WPA3: no go on Raspberry Pi (plus some Mac gotchas)

WPA3: no go on Raspberry Pi (plus some Mac gotchas)

If you've been doing the wifi thing for a while, you've probably followed the successive rounds of "security" that get layered on top. Back more than 20 years now, it was WEP, the so-called "wired equivalent privacy". That claimed to be 64 or 128 bits, but was closer to 40 or 104 due to the whole 24-bit "IV" thing, and a whole bunch of dumb problems with the crypto generally meant it was weaker than that in practice. Collect enough packets and burn some CPU power and the network is yours.

Then we got WPA, and then WPA2, and now the new hotness is WPA3. You might have noticed this last one in the settings of your newer network stuff and thought "hey, maybe I can benefit from it". Maybe you can, but a lot of it comes down to just how much you're willing to abandon.

Perhaps you have a thing for Raspberry Pis. They gained the ability to do 2.4 GHz wifi natively when the 3B came out, and picked up the 5 GHz band with the 3B+, so now you can have reasonable connectivity anywhere you can find power. The trouble is that the stock hardware and software absolutely will not do a true WPA3 network.

By "true WPA3", I mean a network that's only speaking WPA3 in SAE mode, which requires protected management frames (802.11w), and which does not support any kind of WPA2 fallback. This is a network that you can scan with something like Kismet and it'll say "WPA3-SAE" and nothing else. A stock RPi will absolutely fail to connect to them. This has been known for years and yet still persists.

If you spend far too much time digging around through the bug reports and forum posts, you may discover the angle of starting from the Linux kernel source, applying Infineon patches, fixing compilation errors, and then installing new Cypress firmware as well. Assuming you're willing to go through all of that, then yes, you may find yourself able to join it up to a WPA3-only network.

Wonderful. You now get to track this abomination of a kernel yourself, since you'll now be off whatever upstream decides to push out - security fixes, bug fixes, new features, or whatever else. Have fun!

In the Apple ecosystem, things are a little better. Support is pretty good for such things, and you should find that any Mac or iPhone made in the past few years should work just fine with a WPA3-only network. Even a first generation HomePod can handle it.

But, there's a catch, at least on the Macs. This assumes you are running in normal mode, i.e., booting from your SSD or whatever and running macOS in the usual way. If something happens to your machine and you need network recovery mode, it'll just fail to associate with the WPA3-only wireless network.

At that point, you'd better hope you have another network around that still has WPA2 mode available. Otherwise, you're kind of stuck. These machines haven't had built-in Ethernet ports for many many years so that's not an easy option, either.

I should point out that if you get the bright idea to plug your ailing Mac into a Thunderbolt 3 dock with an Ethernet port with the intent of having it "phone home" for recovery mode that way, you will find that it does not work. It seems that whatever drivers are necessary to notice and/or use that NIC just don't exist in that world, just like how WPA3 support is also somehow missing.

If you have an old Apple Thunderbolt Ethernet adapter for some reason, and also have the requisite USB-C TB3 to mini-DP type TB2 dongle, then you just got lucky. That much will actually be recognized in recovery mode, and you can bootstrap into network recovery mode without standing up a WPA2 network.

Some day, these things will be fixed and this whole post will be a sour footnote in history, but for the moment I figured I'd warn people before they blew too much time trying to make this stuff work.