802.11w protected management frames (PMF) support

Hello,

does Turris Omnia support protected management frames (PMF) based on 802.11w?


support: yes
turn-key: no

for starters see https://openwrt.org/docs/user-guide/wifi/wireless.security.8021x

Sorry, but I did not find any information about 802.11w there.

you are right… i was under the impression that wpa-enterprise is a requirement for MFP…

anyways from using google (you’re welcome) i found that you’d need wpad-full as well as set option ieee80211w 2 for the interface.
https://wiki.openwrt.org/doc/uci/wireless

also, your clients have to support it.

maybe i will try it out on the weekend

update: @pepe care to weigh in?

Hello,
regarding both WiFi cards, which we use:

  • Compex WLE900VX for 5 GHz according to data sheet supports IEEE 802.11w.

  • Compex WLE200N2 in driver ath9k supports 802.11w. Couldn’t find mention in datasheet.

But don’t forget also about software.
Support for 802.11w (PMF) is in packages hostapd and wpad, but in OpenWRT you can find support there since version 17.01.

We should have the latest hostapd, so support should be there, but it won’t be user-friendly, because you will need to edit some files to make it work. In Turris OS 4.0, which will be based on OpenWRT (LEDE), there will be a possibility to choose 802.11w in LuCI. :slight_smile:

I’ve set

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'turris 5 Ghz'
        option network 'wifi'
        option encryption 'psk2+ccmp'
        option key 'thisismysecretkey'
        option ieee80211w '2'

on the 5 GHz card but the clients (Pixel 2, Samsung Galaxy S8, Windows 10) couldn’t connect to the wifi anymore.

Is this an issue of the clients or of Turris Omnia? How can we verify this?

same here (but on 2.4ghz)

omnia says:

2018-03-04T13:48:18+01:00 info hostapd[]: wlan1: STA <clientmac> IEEE 802.11: authenticated
2018-03-04T13:48:52+01:00 notice hostapd[]: wlan1: STA <clientmac> IEEE 802.11: did not acknowledge authentication response
2018-03-04T13:53:14+01:00 info hostapd[]: wlan1: STA <clientmac> IEEE 802.11: disassociated due to inactivity
2018-03-04T13:53:15+01:00 info hostapd[]: wlan1: STA <clientmac> IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)

ubuntu says:

Mar  4 15:15:30 scamel wpa_supplicant[1092]: wlp1s0: SME: Trying to authenticate with <mac> (SSID='<ssid>' freq=2462 MHz)
Mar  4 15:15:30 scamel kernel: [16523.831621] wlp1s0: authenticate with <mac>
Mar  4 15:15:30 scamel NetworkManager[851]: <info>  [1520172930.0977] device (wlp1s0): supplicant interface state: disconnected -> authenticating
Mar  4 15:15:30 scamel wpa_supplicant[1092]: wlp1s0: Trying to associate with <mac> (SSID='<ssid>' freq=2462 MHz)
Mar  4 15:15:30 scamel kernel: [16523.839789] wlp1s0: send auth to <mac> (try 1/3)
Mar  4 15:15:30 scamel kernel: [16523.842700] wlp1s0: authenticated
Mar  4 15:15:30 scamel kernel: [16523.842952] wlp1s0: associate with <mac> (try 1/3)
Mar  4 15:15:30 scamel kernel: [16523.846425] wlp1s0: RX AssocResp from <mac> (capab=0x431 status=31 aid=0)
Mar  4 15:15:30 scamel kernel: [16523.846427] wlp1s0: <mac> denied association (code=31)
Mar  4 15:15:30 scamel NetworkManager[851]: <info>  [1520172930.1057] device (wlp1s0): supplicant interface state: authenticating -> associating
Mar  4 15:15:30 scamel wpa_supplicant[1092]: wlp1s0: CTRL-EVENT-ASSOC-REJECT bssid=<mac> status_code=31
Mar  4 15:15:30 scamel wpa_supplicant[1092]: wlp1s0: SME: Deauth request to the driver failed
Mar  4 15:15:30 scamel wpa_supplicant[1092]: wlp1s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="<ssid>" auth_failures=1 duration=10 reason=CONN_FAILED
Mar  4 15:15:30 scamel NetworkManager[851]: <info>  [1520172930.1358] device (wlp1s0): supplicant interface state: associating -> disconnected

update:
i implemented the wpa_key_mgmt=WPA-PSK-SHA256 thing from here https://patchwork.ozlabs.org/patch/630303/
but this made it worse. the network is “greyed out” and the client does not even try to connect.

update-update:
this sounds like it would capture (part of?) the problem https://forum.lede-project.org/t/wpad-802-11w-no-longer-working-in-trunk/7244/23
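
Added example, not part of the original thread: both the kernel and the wpa_supplicant lines in the Ubuntu log above report status 31, which IEEE 802.11 defines as "robust management frame policy violation", meaning the AP refused the association on PMF policy grounds. The Python script below extracts and decodes such rejections from a client log; the function names are hypothetical and the sample lines are copied from the log above with its placeholders kept.

```python
import re

# IEEE 802.11 status codes that matter when debugging PMF (802.11w).
# Only the subset relevant here is listed; anything else is reported as unknown.
STATUS_CODES = {
    30: "association rejected temporarily, try again later",
    31: "robust management frame policy violation",
}

# wpa_supplicant event and kernel mac80211 message, as seen in the thread's log.
PATTERNS = [
    ("wpa_supplicant", re.compile(r"CTRL-EVENT-ASSOC-REJECT .*status_code=(\d+)")),
    ("kernel", re.compile(r"denied association \(code=(\d+)\)")),
]

def find_rejections(lines):
    """Return (source, code, meaning) for every association rejection found."""
    hits = []
    for line in lines:
        for source, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                code = int(match.group(1))
                hits.append((source, code, STATUS_CODES.get(code, "unknown")))
    return hits

def pmf_policy_mismatch(lines):
    """True when the AP refused the client for a PMF policy reason (code 31)."""
    return any(code == 31 for _, code, _ in find_rejections(lines))

# Sample input: lines from the Ubuntu log posted above, placeholders kept.
SAMPLE = [
    "Mar  4 15:15:30 scamel kernel: [16523.842700] wlp1s0: authenticated",
    "Mar  4 15:15:30 scamel kernel: [16523.846427] wlp1s0: <mac> denied association (code=31)",
    "Mar  4 15:15:30 scamel wpa_supplicant[1092]: wlp1s0: CTRL-EVENT-ASSOC-REJECT bssid=<mac> status_code=31",
]

if __name__ == "__main__":
    for source, code, meaning in find_rejections(SAMPLE):
        print(f"{source}: status {code} = {meaning}")
    print("PMF policy mismatch:", pmf_policy_mismatch(SAMPLE))
```

In OpenWrt, `option ieee80211w '2'` makes PMF required, while `'1'` makes it optional, so a code 31 rejection points at a client that did not negotiate PMF against an AP that demands it.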

hard to say …

i have a recent business laptop with intel wifi and recent linux version, so i expect it to be working in Turris 4.0 :wink: @pepe