How to configure SAE security in IEEE 802.11s Wi-Fi mesh network based on barman-adv?

I am trying to configure IEEE 802.11s Wi-Fi mesh network with Simultaneous Authentication of Equals (SAE) security. Specifically I want to use batman-adv as routing protocol instead default HWMP protocol. It is possible if mesh_fwding parameter of the Wi-Fi mesh network is set to 0 (0 means that HWMP routing and forwarding is turned off). Obviously it is a bad idea to allow batman-adv and HWMP work simultaneously in the network.

I use AuthSAE project to implement SAE security. But every time I manually launch AuthSAE security on, AuthSAE sets mesh_fwding parameter of my mesh network to 1 back again (i.e. AuthSAE turns HWMP routing and forwarding on again every time it starts working). I use Raspberry PI 3 with Raspbian 10 (Linux 4.19). My /etc/network/interfaces file looks like:

auto mesh0
iface mesh0 inet manual
   pre-up iw dev wlan0 interface add mesh0 type mp mesh_id MESH_NETWORK
   pre-up iw dev mesh0 set channel 11
   post-up ifconfig mesh0 mtu 1532

auto bat0
iface bat0 inet static
    pre-up batctl if add mesh0
    post-up iw mesh0 set mesh_param mesh_fwding=0 

I launch AuthSAE as follows:

meshd-nl80211 -c /usr/local/etc/authsae.cfg -o /var/log/meshd.log -B

The part of /usr/local/etc/authsae.cfg file is shown below:

    debug = 480;
    password = "thisisreallysecret";
    group = [19, 26, 21, 25, 20];
    blacklist = 5;
    thresh = 5;
    lifetime = 3600;
    meshid = "MESH_NETWORK";
    interface = "mesh0";
    passive = 0;
    mediaopt = 1;
    band = "11g";
    channel = 11;
    htmode = "none";
    mcast-rate = 12;

My Wi-Fi mesh network works well with SAE, but always sets mesh_fwding parameter to 1 every time AuthSAE starts working. I can set mesh_fwding to 0 back again and it continues working well. So, my question is:

I know that SAE was introduced in IEEE 802.11s standard, but I did not find that SAE requires HWMP being turned on. Does SAE really requires HWMP? How can I configure SAE in IEEE 802.11s mesh network based on batman-adv without turning mesh_fwding parameter on?

In all shortness: AuthSAE is dead, use wpa_supplicant with a config like this:

1 Like