Hello
So I wanted to look at WPA3.
Added and configured WPA3 on my access point, and zypper dup on Tumbleweed to have NetworkManager 1.18.4 (supposedly proposing WPA3).
My network card is an Intel 7260, only certified WPA2, but the certification dates from before WPA3 was born, and WPA3 “should” be a question of software. So I hoped to be in range of WPA3. But when I go to NetworkManager, Wi-Fi security, I do not see WPA3 proposed in the dropdown list. For fun, and to avoid the eternal KDE/Gnome discussion, I also looked in nmtui-edit, and still no WPA3. I am sure it is there somewhere. What did I miss?
Thank you for your prompt replies. It is very simple.
So I am on KDE, so my instructions will reflect that, but it should not be important for the issue.
I click on NetworkManager in the system tray, then click on the settings button in the upper right corner. Then I click on my Wi-Fi access point in the list on the left, then select the tab Wi-Fi Security. Then in the Security drop-down box, I see WPA/WPA2; none; LEAP, WEP and some more, but WPA3 is not an option in the list (I need WPA2/WPA3 mixed mode to not cut all my older WPA2 devices while I test WPA3).
Regarding the supported adapters, it “should” not be a problem, since many WPA2 supported adapters will successfully run WPA3 (as I understand it), though not officially supported - and I would be curious about the mechanics of how NetworkManager chooses if I am on a supported adapter or not. I do not see anyone spending neurons on a supported adapters list, but rather letting people choose an option not supported by their adapter, at the risk of it not working.
In my case I am on iwlwifi and there is no WPA info in the modinfo for that one.
I took the opportunity to upgrade today, but no change in the problem.
```
rpm -qi wpa_supplicant
Name : wpa_supplicant
Version : 2.9
Release : 1.1
Architecture: x86_64
Install Date: Sun Nov 17 11:13:44 2019
Group : Unspecified
Size : 4907621
License : BSD-3-Clause AND GPL-2.0-or-later
Signature : RSA/SHA256, Mon Nov 11 14:45:43 2019, Key ID b88b2fd43dbdc284
Source RPM : wpa_supplicant-2.9-1.1.src.rpm
Build Date : Mon Nov 11 14:45:15 2019
Build Host : lamb11
Relocations : (not relocatable)
Packager : https://bugs.opensuse.org
Vendor : openSUSE
URL : https://w1.fi/wpa_supplicant
Summary : WPA supplicant implementation
Description :
```
I have again tried to delete my access point and reconnect to it as new, but also no WPA3 to be found in the security drop-down list.
And I notice this right at the top of the changelog of wpa_supplicant:
```
rpm -q wpa_supplicant-2.9-1.1 --changelog |less
* Mon Nov 04 2019 Tomáš Chvátal <tchvatal@suse.com>
- Update to 2.9 release:
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- allow the set of groups to be configured (eap_pwd_groups)
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
(disabled by default for backwards compatibility; can be enabled
with ft_eap_pmksa_caching=1)
* fixed a regression in OpenSSL 1.1+ engine loading
* added validation of RSNE in (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
* extended ca_cert_blob to support PEM format
* improved robustness of P2P Action frame scheduling
* added support for EAP-SIM/AKA using anonymous@realm identity
* fixed Hotspot 2.0 credential selection based on roaming consortium
to ignore credentials without a specific EAP method
* added experimental support for EAP-TEAP peer (RFC 7170)
* added experimental support for EAP-TLS peer with TLS v1.3
* fixed a regression in WMM parameter configuration for a TDLS peer
* fixed a regression in operation with drivers that offload 802.1X
4-way handshake
* fixed an ECDH operation corner case with OpenSSL
* SAE changes
- added support for SAE Password Identifier
- changed default configuration to enable only groups 19, 20, 21
......
```
2nd update this evening. I tried to create a new access point allowing only WPA3, and when I see it in the list of access points, when clicking on NetworkManager in the system tray, just below the access point name the encryption is mentioned, and for my WPA3 access point it is marked WEP, and if I scan I only see WPA2 as below with no authentication suite (should be PSK or something).
Overview of changes since NetworkManager-1.20.4
===============================================

This is a new stable release of NetworkManager. Notable changes include:

* Fix crash related to Wi-Fi-P2P.
* Support rd.znet option in initrd generator to support s390.
* Fix not creating default-wired-connection when a suitable profile exists
  which is not tied to the device by interface-name.
* **tui: support WPA3-Personal (SAE).**
* Fixes for OLPC Mesh Wi-Fi.
* Various bug fixes. Notably, fix unit test and build issues.
So I dug up a repo with NetworkManager 1.20, and installed it with dependencies, and then indeed, using nmtui-edit, I now found WPA3 in the security menu, and could configure using WPA3 to connect to my access point - however I still could not connect to it using WPA3. I think I need to wait a while for some packages to mature. If anyone mastering the release of the needed packages would like me to test something, please let me know. For now I will rest my case.
From a philosophic point of view, it is somewhat a shame that there is not a lot more stress on making the WPA3 framework functional, since WPA2 has now proven very fragile:
(I tried to remove the formatting from the title below to not make it stand out, but did not succeed in reasonable time)
**Breaking WPA2 by forcing nonce reuse**
I think it is kind of getting embarrassing that WPA3 still does not work - in the meantime I have a brand spanking new Lenovo ThinkPad X1 Extreme 2nd, model 20QVS14E00,
and still cannot connect to a WPA3 access point that my phone is accessing via WPA3 with no problems.
When you say “not proposed” are you saying it’s not an option when you create a new network connection and you inspect the dropdown options in the WiFi security tab?
Or something else?
I’ve not yet had an opportunity to test connecting to WPA3 (maybe I’ll have a chance with my new laptop when pandemic restrictions are loosened and I try connecting to more APs),
But supposedly Network Manager first introduced support for WPA3 in 2019 (?) maybe a year earlier. Should be standard in all current Network Manager today.
But, based on an Internet search I do see other articles about wpa_supplicant, slow adoption by hardware vendors, some older hardware upgradeable but not universally… a lot of information of varying reliability.
In any case, if you absolutely know that you’ve deployed WPA3-Personal (note this is a very specific part of WPA3) on your Access Point and you know your hardware supports WPA3-Personal and has updated firmware, then I’d expect that Network Manager should offer WPA3-Personal as a security option when you create your network connection.
In my opinion, the problem lies with wpa_supplicant not having SAE enabled during the build.
This has been recently changed and should reach Tumbleweed in a few days.
If you want to test this theory, try installing wpa_supplicant from the hardware project.
Yeh, I confirm. I can now connect to a WPA3 access point using Tumbleweed. Great!!
Access point running openwrt 19.0.4 on a netgear r6220 just for the records.
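
Related to the scan step and the WPA2/WPA3 mixed-mode setup discussed in this thread, the following is an added example, not code from any of the posters: it classifies what each access point actually advertises from `iw dev <iface> scan` output. The interface name `wlan0`, the SSIDs and the BSSIDs are constructed, and it is an assumption that an `iw` build that does not know a suite name prints it in the numeric `00-0f-ac:N` form.

```shell
# Added example: classify networks in `iw dev <iface> scan` output (stdin) by RSN AKM suites.
classify_scan() {
    awk '
    function flush() {
        if (ssid == "") return      # nothing parsed yet, or hidden SSID
        if (sae && psk)  mode = "WPA2/WPA3-transition"
        else if (sae)    mode = "WPA3-SAE-only"
        else if (psk)    mode = "WPA2-PSK"
        else if (rsn)    mode = "RSN-other"
        else             mode = "no-RSN"
        print ssid, mode
    }
    /^BSS /         { flush(); ssid = ""; sae = psk = rsn = in_rsn = 0; next }
    /^[ \t]+SSID: / { sub(/^[ \t]+SSID: /, ""); ssid = $0; in_rsn = 0; next }
    # Element headers are indented and do not start with "*"; only RSN counts, legacy WPA is ignored.
    /^[ \t]+[^ \t*]/ { in_rsn = ($1 == "RSN:"); if (in_rsn) rsn = 1; next }
    in_rsn && /Authentication suites:/ {
        line = tolower($0); sub(/.*authentication suites:[ \t]*/, "", line)
        n = split(line, t, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (t[i] == "sae" || t[i] == "00-0f-ac:8") sae = 1   # AKM 8 = SAE
            else if (t[i] ~ /^psk/ || t[i] ~ /^00-0f-ac:[26]$/) psk = 1
        }
    }
    END { flush() }'
}
sample_scan() {   # constructed sample, not captured from a real access point
cat <<'EOF'
BSS 02:00:00:00:00:01(on wlan0)
    SSID: lab-wpa3
    RSN:     * Version: 1
         * Authentication suites: SAE
BSS 02:00:00:00:00:02(on wlan0)
    SSID: lab-mixed
    RSN:     * Version: 1
         * Authentication suites: PSK 00-0f-ac:8
BSS 02:00:00:00:00:03(on wlan0)
    SSID: lab-wpa2
    RSN:     * Version: 1
         * Authentication suites: PSK
BSS 02:00:00:00:00:04(on wlan0)
    SSID: lab-legacy
    WPA:     * Version: 1
         * Authentication suites: PSK
EOF
}
# Real use (interface name is an assumption): iw dev wlan0 scan | classify_scan
sample_scan | classify_scan
```

A network reported as `WPA2/WPA3-transition` still accepts WPA2-PSK clients, so a client that lacks SAE support will connect to it with WPA2 rather than fail.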