WPA2 Protected Management Frames

I see that PMF is configurable for WPA3 networks, but is there a way to enable it for a WPA/WPA2-EAP network profile?

Hi Luke,

We don’t have support for PMF with WPA2. Are you using an external dongle with your agent? Which dongle are you using?

My network is WPA2-EAP with PMF required on 2.4 & 5 plus WPA3-EAP (with PMF required by the spec) on 6GHz.

The profiles I’m testing are WPA2 but without PMF so I’m seeing tons of this spamming in the logs:

Tue, Mar 5, 2024 05:06:47 PM	wpa_supplicant		1709683607.790399: wlan0: reject due to mismatch with WPA/WPA2
Tue, Mar 5, 2024 05:06:47 PM	wpa_supplicant		1709683607.788809: wlan0: skip RSN IE - no mgmt frame protection enabled but AP requires it

If it is a question of wireless adapter or driver capabilities, please let me know exactly what to use. I’ve got dozens of different Linux compatible Wi-Fi adapters and SBCs I could use.

So far I have tried both a COMFAST CF-953AX (mt7921au) and a Panda PAU0A (MediaTek mt7610u).

With your current image you can use the Comfast 802.11ac [Realtek RTL8812AU]. Do you have one?

If yes, that’s the preferred way to go for now.

Otherwise, if you have the 953ax then use this image that will support that card, and also support 6GHz:

https://netbeez-public.s3.amazonaws.com/eduroam_rpi-model-b-4_bullseye_wifi6-14.0.4_20240306.img.zip

The thing is that we introduced PMF with WPA3 only with the latest release. But we can do a manual change in wpa_supplicant.conf to support PMF for you and maybe patch your agent for now to work with your profile.

But first, let me know how it goes with what I suggested above for the usb dongles.

With the Comfast CF-912AC installed on my agent, I’m still seeing the following:

Wed, Mar 6, 2024 02:59:53 PM	wpa_supplicant		1709762393.450829: wlan0: No suitable network found
Wed, Mar 6, 2024 02:59:53 PM	wpa_supplicant		1709762393.448892: wlan0: skip RSN IE - no mgmt frame protection enabled but AP requires it
Wed, Mar 6, 2024 02:59:53 PM	wpa_supplicant		1709762393.448931: wlan0: reject due to mismatch with WPA/WPA2

Let me know if there is any other testing you’d like for me to do with this setup.

I’m interested in 6GHz testing though, so I’m going to get another agent set up with a CF-953AX plugged in.

Oh and testing with a WPA3 profile with PMF set to optional seems to work against my network, so good news that there is hope for it to work. 🙂
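
Added example, not code from any poster or from the agent vendor: a small triage script for the wpa_supplicant lines quoted in this thread. It assumes the log layout shown above (viewer timestamp, process name, then `epoch: iface: message`, newest line first); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Log lines as quoted in the thread (newest first, tab-separated columns).
SAMPLE = """\
Wed, Mar 6, 2024 02:59:53 PM\twpa_supplicant\t\t1709762393.450829: wlan0: No suitable network found
Wed, Mar 6, 2024 02:59:53 PM\twpa_supplicant\t\t1709762393.448892: wlan0: skip RSN IE - no mgmt frame protection enabled but AP requires it
Wed, Mar 6, 2024 02:59:53 PM\twpa_supplicant\t\t1709762393.448931: wlan0: reject due to mismatch with WPA/WPA2
"""

LINE = re.compile(r"(?P<epoch>\d+\.\d+): (?P<iface>[\w.-]+): (?P<msg>.+)$")
PMF_SKIP = "no mgmt frame protection enabled but AP requires it"
NO_NET = "No suitable network found"

def parse(text):
    """Return (epoch, iface, msg) tuples sorted oldest first.

    The viewer column only has one-second resolution and lists newest
    entries first, so ordering relies on wpa_supplicant's own epoch stamp.
    """
    events = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            events.append((float(m["epoch"]), m["iface"], m["msg"]))
    return sorted(events)

def pmf_mismatches(text):
    """Per interface, count scan passes that ended with no usable network
    after at least one BSS was skipped because the AP requires PMF."""
    pending = defaultdict(bool)  # iface -> PMF skip seen in the current pass
    failed = defaultdict(int)
    for _, iface, msg in parse(text):
        if PMF_SKIP in msg:
            pending[iface] = True
        elif NO_NET in msg:
            if pending[iface]:
                failed[iface] += 1
            pending[iface] = False
    return dict(failed)

if __name__ == "__main__":
    for iface, count in pmf_mismatches(SAMPLE).items():
        print(f"{iface}: {count} scan pass(es) failed, AP requires PMF")
```

A non-zero count means the profile in use has management frame protection disabled while the AP requires it; in wpa_supplicant.conf that is governed by the network-block option `ieee80211w` (0 disabled, 1 optional, 2 required).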