wpa3 not proposed in Networkmanager

Hello
So I wanted to look at wpa3.
Added and configured wpa3 to my access point, and zypper dup on tumbleweed to have NetworkManager 1.18.4 (supposedly proposing wpa3).
My network card is Intel 7260, only certified wpa2, but certification dates from before wpa3 was born, and wpa3 “should” be a question of software. So I hoped being in range of wpa3. But when I go to networkmanager, wi-fi security, I do not see wpa3 proposed in the dropdown list. For the fun and to avoid the eternal KDE/Gnome discussion, I also looked in nmtui-edit, and still no wpa3. I am sure it is there somewhere. What did I miss?

rpm -qa |grep NetworkManager
NetworkManager-pptp-lang-1.2.8-1.5.noarch
NetworkManager-openvpn-1.8.10-1.4.x86_64
NetworkManager-openvpn-lang-1.8.10-1.4.noarch
libKF5NetworkManagerQt6-5.64.0-1.1.x86_64
NetworkManager-1.18.4-2.1.x86_64
NetworkManager-branding-openSUSE-42.1-4.16.noarch
NetworkManager-openconnect-lang-1.2.6-1.1.noarch
NetworkManager-openconnect-1.2.6-1.1.x86_64
NetworkManager-pptp-1.2.8-1.5.x86_64
NetworkManager-lang-1.18.4-2.1.noarch

What exactly you mean with “proposing”? NetworkManager supports WPA3 authentication since 1.16 IIRC.

i also looked in nmtui-edit, and still no wpa3

WPA3 was added to TUI in 1.21 development version which means it will be available in 1.22. Native NM applet should support it since 1.8.24.

Possibly not possible with your hardware: https://www.intel.com/content/www/us/en/support/articles/000054783/network-and-io/wireless-networking.html .
Try to use compatible WiFi adapter.

Thank you for your prompt replies. It is very simple.
So i am on KDE so my instructions will reflect that, but it should not be important for the issue.
I click on networkmanager in the system tray, then click on the settings button in the upper right corner. Then I click on my wifi access point in the list on the left, then select the tab wi-fi Security. Then in the Security drop down box, I see WPA/WPA2; none; LEAP, WEP and some more, but WPA3 is not an option in the list (I need WPA2/WPA3 mixed mode to not cut all my older WPA2 devices while I test WPA3).
Regarding the supported adapters, it “should” not be a problem, since many WPA2 supported adapters will successfully run WPA3 (as I understand it), though not officially supported - and I would be curious to the mechanics on how NetworkManager chooses if I am on a supported adapter or not. I do not see anyone spending neurons on a supported adapters list, but rather lets people choose an option not supported by their adapter, at the risk of it not working.
In my case i am on iwlwifi and there is no wpa info in the modinfo for that one.
I took the opportunity to upgrade today but no change in the problem

zypper dup

and now i have :

rpm -qa |grep NetworkManager
NetworkManager-openconnect-1.2.6-1.2.x86_64
libKF5NetworkManagerQt6-5.64.0-1.1.x86_64
NetworkManager-branding-openSUSE-42.1-4.16.noarch
NetworkManager-lang-1.18.4-2.2.noarch
NetworkManager-openvpn-lang-1.8.10-1.5.noarch
NetworkManager-openvpn-1.8.10-1.5.x86_64
NetworkManager-pptp-lang-1.2.8-1.6.noarch
NetworkManager-openconnect-lang-1.2.6-1.2.noarch
NetworkManager-pptp-1.2.8-1.6.x86_64
NetworkManager-1.18.4-2.2.x86_64


Regarding the supported adapters, it “should” not be a problem, since many WPA2 supported adapters will successfully run WPA3 (as i understand it),

I would have thought that the requisite driver support would also be required as well to support the wifi device with using WPA3?

I also note that you have not mentioned wpa-supplicant, which would also need to support SAE authentication.

Good point about wpa_supplicant
I have just zypper dup’ed today, so I am on a tumbleweed completely updated including the network repo :

zypper lr
Repository priorities are without effect. All enabled repositories share the same priority.

# | Alias                               | Name                        | Enabled | GPG Check | Refresh
--+-------------------------------------+-----------------------------+---------+-----------+--------
1 | http-download.opensuse.org-22123e64 | network                     | Yes     | (r ) Yes  | Yes    
2 | http-ftp.gwdg.de-189aabdb           | Packman Repository          | Yes     | (r ) Yes  | Yes    
3 | http-opensuse-guide.org-e0cb3c9f    | libdvdcss repository        | Yes     | (r ) Yes  | Yes    
4 | repo-non-oss                        | openSUSE-Tumbleweed-Non-Oss | Yes     | (r ) Yes  | Yes    
5 | repo-oss                            | openSUSE-Tumbleweed-Oss     | Yes     | (r ) Yes  | Yes    
6 | repo-update                         | openSUSE-Tumbleweed-Update  | Yes     | (r ) Yes  | Yes  

here about wpa_supplicant :

 rpm -qi wpa_supplicant
Name        : wpa_supplicant
Version     : 2.9
Release     : 1.1
Architecture: x86_64
Install Date: Sun Nov 17 11:13:44 2019
Group       : Unspecified
Size        : 4907621
License     : BSD-3-Clause AND GPL-2.0-or-later
Signature   : RSA/SHA256, Mon Nov 11 14:45:43 2019, Key ID b88b2fd43dbdc284
Source RPM  : wpa_supplicant-2.9-1.1.src.rpm
Build Date  : Mon Nov 11 14:45:15 2019
Build Host  : lamb11
Relocations : (not relocatable)
Packager    : https://bugs.opensuse.org
Vendor      : openSUSE
URL         : https://w1.fi/wpa_supplicant
Summary     : WPA supplicant implementation
Description :


I have again tried to delete my access point and reconnect to it as new, but also no wpa3 to be found in the security drop down list.

And i notice this all up on top in the changelog of wpa_supplicant :

rpm  -q wpa_supplicant-2.9-1.1 --changelog |less
* Mon Nov 04 2019 Tomáš Chvátal <tchvatal@suse.com>
- Update to 2.9 release:
  * SAE changes
  - disable use of groups using Brainpool curves
  - improved protection against side channel attacks
    [https://w1.fi/security/2019-6/]
  * EAP-pwd changes
  - disable use of groups using Brainpool curves
  - allow the set of groups to be configured (eap_pwd_groups)
  - improved protection against side channel attacks
    [https://w1.fi/security/2019-6/]
  * fixed FT-EAP initial mobility domain association using PMKSA caching
    (disabled by default for backwards compatibility; can be enabled
    with ft_eap_pmksa_caching=1)
  * fixed a regression in OpenSSL 1.1+ engine loading
  * added validation of RSNE in (Re)Association Response frames
  * fixed DPP bootstrapping URI parser of channel list
  * extended EAP-SIM/AKA fast re-authentication to allow use with FILS
  * extended ca_cert_blob to support PEM format
  * improved robustness of P2P Action frame scheduling
  * added support for EAP-SIM/AKA using anonymous@realm identity
  * fixed Hotspot 2.0 credential selection based on roaming consortium
    to ignore credentials without a specific EAP method
  * added experimental support for EAP-TEAP peer (RFC 7170)
  * added experimental support for EAP-TLS peer with TLS v1.3
  * fixed a regression in WMM parameter configuration for a TDLS peer
  * fixed a regression in operation with drivers that offload 802.1X
    4-way handshake
  * fixed an ECDH operation corner case with OpenSSL
  * SAE changes
  - added support for SAE Password Identifier
  - changed default configuration to enable only groups 19, 20, 21
......

2nd update this evening. I tried to create a new Access point allowing only WPA3, and when i see it in the list of access points, when clicking on networkmanager in the systemtray, Just below the access point name, is mentioned the encryption, and for my WPA3 access point it is marked WEP, and if i scan i only see WPA2 as below with no authentication suite (should be PSK or something)


iwlist wlp3s0 scanning |less
......
Channel:36
                    Frequency:5.18 GHz (Channel 36)
                    Quality=59/70  Signal level=-51 dBm  
                    Encryption key:on
                    ESSID:"MyAPWPA3"
                    Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s
                              36 Mb/s; 48 Mb/s; 54 Mb/s
                    Mode:Master
                    Extra:tsf=00000000002ea0e3
                    Extra: Last beacon: 26436ms ago
                    IE: Unknown: 00084D79415057504133
                    IE: Unknown: 01088C129824B048606C
                    IE: Unknown: 030124
                    IE: Unknown: 070A303020240814640B1400
                   ** IE: IEEE 802.11i/WPA2 Version 1**
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : unknown (8)
                    IE: Unknown: 0B050000000000
                    IE: Unknown: 3B028000
                    IE: Unknown: 2D1AEF0117FFFF000000000000000000000100000000000000000000
                    IE: Unknown: 3D1624050400000000000000000000000000000000000000
                    IE: Unknown: 7F080400000200000140
                    IE: Unknown: BF0CB0018031FAFF0000FAFF0000
                    IE: Unknown: C005012A00FCFF
                    IE: Unknown: C30402282828
                    IE: Unknown: DD180050F2020101000003A4000027A4000042435E0062322F00
.....
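
The scan above reports "Authentication Suites (1) : unknown (8)": in the RSN element, AKM suite type 8 under OUI 00-0F-AC is SAE, the WPA3-Personal key management, which this iwlist decoder does not name. The following is an added example, not part of the original posts: a small Python decoder for the RSN element, with two constructed sample elements (a WPA3-only one and a WPA2/WPA3 mixed-mode one) that are assumptions and were not captured from the poster's access point.

```python
import struct

# AKM and cipher suite types under the IEEE OUI 00-0F-AC (IEEE 802.11 RSNE).
AKM = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
       5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
CIPHER = {2: "TKIP", 4: "CCMP", 8: "GCMP", 9: "GCMP-256", 10: "CCMP-256"}
IEEE_OUI = bytes.fromhex("000fac")


def _suite(raw, table):
    """Name a 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if raw[:3] == IEEE_OUI and raw[3] in table:
        return table[raw[3]]
    return "unknown (%s:%d)" % (raw[:3].hex(), raw[3])


def parse_rsne(hexstr):
    """Decode an RSN element given as hex, including its ID/length header."""
    data = bytes.fromhex(hexstr)
    if len(data) < 2 or data[0] != 0x30 or data[1] != len(data) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = data[2:], 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def suite_list(table):
        (count,) = struct.unpack("<H", take(2))
        return [_suite(take(4), table) for _ in range(count)]

    (version,) = struct.unpack("<H", take(2))
    group = _suite(take(4), CIPHER)
    pairwise = suite_list(CIPHER)
    akms = suite_list(AKM)
    # RSN capabilities are optional; bit 6 = MFP required, bit 7 = MFP capable.
    caps = struct.unpack("<H", take(2))[0] if pos < len(body) else 0
    return {"version": version, "group": group, "pairwise": pairwise,
            "akm": akms, "mfp_required": bool(caps & 0x40),
            "mfp_capable": bool(caps & 0x80),
            # True when every advertised AKM is SAE-based (no WPA2-PSK fallback).
            "needs_sae": bool(akms) and all("SAE" in a for a in akms)}


# Constructed samples (assumptions, not captured from the thread's access point).
WPA3_ONLY = "30140100000fac040100000fac040100000fac08c000"
MIXED = "30180100000fac040100000fac040200000fac02000fac088000"
```

When `needs_sae` is true, a client whose supplicant or driver lacks SAE cannot associate at all; in mixed mode it can still fall back to PSK.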

Do we need NetworkManager 1.20 for this?

https://www.mail-archive.com/ftp-release-list@gnome.org/msg29374.html

News

Overview of changes since NetworkManager-1.20.4
===============================================

This is a new stable release of NetworkManager. Notable changes include:

  • Fix crash related to Wi-Fi-P2P.
  • Support rd.znet option in initrd generator to support s390.
  • Fix not creating default-wired-connection when a suitable profile exists
    which is not tied to the device by interface-name.
  • **tui: support WPA3-Personal (SAE).**
  • Fixes for OLPC Mesh Wi-Fi.
  • Various bug fixes. Notably, fix unit test and build issues.

So i dug up a repo with NetworkManager 1.20, and installed with dependencies, and then indeed using nmtui-edit, i now found wpa3 in the security menu, and could configure using wpa3 to connect to my access point - however still could not connect to it using wpa3. I think i need to wait a while for some packages to mature. If anyone mastering the release of the needed packages would like me to test something. Please let me know. For now i will rest my case :slight_smile:
From a philosophic point of view, it is somewhat a shame, there is not a lot more stress to make the wpa3 framework functional, since wpa2 has now proven very fragile:
(I tried to remove the formatting from the below title to not make it stand out, but did not succeed in reasonable time :wink:)
**Breaking WPA2 by forcing nonce reuse**

https://www.krackattacks.com/

I think it is kind of getting embarrassing that wpa3 still does not work - in the meantime i have a brand spanking new Lenovo ThinkPad X1 Extreme 2nd, model 20QVS14E00
and can still not connect to an access point wpa3 that my phone is accessing via WPA3 with no problems

here the network card in my new laptop

*-network
description: Wireless interface
product: Wi-Fi 6 AX200
vendor: Intel Corporation
physical id: 0
bus info: pci@0000:52:00.0
logical name: wlp82s0
version: 1a
serial: <<removed by discretion>>
width: 64 bits
clock: 33MHz
capabilities: pm msi pciexpress msix bus_master cap_list ethernet physical wireless
configuration: broadcast=yes driver=iwlwifi driverversion=5.8.7-1-default firmware=55.d9698065.0 cc-a0-55.ucode latency=0 link=no multicast=yes wireless=IEEE 802.11
resources: irq:18 memory:e8f00000-e8f03fff

and my openSUSE patch level

cat /etc/os-release
NAME="openSUSE Tumbleweed"
VERSION="20200914"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20200914"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20200914"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
LOGO="distributor-logo"

When you say “not proposed” are you saying it’s not an option when you create a new network connection and you inspect the dropdown options in the WiFi security tab?
Or something else?

TSU

I think you should try installing the wpa_supplicant from hardware, or wait until https://build.opensuse.org/request/show/836104 reaches Tumbleweed.

(Unfortunately I don’t own cards suitable to test the theory)

I’ve not yet had an opportunity to test connecting to WPA3 (maybe I’ll have a chance with my new laptop when pandemic restrictions are loosened and I try connecting to more APs),

But supposedly Network Manager first introduced support for WPA3 in 2019 (?) maybe a year earlier. Should be standard in all current Network Manager today.

But, based on an Internet search I do see other articles about wpa_supplicant, slow adoption by hardware vendors, some older hardware upgradeable but not universally… a lot of information of varying reliability.

In any case, if you absolutely know that you’ve deployed a WPA3-Personal (note this is a very specific part of WPA3) on your Access Point and you know your hardware supports WPA3-Personal and has updated firmware, then I’d expect that Network Manager should offer WPA3-Personal as a security option when you create your network connection.

TSU

In my opinion, the problem lies with wpa_supplicant not having SAE enabled during the build.

This has been recently changed and should reach Tumbleweed in a few days.
If you want to test this theory, try installing wpa_supplicant from the hardware project.

Regards

Yeh, I confirm. I can now connect to a WPA3 access point using Tumbleweed. Great!!
Access point running openwrt 19.0.4 on a netgear r6220 just for the records.

cat /etc/os-release
NAME="openSUSE Tumbleweed"
VERSION="20201012"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20201012"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20201012"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Tumbleweed"
LOGO="distributor-logo"