Posts: 13,443
Threads: 305
Joined: Mar 2018
Reputation:
545
02-18-2023, 08:41 PM
(This post was last modified: 02-18-2023, 08:41 PM by Tim Curtis.)
You mean add the two lines below to the network block?
key_mgmt=WPA-PSK WPA-PSK-SHA256
ieee80211w=1
And then user no longer has to choose a security protocol?
Assume the "No security" option is removed.
That would be nice :-)
Posts: 20
Threads: 1
Joined: Feb 2023
Reputation:
0
(02-18-2023, 08:41 PM)Tim Curtis Wrote: You mean add the two lines below to the network block?
key_mgmt=WPA-PSK WPA-PSK-SHA256
ieee80211w=1
And then user no longer has to choose a security protocol?
Assume the "No security" option is removed.
That would be nice :-)
Those 2 lines should handle most of the security protocols (except WPA3-SAE) so the user doesn't need to chose from a dropdown.
Then you would need to provide a way for the user to use no security, like a checkbox, but I think this also shouldn't be needed if you put NONE as a last fallback in wpa_supplicant. So in theory what they fill in for the Password wouldn't matter, if they actually don't use any security then it will try and fail the security options and eventually end up on NONE anyways and connect successfully to No security. (I haven't tested this scenario yet but I don't see why it wouldn't work)
Code: key_mgmt=WPA-PSK WPA-PSK-SHA256 NONE
ieee80211w=1
The only disadvantage that I see is that it won't be as clear to the user when they are connecting to an unsecure network, so probably this needs to be explained somehow in the UI.
Posts: 13,443
Threads: 305
Joined: Mar 2018
Reputation:
545
(02-18-2023, 09:53 PM)adam_zzz Wrote: (02-18-2023, 08:41 PM)Tim Curtis Wrote: You mean add the two lines below to the network block?
key_mgmt=WPA-PSK WPA-PSK-SHA256
ieee80211w=1
And then user no longer has to choose a security protocol?
Assume the "No security" option is removed.
That would be nice :-)
Those 2 lines should handle most of the security protocols (except WPA3-SAE) so the user doesn't need to chose from a dropdown.
Then you would need to provide a way for the user to use no security, like a checkbox, but I think this also shouldn't be needed if you put NONE as a last fallback in wpa_supplicant. So in theory what they fill in for the Password wouldn't matter, if they actually don't use any security then it will try and fail the security options and eventually end up on NONE anyways and connect successfully to No security. (I haven't tested this scenario yet but I don't see why it wouldn't work)
Code: key_mgmt=WPA-PSK WPA-PSK-SHA256 NONE
ieee80211w=1
The only disadvantage that I see is that it won't be as clear to the user when they are connecting to an unsecure network, so probably this needs to be explained somehow in the UI.
That would be confusing.
I like the idea of automatic protocol handling (we do a bit of this in our Samba SCAN) but I also want the user to know that a secure WiFI protocol is being used. Maybe having explicit choices is still best.
WPA2-Personal
WPA3-Personal Transition Mode
No Security
Posts: 20
Threads: 1
Joined: Feb 2023
Reputation:
0
(02-18-2023, 11:02 PM)Tim Curtis Wrote: (02-18-2023, 09:53 PM)adam_zzz Wrote: (02-18-2023, 08:41 PM)Tim Curtis Wrote: You mean add the two lines below to the network block?
key_mgmt=WPA-PSK WPA-PSK-SHA256
ieee80211w=1
And then user no longer has to choose a security protocol?
Assume the "No security" option is removed.
That would be nice :-)
Those 2 lines should handle most of the security protocols (except WPA3-SAE) so the user doesn't need to chose from a dropdown.
Then you would need to provide a way for the user to use no security, like a checkbox, but I think this also shouldn't be needed if you put NONE as a last fallback in wpa_supplicant. So in theory what they fill in for the Password wouldn't matter, if they actually don't use any security then it will try and fail the security options and eventually end up on NONE anyways and connect successfully to No security. (I haven't tested this scenario yet but I don't see why it wouldn't work)
Code: key_mgmt=WPA-PSK WPA-PSK-SHA256 NONE
ieee80211w=1
The only disadvantage that I see is that it won't be as clear to the user when they are connecting to an unsecure network, so probably this needs to be explained somehow in the UI.
That would be confusing.
I like the idea of automatic protocol handling (we do a bit of this in our Samba SCAN) but I also want the user to know that a secure WiFI protocol is being used. Maybe having explicit choices is still best.
WPA2-Personal
WPA3-Personal Transition Mode
No Security
I understand if you want to make it clear for the user what security they are using but in that case maybe those 3 options wouldn't be enough and it would require more coding.
- Would WPA1 and WPA1/WPA2 mixed mode still be supported? Keep in mind with those 2 lines suggested it will still connect to WPA1 and WPA1/WPA2 mixed mode.
- WPA3-Personal Transition Mode gives a false sense of security, it gives you the feeling that it would use WPA3 when possible but that will never happen since Raspberry PI doesn't support it so it will actually use WPA2.
When WPA3 starts being supported by Raspbian OS, your option would still be misleading unless you update the config to support it in wpa_supplicant.
- There are less secure cyphers that will still work with the 2 lines (TKIP) and this is not visible to the user.
Maybe I'm a bit biased, but I would be satisfied with a message saying something like "moOde will make an effort to connect to the most secure protocol supported by your router, if your router has no security or week security it will use that. WPA3 is not yet supported in Raspberry PIs."
So I would only have to enter an SSID and optional Password. Ideally whatever moOde/my router negotiated you should inform the user in the UI (wireless section), and for the cases when week or no security was negotiated, a warning message should be displayed.
It shouldn't be too hard to find out and display the protocol used:
Code: wpa_cli -i wlan0 status
Posts: 13,443
Threads: 305
Joined: Mar 2018
Reputation:
545
The current listed protocol options are below and they have worked for many years.
WPA/WPA2-Personal
No security
The proposal is to add "WPA3-Personal Transition Mode" to the list so that Pi can connect to Routers configured in WPA2/WPA3 mixed mode. Anyone that configures a Router that way should know whats going on.
When RaspiOS gets around to supporting WPA3 the protocol options can be revisited.
It's really not any more complex than that.
Posts: 6,029
Threads: 177
Joined: Apr 2018
Reputation:
235
(02-19-2023, 01:18 PM)Tim Curtis Wrote: The current listed protocol options are below and they have worked for many years.
WPA/WPA2-Personal
No security
The proposal is to add "WPA3-Personal Transition Mode" to the list so that Pi can connect to Routers configured in WPA2/WPA3 mixed mode. Anyone that configures a Router that way should know whats going on.
When RaspiOS gets around to supporting WPA3 the protocol options can be revisited.
It's really not any more complex than that.
Agreed. That's all I was trying to demonstrate could be done and it seems that it can be done with no user-selection at all. From what we've done, I don't see a compelling reason to get baroque with this. At most, I'd add a line about moOde can't connect to a WPA3 router unless that router can and is configured to support the WPA2/WPA3 mixed-mode aka transition-mode.
Remember, all we're doing is telling moOde what security protocols and what encryption methods it's allowed to use, either because we haven't specified a configuration option for which there is a default value/s or because we have restricted a configuration option to one or more values. It's the router which dictates which can actually be used so the two negotiate to a mutually agreeable set (similar to what Samba does). I'm not the expert here, but AIUI they negotiate to the highest mutually available set.
As an aside, don't mix up security protocols (WEP, WPA, WPA2, WPA3), encryption protocols (fixed-key, TKIP, CCMP), cipher types (RC4, TKIP, AES, ...), key-exchange methods (whatever WEP did, PSK, SAE, ...), .... Which goes with which is a matter of the standards and configuration within the context of the standards.
@ adam_zzz
I'm curious. What does wpa_cli tell you after you've connected with your mixed-mode router?
Regards,
Kent
Posts: 20
Threads: 1
Joined: Feb 2023
Reputation:
0
(02-19-2023, 01:18 PM)Tim Curtis Wrote: The current listed protocol options are below and they have worked for many years.
WPA/WPA2-Personal
No security
The proposal is to add "WPA3-Personal Transition Mode" to the list so that Pi can connect to Routers configured in WPA2/WPA3 mixed mode. Anyone that configures a Router that way should know whats going on.
When RaspiOS gets around to supporting WPA3 the protocol options can be revisited.
It's really not any more complex than that.
It's a matter of taste in the end, I'm just sharing as a consumer, it would be the only device in my house where I would actively need to select the right security protocol to be able to connect to wifi, none of my other devices asked more than SSID and Password or had any issues connecting to WPA2/WPA3 mixed mode.
If you're going to add the extra option to the dropdown just be sure to use this configuration then:
key_mgmt=WPA-PSK-SHA256
ieee80211w=2
Posts: 20
Threads: 1
Joined: Feb 2023
Reputation:
0
(02-19-2023, 02:13 PM)TheOldPresbyope Wrote: @adam_zzz
I'm curious. What does wpa_cli tell you after you've connected with your mixed-mode router?
Regards,
Kent
Sure, I've obfuscated some IDs for safety but this is what I get:
Code: bssid=XX:XX:XX:XX:XX:XX
freq=2412
ssid=HOMENETWORK
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2-PSK-SHA256
pmf=1
mgmt_group_cipher=BIP
wpa_state=COMPLETED
ip_address=192.168.X.X
p2p_device_address=YY:YY:YY:YY:YY:YY
address=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ
uuid=uuuuuu-uuuu-uuuu-uuuu-uuuuuuuuuu
Posts: 6,029
Threads: 177
Joined: Apr 2018
Reputation:
235
Thanks. That makes sense.
I'm out and on my phone so will comment in more detail later.
It's possible, perhaps likely, that my stanza is too restrictive to accommodate open APs.
Later.
Regards,
Kent
Posts: 6,029
Threads: 177
Joined: Apr 2018
Reputation:
235
@ adam_zzz
Sorry, I should have asked this before
Could you ask wpa_cli to scan for access points and show the results. The scanning computer doesn't have to be connected; it just has to have a WiFi interface. In the case of a moOde player, that interface is wlan0.
In the following transcript, I used the interactive wpa_cli commands scan and scan_results. There will be a brief pause between when the scan starts and when results are ready.
Code: pi@m825p3bp:~ $ wpa_cli -iwlan0
wpa_cli v2.9
Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> and contributors
This software may be distributed under the terms of the BSD license.
See README for more details.
Interactive mode
> scan
OK
<3>CTRL-EVENT-SCAN-STARTED
<3>CTRL-EVENT-SCAN-RESULTS
> scan_results
bssid / frequency / signal level / flags / ssid
xx:xx:xx:xx:xx:xx 5220 -33 [WPA2-PSK-CCMP][WPS][ESS] <my AP SSID>
xx:xx:xx:xx:xx:xx 2437 -25 [WPA2-PSK-CCMP][ESS] m825p3a
xx:xx:xx:xx:xx:xx 2437 -31 [WPA2-PSK-CCMP][WPS][ESS] <my AP SSID>
xx:xx:xx:xx:xx:xx 2437 -47 [WPA2-PSK-CCMP][WPS][ESS][P2P] DIRECT-1C-HP ENVY 7640 series
xx:xx:xx:xx:xx:xx 5785 -84 [ESS] xfinitywifi
xx:xx:xx:xx:xx:xx 5220 -33 [WPA2-PSK-CCMP][ESS]
xx:xx:xx:xx:xx:xx 5220 -33 [WPA2-EAP-CCMP][ESS] XFINITY
xx:xx:xx:xx:xx:xx 5220 -33 [WPA2-EAP-CCMP][ESS]
xx:xx:xx:xx:xx:xx 5220 -33 [ESS] xfinitywifi
> quit
We see my dual-band router/AP offering WPA2-PSK-CCMP which we knew; also WPS (WiFI protected setup) and ESS (extended service set), neither of which is relevant here. The wpa_cli status output from a connected moOde player I posted earlier is consistent with this.
We see another moOde player running in AP mode (SSID=m825p3a) also offering WPA2-PSK-CCMP.
We see my HP printer offering P2P (peer-to-peer, aka direct) service as well.
Then there's some neighbor apparently running an enterprise-level WPA2-EAP-CCMP (woot!).
So what is your WPA2/WPA3 mixed-mode router/AP offering? I think I can guess at this point but knowing is better.
Regards,
Kent
|