Do we need to specify key_mgmt while configuring wifi?

Hello,

I was working with VintageNet to configure the wlan. We can configure the wifi network using VintageNetWiFi.quick_configure() or VintageNet.configure(). I’m able to configure using both.
I checked that when I use quick_configure(), key_mgmt is set to :wpa_psk.
When I use configure(), I have set the key_mgmt; if I don’t set it to :wpa_psk or any other key management, I observed it defaults to :none.

Now my requirement is to be able to connect to any network, WPA2, WPA3, or transitional WPA2/WPA3, without specifying the key_mgmt type.

Regards

WPA3 can be made to work with VintageNetWiFi, but we don’t have a ready-to-go configuration. The main reason has been, amazingly, lack of interest. I think that it stems from WPA3 not being supported on the Raspberry Pi 3. (Every time I type this, I can’t believe it could still be the case, so if you know that it works now, please correct me.)

One thing to keep in mind with VintageNetWiFi is that it “just” converts configurations expressed as Elixir terms to wpa_supplicant configurations. That means that anything doable with wpa_supplicant can be done with VintageNetWiFi. Sometimes we need to update VintageNetWiFi to properly expose a feature, but the process is primarily one of converting data structures rather than actually implementing a WiFi feature.

If you look midway down at README — vintage_net_wifi v0.12.0, you can see the configurations for WPA3 and transitional WPA2/WPA3. I don’t know of an all-in-one configuration for the wpa_supplicant to do everything with one configuration. If you find one, it could be adapted to VintageNetWiFi and I’d be very interested in doing that.

The workarounds that I can think of:

  1. Scan for networks, find the AP you want, check its parameters and save the config accordingly. I don’t like this since it won’t handle hidden networks and if someone changes the AP’s settings, you’ll have to reconfigure. I know this will work, though.

  2. Send down three configurations for the same SSID in the :networks key. One is the WPA3 config, the next is the transitional config and the last is the WPA2 config. This should make wpa_supplicant try each one and stick with the one that works.

If option 2 works and doesn’t break with hardware that doesn’t support WPA3, I’d be interested in updating VintageNetWiFi.quick_configure to do that.

My previous response isn’t right.

The way to do this is to list all of the key_mgmt types that are ok. The current VintageNetWiFi release doesn’t support that. I started a PR with support at Support creating WPA2/WPA3 configurations by fhunleth · Pull Request #217 · nerves-networking/vintage_net_wifi · GitHub.

Another issue is that I don’t think any of the officially supported Nerves hardware have WiFi modules that support WPA3. I just confirmed that we can’t test WPA3 on any of the Raspberry Pis. This blog post had good links on the work being done.

Do you have a WiFi module that supports WPA3? I’ve tested the PR with a WiFi module that supports WPA3, so the PR seems to work. Confirming that it works with whatever hardware you have would be nice to know if that’s possible.

Thank you @fhunleth

Your response is very helpful for me to proceed further.

I haven’t really tested with WPA3 for now; I have a Raspberry Pi with me. However, from your comment it looks like it doesn’t support WPA3.

Does the BeagleBone Green support WPA3?

Regards.

The BeagleBone Green Wireless uses the WL1835MOD WiFi module. It lists WPA3 on its features.

Hello @fhunleth

I’m using vintage_net_wifi version 0.12.1 which should have the changes you had mentioned in the above comment.
I’m trying to configure my device using the same method; however, it is failing to connect to the network. Attaching logs for your reference.

iex(19)> VintageNet.configure("wlan0",   %{
...(19)>   type: VintageNetWiFi,
...(19)>   vintage_net_wifi: %{
...(19)>     networks: [
...(19)>       %{
...(19)>         ssid: "TestWifi",
...(19)>         psk: "Test1234567",
...(19)>         sae_password: "Test1234567",
...(19)>         key_mgmt: [:wpa_psk, :sae, :wpa_psk_sha256],
...(19)>         ieee80211w: 2
...(19)>       }
...(19)>     ]
...(19)>   },
...(19)>   ipv4: %{method: :dhcp}
...(19)> })
:ok

12:06:55.902 [info]  RouteManager: clear_route wlan0
         
12:06:55.915 [warn]  RouteManager: new set_connection_status wlan0 -> :disconnected (Elixir.VintageNet.Interface.start_configuri)
         
12:06:56.516 [info]  wlcore: PHY firmware version: Rev 8.2.0.0.243
         
12:06:56.572 [info]  wlcore: firmware booted (Rev 8.9.0.0.83)
         
12:06:56.600 [info]  IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
iex(20)> ifconfig
lo: flags=[:up, :loopback, :running]
    inet 127.0.0.1  netmask 255.0.0.0
    inet ::1  netmask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    hwaddr 00:00:00:00:00:00

can0: flags=[]

can1: flags=[]

eth0: flags=[:up, :broadcast, :running, :multicast]
    inet 192.168.0.100  netmask 255.255.255.0  broadcast 192.168.0.255
    inet fe80::3684:e4ff:fe1e:8dac  netmask ffff:ffff:ffff:ffff::
    hwaddr 34:84:e4:1e:8d:ac

wwan0: flags=[:broadcast, :multicast]
    hwaddr ce:c2:fb:b5:9e:43

wlan0: flags=[:up, :broadcast, :running, :multicast]
    hwaddr 38:ab:41:4a:9a:f0

ppp0: flags=[:pointtopoint, :multicast]

                   
12:07:05.574 [info]  Start inverter init
iex(21)> VintageNet.get
get/1                  get/2                  get_by_prefix/1        
get_configuration/1                  
iex(21)> VintageNet.get_configuration("wlan0")
%{
  ipv4: %{method: :dhcp},
  type: VintageNetWiFi,
  vintage_net_wifi: %{
    networks: [
      %{
        allowed_key_mgmt: [:wpa_psk, :sae, :wpa_psk_sha256],
        ieee80211w: 2,
        key_mgmt: :wpa_psk,
        mode: :infrastructure,
        psk: "F887CDC82262134FC3A3A8D458AF76BF2C0124FC62B915A61990F9AAA6533B6E",
        sae_password: "Test1234567",
        ssid: "TestWifi"
      }
    ]
  }
}

With the same version, if I use the below command, it gets connected to the network:

 VintageNet.configure("wlan0", %{
       type: VintageNetWiFi,
       vintage_net_wifi: %{
         networks: [
           %{
             key_mgmt: :wpa_psk,
             psk: "Test1234567",
             ssid: "TestWifi"
           }
         ]
       },
       ipv4: %{method: :dhcp}
     })

Could you try the same configuration except with ieee80211w: 1?

If that doesn’t work, could you let me know what access point you’re using, what device (I assume BeagleBone Green Wireless?), and what version of nerves_system_bbb that you’re using.

I made ieee80211w: 1 and saw it is connected to the network.

iex(7)> VintageNet.configure("wlan0",   %{
...(7)>    type: VintageNetWiFi,
...(7)>   vintage_net_wifi: %{
...(7)>     networks: [
...(7)>        %{
...(7)>          ssid: "TestWifi",
...(7)>          psk: "Test1234567",
...(7)>          sae_password: "Test1234567",
...(7)>          key_mgmt: [:wpa_psk, :sae, :wpa_psk_sha256],
...(7)>          ieee80211w: 1
...(7)>        }
...(7)>      ]
...(7)>    },
...(7)>    ipv4: %{method: :dhcp}
...(7)>  })

It got an IP assigned as well.

Interface wlan0
  Type: VintageNetWiFi
  Present: true
  State: :configured (14.6 s)
  Connection: :lan (12.1 s)
  Addresses: 192.168.0.100/24, fe80::3aab:41ff:fe4a:9af0/64
  MAC Address: "38:ab:41:4a:9a:f0"
  Configuration:
    %{
      ipv4: %{method: :dhcp},
      type: VintageNetWiFi,
      vintage_net_wifi: %{
        networks: [
          %{
            allowed_key_mgmt: [:wpa_psk, :sae, :wpa_psk_sha256],
            ieee80211w: 1,
            key_mgmt: :wpa_psk,
            mode: :infrastructure,
            psk: "....",
            sae_password: "....",
            ssid: "TestWifi"
          }
        ]
      }
    }

After this, for my experiment, I changed my network to WPA2/WPA3 and tried to connect again. This time it failed.

I’m using a TP-Link AC750 router and the device is a BeagleBone Green.

When using WPA supplicant directly, even if we don’t specify the key_mgmt config in the WPA supplicant configuration, it should work for any security type. When no key management type is specified WPA supplicant or the lower level layers will do a scan and figure out the security type.

For debug purposes, is there a way to look at the actual WPA Supplicant config when using Vintage Net? Does Vintage Net create a supplicant config file and pass that on to the supplicant?

Thanks and regards

To see the configuration it creates, run this:

iex> cat "/tmp/vintage_net/wpa_supplicant.conf.wlan0"
ctrl_interface=/tmp/vintage_net/wpa_supplicant
country=00
wps_cred_processing=1
network={
...

Looking at wpa_supplicant’s example configuration, these sections look interesting:

# Whether to enable SAE (WPA3-Personal transition mode) automatically for
# WPA2-PSK credentials received using WPS.
# 0 = only add the explicitly listed WPA2-PSK configuration (default)
# 1 = add both the WPA2-PSK and SAE configuration and enable PMF so that the
#     station gets configured in WPA3-Personal transition mode (supports both
#     WPA2-Personal (PSK) and WPA3-Personal (SAE) APs).
#wps_cred_add_sae=0

and

# sae_check_mfp: Require PMF support to select SAE key_mgmt
# 0 = Do not check PMF for SAE (default)
# 1 = Limit SAE when PMF is not enabled
#
# When enabled SAE will not be selected if PMF will not be used
# for the connection.
# Scenarios where this check will limit SAE:
#  1) ieee80211w=0 is set for the network
#  2) The AP does not have PMF enabled.
#  3) ieee80211w is unset, pmf=1 is enabled globally, and
#     the device does not support the BIP cipher.
# Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
# network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
# In the example WPA-PSK will be used if the device does not support
# the BIP cipher or the AP has PMF disabled.
# Limiting SAE with this check can avoid failing to associate to an AP
# that is configured with sae_requires_mfp=1 if the device does
# not support PMF due to lack of the BIP cipher.
#
# Enabling this check helps with compliance of the WPA3
# specification for WPA3-Personal transition mode.
# The WPA3 specification section 2.3 "WPA3-Personal transition mode" item 8
# states "A STA shall negotiate PMF when associating to an AP using SAE".
# With this check WPA3 capable devices when connecting
# to transition mode APs that do not advertise PMF support
# will not use SAE and instead fallback to PSK.
#sae_check_mfp=0

I don’t see any examples at the end of the file that apply to a WPA2, WPA2/3 transitional, and WPA3 configuration. Maybe someone posted one to a mailing list or it can be scraped out of a Linux desktop config.
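Added example, not from the thread or the VintageNet project: a small Elixir script that parses a generated wpa_supplicant configuration and reports the key_mgmt / ieee80211w combinations discussed above. The module name `WpaConfAudit`, its functions and the sample configuration are hypothetical and constructed for illustration; on a device the input would be the file shown above.

```elixir
defmodule WpaConfAudit do
  # Hypothetical helper (added example, not part of VintageNet or wpa_supplicant).

  # Returns one %{"key" => "value"} map per network={...} block.
  def parse_networks(conf) do
    for [body] <- Regex.scan(~r/network=\{(.*?)\n\}/s, conf, capture: :all_but_first) do
      for line <- String.split(body, "\n"),
          line = String.trim(line),
          not String.starts_with?(line, "#"),
          [key, value] <- [String.split(line, "=", parts: 2)],
          into: %{},
          do: {key, value}
    end
  end

  # Lists the findings that apply to one parsed network block.
  def findings(net) do
    # Absent keys fall back to wpa_supplicant's defaults
    # (assumes no global pmf= override in the file).
    key_mgmt = net |> Map.get("key_mgmt", "WPA-PSK IEEE8021X") |> String.split()
    pmf = Map.get(net, "ieee80211w", "0")
    sae? = "SAE" in key_mgmt
    psk? = "WPA-PSK" in key_mgmt

    checks = [
      {"NONE" in key_mgmt, "key_mgmt allows NONE: open, unencrypted association"},
      {sae? and pmf == "0", "SAE with ieee80211w=0: PMF is never negotiated"},
      {psk? and pmf == "2", "ieee80211w=2 with WPA-PSK: APs without PMF are rejected"},
      {psk? and not sae?, "PSK only: SAE is not used even on a transition-mode AP"}
    ]

    for {true, msg} <- checks, do: msg
  end
end

# Constructed sample in the format of /tmp/vintage_net/wpa_supplicant.conf.wlan0
sample = """
ctrl_interface=/tmp/vintage_net/wpa_supplicant
country=00
network={
ssid="TestWifi"
key_mgmt=WPA-PSK SAE WPA-PSK-SHA256
ieee80211w=2
}
network={
ssid="OpenGuest"
key_mgmt=NONE
}
"""

for net <- WpaConfAudit.parse_networks(sample), msg <- WpaConfAudit.findings(net) do
  IO.puts("#{net["ssid"]}: #{msg}")
end
```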

@Rehan Did you find out anything more with supporting WPA2/WPA3 transitional mode? The reason I ask is that vintage_net_wifi now uses ieee80211w: 1 for the generic configuration based on feedback from others. Your case is now the only one that I’m aware of that doesn’t work.

@fhunleth Yes, we figured out the problem. The reason we’re unable to connect to the WPA3 network is the WiFi chip firmware. I haven’t yet tried updating it; after updating the firmware I’ll check it.