Linux: Configuring WF(M)200 for WPA3

WF(200) can be used with Linux in WPA3 in both AP (Access Point) and STA (STAtion) modes using Linux standard commands.

This article provides generic (i.e. not specific to WF(M)200) information on the Linux configuration of a WPA3 AP as well as a WPA3 STA. You can set up 2 boards and connect them together over WPA3 Wi-Fi.

 

In most cases, WF(M)200 will act either as AP or STA, not with both roles simultaneously. For commissioning purposes, it is possible to enable simultaneous AP+STA. Details on this feature are not provided in this article.

Pre-requisites

WPA3 is working as from

• wfx-linux-driver version 2.5.2-public
• wfx-firmware version 3.8.0
• wpa_supplicant release v2.8-devel.

Please update to the above minimal versions before using WPA3 with WF(M)200.

 

AP (Access Point)

The AP uses hostapd, configured via the hostapd_WPA3_wlan0.conf file.

AP: Allocating an IP address to wlan0

sudo dhcpcd --release wlan0
sudo ip addr flush dev wlan0
sudo ip addr add 192.168.45.1/24 dev wlan0

 

AP: Checking wlan0 IP address

ip addr show wlan0

3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:0d:6f:73:91:57 brd ff:ff:ff:ff:ff:ff
    inet 192.168.45.1/24 scope global wlan0
       valid_lft forever preferred_lft forever

 

AP: DHCP/DNS setup using dnsmasq: allocating an IP address range to wlan0 clients

sudo killall dnsmasq
sudo dnsmasq --conf-file=/dev/null --interface=wlan0 --bind-interfaces --except-interface=lo --dhcp-range=192.168.45.100,192.168.45.200

 

AP interface selection

The AP wlan interface is selectable in the hostapd command line, as the '-i' (list of interface names to use) field. It can also be hard-coded in the hostapd_WPA3.conf file.

 

Typical hostapd command line (in the context of our Raspberry Pi demo, user 'pi' (requiring 'sudo'))

sudo killall hostapd

sudo hostapd -i wlan0 hostapd_WPA3.conf

Configuration file: hostapd_WPA3.conf
wlan0: interface state UNINITIALIZED->COUNTRY_UPDATE
Using interface wlan0 with hwaddr 00:0d:6f:73:91:57 and ssid "WPA3_AP"
wlan0: interface state COUNTRY_UPDATE->ENABLED
wlan0: AP-ENABLED

 

We recommend not running hostapd in the background when experimenting, to get an immediate display of any message from the application. Run in the background once you have validated your setup (use '-B' for running in background).

 

AP configuration

Refer to the attached hostapd_WPA3.conf file. Refer to https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for details of hostapd configuration.

 

AP Checks (on the AP)

Checking hostapd version (tested with v2.8-devel)

hostapd -v

hostapd v2.8-devel
User space daemon for IEEE 802.11 AP management,
IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi> and contributors

Checking if hostapd is running, and what the interface and configuration file are

ps -few | grep hostapd

root       986   807  0 09:47 pts/1    00:00:00 sudo hostapd -i wlan0 hostapd_WPA3.conf
root       991   986  0 09:47 pts/1    00:00:00 hostapd -i wlan0 hostapd_WPA3.conf

 

Checking active lines in hostapd configuration (skipping empty lines and comment lines)

cat hostapd_wpa3.conf | grep -v ^$ | grep -v ^#

driver=nl80211
ctrl_interface=/var/run/hostapd
ctrl_interface_group=netdev
ssid=WPA3_AP
country_code=US
channel=6
auth_algs=1
hw_mode=g
ieee80211n=1
dtim_period=1
max_num_sta=8
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
wpa_passphrase=passphrase

 

WPA3: Make sure 'SAE' is used for wpa_key_mgmt

 

Checking hostapd status

hostapd_cli status

Selected interface 'wlan0'
state=ENABLED
phy=phy0
freq=2437
num_sta_non_erp=0
num_sta_no_short_slot_time=0
num_sta_no_short_preamble=0
olbc=0
num_sta_ht_no_gf=0
num_sta_no_ht=0
num_sta_ht_20_mhz=0
num_sta_ht40_intolerant=0
olbc_ht=0
ht_op_mode=0x0
cac_time_seconds=0
cac_time_left_seconds=N/A
channel=6
secondary_channel=0
ieee80211n=1
ieee80211ac=0
beacon_int=100
dtim_period=1
ht_caps_info=000c
ht_mcs_bitmask=ff000000000000000000
supported_rates=02 04 0b 16 0c 12 18 24 30 48 60 6c
max_txpower=30
bss[0]=wlan0
bssid[0]=00:0d:6f:73:91:57
ssid[0]=WPA3_AP
num_sta[0]=1

 

Checking hostapd configuration

hostapd_cli get_config

Selected interface 'wlan0'
bssid=00:0d:6f:73:91:57
ssid=WPA3_AP
wps_state=disabled
wpa=2
key_mgmt=SAE
group_cipher=CCMP
rsn_pairwise_cipher=CCMP

 

WPA3: Make sure key_mgmt is 'SAE'

 

External AP checks (from a Linux Wi-Fi STAtion)

wpa_cli scan

Selected interface 'wlan0'
OK

wpa_cli scan_results

Selected interface 'wlan0'
bssid / frequency / signal level / flags / ssid
00:0d:6f:73:91:57       2437    -47     [WPA2-SAE-CCMP][ESS]    WPA3_AP

 

WPA3: Make sure 'SAE' is present in the flags

 

AP hostapd messages during STA association

wlan0: STA 00:0d:6f:73:8a:15 IEEE 802.11: associated (aid 1)
wlan0: AP-STA-CONNECTED 00:0d:6f:73:8a:15
wlan0: STA 00:0d:6f:73:8a:15 RADIUS: starting accounting session DE8CB6C3CD1D354B
wlan0: STA 00:0d:6f:73:8a:15 WPA: pairwise key handshake completed (RSN)

 

 

STA (STAtion)

The STA uses wpa_supplicant, configured via the wpa_supplicant_WPA3.conf file.

STA interface selection

The STA wlan interface is selected in the wpa_supplicant command line, as the '-i' (= interface name) field

Typical wpa_supplicant command line (in the context of our Raspberry Pi demo, user 'pi')

sudo killall wpa_supplicant
sudo wpa_supplicant -i wlan0 -c wpa_supplicant_WPA3.conf

 

We recommend not running wpa_supplicant in the background when experimenting, to get an immediate display of any message from the application. Run in the background once you have validated your setup (use '-B' for running in background).

 

STA configuration

Refer to the attached wpa_supplicant_WPA3.conf file. Refer to https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf for details of wpa_supplicant configuration.

 

STA Checks (on the STA)

 

Checking wpa_supplicant version (tested with 2.8-devel)

wpa_supplicant -v

wpa_supplicant v2.8-devel
Copyright (c) 2003-2019, Jouni Malinen <j@w1.fi> and contributors

 

Checking if wpa_supplicant is running, and what the interface and configuration file are

ps -few | grep wpa_supplicant

root      5091   846  0 10:10 pts/3    00:00:00 sudo wpa_supplicant -i wlan0 -c wpa_supplicant_WPA3.conf
root      5096  5091  1 10:10 pts/3    00:00:00 wpa_supplicant -i wlan0 -c wpa_supplicant_WPA3.conf

 

Checking active lines in wpa_supplicant configuration (skipping empty lines and comment lines)

cat wpa_supplicant_WPA3.conf | grep -v ^$ | grep -v ^#

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=0
country=US
network={
    ssid="WPA3_AP"
    proto=RSN
    key_mgmt=SAE
    pairwise=CCMP
    group=CCMP
    ieee80211w=2
    psk="passphrase"
}

 

WPA3: Make sure that 'SAE' is used for key_mgmt

 

Checking wpa_supplicant status

wpa_cli status

Selected interface 'wlan0'
bssid=00:0d:6f:73:91:57
freq=2437
ssid=WPA3_AP
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=SAE
pmf=2
mgmt_group_cipher=BIP
sae_group=19
wpa_state=COMPLETED
ip_address=169.254.95.237
address=00:0d:6f:73:8a:15
uuid=ddc6a32a-0205-5c93-912f-e04979164e16

 

WPA3: Make sure key_mgmt is 'SAE'

 

STA wpa_supplicant messages upon connection

wlan0: SME: Trying to authenticate with 00:0d:6f:73:91:57 (SSID='WPA3_AP' freq=2437 MHz)
wlan0: SME: Trying to authenticate with 00:0d:6f:73:91:57 (SSID='WPA3_AP' freq=2437 MHz)
wlan0: PMKSA-CACHE-ADDED 00:0d:6f:73:91:57 0
wlan0: Trying to associate with 00:0d:6f:73:91:57 (SSID='WPA3_AP' freq=2437 MHz)
wlan0: Associated with 00:0d:6f:73:91:57
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan0: WPA: Key negotiation completed with 00:0d:6f:73:91:57 [PTK=CCMP GTK=CCMP]
wlan0: CTRL-EVENT-CONNECTED - Connection to 00:0d:6f:73:91:57 completed [id=0 id_str=]

 

STA: Checking wlan0 IP address

ip addr show wlan0

4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0d:6f:73:8a:15 brd ff:ff:ff:ff:ff:ff
    inet 192.168.45.109/24 brd 192.168.45.255 scope global noprefixroute wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::108f:61b8:531f:3a20/64 scope link
       valid_lft forever preferred_lft forever

 

Check that the IP address is within the range allocated via dnsmasq on the AP

 

 

 

 

WPA3 configuration fields table

The table below lists side-by-side parameters present in hostapd.conf and wpa_supplicant for a setup where a Linux platform is configured as AP while another Linux platform is configured as a STA associated with the AP.

These parameters correspond to the attached configuration files:

• hostapd_WPA3_wlan0.conf
• wpa_supplicant_WPA3.conf

Legend

• User-modifiable fields
• WPA3-forced fields

hostapd/wpa_supplicant configuration fields

hostapd_WPA3.conf	wpa_supplicant_WPA3.conf	comments
interface=wlan0		optional in hostapd config. Can be set via command line '-i' field
driver=nl80211
ctrl_interface=/var/run/hostapd	ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
ctrl_interface_group=netdev
country_code=US	country=US
channel=6
auth_algs=1
hw_mode=g
ieee80211n=1
dtim_period=1
max_num_sta=8
	network={
ssid=WPA3_AP	ssid="WPA3_AP"	Double quotes required in wpa_supplicant.conf
wpa=2	proto=RSN	# The wpa field is a bit field that can be used to enable WPA/WPA2 # bit0 = WPA  (IEEE 802.11i/D3.0) # bit1 = WPA2 (IEEE 802.11i/RSN) (dot11RSNAEnabled) # We don't use WPA: bit0 = 0 # WPA2 and WPA3 use RSN: bit1 = 1 # this leads to wpa=2 / proto=RSN
wpa_key_mgmt=SAE	key_mgmt=SAE	SAE = 'Simultaneous Authentication of Equals' for WPA3-Personal
rsn_pairwise=CCMP	pairwise=CCMP	# 2 'pairwise' fields are used for WPA or RSN: wpa_pairwise and rsn_pairwise # we only use RSN, so only set rsn_pairwise # the value is a space-separated list of accepted encryption algorithms # CCMP = AES in Counter mode with CBC-MAC (CCMP-128)
	group=CCMP
ieee80211w=2	ieee80211w=2	# PMF (protected management frames) # PMF required: ieee80211w=2 # WPA3-Personal-only mode: ieee80211w=2 / key_mgmt=SAE
wpa_passphrase=passphrase	psk="passphrase"	# wpa_passphrase is an ASCII passphrase, converted to PSK (Pre-Shared Key) Double quotes required in wpa_supplicant.conf
	}