WPA3 on Raspberry Pis

WPA3 should work but is getting closer to working, on all generations of raspberry pis. I can confirm success with a pi4b so far.

There are a number of complaints and possibly a fix^H^H^H painful workaround.

2024 activity

A quick success then failure 11 hours later. It also turns out there was quite a bit of LKML dra^H^H^Hactivity about the state of the cypress and infineon firmware being abandoned. Lastly there's a nicer way to use update-alternatives to manage the firmware.

Thanks to the Asahi devs and Rachel for keeping atop of this and a memorable quote:

This is the Linux experience I remember from the 90s: poring over compatibility lists and making sure you buy the right thing every time.

pi4b

Originally was running buster from 2019 with wifi disabled.

  • installed new bookworm 12.2 -> update to 12.4
  • apt install iwd
  • nmtui to connect to wpa3 AP. Change to WPA3 SAE for auth and reboot!
  • successs!!!
  • wait 11 hours for doom...
  • no deauth yet (23h)

seeing these messages in the kernel log every 4-8 seconds or so:

[   40.408230] ieee80211 phy0: brcmf_p2p_send_action_frame: Unknown Frame: category 0x5, action 0x1
[   48.315796] ieee80211 phy0: brcmf_p2p_send_action_frame: Unknown Frame: category 0x5, action 0x1


$ dmesg | grep brcmf_p2p | wc
   1364   13640  136400

also seen on libelec

pi zero2w

The firmware change catches the new version but no joy on getting iwd to connect to anything with nmtui.

Have tried the latest official and upstream firmware without success connecting to a wpa3 network.

        $ iw phy |grep SAE
            * [ SAE_OFFLOAD ]: SAE offload support

other pi4b

SAE showing in iw phy but the test machine hasn't suffered the upgrade of NetworkManager yet.

verifying WPA3 on Openwrt

wifi_suite.sh which requires hostapd-utils.

older fallbacks

I encounted this mess which tangled with 802.11w protected management frames, a requirement for WPA3.

  • missing from iw list: Device supports SAE with AUTHENTICATE command
  • kernel 5.15.32-v7+
  • wpa_supplicant v2.10
  • mixed WPA2-PSK/WPA3-SAE tested successfully with rpi zero2w
    • this used to work without fuss on older wpa_supplicants

Motivation

I blindly apt upgraded the other day and lost wifi on my pi zero2. This may have happened a few other times on a pi4 a couple of years previously where I was only able to downgrade wpa_supplicant as a fix. Rebooting, wpa_supplicant no longer connected to the mixed WPA2-PSK/WPA3-SAE or WPA3-SAE access points. wpa-cli showed it was trying to connect but failed to authenticate and gave up.

I think this is what nuked the connection:

[UPGRADE] wpasupplicant:armhf 2:2.9.0-21 -> 2:2.10-9+b2
[UPGRADE] raspberrypi-kernel:armhf 1:1.20220120-1 -> 1:1.20220331-1

WPA3-SAE

Note key_mgmt=SAE, sae_pasword, and iee80211w=2

ssid="name"
key_mgmt=SAE
sae_password="saepasswordy"
ieee80211w=2
proto=RSN

mixed WPA2-PSK/WPA3-SAE

This is how I restored the connection since wpa_supplicant wasn't clever enough to work through this.

ssid="name"
key_mgmt=WPA-PSK-SHA256
psk=somepsk1
ieee80211w=2
proto=RSN

arch linux - wpa_supplicant

802.11w issue - raspberrypi 3619

wpa3 issue - raspberrypi 4718