and the WPA3 driver already out there, MS still doesn't update the one they officially distribute.

https://answers.microsoft.com/en-us/surface/forum/all/surface-wpa3/f1cc5c1f-2756-469c-aa04-8c57b5eeb515?page=2

Sigh.

  1. WPA3-SAE is supported by Openwrt software for Xiaomi Redmi Router AC2100, MIPS, MT7621A .
  2. If MT7621A haven't WPA3 hardware support, can WPA3 usage on 2.4ghz and 5Ghz overload Redmi processor?

Great thread, has more information than what google finds on WPA3...

Can some of this be written to the wiki?

This page: https://openwrt.org/docs/guide-user/network/wifi/basic
Or maybe a separate page for WPA3?

To answer common questions, like:

  • does OpenWRT support WPA3?
  • does it require special hardware?
  • any negative issues (like lower performance on older hardware)?
  • a word about compatibility with other devices (like the mentioned Apple issue)
  • is mixed WPA2/WPA3 really more secure than just WPA2? I read that exclusive WPA3 is better, but forgot the details.
  • is WPA/WPA2/WPA3 mixed mode possible? (I see no support for it currently, but what in theory?)
1 Like

Sure it can be written there?
By you, perhaps?

1 Like

For the clients that connect via WPA3 it's more secure. However, if the client allows connecting to the same network via WPA2 there's a possibility of a downgrade attack. It's up to the client implementation to prevent this. As an example, the Google Pixel 3 always connects via WPA3 after the first WPA3 authentication/association with a network.[1]

[1] Interesting paper on security vulnerabilities in WPA3.

1 Like