From: Stefan Sperling Subject: Re: wifi protected management frame (PMF) support To: Remi Locherer Cc: tech@openbsd.org Date: Fri, 28 Nov 2025 10:41:16 +0100 On Fri, Nov 28, 2025 at 09:29:06AM +0100, Remi Locherer wrote: > Yes it connects whrn I disable PMF for the SSID. > --> openbsd-arista_pmf-disabled_r-optional.pcap Thanks, that is good to know. Nothing seems wrong in this case. > > Are there any obvious AP settings for enabling the AKM "PSK"? > > Could you try disabling fast-transition roaming (11k / 11r) in AP settings? > > Perhaps this will switch "FT using PSK" to regular "PSK"? > > No success when I disable 11r but keep 11w required. Also not with the > patch below applied on top of the PMF patches. > --> openbsd-arista_pmf-required_r-disabled.pcap Now this AP is only advertising PSK 256, no PSK anymore. And the AP doesn't even announce its management frame group cipher. Not sure yet what to make of that. Maybe BIP is the implied default? I'll put this on my todo list, But I won't treat this is a blocking problem for PMF patches to start going in. This is an interop issue of the nature to be expected when we start using a feature with code first written by damien@ in 2009. It is remarkable how well it works across many APs already, given that Damien probably never got to point of actually testing this code with a driver. If he had any driver-side PMF code, it was never committed.