Bug 2057352 - Hotstop with WPA2+AES (ccmp) not working with ipad as client (ios 15.3.1)
Summary: Hotstop with WPA2+AES (ccmp) not working with ipad as client (ios 15.3.1)
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: wpa_supplicant
Version: 35
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Lubomir Rintel
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-02-23 09:35 UTC by Toon Verstraelen
Modified: 2022-03-01 08:29 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug


Attachments (Terms of Use)

Description Toon Verstraelen 2022-02-23 09:35:42 UTC
Description of problem:

When I enable a Wi-Fi hotspot on my Linux laptop (Fedora 35), my ipad cannot connect to it, while my android phone is just doing this without any problems. I was intuitively going to blame the ipad for this (which may still be the right judgement). However, I have just checked whether I could reproduce the same issue with Fedora 34 (booted from a USB live image) and with that setup. On Fedora 34, this issue cannot be reproduced. That said, I cannot easily rule out that this may also be related to an iOS update. There is no simple way to downgrade it back to iOS 14.

More technical details can be found below.

Version-Release number of selected component (if applicable):

wpa_supplicant-2.10-2.fc35.x86_64
NetworkManager-1.32.12-2.fc35.x86_64


How reproducible:

Systematic, 100% reproducible.


Steps to Reproduce:

1. Activate the hotspot in the Settings application, with a password.
2. Connect to the network from the iPad, using the same passward.

Alternatively, one may also define a hotspot through nmcli and activate it as follows

```bash
# Define the hotspot
nmcli con add type wifi ifname wlan0 con-name HSPLOCAL autoconnect yes ssid HSPLOCAL
nmcli con modify HSPLOCAL 802-11-wireless.mode ap 802-11-wireless.band bg ipv4.method shared
nmcli con modify HSPLOCAL wifi-sec.key-mgmt wpa-psk
nmcli con modify HSPLOCAL wifi-sec.psk "goodpasswordhere"
nmcli con modify HSPLOCAL ifname "yourwifidevice"
# Enforce WPA2
nmcli con modify HSPLOCAL 802-11-wireless.proto rsn
nmcli con modify HSPLOCAL 802-11-wireless-security.proto rsn
# Enfore AES encryption
nmcli con modify HSPLOCAL 802-11-wireless-security.pairwise ccmp
nmcli con modify HSPLOCAL 802-11-wireless-security.group ccmp
# Active the hotspot
nmcli con up HSPLOCAL
```


Actual results:

When trying to connect to the Wi-Fi hotspot from my iPad, I get the following error message:

Unable to join the network "{name of the ESSID}".


Expected results:

The iPad should connect to the hotspot without showing this error message.


Additional info:

Mind that the steps to reproduce the issue, result in a faulty internal state of wifid on the iPad, making it impossible to connect to any access point. To fix this, turn off the hotspot and reboot the tablet. After that, it will just connect fine to APs that used to work before.


I also found the following workaround. When manually setting up the hotspot through nmcli, one may configure it to use TKIP instead of AES/CCMP as follows:

```bash
nmcli con modify HSPLOCAL 802-11-wireless-security.pairwise tkip
nmcli con modify HSPLOCAL 802-11-wireless-security.group tkip
```

With these settings, the iPad can connect without problems, but the downside of this workaround is obviously the weakened security of the Wi-Fi connection.

Comment 1 Toon Verstraelen 2022-02-23 09:37:17 UTC
More additional info:

I did try resetting the network settings on the iPad, and I have also performed a reset to factory settings on the iPad. Neither of these had any effect.

Comment 2 Adam Pribyl 2022-02-28 17:28:35 UTC
I have similar issue with wpa_supplicant, but on Android phone. After upgrade to latest wpa_supplicant, the phone reports some hard to understand message "WPA3 SAE mode, stored" but refuses to connect.

For me the solution now is to dnf downgrade wpa_supplicant
Downgrade wpa_supplicant-1:2.9-12.fc34.x86_64 @fedora
Downgraded wpa_supplicant-1:2.10-2.fc34.x86_64 @@System

my hotspot is only setup to use WPA2 Personal, thus this is really weired why the phone suddely started to complain about WPA3.

iwlist wlp0s20f0u3 auth
wlp0s20f0u3 Authentication capabilities :
WPA
WPA2
CIPHER-TKIP
CIPHER-CCMP

I see more such bugs here now related to 2.10 update...

Comment 3 Toon Verstraelen 2022-03-01 08:29:07 UTC
Adam: Thanks for the suggestion to try wpa_supplicant-2.9. (I tested with wpa_supplicant-2.9-13.fc35.x86_64 specifically, because this was easily installed.) After downgrading to 2.9, I could no longer reproduce the issue. With 2.9, the CCMP cipher can be used without problems.

I'd guess the error message on your android phone may not be very accurate. On my tablet, I had no sensible error message either.


Note You need to log in before you can comment on or make changes to this bug.