Hello guys,
This period I have been dealing with WLANs as I have added a new WPA3
SSID and fell on some trouble and limitations(more messages will
follow on this). Long story short, some WLAN cards do not work and
some Android based mobile phones do not work(like my Android 12 based
SAMSUNG M31 which is not detecting such SSIDs at all!). On one hand,
vendors like Atheros have done a good job. As a result, all cards were
able to connect successfully at SSID using the WPA3 encryption. This
includes miniPCI, PCI, miniPCIe, Cardbus and USB adapters. On the
other hand vendors like Intel haven't done a really good job. miniPCI
cards from Intel are out of question due to legacy driver and custom
802.11 implementation. Initial miniPCIe cards like 4965 series do not
support it similar to many iwlwifi cards. I believe that all iwlwifi
supported cards should be able to use WPA3. My 2006 Atheros cards
connect successfully so I expect the same for intel cards launched a
decade after the old Atheros cards otherwise we should blacklist such
devices to save lots of noise from bug reports about undetected
networks. Hopefully the Intel team will fix everything so that noone
will not need to switch cards on laptops. Some of those like HP and
Lenovo laaptops have the famous blacklist so they need lots of work to
replace the WLAN card and get it working. On the rest like my brothers
Dell, you just switch the card and it works!
Starting with the tests, I have used a single antenna setup on all
miniPCI & miniPCIe devices tested at my PC. On laptops I have used 2
antennas except my CQ57 which has only one antenna installed... M2
cards were tested with 2 antennas. Most devices were initially tested
with live Ubuntu 22.04 and later using 22.10. Now I am using Debian
11. Just for testing I used Debian 10 as well but it is not able to
detect WPA3 enabled SSIDs. Also I have a combo WPA2,3 SSID. In
addition to the 2,4GHz WPA3 SSID, I have added a 5GHz one at my WFA
certified router. What is more, I have tested a set of Unify APs after
adding a WPA SSID at 2,4 GHz.
I have prepared a new 6.0 kernel at my Debian 11 based AMD PC for
testing but I will wait for your response prior doing further testing.
Back to the 2200BG, here is how it boots on Ubuntu:
[ 217.324956] lib80211: common routines for IEEE802.11 drivers
[ 217.324960] lib80211_crypt: registered algorithm 'NULL'
[ 217.347417] libipw: 802.11 data/management/control stack, git-1.1.13
[ 217.347422] libipw: Copyright (C) 2004-2005 Intel Corporation
<[email protected]>
[ 217.402564] ipw2200: Intel(R) PRO/Wireless 2200/2915 Network
Driver, 1.2.2kmprq
[ 217.402570] ipw2200: Copyright(c) 2003-2006 Intel Corporation
[ 217.402868] ipw2200: Detected Intel PRO/Wireless 2200BG Network Connection
[ 217.642903] ipw2200: Detected geography ZZR (14 802.11bg channels,
0 802.11a channels)
[ 217.650646] ipw2200 0000:05:06.0 wlp5s6: renamed from eth0
It can't connect to WPA3 2,4GHz SSID and I got no logs.
At combo WPA2,3 2,4GHz SSID it was able to connect successfully:
[ 618.159511] lib80211_crypt: registered algorithm 'CCMP'
[ 618.194283] IPv6: ADDRCONF(NETDEV_CHANGE): wlp5s6: link becomes ready
This is the device:
05:06.0 Network controller [0280]: Intel Corporation PRO/Wireless
2200BG [Calexico2] Network Connection [8086:4220] (rev 05)
Subsystem: Intel Corporation PRO/Wireless 2200BG [Calexico2]
Network Connection [8086:2702]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort-
<TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 32 (750ns min, 6000ns max)
Interrupt: pin A routed to IRQ 20
NUMA node: 0
Region 0: Memory at fdbff000 (32-bit, non-prefetchable) [size=4K]
Capabilities: [dc] Power Management version 2
Flags: PMEClk- DSI+ D1- D2- AuxCurrent=0mA
PME(D0+,D1-,D2-,D3hot+,D3cold+)
Status: D0 NoSoftRst- PME-Enable- DSel=0 DScale=1 PME-
Kernel driver in use: ipw2200
Kernel modules: ipw2200
00: 86 80 20 42 06 00 90 02 05 00 80 02 00 20 00 00
10: 00 f0 bf fd 00 00 00 00 00 00 00 00 00 00 00 00
20: 00 00 00 00 00 00 00 00 00 00 00 00 86 80 02 27
30: 00 00 00 00 dc 00 00 00 00 00 00 00 05 01 03 18
40: 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
d0: 00 00 00 00 00 00 00 00 00 00 00 00 01 00 22 c8
e0: 00 20 00 13 00 00 00 00 00 00 00 00 00 00 00 00
f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Hi,
> This period I have been dealing with WLANs as I have added a new WPA3
> SSID and fell on some trouble and limitations(more messages will
> follow on this).
>
Well, keep in mind that WPA3 requires all kinds of new things, and the
*most recent* NIC you tried is already ~11 years old afaict.
> Long story short, some WLAN cards do not work and
> some Android based mobile phones do not work(like my Android 12 based
> SAMSUNG M31 which is not detecting such SSIDs at all!). On one hand,
> vendors like Atheros have done a good job. As a result, all cards were
> able to connect successfully at SSID using the WPA3 encryption. This
> includes miniPCI, PCI, miniPCIe, Cardbus and USB adapters.
>
This probably means they use SW crypto for everything.
> On the
> other hand vendors like Intel haven't done a really good job. miniPCI
> cards from Intel are out of question due to legacy driver and custom
> 802.11 implementation. Initial miniPCIe cards like 4965 series do not
> support it similar to many iwlwifi cards. I believe that all iwlwifi
> supported cards should be able to use WPA3.
What makes you believe that?
> My 2006 Atheros cards
> connect successfully so I expect the same for intel cards launched a
> decade after the old Atheros cards otherwise we should blacklist such
> devices to save lots of noise from bug reports about undetected
> networks.
Umm, no? Why would we break NICs that work well with most existing
networks, just not WPA3 ones?
> Hopefully the Intel team will fix everything so that noone
> will not need to switch cards on laptops.
>
Unlikely. The newest Intel NIC in your list was 6205, which was released
in 2011.
Without wpa_supplicant logs I'm not even sure why it's broken, but
likely the reason is that it doesn't advertise management frame
protection support since the firmware handles certain management frames,
and there was no hardware offload for those at the time.
(This might be a difference to Atheros NICs.)
>
> It can't connect to WPA3 2,4GHz SSID and I got no logs.
Well, you should look at wpa_supplicant logs.
johannes
> Well, keep in mind that WPA3 requires all kinds of new things, and the
> *most recent* NIC you tried is already ~11 years old afaict.
Yes and no. Yes it needs new things. No this is not the case here. I
tested cards from 2021 back to 2003.
> This probably means they use SW crypto for everything.
Sounds good to me since it works.
> What makes you believe that?
The fact that some just work. Why not use SW crypto on legacy devices?
> Umm, no? Why would we break NICs that work well with most existing
> networks, just not WPA3 ones?
You got it wrong here. What I mean is to use a flag that some devices
are not WPA3 compatible. That way when an attempt to connect at such
an SSID would print a message suggesting to use a WPA2 network. This
will help novice users and save time from bug reports. Most routers
now support WPA3.
> Unlikely. The newest Intel NIC in your list was 6205, which was released
> in 2011.
That is a good one :) I have much more hardware than I need. I just
sent what made errors here. Rest assured that I have tested all intel
cards including mPCIe and CNVi M2 except the AX411. Also do not own
any wimax ones from Intel and Marvell based cards. To be honest,
tomorrow I will receive two more mPCIe cards having PCIe adapter using
Mediatek chips for testing since we had only two of them borrowed from
ADSL routers and are locked at 5GHz only operation. But they connected
successfully to a 5GHz WPA3 SSID.
> Well, you should look at wpa_supplicant logs.
Will do tomorrow as I will switch to custom 6.0 as well since I have
another one card facing issues. A Cardbus based Atheros ath9k failing
WPA3 without any logs so will hopefully check both.
> And btw, your clock is off by a day:
Debian default time zone was set to US by default but switched to MX
Linux today since I could not bare Gnome! Used the right time zone now
Hi Ioannis,
>> Well, keep in mind that WPA3 requires all kinds of new things, and the
>> *most recent* NIC you tried is already ~11 years old afaict.
> Yes and no. Yes it needs new things. No this is not the case here. I
> tested cards from 2021 back to 2003.
>
>> This probably means they use SW crypto for everything.
> Sounds good to me since it works.
>
>> What makes you believe that?
> The fact that some just work. Why not use SW crypto on legacy devices?
>
>> Umm, no? Why would we break NICs that work well with most existing
>> networks, just not WPA3 ones?
> You got it wrong here. What I mean is to use a flag that some devices
> are not WPA3 compatible. That way when an attempt to connect at such
> an SSID would print a message suggesting to use a WPA2 network. This
> will help novice users and save time from bug reports. Most routers
> now support WPA3.
have you tried iwd instead of wpa_supplicant? I think we have taken care
of ensuring that WPA3 (or more precise SAE) is only tried when all
ciphers are correctly supported by the card. Otherwise it is going to
stick with WPA2. In case of WPA3-only network, we will have to see
what happens and if the error reported is correct.
You can try iwd behind NM or standalone with iwctl command line client
and it will also give you iwmon tracing tool that allows more capturing
the nl80211 traffic.
Regards
Marcel