wpa_supplicant.conf - adding a mixed WPA2+WPA3 network


I have successfully connected an embedded Linux board running wpa_supplicant 2.9 to a Fritz!Box router using this wpa_supplicant.conf:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1

network={
    # Connect via WPA2 to a WPA2+WPA3 network
    ssid="my_network"
    psk="password"
    key_mgmt=WPA-PSK
}

This connection, on the Fritz!Box router, shows up as a WPA2 connection. The router shows other devices connected via WPA3 which is what I'm trying to achieve with the Linux board. I've tried:

network={
    # Connect via WPA3 to a WPA2+WPA3 network
    ssid="my_network"
    psk="password"
    key_mgmt=SAE
    ieee80211w=1
}

I've tried a few variations but without success. wpa_supplicant was built with: CONFIG_SAE=y

Anyone have any pointers please?

There are 1 best solutions below

While fiddling myself to set up a WPA2+WPA3 AP, I came to this setup, which "seems" to work.
I say "seems" because I can connect using one phone, but not with my other phone at the moment.

TL;DR

Important part seems to be:

    # WPA2-PSK + WPA3-SAE
    proto=RSN
    key_mgmt=WPA-PSK-SHA256 SAE
    ieee80211w=1

My current setup:

The supplicant config:

# /etc/wpa_supplicant/<IFNAME>.conf
#
# Enable/Start "wpa_supplicant@<IFNAME>" [no need to add .service]
#
# We set access in the service unit...
ctrl_interface=DIR=/run/wpa_supplicant

# Note: ap_scan=0/2 should not be used with the nl80211 driver interface (the
# current Linux interface). ap_scan=1 is the only option working with nl80211.
# For finding networks using hidden SSID, scan_ssid=1 in the network block can
# be used with nl80211.
ap_scan=1

#passive_scan=1

# Maximum number of peer links (0-255; default: 99)
# Maximum number of mesh peering currently maintained by the STA.
max_peer_links=255

country=XX # Use your 2-char country code here
#   1-0050F204-1 (Computer / PC)
#   1-0050F204-2 (Computer / Server)
#   5-0050F204-1 (Storage / NAS)
#   6-0050F204-1 (Network Infrastructure / AP)
device_type=1-0050F204-2
#device_type=6-0050F204-1

wps_cred_add_sae=1 # WPA3-Personal transition mode
pmf=1

# Disable P2P functionality
p2p_disabled=1

# SAE mechanism for PWE derivation
# 0 = hunting-and-pecking loop only (default without password identifier)
# 1 = hash-to-element only (default with password identifier)
# 2 = both hunting-and-pecking loop and hash-to-element enabled
# Note: The default value is likely to change from 0 to 2 once the new
# hash-to-element mechanism has received more interoperability testing.
# When using SAE password identifier, the hash-to-element mechanism is used
# regardless of the sae_pwe parameter value.
sae_pwe=2

network={
    ssid="xxxx"
    psk="xxxx"
    #psk=<hex>

    # mode: IEEE 802.11 operation mode
    # 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
    # 1 = IBSS (ad-hoc, peer-to-peer)
    # 2 = AP (access point)
    # Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and
    # WPA-PSK (with proto=RSN). In addition, key_mgmt=WPA-NONE (fixed group key
    # TKIP/CCMP) is available for backwards compatibility, but its use is
    # deprecated. WPA-None requires following network block options:
    # proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
    # both), and psk must also be set.
    mode=2

    #frequency=0
    ### Channel 1
    #frequency=2412
    ## Channel 13
    frequency=2472
    ### Channel 36
    #frequency=5180

    ## WPA(2?) only
    #proto=WPA
    #key_mgmt=WPA-PSK
    #pairwise=TKIP
    #group=TKIP

    ## WPA3-SAE only
    #proto=RSN
    #key_mgmt=SAE
    #ieee80211w=2

    # WPA2-PSK + WPA3-SAE
    proto=RSN
    key_mgmt=WPA-PSK-SHA256 SAE
    ieee80211w=1

    ## Optional:
    #ocv=1
    #beacon_prot=1
    #disable_ht=0
    #disable_ht40=0
    #disable_sgi=0
    #disable_ldpc=0
    #ht40_intolerant=0
    #disable_vht=0

    # WPS in AP mode
    # 0 = WPS enabled and configured (default)
    # 1 = WPS disabled
    wps_disabled=1
}

And these modifications as "drop-in" files for the systemd service template unit:

# .../systemd/system/wpa_supplicant@.service.d/00-alternative.conf
[Service]
ConfigurationDirectory=wpa_supplicant
RuntimeDirectory=wpa_supplicant
RuntimeDirectoryMode=0775
RuntimeDirectoryPreserve=yes
Group=adm
ExecStart=
ExecStart=/sbin/wpa_supplicant -i%I -c%E/wpa_supplicant/%I.conf $options

# .../systemd/system/wpa_supplicant@.service.d/debug.conf
[Service]
#Environment='options=-d'
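
A quick way to see which mode each network block in a wpa_supplicant.conf actually asks for, as an added example that is not part of the original posts or of wpa_supplicant itself. It assumes the pairing shown in the answer's config (ieee80211w=2 for an SAE-only block, ieee80211w=1 for WPA2-PSK + SAE) as the rule to check against; `parse`, `audit` and the sample config are hypothetical names and constructed data.

```python
SAMPLE = """\
pmf=1
network={
    key_mgmt=WPA-PSK
}
network={
    key_mgmt=SAE
    ieee80211w=0
}
network={
    key_mgmt=WPA-PSK-SHA256 SAE  # mixed mode, as in the answer
    ieee80211w=1
}
"""  # constructed sample; ssid/psk lines left out

def parse(text):
    """Split config text into (global settings, list of network-block settings)."""
    glob, nets, cur = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif "=" in line:
            key, val = line.split("=", 1)
            if not val.startswith('"'):             # leave quoted strings untouched
                val = val.split("#", 1)[0].strip()  # drop a trailing comment
            (glob if cur is None else cur)[key.strip()] = val
    return glob, nets

def audit(text):
    """Return one (mode, pmf, issues) tuple per network block, in file order."""
    glob, nets = parse(text)
    report = []
    for net in nets:
        akms = net.get("key_mgmt", "WPA-PSK IEEE8021X").split()  # documented default
        pmf = int(net.get("ieee80211w", glob.get("pmf", "0")))   # block overrides global pmf
        sae, psk = "SAE" in akms, any(a.startswith("WPA-PSK") for a in akms)
        mode = "transition" if sae and psk else "wpa3-only" if sae else "wpa2-only" if psk else "other"
        issues = [msg for cond, msg in (
            (sae and pmf == 0, "SAE without PMF"),
            (mode == "wpa3-only" and pmf != 2, "SAE-only block should set ieee80211w=2"),
            (mode == "wpa2-only", "no SAE in key_mgmt"),
        ) if cond]
        report.append((mode, pmf, issues))
    return report
```

Calling `audit(open(path).read())` on a real file gives the same per-block tuples; a block reported as `wpa2-only` will never negotiate SAE, whatever the router offers.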