wifi: add key_mgmt=WPA-PSK-SHA256 and ieee80211w=1 by default #1254

Open
wants to merge 1 commit into
base: master

@cyyself cyyself commented Feb 19, 2024

Connecting to a WPA2/WPA3 mixed Access Point without setting key_mgmt=WPA-PSK-SHA256 will fail. Add this note for users to avoid the same trouble.

Member

mdevaev commented Feb 19, 2024

Interesting. Will it work if you set key_mgmt="WPA-PSK WPA-EAP WPA-PSK-SHA256"? Could you check it? I'm thinking about changing the default value in the config.

@mdevaev mdevaev self-assigned this Feb 19, 2024
@mdevaev mdevaev added the type:feature New feature or request label Feb 19, 2024
Author

cyyself commented Feb 19, 2024

> Interesting. Will it work if you set key_mgmt="WPA-PSK WPA-EAP WPA-PSK-SHA256"? Could you check it? I'm thinking about changing the default value in the config.

I have tested it on my RPI-4B with pikvm + OpenWRT 23.05.2 Router with mt76 wifi drivers. It works on WPA2-PSK/WPA3-SAE mixed mode, but it does not work on WPA2-PSK with CCMP(AES) encryption. The log shows:

[root@pikvm ~]# systemctl status wpa_supplicant@wlan0.service
* wpa_supplicant@wlan0.service - WPA supplicant daemon (interface-specific version)
     Loaded: loaded (/usr/lib/systemd/system/wpa_supplicant@.service; enabled; preset: disabled)
     Active: active (running) since Mon 2024-02-19 20:11:34 UTC; 2min 11s ago
   Main PID: 1531 (wpa_supplicant)
      Tasks: 1 (limit: 4025)
        CPU: 112ms
     CGroup: /system.slice/system-wpa_supplicant.slice/wpa_supplicant@wlan0.service
             `-1531 /usr/bin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-wlan0.conf -iwlan0

Feb 19 20:12:47 pikvm wpa_supplicant[1531]: wlan0: Failed to initiate sched scan
Feb 19 20:12:53 pikvm wpa_supplicant[1531]: wlan0: Failed to initiate sched scan
Feb 19 20:12:59 pikvm wpa_supplicant[1531]: wlan0: Failed to initiate sched scan
Feb 19 20:13:05 pikvm wpa_supplicant[1531]: wlan0: Failed to initiate sched scan
Feb 19 20:13:11 pikvm wpa_supplicant[1531]: wlan0: Failed to initiate sched scan
Feb 19 20:13:17 pikvm wpa_supplicant[1531]: wlan0: Failed to initiate sched scan
Feb 19 20:13:23 pikvm wpa_supplicant[1531]: wlan0: Failed to initiate sched scan
Feb 19 20:13:29 pikvm wpa_supplicant[1531]: wlan0: Failed to initiate sched scan
Feb 19 20:13:35 pikvm wpa_supplicant[1531]: wlan0: Failed to initiate sched scan
Feb 19 20:13:41 pikvm wpa_supplicant[1531]: wlan0: Failed to initiate sched scan

However, I can find my ssid using iw wlan0 scan. It can be reproduced by controlling the variable that sets my router to a fixed wifi channel without DFS in my country and the only difference is the encryption method.

Author

cyyself commented Feb 19, 2024

I have an interesting finding now. I use another AP in my home, whose model is ZTE AX5400Pro+ with factory firmware, and I set the wifi encryption method to WPA2-PSK/WPA3-SAE mixed on the AP side. However, the RPI with this wpa_supplicant configuration cannot connect to it when we have key_mgmt=WPA-PSK-SHA256 set, but it will be successfully associated with the AP if it is removed. I have checked the MAC address of the BSSID in wpa_supplicant's log to make sure the problem belongs to the specific AP. So I prefer not to change it until we find out how wpa_supplicant works.

Author

cyyself commented Feb 20, 2024

After some debugging, I found that we also need to set ieee80211w=1 to use 802.11w if the AP requires the client to support 802.11w. So we may need a Wi-Fi configuration like this:

This configuration works on every AP with every configuration except "WPA3-SAE only" and "WPA(2)-PSK with TKIP only" as far as I can try.

country=CN

network={
        ssid="CYY-Test"
        #psk="qwer1234"
        psk=e94332fd467931cc33bd7d5173149a4eae711d2396da6a7395122c3f46f1227d
        key_mgmt=WPA-PSK-SHA256 WPA-PSK
        ieee80211w=1
}

However, WPA with TKIP is hardly used today because of its weak security. As for "WPA-EAP", it is only used for enterprise wifi, which usually needs username + password or smartcard authentication and is very complex. I don't think we need it for the pikvm configuration, and expert users should find their way to configure their specific network.

So setting key_mgmt=WPA-PSK WPA-PSK-SHA256 and ieee80211w=1, and also reminding the user to set the country code, might be enough to work on most users' APs.
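
An added example, not code from this pull request or from PiKVM: a small Python audit of a wpa_supplicant config for the settings this thread settled on (key_mgmt including WPA-PSK-SHA256, ieee80211w enabled, country set). The function names and all sample values are constructed; the commented-passphrase check goes beyond the thread and covers the `#psk="..."` line that wpa_passphrase output carries.

```python
# Constructed sample config: the thread's settings plus a block left at defaults.
SAMPLE_CONF = """\
country=CN
network={
    ssid="CYY-Test"
    #psk="example-passphrase"
    psk=0000000000000000000000000000000000000000000000000000000000000000
    key_mgmt=WPA-PSK-SHA256 WPA-PSK
    ieee80211w=1
}
network={
    ssid="Legacy-Example"
    psk=1111111111111111111111111111111111111111111111111111111111111111
}
"""

def parse_conf(text):
    """Split a wpa_supplicant config into global settings and network blocks."""
    settings, networks, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("network={"):
            current = {"_comments": []}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif line.startswith("#") and current is not None:
            current["_comments"].append(line[1:].strip())
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            (settings if current is None else current)[key.strip()] = value.strip()
    return settings, networks

def audit(text):
    """Return {ssid: [findings]} for the settings discussed in this thread."""
    settings, networks = parse_conf(text)
    report = {}
    for net in networks:
        findings = []
        # wpa_supplicant defaults: key_mgmt="WPA-PSK IEEE8021X", ieee80211w=global pmf (0)
        akms = net.get("key_mgmt", "WPA-PSK IEEE8021X").split()
        if "WPA-PSK-SHA256" not in akms:
            findings.append("key_mgmt lacks WPA-PSK-SHA256")
        if int(net.get("ieee80211w", settings.get("pmf", "0"))) == 0:
            findings.append("ieee80211w=0 (802.11w/PMF disabled)")
        if "country" not in settings:
            findings.append("country not set")
        if any(c.startswith('psk="') for c in net["_comments"]):
            findings.append("plaintext passphrase left in a comment")
        report[net.get("ssid", "?").strip('"')] = findings
    return report
```

Calling `audit(SAMPLE_CONF)` flags the default block for both missing settings and the first block only for the commented passphrase.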

Some APs with WPA2-PSK/WPA3-SAE mixed mode only support WPA-PSK-SHA256 key
management mode and also require IEEE 802.11w support. Adding these two
lines to the configuration will avoid some troubles when connecting to some
newer APs.

Signed-off-by: Yangyu Chen <[email protected]>
@cyyself cyyself changed the title from "add note for WPA2/WPA3 mixed Access Point" to "wifi: add key_mgmt=WPA-PSK-SHA256 and ieee80211w=1 by default" Feb 20, 2024
Author

cyyself commented Feb 20, 2024

I force-pushed a new commit which used sed to edit the configuration and added key_mgmt=WPA-PSK-SHA256 WPA-PSK and ieee80211w=1. This should work for most users with newer APs in recent years.

Member

mdevaev commented Feb 24, 2024

Thank you! I'll check it myself in my network too and merge it.

@mdevaev mdevaev force-pushed the master branch 7 times, most recently from 63fe1b0 to 36d5746 Compare March 16, 2024 16:11