WPA3

WPA3, released in June 2018, is the successor to WPA2, adding new capabilities to enhance Wi-Fi protection in public, personal and enterprise networks. This guide describes how to deploy it on HD Wireless Connectivity products.

Support

This table sums up the current product and driver version support for WPA3:

Product   Driver         WPA3-Personal (SAE)   WPA3-Enterprise (Suite B)
SPB228    USB-USB        No                    No
SPB228    PCIe-UART-32   No                    No
SPB228    SDIO-SDIO      Yes                   Yes
SPB228    PCIe-USB       Yes                   Yes
SPB228    PCIe-UART      Yes                   Yes
SPB229    SDIO-SDIO      Yes                   No
SPB209A   SDIO-SDIO      Yes                   No

Future driver releases should add support for WPA3 (notably SPB228 - USB-USB driver). This table will be updated accordingly.

Software requirements

Use a Linux kernel version no older than 3.8 and hostapd/wpa_supplicant version 2.7 or later. WPA3 support is optional in hostapd/wpa_supplicant, so you might need to recompile them manually if the version shipped by your distribution does not offer WPA3 support. If you build them manually, you may need to enable the following flags. In the hostapd .config: CONFIG_IEEE80211N=y, CONFIG_IEEE80211AC=y and CONFIG_SAE=y. In the wpa_supplicant .config: CONFIG_IEEE80211W=y and CONFIG_SAE=y.

You will need to load the driver module with the parameter host_mlme=1. For example:

insmod pcie8997.ko drv_mode=3 mfg_mode=0 fw_name=mrvl/pcieuart8997_combo_v4.bin cal_data_cfg=none host_mlme=1 cfg80211_wext=0xF reg_alpha2=US cntry_txpwr=1

WPA3 SAE security

Client

Here is an example of the wpa_supplicant.conf configuration file to connect to a WPA3 capable access point:

ctrl_interface=/var/run/wpa_supplicant
sae_groups=19 20 21 25 26       # If parameter is not set, 19 is the default value.
network={
    ssid="SoftAP-WPA3"
    scan_ssid=1
    key_mgmt=SAE
    proto=RSN
    pairwise=CCMP
    group=CCMP
    psk="1234567890"
    ieee80211w=2
}

Access Point

Example hostapd.conf configuration file for SAE Mode:

ctrl_interface=/var/run/hostapd
interface=uap0
driver=nl80211
ssid=SoftAP-WPA3
hw_mode=a
channel=36
beacon_int=100
dtim_period=1
wmm_enabled=1
ignore_broadcast_ssid=0
ieee80211n=1
rts_threshold=2347
fragm_threshold=2346
send_probe_response=1
ieee80211ac=1
vht_oper_chwidth=1
vht_oper_centr_freq_seg0_idx=42
vht_capab=[HTC-VHT][SOUNDING-DIMENSION-2][TX-STBC-2BY1][RX-STBC-1][SU-BEAMFORMEE][MAX-A-MPDU-LEN-EXP7][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][SHORT-GI-80][RXLDPC]
ht_capab=[HT40+][SHORT-GI-20][SHORT-GI-40][LDPC][RX-STBC1]

#SAE
auth_algs=1
wpa=2
wpa_pairwise=CCMP
wpa_passphrase=1234567890
wpa_key_mgmt=SAE
wpa_group_rekey=1800
rsn_pairwise=CCMP
ieee80211w=2
# If sae_groups is not set, 19 is the default value.
sae_groups=19 20 21 25 26
sae_require_mfp=1
# If sae_anti_clogging_threshold is not set, 5 is the default value.
sae_anti_clogging_threshold=10
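
A small audit of the SAE settings in the hostapd.conf above, as an added example that is not H&D Wireless or hostapd code. The expected values are taken from this page's example; the trailing-comment check assumes hostapd ignores only lines that begin with #, and DRIFTED is constructed sample input.

```python
import re

REQUIRED = {  # values set by this page's SAE hostapd.conf example
    "wpa": "2",
    "wpa_key_mgmt": "SAE",
    "rsn_pairwise": "CCMP",
    "ieee80211w": "2",
    "sae_require_mfp": "1",
}
SAMPLE_PASSPHRASE = "1234567890"           # placeholder used on this page
FREE_TEXT = {"ssid", "wpa_passphrase"}     # values that may contain '#'

def parse(text):
    """Return ({key: value}, [keys whose value line carries a trailing comment])."""
    settings, inline = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in FREE_TEXT and re.search(r"\s#", value):
            # Assumption: hostapd skips only lines that start with '#', so a
            # trailing comment would be handed to the option parser as data.
            inline.append(key)
            value = re.split(r"\s+#", value, maxsplit=1)[0]
        settings[key] = value
    return settings, inline

def audit(text):
    """Return sorted findings; an empty list means the SAE settings match."""
    settings, inline = parse(text)
    findings = [f"{k}: expected {v}, found {settings.get(k)}"
                for k, v in REQUIRED.items() if settings.get(k) != v]
    findings += [f"{k}: trailing comment on value line" for k in inline]
    if settings.get("wpa_passphrase") == SAMPLE_PASSPHRASE:
        findings.append("wpa_passphrase: sample value still in use")
    return sorted(findings)

# Constructed sample input, not a configuration from the page.
DRIFTED = """wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
wpa_passphrase=1234567890
ieee80211w=1
sae_groups=19 20 21   # preferred groups
"""

if __name__ == "__main__":
    print("\n".join(audit(DRIFTED)))
```

Running it on a deployed hostapd.conf before restarting the access point shows whether management frame protection or the SAE key management setting has drifted from the values above, and whether the sample passphrase was left in place.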

WPA3 Suite B security

Here is an example of the wpa_supplicant.conf configuration file to connect to a WPA3 Suite B capable access point:

ctrl_interface=/var/run/wpa_supplicant
update_config=1
interworking=1
gas_address3=1
sae_groups=19 20 21 25 26           # If parameter is not set, 19 is the default value.
network={
    ssid="YourAP"
    key_mgmt=WPA-EAP-SUITE-B-192
    pairwise=GCMP-256
    group=GCMP-256
    group_mgmt=BIP-GMAC-256
    eap=TLS
    proto=RSN
    identity="Client Certificate IDL"
    password=""
    ca_cert="ec2-ca.pem"
    client_cert="ec2-ser.pem"
    private_key="ec2-user.pem"
    private_key_passwd="wifi"
    openssl_ciphers="SUITEB192"
    ieee80211w=2
}
Copyright © 2017-2020 H&D Wireless AB.