Posts: 13,426
Threads: 304
Joined: Mar 2018
Reputation:
545
(02-16-2023, 09:23 PM)adam_zzz Wrote: Ok, so I tried again Tim's suggestion to add the extra parameters to the wpa_supplicant.conf mentioned here:
https://github.com/raspberrypi/linux/iss...1279951709
I've added these 2 lines and with my router set to WPA2-PSK/WPA3-SAE all is well, it was able to connect after restart:
Code: key_mgmt=WPA-PSK-SHA256
ieee80211w=2
Maybe an improvement for Moode would be to be able to select WPA2-PSK/WPA3-SAE in the dropdown and update wpa_supplicant.conf with these 2 lines when selected...
For sure. I'll add to the TODO list for upcoming 8.3.0.
Btw, thanks for all the testing :-)
Posts: 20
Threads: 1
Joined: Feb 2023
Reputation:
0
(02-16-2023, 10:23 PM)TheOldPresbyope Wrote: So it's actually working the way it's supposed to. I thought that wasn't the case.
For reference, the ever helpful Arch LInux wiki wpa_supplicant page gives exactly the same instructions for connections to mixed WPA2-PSK/WPA3-SAE access points so it's not just a Pi thing.
Regards,
Kent Indeed, and even a different way for pure WPA3-SAE access points, where it asks for clear text password
I'm starting to believe that this is a problem with devices relying on wpa_supplicant, maybe the ones that didn't require any extra configuration were using a different tool to manage wi-fi, after all when I checked in Kerberos.io that file was almost empty.
Or maybe previous firmware versions were able to handle it without explicit configuration.
Going to try again in the weekend and get to the bottom of this...
But to me this seems like a bug in wpa_supplicant more than "working the way it's supposed to" since all the other devices and SOs are smart enough to detect what encryption to use...
Posts: 20
Threads: 1
Joined: Feb 2023
Reputation:
0
(02-16-2023, 10:56 PM)Tim Curtis Wrote: (02-16-2023, 09:23 PM)adam_zzz Wrote: Ok, so I tried again Tim's suggestion to add the extra parameters to the wpa_supplicant.conf mentioned here:
https://github.com/raspberrypi/linux/iss...1279951709
I've added these 2 lines and with my router set to WPA2-PSK/WPA3-SAE all is well, it was able to connect after restart:
Code: key_mgmt=WPA-PSK-SHA256
ieee80211w=2
Maybe an improvement for Moode would be to be able to select WPA2-PSK/WPA3-SAE in the dropdown and update wpa_supplicant.conf with these 2 lines when selected...
For sure. I'll add to the TODO list for upcoming 8.3.0.
Btw, thanks for all the testing :-)
No problem, let me know if I can help with testing or otherwise.
I'm still evaluating Moode myself (being a Volumio user for a few years...) and so far I like it so I'm glad to contribute!
Posts: 6,024
Threads: 176
Joined: Apr 2018
Reputation:
235
(02-17-2023, 06:07 AM)adam_zzz Wrote: (02-16-2023, 10:23 PM)TheOldPresbyope Wrote: So it's actually working the way it's supposed to. I thought that wasn't the case.
For reference, the ever helpful Arch LInux wiki wpa_supplicant page gives exactly the same instructions for connections to mixed WPA2-PSK/WPA3-SAE access points so it's not just a Pi thing.
Regards,
Kent Indeed, and even a different way for pure WPA3-SAE access points, where it asks for clear text password
I'm starting to believe that this is a problem with devices relying on wpa_supplicant, maybe the ones that didn't require any extra configuration were using a different tool to manage wi-fi, after all when I checked in Kerberos.io that file was almost empty.
Or maybe previous firmware versions were able to handle it without explicit configuration.
Going to try again in the weekend and get to the bottom of this...
But to me this seems like a bug in wpa_supplicant more than "working the way it's supposed to" since all the other devices and SOs are smart enough to detect what encryption to use...
At this point, I'm not yet convinced it is a bug in wpa_supplicant per se but in the way it's built/and or configured. It's ubiquitous in Linux-based systems including Android and I see that recent Android releases explicitly claim they support the various WPA3 modes including this mixed WPA2/WPA3 mode (aka transition mode in some of the things read).
In any case, you're the man of the hour for bringing up the issue and doing the digging. Without a suitable WiFi testbed, either a commercial router or a openwrt install, I'm not in a position to do what you can do.
F
Sadly, the documentation of the WiFi subsystem of Linux is as obscurely documented as the ALSA subsystem. If you like waltzing through alphabet soup, have a look at the wpa_supplicant.conf docs: /usr/share/doc/wpa_supplicant/examples/wpa_supplicant.conf
Regards,
Kent
Posts: 20
Threads: 1
Joined: Feb 2023
Reputation:
0
02-18-2023, 05:38 AM
(This post was last modified: 02-18-2023, 01:25 PM by adam_zzz.)
(02-17-2023, 06:35 PM)TheOldPresbyope Wrote: At this point, I'm not yet convinced it is a bug in wpa_supplicant per se but in the way it's built/and or configured. It's ubiquitous in Linux-based systems including Android and I see that recent Android releases explicitly claim they support the various WPA3 modes including this mixed WPA2/WPA3 mode (aka transition mode in some of the things read).
In any case, you're the man of the hour for bringing up the issue and doing the digging. Without a suitable WiFi testbed, either a commercial router or a openwrt install, I'm not in a position to do what you can do.
F
Sadly, the documentation of the WiFi subsystem of Linux is as obscurely documented as the ALSA subsystem. If you like waltzing through alphabet soup, have a look at the wpa_supplicant.conf docs: /usr/share/doc/wpa_supplicant/examples/wpa_supplicant.conf
Regards,
Kent
Thanks, haven't checked the docs yet, but it would be amazing if you could add a flag to the network so it goes through all encryption methods from most secure to least until it finds a match.
I have achieved the same effect though with priorities in wpa_supplicant.conf. I was assuming the priority flag is for when you have different networks and want to have a fallback in case one is down, but you can also configure the same network multiple times just for different encryptions giving priority to the most secure.
This will make it easier for a new user to set up Moode since they wouldn't need to go and check in their router to find out what to chose from the dropdown, or have to try each option and restart multiple times until they get it right.
I've tested the below and seems to be working fine for all the different encryption methods, everything except WPA3-SAE, that one not only it didn't work for me (I've tried the example from the ArchLinux website) but it wouldn't try the next priority in line either, instead the Moode's access point popped up, so I had to comment it.
I'll have to dig deeper and maybe do the ethernet cable trick again to be able to see what's happening with WPA3-SAE, maybe some other time.
But this should already be an improvement to the solution I've suggested before of adding a new dropdown option in the UI.
Maybe one of you can also test it and see if it doesn't blow up when your router doesn't support WPA2-PSK/WPA3-SAE mixed mode
Code: #pure WPA3-SAE
#network={
#ssid="HOMENETWORK"
#key_mgmt=SAE
#priority=110
#scan_ssid=1
#sae_password="clearTextPassword"
#ieee80211w=2
#}
#WPA2-PSK/WPA3-SAE mixed mode
network={
ssid="HOMENETWORK"
key_mgmt=WPA-PSK-SHA256
priority=109
scan_ssid=1
psk=psk
ieee80211w=2
}
#WPA/WPA2-PSK mixed mode or pure WPA or pure WPA2-PSK
network={
ssid="HOMENETWORK"
key_mgmt=WPA-PSK
priority=108
scan_ssid=1
psk=psk
}
#No encryption
network={
ssid="HOMENETWORK"
key_mgmt=NONE
priority=-999
scan_ssid=1
}
Edit: The options could also be placed in the same network section, separated by space, see "Catch all" example here: https://linux.die.net/man/5/wpa_supplicant.conf
This works well with my Router, the same as with the config with priorities above, I was able to connect to most of the encryption methods on my router except for WPA3. The global pmf=1 is to handle the different ieee80211w settings in the network section.
Code: country=NL
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
pmf=1
#Catch all
network={
ssid="HOMENETWORK"
scan_ssid=1
key_mgmt=WPA-EAP WPA-PSK-SHA256 WPA-PSK IEEE8021X NONE
pairwise=CCMP TKIP NONE
group=CCMP TKIP WEP104 WEP40
psk=psk
eap=TTLS PEAP TLS
}
Edit 2: ChatGPT suggested to use this for WPA3-SAE, I'm not sure if it is correct and I don't think the Raspberry Pi supports WPA3 so not sure if it's worth to add it but at least with this one Moode access point doesn't start and it will try the next priority and connect successfully to the others.
Code: network={
ssid="your_network_name"
key_mgmt=WPA-PSK
proto=RSN
pairwise=CCMP
group=CCMP
psk="your_network_password"
}
Posts: 6,024
Threads: 176
Joined: Apr 2018
Reputation:
235
02-18-2023, 01:40 PM
(This post was last modified: 02-18-2023, 01:44 PM by TheOldPresbyope.)
+1
Away from my desk ATM but I think you have it. Will test later.
Regards,
Kent
ETA - your Edit 2 seems wrong because it specifies key_mgmt=PSK for an SAE connection.
Posts: 20
Threads: 1
Joined: Feb 2023
Reputation:
0
02-18-2023, 05:52 PM
(This post was last modified: 02-18-2023, 06:23 PM by adam_zzz.)
(02-18-2023, 01:40 PM)TheOldPresbyope Wrote: +1
Away from my desk ATM but I think you have it. Will test later.
Regards,
Kent
ETA - your Edit 2 seems wrong because it specifies key_mgmt=PSK for an SAE connection.
True, there should be another parameter wps_cred_add_sae (see this comment https://forums.raspberrypi.com/viewtopic...1#p1798281)
This one is missing from the Raspbian OS/Debian that moOde is based on, it seems to be one version behind.
Code: pi@moode:~ $ wpa_supplicant -v
wpa_supplicant v2.9
Copyright (c) 2003-2019, Jouni Malinen <j@w1.fi> and contributors
Here you can see that there is a newer version available v2.10 from 2022, maybe the WPA3 issue is solved in this version: https://w1.fi/releases.html
Does anyone know how to upgrade the version of wpa_supplicant to v2.10?
I tried sudo apt-get upgrade wpasupplicant but it's telling me "wpasupplicant is already the newest version (2:2.9.0-21)."
Edit: Right, so v2.10 is included in Debian Bullseye the testing/unstable version so not yet on the stable... https://manpages.debian.org/testing/wpas....8.en.html
Edit 2: This also doesn't return anything so I think it's safe to say for now there is no point trying to connect to WPA3
Posts: 6,024
Threads: 176
Joined: Apr 2018
Reputation:
235
02-18-2023, 06:39 PM
(This post was last modified: 02-18-2023, 06:40 PM by TheOldPresbyope.
Edit Reason: fix the inevitable typo
)
@ adam_zzz
@ Tim Curtis
So I skimmed through the fully annotated 1920-line file /usr/share/doc/wpa_supplicant/examples/wpa_supplicant.conf I mentioned before and concluded this single network configuration stanza should allow my moOde player to connect to my WPA2-PSK router and---in principle!---should work for your mixed-mode WPA2-PSK/WPA3-SAE router too. It obviously builds on some points you brought up.
Code: #########################################
# This file is automatically generated by
# the player Network configuration page.
#########################################
country=US
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
network={
ssid="<my AP>"
priority=100
# allow for either WPA2-PSK or mixed WPA2-PSK/WPA3-SAE using only PSK
key_mgmt=WPA-PSK WPA-PSK-SHA256
scan_ssid=1
psk=<my psk>
# WPA2-PSK router never uses ieee80211w
# mixed-mode WPA2-PSK/WPA3-SAE router apparently always uses ieee80211w
# so make it optional
ieee80211w=1
}
I created a rough-n-ready testbed by hooking the moOde player up to the router via Ethernet, ssh'ing into it, and playing games with wpa_supplicant.conf settings. After each change, I'd kill the wpa_supplicant process and restart it from the command line, e.g.,
Code: sudo killall wpa_supplicant
sudo wpa_supplicant -B -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf
The stanza shown above works with my moOde player connecting with my WPA2-PSK router. Whether with the original wpa_supplicant.conf in moOde 8.2.5 or with this one, I see the same output if I ask wpa_cli to show the connection status:
Code: pi@m825p3bp:~ $ wpa_cli -iwlan0 status
bssid=<elided>
freq=5220
ssid=<elided>
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2-PSK
wpa_state=COMPLETED
ip_address=10.0.0.10
p2p_device_address=<elided>
address=<elided>
uuid=<elided>
ieee80211ac=1
Other tools show similar results.
A quick test shows that I fail to connect if ieee80211w=2.
Let me know if this single stanza works for you too. It would greatly simplify Tim's coding burden.
Personal - I deliberately left out pure WPA3-SAE because we have nothing to test it against and I can't bring myself to suggest allowing unprotected or known to be vulnerable modes.
Regards,
Kent
PS - I wrote this before you posted but got interrupted.
Posts: 13,426
Threads: 304
Joined: Mar 2018
Reputation:
545
(02-18-2023, 05:38 AM)adam_zzz Wrote: (02-17-2023, 06:35 PM)TheOldPresbyope Wrote: At this point, I'm not yet convinced it is a bug in wpa_supplicant per se but in the way it's built/and or configured. It's ubiquitous in Linux-based systems including Android and I see that recent Android releases explicitly claim they support the various WPA3 modes including this mixed WPA2/WPA3 mode (aka transition mode in some of the things read).
In any case, you're the man of the hour for bringing up the issue and doing the digging. Without a suitable WiFi testbed, either a commercial router or a openwrt install, I'm not in a position to do what you can do.
F
Sadly, the documentation of the WiFi subsystem of Linux is as obscurely documented as the ALSA subsystem. If you like waltzing through alphabet soup, have a look at the wpa_supplicant.conf docs: /usr/share/doc/wpa_supplicant/examples/wpa_supplicant.conf
Regards,
Kent
Thanks, haven't checked the docs yet, but it would be amazing if you could add a flag to the network so it goes through all encryption methods from most secure to least until it finds a match.
I have achieved the same effect though with priorities in wpa_supplicant.conf. I was assuming the priority flag is for when you have different networks and want to have a fallback in case one is down, but you can also configure the same network multiple times just for different encryptions giving priority to the most secure.
This will make it easier for a new user to set up Moode since they wouldn't need to go and check in their router to find out what to chose from the dropdown, or have to try each option and restart multiple times until they get it right.
I've tested the below and seems to be working fine for all the different encryption methods, everything except WPA3-SAE, that one not only it didn't work for me (I've tried the example from the ArchLinux website) but it wouldn't try the next priority in line either, instead the Moode's access point popped up, so I had to comment it.
I'll have to dig deeper and maybe do the ethernet cable trick again to be able to see what's happening with WPA3-SAE, maybe some other time.
But this should already be an improvement to the solution I've suggested before of adding a new dropdown option in the UI.
Maybe one of you can also test it and see if it doesn't blow up when your router doesn't support WPA2-PSK/WPA3-SAE mixed mode
Code: #pure WPA3-SAE
#network={
#ssid="HOMENETWORK"
#key_mgmt=SAE
#priority=110
#scan_ssid=1
#sae_password="clearTextPassword"
#ieee80211w=2
#}
#WPA2-PSK/WPA3-SAE mixed mode
network={
ssid="HOMENETWORK"
key_mgmt=WPA-PSK-SHA256
priority=109
scan_ssid=1
psk=psk
ieee80211w=2
}
#WPA/WPA2-PSK mixed mode or pure WPA or pure WPA2-PSK
network={
ssid="HOMENETWORK"
key_mgmt=WPA-PSK
priority=108
scan_ssid=1
psk=psk
}
#No encryption
network={
ssid="HOMENETWORK"
key_mgmt=NONE
priority=-999
scan_ssid=1
}
Edit: The options could also be placed in the same network section, separated by space, see "Catch all" example here: https://linux.die.net/man/5/wpa_supplicant.conf
This works well with my Router, the same as with the config with priorities above, I was able to connect to most of the encryption methods on my router except for WPA3. The global pmf=1 is to handle the different ieee80211w settings in the network section.
Code: country=NL
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
pmf=1
#Catch all
network={
ssid="HOMENETWORK"
scan_ssid=1
key_mgmt=WPA-EAP WPA-PSK-SHA256 WPA-PSK IEEE8021X NONE
pairwise=CCMP TKIP NONE
group=CCMP TKIP WEP104 WEP40
psk=psk
eap=TTLS PEAP TLS
}
Edit 2: ChatGPT suggested to use this for WPA3-SAE, I'm not sure if it is correct and I don't think the Raspberry Pi supports WPA3 so not sure if it's worth to add it but at least with this one Moode access point doesn't start and it will try the next priority and connect successfully to the others.
Code: network={
ssid="your_network_name"
key_mgmt=WPA-PSK
proto=RSN
pairwise=CCMP
group=CCMP
psk="your_network_password"
}
Going forward the list should be like below. I'm not sure why "No security" is still in the list. It should prolly be deleted.
WPA2-Personal
WPA3-Personal Transition Mode
No Security
I don't think it will be difficult to pick the right protocol because the vast majority of Routers only support WPA2. When WPA3 becomes more prevalent then the word will get out and people will start looking for it in the products they use.
The idea for automated protocol selection is prolly good as long as the process doesn't take too long. I'll add to the TODO list.
Posts: 20
Threads: 1
Joined: Feb 2023
Reputation:
0
02-18-2023, 07:30 PM
(This post was last modified: 02-18-2023, 07:46 PM by adam_zzz.)
@ TheOldPresbyope
@ Tim Curtis
I think the solution from the last post of @ TheOldPresbyope is the cleanest and I just checked, it works also for my router's WPA2-PSK/WPA3-SAE mixed mode, good catch to make ieee80211w optional, I had the impression that it has to be 2 for the mixed mode to work.
But is there a reason why "WPA-PSK WPA-PSK-SHA256" and not "WPA-PSK-SHA256 WPA-PSK" ? is WPA-PSK more secure than WPA-PSK-SHA256? I'm still a bit confused why a different config is needed in order for the WPA2-PSK/WPA3-SAE mixed mode... but I understand also that most users will have WPA2-PSK in their router so it makes sense to try with that first.
I've added No Security as a fallback to prove that it can also be handled by wpa_supplicant so there wouldn't be a need for the Security dropdown in moOde's network config anymore, but of course it's up to you if you want to include it.
I wouldn't say it's taking too long, after changing my router's config moOde is back online in ~10 seconds.
Fully agree on the WPA3, it's not worth to consider it for now.
Edit: By testing I mean I changed the wpa_supplicant and restarted moOde, I haven't done the ethernet wire thing
|