-
Notifications
You must be signed in to change notification settings - Fork 5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wi-Fi Protected Access 3 (WPA3) support #4718
Comments
Which AP is this that doesn't support WPA2? It seems a bit premature. |
Is wpa3 possible with debian bullseye with Pi zero w2? |
No Raspberry Pi currently supports WPA3. |
So the RPI 3 and 4 supports WPA3 and the RPI Zero 2 not? |
"No Raspberry Pi supports WPA3" As in, none of the Raspberry Pi's with wireless support WPA3. |
@JamesH65 is this because wpa_supplicant version which supports WPA3 is 2:2.9-4, but the wpa_supplicant version available on Raspberry Pi 10.11 is 2.8-devel. Or will it require a kernel driver update from Broadcom? Or a new Wifi chipset? |
I believe it will need at minimum new firmware, quite possibly a new chip. |
According to https://forum.openwrt.org/t/wpa3-support-in-openwrt/10554/144 there is no special hardware support needed for WPA3 with OpenWRT devices. |
Connecting to a WPA3-Personal network works fine for me with a Pi 3 Model B when I use iwd. I recently bought a Pi Zero 2 W thinking it would behave similarly since supposedly the wifi hardware is almost identical, but unfortunately that's not the case. Same kernel/driver, same network, but it fails to connect.
The 02w wifi firmware then looks rather "beta" to me, going by the version string:
I suppose it's incomplete? Are there any plans to release an updated firmware in the foreseeable future? |
Why can't the raspberry pi broadcom wifi chips support WPA3 ?!? |
I take the lack of a response to mean "no." That's too bad. But I noticed there are commits in the firmware repo referencing a new Zero 2 W revision with a different wifi chipset. Hope you get those wifi issues sorted out, it's a nice device otherwise. Cheers |
I'm also longing for my Raspi Zero 2 W to support WPA3. I thought that's a matter of course these days. |
No issue on my end:
|
Fails on a mixed WPA2/WPA3 or a pure WAP3 network against OpenWrt HEAD as of late May 2022.
repeatedly. AP does not have any issues with macOS or iOS devices on the same VAP. |
@taylorkline - This configuration example is a step in the right direction, but it is not WPA3-Personal. WPA3-Personal uses Simultaneous Authentication of Equals (SAE) as key_mgmt and requires Protected Management Frames (PMF) aka Management Frame Protection (MFP) as in your example (PMF/MFP is standardised via IEEE 802.11w and mandatory in Wi-Fi 6 certification (as WPA3 is mandatory, which requires 802.11w support)). Thanks for sharing! In my opinion, 802.11w is one of the most important elements to secure the network (clients) against DoS-type attacks (de-assoc/de-auth-attack) - often ESP32-based as previously mentioned in this (or other) threads. (This is also what I tell my partners/customers) Here is a (validated) WPA3 configuration for wpa_supplicant:
Fortunately it (often) doesn't require new hardware, at least not for Pi3B+/Pi4. I haven't tried on Pi Zero - subject to be tested. Infineon (Ex-Broadcom => Ex-Cypress) issues patches against 5.10.9 on their website/community: There are multiple elements to take into consideration:
I've looked at the perspective of being a Wi-Fi client (wpa_supplicant), as I'm in the (comfortable and much appreciated) position to have plenty of Stellar Wireless APs around. Here is how to make WPA3(-Personal) work:
Edit:
|
I've got devices ~10 and 20 years old, and running Ubuntu on them enables WPA3 out of the box. So I somehow doubt we need a new chip on the Raspi for WPA3. |
@BennyE I followed the Arch Wiki instructions for connecting to a mixed WPA2 / WPA3 AP. Are these instructions incorrect, then? |
Just the wrong ones for connecting with SAE |
In my previous comment I forgot to add: The output of iw list needs to tell you Device supports SAE with AUTHENTICATE command, just replacing the Infineon/Cypress Firmware (without the corresponding Kernel with Infineon/Cypress Patches) will not give you this output. Note that, while the output of iw list lacks the Cipher suite 00-0f-ac:8, it can still use the SAE/SHA-256 Auth-Key-Management (AKM) if the proper wpa_supplicant is used (v2.10 with defconfig -> .config) - the shipped version (v2.9) didn't work for me. |
For me connecting at least to a mixed WPA2/WPA3 network would already be a win!
To be more specific, the following
The same is true for all variations with or without Do you guys know if there's a way to construct wpa_supplicant.conf from a manually connected WiFi? |
On Raspberry Pi 3 Model B Rev 1.2 (as communicated by /proc/cpuinfo) |
It will not display this unless you run a patched kernel + latest Cypress/Infineon firmware (April'22 as of this writing). |
I'm having the same issue as @aannenko -- my Pi3 won't even connect to a WPA2/WPA3 mixed-mode network. |
My RPi 3 connected again to my new WPA2/WPA3 mixed network (OpenWRT) after adding |
Any progress on this? |
I have a similar configuration as @herrernst, WPA2/WPA3 mixed in OpenWRT. The changes in this comment were the proper combination to get my Pi3 online. |
I've read the relevant source codes and came to the conclusion that |
@BennyE , I see this corresponds to |
1. Use iwd with old firmware
2. Use patched wpa-supplicant with new firmware
The upcoming wpa_supplicant version 2.11 will also include support for "old firmware" (SAE_OFFLOAD extended feature).
And in general it looks like having firmware handle SAE is what current Broadcom does (judging by firmware from macOS and bcmdhd out of tree kernel driver used by many android devices).
BTW, have you found anything that's better with the "new firmware" compared to the old?
|
Seems like they did the opposite in this case. Used to offload it to the chip firmware, but now do not. I have reached out to infineon to understand why, but they haven't answered this question yet.
Nothing concrete. Anecdotally, I think Bluetooth coexistance and roaming is better on the new firmware, and I also used to see issues with the driver ocassionally crashing under heavy load, but it is has been hard to disambiguate what is caused by brcm driver changes, and what is a result of the firmware. I'm not the only one with this question. Consistently, when infineon posts a new FMAC release, they share a list of "fixes" but are never clear on what is being fixed by firmware, driver, or some combination. For example, see this comment on the september 2023 release where they provided the latest firmware for the 43455 (7.45.265). |
Infineon confirmed to me that they removed offload SAE support because they ran out of memory for other changes on the chip. I asked them about putting in back on instead of some other features, or providing a few varieties of the firmware that would support different options. They said that they will not do that. I also asked about supporting IWD for the user-space SAE R3 implementation. They also said no, and that they will only support wpa-supplicant, which apparently supports this natively now in the newest version. So for now, the options are:
In the future, using IWD with the latest firmware might be possible, if it can be configured to support however the infineon chipset handles this. I have no idea what would be required to enable that. |
@jebanon Could you give me an idea how big the impact of SAE_OFFLOAD is? AFAIK SAE is only used during association / authentication. So missing SAE_OFFLOAD could result in slightly slower or less energy efficient connection to APs but presumably wouldn't have an impact on throughput, latency, jitter - correct? |
I haven't quantified it, but I'm doubtful that it has any meaningful performance impact when in station mode, as you've noted. For my own usage, I certainly don't care about whether the userspace network manager is doing it (iwd or wpa-supplicant), or whether it is happening on the chip firmware. If infineon wants to move towards the userspace software handling the SAE handshake, that is fine with me - the bummer is just that however they have accomplished that (at least for now), doesn't appear to work with iwd in my testing. That means iwd users are stuck on very old chip firmware (and that raspberry pi is "shipping" old firmware that is probably missing newer security fixes, features, etc). |
FYI I'm working on a minimal set of downstream driver patches that add support for the SAE_EXT feature using wpa_supllicant on as many of our devices as possible, at which point we'll be able to update to the latest firmwares. Two or three patches is sufficient for the 43455, but it's not working on the Synaptics-sourced devices yet. |
@pelwell my understanding from infineon was that the latest upstream wpa-supplicant "just works" (have not confirmed) with the latest downstream drivers from infineon (these). Is that not the case? I was under the impression that the SAE_EXT support was already in there and worked with the new firmware, and with wpa-supplicant, but just doesn't work with iwd. |
214 patches is not minimal. |
PR #5945 is the three-patch set required to get WPA3 working with our current wpa_supplicant on Pi 5, Pi 4 and CM4. Whether we can also get it working on Pi 400 and Pi Zero 2 W is the subject of an open support ticket with Synaptics. |
Does not work in so-called mixed mode on pi4 fresh is install bookworm 64bits, followed by sudo rpi-update pulls/5945the white rider(Het leuke van ... is weten op reis te zijn; geboren te Vught, opgegroeid in Amsterdam en gezworven door Eurazië…)On 12 Feb 2024, at 17:51, Phil Elwell ***@***.***> wrote:
PR #5945 is the three-patch set required to get WPA3 working with our current wpa_supplicant on Pi 5, Pi 4 and CM4. Whether we can also get it working on Pi 400 and Pi Zero 2 W is the subject of an open support ticket with Synaptics.
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: ***@***.***>
|
That's not a great bug report:
|
Mixed mode is when the Wi-Fi router I connect to has the same name for 2.4 GHZ and five ghz and wpa2/wpa3 mode both on. Router is a fritzbox 7590 latest os 7.57As written in original post installed a fresh bookworm 64 bits on a pi 4 . Applied the rip-update as mentioned in this message chain.Expexted The system to connect to wpa3 5ghz.the white rider(Het leuke van ... is weten op reis te zijn; geboren te Vught, opgegroeid in Amsterdam en gezworven door Eurazië…)On 13 Feb 2024, at 09:56, Phil Elwell ***@***.***> wrote:
Does not work in so-called mixed mode on pi4 fresh is install bookworm 64bits
That's not a great bug report:
What is "mixed mode"?
What did you do?
What did you expect to happen?
What actually happened?
On which software did this last work?
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: ***@***.***>
|
And:
i.e. is this a regression compared to the current |
Never worked the white rider(Het leuke van ... is weten op reis te zijn; geboren te Vught, opgegroeid in Amsterdam en gezworven door Eurazië…)On 13 Feb 2024, at 12:28, Phil Elwell ***@***.***> wrote:
And:
On which software did this last work?
i.e. is this a regression compared to the current sae firmware+ iwd solution?
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: ***@***.***>
|
@paulfertser Following back up on this question:
I have now confirmed empirically: BLE pairing connections fail more often on the older (v.234) firmware. BLE connections succeed on the first try consistently when on the newer (v.265) firmware, with all other variables unchanged. On the older firmware, it sometimes takes a few tries to get the initial connection to work. |
I have now confirmed empirically: BLE pairing connections fail more often on the older (v.234) firmware. BLE connections succeed on the first try consistently when on the newer (v.265) firmware, with all other variables unchanged. On the older firmware, it sometimes takes a few tries to get the initial connection to work.
Good to know, thank you for sharing! Probably BT coex is better implemented or configured there somehow and it also affects e.g. BT headphones while doing heavy WiFi traffic?
|
Probably some coexistence tuning, as you've noted, so yes, I would assume it impacts BT Classic too, but I can't say for certain. I only validated BLE. There are different tuning parameters for BT Classic vs BLE in the NVRAM, so I don't know exactly how their handling of the two differs in the firmware. |
+1 My Wi-Fi network has a WPA2 'regular' SSID and a WPA3 'secure' SSID. I only want NAS servers, etc. connected to the secure network. A Raspberry Pi makes for a great NAS server, but I don't want it on the less secure network. |
Been playing with this in May 2024. on a Pi of flavors which have 5Ghz capability (3b+,4,5), none can advertise or connect to a functional WPA3/SAE protected network. Tried The current (3 year old) driver/firmware advertises that it does:
This is with RPiOS Bookworm updated and running this kernel:
What is stopping functionality other than it is a brcmfmac card. |
What do you mean by ”patched firmware”? |
Probably the one you linked here: #5945 |
If you've done an apt update to a bookworm install on your Pi, you should have the latest firmware. You can confirm by this:
Note the version 7.45.265 with a date of Aug 29 2023. It will connect to SAE3 with wpa_supplicant. I was unable to use wpa_cli but was able to use nmcli to connect. It does not yet work with connman afaict. It also is not yet compatible with iwd. |
Does anybody know if compatibility of the latest firmware (.265) with iwd will ever be possible? Is anybody working on the changes to iwd that would enable it to support the SAE changes? Is there any indication that iwd would someday replace wpa_supplicant as the default on Raspbian or other distros (I kinda hope so, but only if it supports WPA3)? |
The iwd team posted a patch yesterday. I tested it today and it gets further but still does not grab an IP. Based on this development, I think they are 'working on it'. |
Just to clarify: No, Its not. Just tested myself. |
As I understand it, someone is working on an upstream fix, but this is not
yet done? Regardless, it will need to be backported to support
'external_auth' for WPA3 on our 6.6.x kernels. This backporting has not
been done nor tested. I do not even know if the upstream is built or
tested. The current/broken brcmfmac driver on 6.6.x appears to work with
NetworkManager/wpa_supplicant. (At least it did with an earlier kernel, I
have not tried it lately.) There are still some problems with it, but I
have been able to negotiate a WPA3 connection with this setup. It will
connect and pass data. I have not been able to with wpa_suppliocant alone,
nor with connman and wpa_supplicant. There seems to be some failure of the
driver where info is passed from wpa_s to the kernel and it does not accept
it, but it seems to 'power thru' and will make a connection with NM/wpa_S.
Once the driver works properly with external_auth on our 6.6.x kernel with
wpa_supplicant, I believe the development of iwd to support WPA3 can be
started, but until the driver is fixed, I do not think that will start.
Keith
…On Mon, Oct 14, 2024 at 4:36 PM Kai P. ***@***.***> wrote:
Is wpa3 possible with debian bullseye with Pi zero w2?
Just to clarify: No, Its not. Just tested myself.
—
Reply to this email directly, view it on GitHub
<#4718 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAARWJGBIMU36EGJ7LJ6XSTZ3Q2PRAVCNFSM5IM7CE32U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TENBRGIZTQMRUGA4A>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
I bought a Raspberry Pi Zero 2 W and apparently it does not support my home wifi which uses WPA3.
I excepted that to be the case, since on Debian usually works just fine, and this device is a new release.
It should be at last officialy stated somewhere that is not supported. I basically bought something I can't use.
Notice that WPA3 is not anymore a theory, many commercial routers now ship with it in mixed mode or add that through firmware update.
Side note: actually run just fine on common operating systems from Windows to Android, including Linux if you have no firmware issues.
The text was updated successfully, but these errors were encountered: