[Networkmanager] Cannot connect to an AP managed with NM and WPA

Thu Dec 22 09:15:08 UTC 2022

Hi Beniamino,

Thank you very much for your response and comprehensive explanation.
Exactly this is what I did yesterday and finally managed to make it work.
First sniffed the configuration that is injected by NetworkManager on the
AP side,
---
Dec 21 18:36:35 NetworkManager[1475]: <info>  [1671647795.2306] Config:
added 'ssid' value 'CLMAP'
Dec 21 18:36:35 NetworkManager[1475]: <info>  [1671647795.2309] Config:
added 'mode' value '2'
Dec 21 18:36:35 NetworkManager[1475]: <info>  [1671647795.2311] Config:
added 'frequency' value '2472'
Dec 21 18:36:35 NetworkManager[1475]: <info>  [1671647795.2313] Config:
added 'key_mgmt' value 'WPA-PSK WPA-PSK-SHA256'
Dec 21 18:36:35 NetworkManager[1475]: <info>  [1671647795.2315] Config:
added 'psk' value '<hidden>'
---
then added the key protocols on the client side, which runs the wpa
supplicant only
---
network={
ssid="CLMAP"
+  key_mgmt=WPA-PSK WPA-PSK-SHA256
---

For some reason, the RPi4 (Raspberry Pi 4 Model B Rev 1.5; Debian GNU/Linux
11 (bullseye)),
failed to select the correct key protocol, but the hint in the wpa
configuration solve the problem.
Thanks for your help!

Best regards,
Krystian Heberlein

czw., 22 gru 2022 o 09:47 Beniamino Galvani <bgalvani at redhat.com>
napisał(a):

> On Wed, Dec 21, 2022 at 07:02:57PM +0100, Krystian Heberlein wrote:
> > Hi,
> >
> > Recently I was struggling to establish a connection with a WiFi Access
> > Point managed by NetworkManager with WPA supplicant plugin.
> > Although most available devices are able to connect with the AP, my
> > RasberryPi 4B won't cooperate.
> > On the RPi4 I'm trying to connect as a client with WPA supplicant, but
> > constantly the association gets rejected:
>
> Hi,
>
> the message about an invalid MIC can be caused either by a wrong
> password (but I suppose you checked that) or by a different
> key-management protocols selected on AP and STA. This last problem was
> supposedly fixed by commits [1][2], which are already included in NM
> 1.38.0.
>
> [1]
> https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/a66e054bd67432673b8cc022c862937b95dae348
> [2]
> https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/1a7db1d7f712d7696f64b089011bc45fc86e7924
>
> Since you said that the same client is able to connect when using NM
> but not with wpa_supplicant alone, I would compare wpa_supplicant
> configuration with the the one sent by NM to the supplicant. After
> connecting with NM, do:
>
>   # journalctl -u NetworkManager -e | grep "Config: added "
>   <info>  [1671697112.3658] Config: added 'ssid' value 'Hotspot'
>   <info>  [1671697112.3658] Config: added 'mode' value '2'
>   <info>  [1671697112.3658] Config: added 'frequency' value '2462'
>   <info>  [1671697112.3658] Config: added 'key_mgmt' value 'WPA-PSK
> WPA-PSK-SHA256 SAE'
>   <info>  [1671697112.3658] Config: added 'psk' value '<hidden>'
>   <info>  [1671697112.3658] Config: added 'proto' value 'RSN'
>   <info>  [1671697112.3658] Config: added 'pairwise' value 'CCMP'
>   <info>  [1671697112.3659] Config: added 'group' value 'CCMP'
>
> and compare the values with wpa_supplicant configuration.
>
> If you have SAE in "key_mgmt", that could be the cause of the issue.
> NM adds SAE automatically when it detects it is supported by the
> supplicant; however if you disable PMF that would also disable SAE:
>
>   nmcli connection modify Hotspot wifi-sec.pmf disable
>   nmcli connection up Hotspot
>
> If none of the suggestions above work, increase the logging level of
> wpa_supplicant on both AP and client with:
>
>   # busctl set-property fi.w1.wpa_supplicant1 /fi/w1/wpa_supplicant1
> fi.w1.wpa_supplicant1 DebugLevel s excessive
>
> then try to connect and analyze logs.
>
> Beniamino
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/networkmanager/attachments/20221222/fc589c84/attachment.htm>