[Networkmanager] Cannot connect to an AP managed with NM and WPA

Beniamino Galvani bgalvani at redhat.com
Thu Dec 22 08:46:48 UTC 2022 

On Wed, Dec 21, 2022 at 07:02:57PM +0100, Krystian Heberlein wrote:
> Hi,
> 
> Recently I was struggling to establish a connection with a WiFi Access
> Point managed by NetworkManager with WPA supplicant plugin.
> Although most available devices are able to connect with the AP, my
> RasberryPi 4B won't cooperate.
> On the RPi4 I'm trying to connect as a client with WPA supplicant, but
> constantly the association gets rejected:

Hi,

the message about an invalid MIC can be caused either by a wrong
password (but I suppose you checked that) or by a different
key-management protocols selected on AP and STA. This last problem was
supposedly fixed by commits [1][2], which are already included in NM
1.38.0.

[1] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/a66e054bd67432673b8cc022c862937b95dae348
[2] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/1a7db1d7f712d7696f64b089011bc45fc86e7924

Since you said that the same client is able to connect when using NM
but not with wpa_supplicant alone, I would compare wpa_supplicant
configuration with the the one sent by NM to the supplicant. After
connecting with NM, do:

  # journalctl -u NetworkManager -e | grep "Config: added "
  <info>  [1671697112.3658] Config: added 'ssid' value 'Hotspot'
  <info>  [1671697112.3658] Config: added 'mode' value '2'
  <info>  [1671697112.3658] Config: added 'frequency' value '2462'
  <info>  [1671697112.3658] Config: added 'key_mgmt' value 'WPA-PSK WPA-PSK-SHA256 SAE'
  <info>  [1671697112.3658] Config: added 'psk' value '<hidden>'
  <info>  [1671697112.3658] Config: added 'proto' value 'RSN'
  <info>  [1671697112.3658] Config: added 'pairwise' value 'CCMP'
  <info>  [1671697112.3659] Config: added 'group' value 'CCMP'

and compare the values with wpa_supplicant configuration.

If you have SAE in "key_mgmt", that could be the cause of the issue.
NM adds SAE automatically when it detects it is supported by the
supplicant; however if you disable PMF that would also disable SAE:

  nmcli connection modify Hotspot wifi-sec.pmf disable
  nmcli connection up Hotspot

If none of the suggestions above work, increase the logging level of
wpa_supplicant on both AP and client with:

  # busctl set-property fi.w1.wpa_supplicant1 /fi/w1/wpa_supplicant1 fi.w1.wpa_supplicant1 DebugLevel s excessive

then try to connect and analyze logs.

Beniamino
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/networkmanager/attachments/20221222/2fafc36e/attachment.sig>

More information about the Networkmanager mailing list