NetworkManager does not support Fast BSS Transition (FT, IEEE 802.11r-2008) enabled networks (KeyMgmt wpa-ft-psk or wpa-ft-eap)
Connecting to a Enterprise network that has Fast Transition (FT) fails when using NetworkManager.
This was tested on a PEAP & MSCHAPv2
NW.
The NetworkManager log gives "Activation: failed for connection 'ssid'" and wpa_supplicant log gives "FT: Invalid key management type (1)".
1
is in this case WPA_KEY_MGMT_IEEE8021X
, however the active network needs WPA_KEY_MGMT_FT_IEEE8021X
for wpa_supplicant to connect.
Adding wpa-ft-eap
to the key_mgmt_conf
passed to wpa_supplicant fixes this issue and I am able to connect successfully (see patch).
--- a/src/supplicant/nm-supplicant-config.c
+++ b/src/supplicant/nm-supplicant-config.c
@@ -773,19 +773,21 @@ nm_supplicant_config_add_setting_wireless_security (NMSupplicantConfig *self,
switch (fils) {
case NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL:
key_mgmt_conf = priv->support_pmf
- ? "wpa-eap wpa-eap-sha256 fils-sha256 fils-sha384"
- : "wpa-eap fils-sha256 fils-sha384";
+ ? "wpa-ft-eap wpa-eap wpa-eap-sha256 fils-sha256 fils-sha384"
+ : "wpa-ft-eap wpa-eap fils-sha256 fils-sha384";
break;
case NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED:
key_mgmt_conf = "fils-sha256 fils-sha384";
break;
default:
if (priv->support_pmf)
- key_mgmt_conf = "wpa-eap wpa-eap-sha256";
+ key_mgmt_conf = "wpa-ft-eap wpa-eap wpa-eap-sha256";
break;
}
}
A proper fix would be nice (that also adds wpa-ft-psk
support), possibly with a new setting, though I don't know if that adds any value (why should the user need to specify of even care if FT is present in the nw).
I also tested with the iwd
backend, but that also failed to connect, however I did not do any further troubleshooting on what might be the cause for that (if FT is even supported by iwd
, if NetworkManager has the same issue with that backend, or if I had something miss-configured).