Authentication error when creating a WiFi hotspot on Trixie #7247
Description
Describe the bug
Any attempt to create a Wifi hotspot on Trixie through NMCLI (on a Pi Zero W) fails with the error:
Error: Connection activation failed: 802.1X supplicant took too long to authenticate
...see users talking about it here:
https://forums.raspberrypi.com/viewtopic.php?t=394710
An open Wifi hotspot works fine, add security and the connection can no longer be brought up journalctl shows:
wlan0: Could not connect to kernel driver
nl80211: Station flush failed: ret=-14 (Bad address)
nl80211: flush -> DEL_STATION wlan0 (all)
wlan0: Flushing old station entries
WPA: group state machine entering state FATAL_FAILURE
nl80211: set_key failed; err=-22 Invalid argument
nl80211: kernel reports: key setting validation failed
broadcast key
nl80211: KEY_DATA - hexdump(len=16): [REMOVED]
nl80211: NEW_KEY
wpa_driver_nl80211_set_key: ifindex=2 (wlan0) alg=4 addr=0x2089cc key_idx=4 set_tx=1 seq_len=0 key_len=16 key_flag=0x1a
nl80211: NL80211_CMD_SET_KEY - default key
broadcast key
nl80211: KEY_DATA - hexdump(len=16): [REMOVED]
nl80211: NEW_KEY
wpa_driver_nl80211_set_key: ifindex=2 (wlan0) alg=3 addr=0x2089cc key_idx=1 set_tx=1 seq_len=0 key_len=16 key_flag=0x1a
WPA: group state machine entering state SETKEYSDONE (VLAN-ID 0)
IGTK - hexdump(len=16): [REMOVED]
GTK - hexdump(len=16): [REMOVED]
WPA: group state machine entering state GTK_INIT (VLAN-ID 0)
WPA: Start group state machine to set initial keys
...and, I don't know whether this is relevant or not, but earlier in the log there is a warning:
Note: nl80211 driver interface is not designed to be used with ap_scan=2; this can result in connection failures
It was my understanding that ap_scan=0 should be used for an access point but I'm no expert.
Steps to reproduce the behaviour
-
Find the names of any existing Wifi client connections with:
sudo nmcli connection --active -
Take any existing Wifi client connections down with:
sudo nmcli connection down MyWifiConnectionName -
Set any existing Wifi clients to not connect automatically in future with:
sudo nmcli connection modify MyWifiConnectionName connection.autoconnect no -
Create the new connection with:
sudo nmcli connection add type wifi ifname wlan0 con-name Hotspot autoconnect yes ssid Hotspot -
Make it an access point with:
sudo nmcli connection modify Hotspot 802-11-wireless.mode ap 802-11-wireless.band bg ipv4.method shared -
Bring it up with:
sudo nmcli connection up Hotspot -
Using something like a mobile phone, check that it is possible to connect to this open access point: SUCCESS.
-
Take the access point down again with:
sudo nmcli connection down Hotspot -
Configure security key management with:
sudo nmcli connection modify Hotspot 802-11-wireless-security.key-mgmt wpa-psk -
For WPA2 the SSID "Hotspot" and the desired passphrase need to first be hashed into a 64 character key. Do this with the command:
wpa_passhrase <SSID> <passphrase>You will get back something like:
network={ ssid="Hotspot" #psk="my_password" psk=fd4dca36408d56c976db9d8c59e015b4419c71cd5ea5124a9042fc9da68782f3 }Note the value of
psk -
Apply the password with:
sudo nmcli connection modify Hotspot 802-11-wireless-security.psk <the psk value from above> -
Set the connection protocol with:
sudo nmcli connection modify Hotspot 802-11-wireless-security.proto wpa -
Set the security algorithm with:
sudo nmcli connection modify Hotspot 802-11-wireless-security.pairwise ccmp -
Bring the access point up again with:
sudo nmcli connection up Hotspot -
Hope for success, but get the authentication error.
Device (s)
Raspberry Pi Zero W / WH
System
Logs
Attached find the output of sudo journalctl -u NetworkManager -u wpa_supplicant -r from a NetworkManager restart to steady-state with wpa_cli -i wlan0 log_level debug and sudo nmcli general logging level DEBUG domain ALL.
Additional context
I wondered if the [inactive] p2p Wifi connection that seems to be created automagically was causing a problem, making the ap_mode turn out wrong, but unfortunately I was unable to get rid of it.
I tried all of the one-liner nmcli connection creation mechanisms, and writing the configuration file myself manually, before I adopted the above sequence; nothing ever, ever, worked.