WiFi: mandate WPA3 in >= 6GHz bands #7553
Comments
|
@systemcrash thank you for asking for my feedback. From a user perspective similar to 6e WPA3 (OWE haven't tried it) WIFI7 requires these. The banapi4 wifi forum has plenty of examples of users falling on this "trap"... My observation, there are some dependencies - 1. WPA3/OWE if possible, should be forced through the mac80211.sh / hostpad.sh scripts (if not already) or the new ucode implementation. Also, 2. firstboot setup should specify wpa3 (with a default password?) somehow through the json spec of the device ... probably very hard ... regarding luci - yes if it is wifi7 other than wpa3/owe the other options should not be available. worth perhaps also include on this @blogic as he probably has an updated view of the ucode changes and if there is anything on this backlog regarding your question ps. I haven't heard about a force option to use WPA2 or mixed for wifi7 ... why one would allow this ? as it is against the standard so imho i would keep away of implementing this. |
|
Thanks @rmandrad
Yeah, I just don't know the plethora of what various hardware or firmware will tolerate, maybe some users succeed in using WPA2 on a WiFi 7 deployment, despite it not being allowed. By the sounds of things, I can go ahead and add a fix. It should help in new deployments, in any case. 24 is probably a good point to add it since we recently added WiFi 7 support (in luci). |
|
@rmandrad Could you give this change a spin and verify it works as intended on a 6G band? |
|
so tested Test approach replaced wireless.js, removed the luci-indexcache file and restarted the web server. Test - Using the banana pi4 device - with a mt7996 card, radio2 is 6ghz ,operating frequency mode BE only WPA3* and OWE are shown. I believe there is an issue on the code - it shouldn't be the band
but instead the operating mode BE (EHT) that should force the use of WPA3 or OWE. I can use AX on the 6G radio, equally I can use EHT on the 5Ghz radio (radio1). If I select the radio1 and BE I am not constrained anymore to use only WPA3 and OWE potentially perhaps you should use the freqlist range to include 6E another test using radio2 - if I select AX, 5Ghz only WPA3/OWE are shown
|
Why would anybody use WPA2 even if it is supported on a standard where all clients support WPA3 anyway. So yes just make it mandatory to use WPA3 |
|
To support older devices, is one reason. But if a device supports 6ghz, then it'll more than likely support 5 and 2ghz.
I don't see any operating mode which mandates wpa3. Only the 6ghz band. Does your radio 2 have dual band support (including 6ghz)? |
|
yes, the mt7996 has three radios based on what you said the test I have done passed ;) |
|
@systemcrash Thanks for taking this up. I tested your new wireless.js on Linksys MX8500 and it works as expected. The 6ghz settings (Qualcomm Atheros QCN6024/9024/9074 802.11ax) now only allow WPA3 and OWE and so the radio comes up with either option. There is another quirk. 802.11w Management Frame Protection must be set to Required or the radio won't come up. Does it make sense to turn off the other options on this band? Interestingly, on 2ghz (Qualcomm Atheros IPQ8074 802.11ax/b/g/n) and 5ghz (Qualcomm Atheros IPQ8074 802.11ac/ax/n), 802.11w Management Frame Protection can be set to Disabled, Optional, or Required even in WPA3/OWE mode. Somewhat related: #5394 |
MFP is mandated (since it's based on 6GHz). That can go into this change.
MFP is not mandated in other bands, thus setting those options as so is possible. Increased security and MFP in e.g. 5GHz is allowed (undefined?), while MFP and WPA3 is mandated in 6GHz. See first link in top post. |
@blogic: you wrote: But I cannot find this. Maybe it was removed (regression?) or changed location? |
|
Note to self: https://www.wi-fi.org/file/wpa3-specification |
This seems to me to be an odd way to do things: We'll let you configure it any way you want, but then we'll change it behind your back to fix it. Regardless, this would presumably fully address this issue, so must not be currently implemented as described. |
|
Check Hostapd.sh is just one level up |
@systemcrash Appears like rc6 and final are imminent, so if you want it in 24.10, need to merge ASAP. |
|
fyi - just noticed that iface.uc also manages security |
I want to get some feedback before adding a fix for this. It's my understanding that 6GHz bands (WiFi 6E and beyond) mandate WPA3 and OWE only. See here and here. Even there may be some devices which don't care about this.
Forum Example.
How does the One (with WiFi 7) behave here? @Ansuel @aparcar
WiFi 7 in general @rmandrad ?
A 'force' option as the new default is possible, so those wanting older WPA2 in 6GHz can have it.
The text was updated successfully, but these errors were encountered: