WifiWave2 OWE authentication fails with Linux client using iwd

Hello everyone,

I am running into a problem with a Linux client that can’t connect to an open access point using OWE.
The AP is a cAP ax (Model: cAPGi-5HaxD2HaxD, Firmware Version: 7.12) and I am trying to connect with a laptop running Arch Linux and iwd (iNet Wireless Daemon).

AP configuration is as follows:

  • Main SSID for home network with WPA2 + WPA3 (VLAN 1000)
  • Guest SSID for Guest network with OWE (VLAN 1003)

Both are provisioned on 2.4GHz and 5GHz radios.

The log of iwd shows this error message when trying to connect:

Nov 13 22:10:19 emilia iwd[525]: OWE AKM was not included in the RSNE. This AP is out of spec!

When I disable OWE for the Guest network, my laptop successfully connects with no complaints. My smartphone connects regardless of whether OWE is enabled or not.

I suspect that this might be an issue with the cAP ax / WifiWave2 implementation if the error message is anything to go by.
Can someone reproduce this?

Can you take a capture of the traffic when you connect to your guest network with OWE enabled?

Use Wireshark or tcpdump to capture the Wi-Fi traffic during the connection attempt. Analyzing the captured packets might reveal more details about the issue.

tcpdump on my Wi-Fi interface just shows unanswered DHCP requests.

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:35:21.423313 IP6 fe80::9eb6:d0ff:fe89:d7ed > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
16:35:21.435755 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 9c:b6:d0:89:d7:ed, length 290
16:35:21.443203 IP6 fe80::9eb6:d0ff:fe89:d7ed > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
16:35:21.587579 IP6 fe80::9eb6:d0ff:fe89:d7ed.5355 > ff02::1:3.5355: UDP, length 24
16:35:21.713285 IP6 fe80::9eb6:d0ff:fe89:d7ed.5355 > ff02::1:3.5355: UDP, length 24
16:35:21.963196 IP6 fe80::9eb6:d0ff:fe89:d7ed.5355 > ff02::1:3.5355: UDP, length 24
16:35:22.153335 IP6 fe80::9eb6:d0ff:fe89:d7ed > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
16:35:22.713229 IP6 fe80::9eb6:d0ff:fe89:d7ed > ff02::2: ICMP6, router solicitation, length 16
16:35:24.713353 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 9c:b6:d0:89:d7:ed, length 290
16:35:26.418550 IP6 fe80::9eb6:d0ff:fe89:d7ed > ff02::2: ICMP6, router solicitation, length 16
16:35:28.380768 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 9c:b6:d0:89:d7:ed, length 290
16:35:34.096077 IP6 fe80::9eb6:d0ff:fe89:d7ed > ff02::2: ICMP6, router solicitation, length 16
16:35:36.848878 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 9c:b6:d0:89:d7:ed, length 290
16:35:50.034762 IP6 fe80::9eb6:d0ff:fe89:d7ed > ff02::2: ICMP6, router solicitation, length 16
16:35:52.036009 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 9c:b6:d0:89:d7:ed, length 290

The log of the AP on the other hand shows a normal connect and disconnect to the Guest network. Somehow iwd seems to block any traffic from that interface after it throws that error. Or it never actually connects.

Which tells us nothing other than “can’t connect.”

I found this: https://bbs.archlinux.org/viewtopic.php?id=278571, which I guess you did too. Just to confirm: DH group is 19 on the MikroTik? If not, can you give it a try?
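
Added example, not part of any post in this thread: the iwd message quoted above concerns the AKM suite list inside the RSN element (RSNE), where OWE is identified by the selector 00-0F-AC:18 (RFC 8110). This Python sketch parses an RSNE as it would appear in a captured beacon or association frame and reports whether that selector is present; both byte strings are constructed samples, not captures from the cAP ax, and the function names are hypothetical.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")
AKM_OWE = 18  # 00-0F-AC:18, the OWE AKM suite selector (RFC 8110)

def parse_rsne(ie: bytes) -> dict:
    """Parse an RSN element (ID 48) up to and including the AKM suite list."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 2:
        raise ValueError("truncated RSN element")
    version = struct.unpack_from("<H", body, 0)[0]
    pos = 2

    def suites(n):
        # Read n four-byte suite selectors: 3-byte OUI followed by 1-byte type.
        nonlocal pos
        if pos + 4 * n > len(body):
            raise ValueError("suite list overruns element")
        out = [(body[i:i + 3], body[i + 3]) for i in range(pos, pos + 4 * n, 4)]
        pos += 4 * n
        return out

    def count():
        # Every field after the version is optional; a missing count means 0.
        nonlocal pos
        if pos + 2 > len(body):
            return 0
        n = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        return n

    group = suites(1)[0] if pos < len(body) else None
    pairwise = suites(count())
    akm = suites(count())
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}

def offers_owe(ie: bytes) -> bool:
    """True if the RSNE lists the OWE AKM, which is what iwd checks for."""
    return (RSN_OUI, AKM_OWE) in parse_rsne(ie)["akm"]

# Constructed samples: CCMP group/pairwise ciphers, one AKM each.
WITH_OWE = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04"
                         "0100" "000fac12" "c000")   # AKM type 0x12 = 18 (OWE)
WITHOUT_OWE = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04"
                            "0100" "000fac02" "0000")  # AKM type 2 (PSK)

if __name__ == "__main__":
    for name, ie in (("with OWE", WITH_OWE), ("without OWE", WITHOUT_OWE)):
        print(name, parse_rsne(ie)["akm"], "OWE offered:", offers_owe(ie))
```
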