On Mon, Apr 04, 2022 at 11:08:26AM +0200, Beniamino Galvani wrote:
> On Tue, Mar 22, 2022 at 11:52:00AM +0100, Alfonso Sanchez-Beato via 
> networkmanager-list wrote:
> > Hi there!
> > 
> > I have been using NetworkManager 1.36.2 to create an Access Point, but I am
> > having some problems. Only devices that support WPA3 are able to connect to
> > the AP. Looking at the history, I see that
> > https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/f5d78c2d289c9e4a4c247d2520c7c3e2baf537c8
> > introduced a change that configures wpa_supplicant to be able to connect to
> > any of WPA, WPA2 or WPA3 and choose the best candidate. However, it looks
> > like this is breaking the hotspot case, at least for me - when I revert the
> > change I am able to connect again from WPA2-only devices.
> > 
> > I have seen these problems on
> > * An intel NUC with Intel wifi driver
> > * On a VM, when loading mac80211_hwsim with two radios (one for hotspot,
> > the other for connecting to it)
> Hi, I can reproduce the problem with mac80211_hwsim. The root cause is
> that NM passes both SAE and FT-SAE as key-mgmt to
> wpa_supplicant. wpa_supplicant currently doesn't support FT in AP
> mode, but still advertises FT-SAEit to the STA, leading to a key
> derivation mismatch.
> This patch works for me:
> http://lists.infradead.org/pipermail/hostap/2022-April/040352.html
> Arguably, we could also fix this in NM by not passing FT-SAE in AP
> mode; however I prefer that the fix is done in wpa_supplicant so that
> in the future, when FT support is added to AP mode it will work
> automatically with NM.

I changed my mind. FT requires special configuration in the AP and so
it doesn't make sense that NM automatically enables because it would
be useless and in some cases (FT-SAE) harmful.

In the end, I did this patch to disable FT when NM configures the
supplicant in AP mode:



Attachment: signature.asc
Description: PGP signature

networkmanager-list mailing list

Reply via email to