Multiple AP with the same SSID and WPA2/3 mixmode returns undesired alerts. #642

Closed
RobertWi opened this issue Feb 6, 2022 · 11 comments

RobertWi commented Feb 6, 2022

Observation.

Clients are able to choose WPA3 or WPA2 (mixed mode) on the 5.5 SSID, but this results in many of these alerts:
CRYPTO_CHANGE_BEACON
Using the same SSID with a different MAC results in many
UNEXPECTED_SSID_BEACON
Using a different MAC on the same SSID results in many
UNEXPECTED_BSSID_BEACON

AP1
radio 1 SSID Network23 2.4 WPA2-PSK-CCMP c4:41:1e:f8:9b:9c
radio 1 SSID Network23_W 2.4 WPA2-PSK-CCMP c4:41:1e:f8:9b:9c
radio 2 SSID Network23 5.5 WPA2-PSK-CCMP and WPA3-PSK-PSKSHA256-SAE-CCMP c4:41:1e:f8:9b:9d
AP2
radio 1 SSID Network23 2.4 WPA2-PSK-CCMP c4:41:1e:f5:36:44
radio 1 SSID Network23_W 2.4 WPA2-PSK-CCMP c4:41:1e:f5:36:44
radio 2 SSID Network23 5.5 WPA2-PSK-CCMP and WPA3-PSK-PSKSHA256-SAE-CCMP 2 C4:41:1E:F5:36:45

UNEXPECTED_BSSID_BEACON
SSID [Network23_W] was advertised with beacon frame by unexpected BSSID [c6:41:1e:f8:9b:9c]
true can also be c4:41:1e:f5:36:44

CRYPTO_CHANGE_BEACON
SSID [Network23] was advertised with unexpected security settings [WPA2-PSK-CCMP]
SSID [Network23] was advertised with unexpected security settings [WPA3-PSK-PSKSHA256-SAE-CCMP]
true can be both on 2.4 and 5.5 with the same SSID

Most interesting bits from nzyme.conf:

  {
    ssid: Network23
    channels: [1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140]
    security: [
               WPA2-PSK-CCMP 
               WPA3-AES-CCMP
              ]
    beacon_rate: 40
    bssids: [
      {
        address: "c4:41:1e:f5:36:44" 
        fingerprints: [ 
          4a60082d10b05d7b8714bcbc778729ca91df196fba81e2eda2ac6ff62b4e3f19
          ]
      }       
      {
        address: "c4:41:1e:f5:36:45" 
        fingerprints: [ 
          775ebfd7baea1ac1d72dca2e6b71c28f91ed12893ef41ebf8babfa4a2809ab92
          ]
      }       
      {
        address: "c4:41:1e:f8:9b:9c"
        fingerprints: [ 
          4a60082d10b05d7b8714bcbc778729ca91df196fba81e2eda2ac6ff62b4e3f19 
          ]
      }
      {
        address: "c4:41:1e:f8:9b:9d"
        fingerprints: [ 
          775ebfd7baea1ac1d72dca2e6b71c28f91ed12893ef41ebf8babfa4a2809ab92
          ]
      }
    ]
  }
  {
    ssid: Network23_W
    channels: [1,2,3,4,5,6,7,8,9,10,11,12,13]
    security: [WPA2-PSK-CCMP]
    beacon_rate: 40
    bssids: [
      {
        address: "c6:41:1e:f5:36:44"
        fingerprints: [ 
          4a60082d10b05d7b8714bcbc778729ca91df196fba81e2eda2ac6ff62b4e3f19 
          ]
      }
      {
        address: "c4:41:1e:f8:9b:9c"
        fingerprints: [ 
          4a60082d10b05d7b8714bcbc778729ca91df196fba81e2eda2ac6ff62b4e3f19
          ]
      }
    ]
  }
]

In the UI the security settings are presented like this:

network23_WPA3

@lennartkoopmann lennartkoopmann added this to the 1.3.0 milestone Feb 6, 2022
@lennartkoopmann (Member)

It looks like nzyme is getting confused here with two different SSIDs served by the same BSSID. I'm looking into it.

@lennartkoopmann (Member)

Took a deeper look and actually nzyme appears to operate correctly here. Let's look at the two alerts you posted:

SSID [Network23_W] was advertised with beacon frame by unexpected BSSID [c6:41:1e:f8:9b:9c]

This is correct. Your configuration for Network23_W only expects c6:41:1e:f5:36:44 and c4:41:1e:f8:9b:9c. Add c6:41:1e:f8:9b:9c to the list.

SSID [Network23] was advertised with unexpected security settings [WPA2-PSK-CCMP]
SSID [Network23] was advertised with unexpected security settings [WPA3-PSK-PSKSHA256-SAE-CCMP]

This is correct. Your configuration for Network23 only expects WPA2-PSK-CCMP and WPA3-AES-CCMP.

You should be able to simply extend your configuration and no longer receive the alerts.

RobertWi (Author) commented Feb 6, 2022

Took a deeper look and actually nzyme appears to operate correctly here. Let's look at the two alerts you posted:

Thanks

SSID [Network23_W] was advertised with beacon frame by unexpected BSSID [c6:41:1e:f8:9b:9c]

This is correct. Your configuration for Network23_W only expects c6:41:1e:f5:36:44 and c4:41:1e:f8:9b:9c. Add c6:41:1e:f8:9b:9c to the list.

Think this is already in the config; see the Network23_W entry, where both c6:41:1e:f5:36:44 and c4:41:1e:f8:9b:9c are listed.

SSID [Network23] was advertised with unexpected security settings [WPA2-PSK-CCMP]
SSID [Network23] was advertised with unexpected security settings [WPA3-PSK-PSKSHA256-SAE-CCMP]

This is correct. Your configuration for Network23 only expects WPA2-PSK-CCMP and WPA3-AES-CCMP.

You should be able to simply extend your configuration and no longer receive the alerts.

OK, replaced WPA3-AES-CCMP with WPA3-PSK-PSKSHA256-SAE-CCMP; is this what you intended? Extending with multiple SSIDs with the same name is not possible.

lennartkoopmann (Member) commented Feb 6, 2022

Think this is already in the config; see the Network23_W entry, where both c6:41:1e:f5:36:44 and c4:41:1e:f8:9b:9c are listed.

Those two are, but the alerted BSSID c6:41:1e:f8:9b:9c is not. Note the difference between c6 and c4 at the beginning of the BSSID address.

OK, replaced WPA3-AES-CCMP with WPA3-PSK-PSKSHA256-SAE-CCMP; is this what you intended? Extending with multiple SSIDs with the same name is not possible.

Not sure if I understand correctly. Did this solve the false alerts?

peter-reimann-1 commented Feb 7, 2022

Hi, here are my screenshots. I think it is the same problem: two different security settings within one SSID, but two BSSIDs.

[Screenshot 2022-02-07 at 07:05:58]

SSID [Router1] was advertised with unexpected security settings [WPA2-PSK-CCMP].
SSID [Router1] was advertised with unexpected security settings [WPA3-PSK-SAE-CCMP].
Alert Type ID CRYPTO_CHANGE_BEACON

[Screenshot 2022-02-07 at 07:09:29]

[Screenshot 2022-02-07 at 07:10:01]

SSID [Router1] was advertised with unexpected security settings [WPA2-PSK-CCMP].
SSID [Router1] was advertised with unexpected security settings [WPA3-PSK-SAE-CCMP].
Alert Type ID CRYPTO_CHANGE_PROBERESP

[Screenshot 2022-02-07 at 07:12:50]

The related config:

802_11_networks: [
  {
    ssid: Router1
    channels: [1,2,3,4,5,6,7,8,9,10,11,12,13]
    security: [WPA3-PSK-SAE-CCMP,WPA2-PSK-CCMP]
    beacon_rate: 60
    bssids: [
      {
        address: "74:42:7f:03:ae:52",
        fingerprints: [ ...e3b ]
      }
      {
        address: "e8:df:70:c6:ac:f6",
        fingerprints: [ ...b3f ]
      }
    ]
  }
...

I think the array of security mechanisms isn't handled in the right way. For me it seems that the alarms come alternating. So if WPA3 is expected and WPA2 is seen -> Alarm! But WPA2 is stored internally, and if WPA3 comes up the alarm is raised again and WPA3 is stored for the next comparison.

RobertWi (Author) commented Feb 7, 2022

Firstly, I indeed erred on c6 vs. c4 in the MAC address config, caused by some reworked SSIDs with an alternative MAC address set.
Secondly, in mixed mode an AP is allowed to use WPA3-PSK-PSKSHA256-SAE-CCMP and WPA3-AES-CCMP, so I have now fixed the setting to WPA3-AES-CCMP only.
With these out of the way, I think I concur with Peter.
The config allows setting different security settings in the array on a single SSID, but if it's one or the other in the array, these alerts are seen:
CRYPTO_CHANGE_BEACON
CRYPTO_CHANGE_PROBERESP

RobertWi (Author) commented Feb 7, 2022

Duplicate #527

@lennartkoopmann (Member)

I think I understand the problem now. Could one of you send me a PCAP of this environment so I can confirm?

It appears that the networks are advertised with different frames per security mechanism. Nzyme expects them all to be advertised in one frame. A PCAP would let me confirm this.
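To make the two explanations above concrete (the alternating alarms peter-reimann-1 describes and the one-frame expectation lennartkoopmann describes), here is an added example that is not nzyme's own code: it models the per-frame check both ways against a constructed config mirroring the Router1 entry, with constructed beacons in which each BSSID advertises only one mechanism per frame. The unknown BSSID 00:11:22:33:44:55 and the WPA-PSK-TKIP mechanism in the last frame are hypothetical, included only to show that the looser check still alerts on something genuinely unexpected.

```python
from collections import defaultdict

# Constructed config, mirroring the Router1 entry posted in this thread.
EXPECTED = {
    "Router1": {
        "security": {"WPA3-PSK-SAE-CCMP", "WPA2-PSK-CCMP"},
        "bssids": {"74:42:7f:03:ae:52", "e8:df:70:c6:ac:f6"},
    },
}
# Constructed beacons: each real BSSID advertises one mechanism per frame, as
# suspected above; the last frame is a hypothetical unknown BSSID offering a
# mechanism that is not configured at all.
BEACONS = [
    {"ssid": "Router1", "bssid": "74:42:7f:03:ae:52", "security": {"WPA2-PSK-CCMP"}},
    {"ssid": "Router1", "bssid": "e8:df:70:c6:ac:f6", "security": {"WPA3-PSK-SAE-CCMP"}},
    {"ssid": "Router1", "bssid": "74:42:7f:03:ae:52", "security": {"WPA2-PSK-CCMP"}},
    {"ssid": "Router1", "bssid": "00:11:22:33:44:55", "security": {"WPA-PSK-TKIP"}},
]

def evaluate(beacons, expected, exact_match):
    """Return (alert_type, ssid, detail) per frame.
    exact_match=True : the frame's security set must equal the configured set
                       (all mechanisms in one frame), so split advertising
                       alerts on every frame, as seen in this thread.
    exact_match=False: each advertised mechanism must be a configured one, so
                       split advertising passes but an unknown mechanism alerts.
    """
    alerts = []
    for b in beacons:
        net = expected.get(b["ssid"])
        if net is None:
            alerts.append(("UNEXPECTED_SSID_BEACON", b["ssid"], b["bssid"]))
            continue
        if b["bssid"] not in net["bssids"]:
            alerts.append(("UNEXPECTED_BSSID_BEACON", b["ssid"], b["bssid"]))
        ok = b["security"] == net["security"] if exact_match else b["security"] <= net["security"]
        if not ok:
            alerts.append(("CRYPTO_CHANGE_BEACON", b["ssid"], ",".join(sorted(b["security"]))))
    return alerts

def missing_mechanisms(beacons, expected):
    """Per SSID, configured mechanisms no expected BSSID advertised at all: this
    complements the subset check by still catching a mechanism that silently
    disappears (e.g. WPA3 no longer offered anywhere)."""
    seen = defaultdict(set)
    for b in beacons:
        net = expected.get(b["ssid"])
        if net and b["bssid"] in net["bssids"]:
            seen[b["ssid"]] |= b["security"]
    return {ssid: sorted(net["security"] - seen[ssid]) for ssid, net in expected.items()}
```

With exact_match=True every one of the three legitimate frames raises CRYPTO_CHANGE_BEACON, which is the alternating pattern reported above; with exact_match=False only the hypothetical rogue frame alerts, and missing_mechanisms still reports a configured mechanism that stops being advertised anywhere.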

@StarkZarn

Any traction on this? I'm still seeing this with a fresh install as of yesterday.

@tzepterbvv

Any traction on this? I'm still seeing this with a fresh install as of yesterday.

Nothing heard about it, unfortunately.

@lennartkoopmann (Member)

This will be solved with the architecture in v2.0.
