From ba7a13789fef4b304cf935f7f861ede68ae18ed2 Mon Sep 17 00:00:00 2001
From: Andrew Zaborowski
Date: Fri, 27 Nov 2020 12:42:32 +0100
Subject: [PATCH 1/3] setting-8021x: Fix descriptions for phase2-auth & phase2-autheap
phase2-auth applies for EAP-TTLS and EAP-PEAP but the interpretation is different for one than for the other, clarify the difference. phase2-auth is for the non-EAP inner methods of EAP-TTLS but is also for the EAP inner methods of EAP-PEAP. EAP-PEAP doesn't use phase2-autheap and doesn't support any non-EAP methods. Given how complicated EAP configuration is it's likely that people just use example configurations rather than look at the docs. The example configuration in man/nm-settings-keyfile.xsl is correct in using PEAP together with phase2-auth=mschapv2. [thaller@redhat.com: regenerate documentation files]
---
 .../generate-docs-nm-settings-nmcli.xml.in | 4 +--
 clients/common/settings-docs.h.in | 4 +--
 libnm-core/nm-setting-8021x.c | 27 +++++++++++--------
 3 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/clients/cli/generate-docs-nm-settings-nmcli.xml.in b/clients/cli/generate-docs-nm-settings-nmcli.xml.in
index 99b7a1165a..1044ae0d38 100644
--- a/clients/cli/generate-docs-nm-settings-nmcli.xml.in
+++ b/clients/cli/generate-docs-nm-settings-nmcli.xml.in
@@ -145,9 +145,9 @@
+ description="Specifies the allowed &quot;phase 2&quot; inner authentication method when an EAP method that uses an inner TLS tunnel is specified in the &quot;eap&quot; property. For TTLS this property selects one of the supported non-EAP inner methods: &quot;pap&quot;, &quot;chap&quot;, &quot;mschap&quot;, &quot;mschapv2&quot; while &quot;phase2-autheap&quot; selects an EAP inner method. For PEAP this selects an inner EAP method, one of: &quot;gtc&quot;, &quot;otp&quot;, &quot;md5&quot; and &quot;tls&quot;. Each &quot;phase 2&quot; inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. Both &quot;phase2-auth&quot; and &quot;phase2-autheap&quot; cannot be specified." />
+ description="Specifies the allowed &quot;phase 2&quot; inner EAP-based authentication method when TTLS is specified in the &quot;eap&quot; property. Recognized EAP-based &quot;phase 2&quot; methods are &quot;md5&quot;, &quot;mschapv2&quot;, &quot;otp&quot;, &quot;gtc&quot;, and &quot;tls&quot;. Each &quot;phase 2&quot; inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details." />
Date: Thu, 19 Nov 2020 03:28:12 +0100
Subject: [PATCH 2/3] iwd: Rename NM_IWD_NETWORK_SECURITY_NONE to _OPEN
IWD doesn't expose on D-Bus, or in the network profile files, the information on whether a network has no security or uses OWE so they should be the same thing to the iwd backend (similarly WPA2-Personal and WPA3-Personal/SAE). But OWE implies some security against some attacks so the NONE naming could be misleading.
---
 src/core/devices/wifi/nm-device-iwd.c | 6 +++---
 src/core/devices/wifi/nm-iwd-manager.c | 10 +++++-----
 src/core/devices/wifi/nm-wifi-utils.c | 2 +-
 src/core/devices/wifi/nm-wifi-utils.h | 2 +-
 4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/core/devices/wifi/nm-device-iwd.c b/src/core/devices/wifi/nm-device-iwd.c
index 63c5255607..02ed0d8672 100644
--- a/src/core/devices/wifi/nm-device-iwd.c
+++ b/src/core/devices/wifi/nm-device-iwd.c
@@ -789,7 +789,7 @@ check_connection_compatible(NMDevice *device, NMConnection *connection, GError *
 return FALSE;
 }
 } else if (!NM_IN_SET(security,
- NM_IWD_NETWORK_SECURITY_NONE,
+ NM_IWD_NETWORK_SECURITY_OPEN,
 NM_IWD_NETWORK_SECURITY_PSK)) {
 nm_utils_error_set_literal(error,
 NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
@@ -819,7 +819,7 @@ check_connection_compatible(NMDevice *device, NMConnection *connection, GError *
 return FALSE;
 }
- if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_NONE, NM_IWD_NETWORK_SECURITY_PSK)) {
+ if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_OPEN, NM_IWD_NETWORK_SECURITY_PSK)) {
 nm_utils_error_set_literal(
 error,
 NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
@@ -1740,7 +1740,7 @@ act_check_interface(NMDeviceIwd *self)
 &security))
 goto failed;
- if (security == NM_IWD_NETWORK_SECURITY_NONE) {
+ if (security == NM_IWD_NETWORK_SECURITY_OPEN) {
 g_dbus_proxy_call(proxy,
 "StartOpen",
 g_variant_new("(s)", ssid),
diff --git a/src/core/devices/wifi/nm-iwd-manager.c b/src/core/devices/wifi/nm-iwd-manager.c
index 3aa29e6d45..b4b019d3e5 100644
--- a/src/core/devices/wifi/nm-iwd-manager.c
+++ b/src/core/devices/wifi/nm-iwd-manager.c
@@ -533,7 +533,7 @@ mirror_connection(NMIwdManager * self,
 switch (id->security) {
 case NM_IWD_NETWORK_SECURITY_WEP:
- case NM_IWD_NETWORK_SECURITY_NONE:
+ case NM_IWD_NETWORK_SECURITY_OPEN:
 case NM_IWD_NETWORK_SECURITY_PSK:
 break;
 case NM_IWD_NETWORK_SECURITY_8021X:
@@ -642,7 +642,7 @@ mirror_connection(NMIwdManager * self,
 case NM_IWD_NETWORK_SECURITY_WEP:
 key_mgmt = "none";
 break;
- case NM_IWD_NETWORK_SECURITY_NONE:
+ case NM_IWD_NETWORK_SECURITY_OPEN:
 key_mgmt = NULL;
 break;
 case NM_IWD_NETWORK_SECURITY_PSK:
@@ -758,7 +758,7 @@ interface_added(GDBusObjectManager *object_manager,
 return;
 if (nm_streq(type_str, "open"))
- security = NM_IWD_NETWORK_SECURITY_NONE;
+ security = NM_IWD_NETWORK_SECURITY_OPEN;
 else if (nm_streq(type_str, "psk"))
 security = NM_IWD_NETWORK_SECURITY_PSK;
 else if (nm_streq(type_str, "8021x"))
@@ -840,7 +840,7 @@ interface_removed(GDBusObjectManager *object_manager,
 return;
 if (nm_streq(type_str, "open"))
- id.security = NM_IWD_NETWORK_SECURITY_NONE;
+ id.security = NM_IWD_NETWORK_SECURITY_OPEN;
 else if (nm_streq(type_str, "psk"))
 id.security = NM_IWD_NETWORK_SECURITY_PSK;
 else if (nm_streq(type_str, "8021x"))
@@ -1242,7 +1242,7 @@ nm_iwd_manager_get_ap_mirror_connection(NMIwdManager *self, NMWifiAP *ap)
 NMIwdManagerPrivate * priv = NM_IWD_MANAGER_GET_PRIVATE(self);
 KnownNetworkData * data;
 char name_buf[33];
- KnownNetworkId kn_id = {name_buf, NM_IWD_NETWORK_SECURITY_NONE};
+ KnownNetworkId kn_id = {name_buf, NM_IWD_NETWORK_SECURITY_OPEN};
 const guint8 * ssid_bytes;
 gsize ssid_len;
 NM80211ApFlags flags = nm_wifi_ap_get_flags(ap);
diff --git a/src/core/devices/wifi/nm-wifi-utils.c b/src/core/devices/wifi/nm-wifi-utils.c
index 5887cafb96..4764f40ee8 100644
--- a/src/core/devices/wifi/nm-wifi-utils.c
+++ b/src/core/devices/wifi/nm-wifi-utils.c
@@ -923,7 +923,7 @@ nm_wifi_connection_get_iwd_ssid_and_security(NMConnection * connection,
 s_wireless_sec = nm_connection_get_setting_wireless_security(connection);
 if (!s_wireless_sec) {
- NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_NONE);
+ NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_OPEN);
 return TRUE;
 }
diff --git a/src/core/devices/wifi/nm-wifi-utils.h b/src/core/devices/wifi/nm-wifi-utils.h
index 6646bca3ba..474bea41ce 100644
--- a/src/core/devices/wifi/nm-wifi-utils.h
+++ b/src/core/devices/wifi/nm-wifi-utils.h
@@ -13,7 +13,7 @@
 #include "nm-setting-8021x.h"
 typedef enum {
- NM_IWD_NETWORK_SECURITY_NONE,
+ NM_IWD_NETWORK_SECURITY_OPEN,
 NM_IWD_NETWORK_SECURITY_WEP,
 NM_IWD_NETWORK_SECURITY_PSK,
 NM_IWD_NETWORK_SECURITY_8021X,
From 9fd0f0c4fae58959cd2ef0a3068bdf4b313c9fb3 Mon Sep 17 00:00:00 2001
From: Andrew Zaborowski
Date: Thu, 19 Nov 2020 03:50:51 +0100
Subject: [PATCH 3/3] iwd: Match IWD networks to existing OWE and SAE connection
IWD's "open" networks can be either unsecured or use OWE and "psk" networks may be using WPA2 personal or WPA3 personal so when looking for an exsiting NMSettingsConnection matching an IWD KnownNetwork, also check for these connection key_mgmt types. Add explicit checks for AP and ADHOC connection modes to exclude OWE and SAE as they're not supported by IWD in those modes and we don't want to make it appear like a connection of this type was successfully activated. In Infrastructure mode there's won't be any way to know whether IWDxi established an OWE or unsecured connection (or WPA2-PSK vs. SAE) regardless of what was set in the NMConnection and it's not considered to be meaningful (also isn't normally exposed in a GUI) although you could argue OWE vs. unsecured is a big difference.
---
 src/core/devices/wifi/nm-device-iwd.c | 24 ++++++++++++++++++++++--
 src/core/devices/wifi/nm-wifi-utils.c | 4 +++-
 2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/src/core/devices/wifi/nm-device-iwd.c b/src/core/devices/wifi/nm-device-iwd.c
index 02ed0d8672..75b0f81aa5 100644
--- a/src/core/devices/wifi/nm-device-iwd.c
+++ b/src/core/devices/wifi/nm-device-iwd.c
@@ -798,6 +798,9 @@ check_connection_compatible(NMDevice *device, NMConnection *connection, GError *
 return FALSE;
 }
 } else if (nm_streq(mode, NM_SETTING_WIRELESS_MODE_AP)) {
+ NMSettingWirelessSecurity *s_wireless_sec =
+ nm_connection_get_setting_wireless_security(connection);
+
 if (!(priv->capabilities & NM_WIFI_DEVICE_CAP_AP)) {
 nm_utils_error_set_literal(error,
 NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
@@ -805,13 +808,17 @@ check_connection_compatible(NMDevice *device, NMConnection *connection, GError *
 return FALSE;
 }
- if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_PSK)) {
+ if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_PSK) || !s_wireless_sec
+ || !nm_streq0(nm_setting_wireless_security_get_key_mgmt(s_wireless_sec), "wpa-psk")) {
 nm_utils_error_set_literal(error,
 NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
 "IWD backend only supports PSK authentication in AP mode");
 return FALSE;
 }
 } else if (nm_streq(mode, NM_SETTING_WIRELESS_MODE_ADHOC)) {
+ NMSettingWirelessSecurity *s_wireless_sec =
+ nm_connection_get_setting_wireless_security(connection);
+
 if (!(priv->capabilities & NM_WIFI_DEVICE_CAP_ADHOC)) {
 nm_utils_error_set_literal(error,
 NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
@@ -819,7 +826,10 @@ check_connection_compatible(NMDevice *device, NMConnection *connection, GError *
 return FALSE;
 }
- if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_OPEN, NM_IWD_NETWORK_SECURITY_PSK)) {
+ if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_OPEN, NM_IWD_NETWORK_SECURITY_PSK)
+ || (s_wireless_sec
+ && !nm_streq0(nm_setting_wireless_security_get_key_mgmt(s_wireless_sec),
+ "wpa-psk"))) {
 nm_utils_error_set_literal(
 error,
 NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
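Review bot: The AP-branch rejection message in the @@ -805 hunk, `"IWD backend only supports PSK authentication in AP mode"`, is now also what a profile with `key-mgmt=sae` receives, and SAE is "PSK authentication" in everyday terms, so the message no longer names the actual constraint the new `nm_streq0(..., "wpa-psk")` test enforces; `"IWD backend only supports wpa-psk (WPA2-Personal) authentication in AP mode"` would tell the user what to change. The ad-hoc check in the @@ -819 hunk gains the same key_mgmt test and its message, which continues outside the hunk, deserves the same wording review. Both branches also declare an identical `s_wireless_sec` and call `nm_setting_wireless_security_get_key_mgmt` on it; one lookup of `key_mgmt` next to where `security` is computed earlier in check_connection_compatible (outside these hunks) would remove the duplication and give a single place for a comment stating that OWE and SAE are excluded here because IWD cannot use them in AP or ad-hoc mode. check_connection_compatible begins and ends outside the hunks.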
@@ -2234,6 +2244,7 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
 if (NM_IN_STRSET(mode, NULL, NM_SETTING_WIRELESS_MODE_INFRA)) {
 gs_unref_object GDBusProxy *network_proxy = NULL;
 NMWifiAP * ap = priv->current_ap;
+ NMSettingWirelessSecurity * s_wireless_sec;
 if (!ap) {
 NM_SET_OUT(out_failure_reason, NM_DEVICE_STATE_REASON_SUPPLICANT_FAILED);
@@ -2335,6 +2346,15 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
 if (!priv->cancellable)
 priv->cancellable = g_cancellable_new();
+ s_wireless_sec = nm_connection_get_setting_wireless_security(connection);
+ if (s_wireless_sec
+ && nm_streq0(nm_setting_wireless_security_get_key_mgmt(s_wireless_sec), "owe")) {
+ _LOGI(LOGD_WIFI,
+ "An OWE connection is requested but IWD may connect to either an OWE "
+ "or unsecured network and there won't be any indication of whether "
+ "encryption is in use -- proceed at your own risk!");
+ }
+
 /* Call Network.Connect. No timeout because IWD already handles
 * timeouts. */
diff --git a/src/core/devices/wifi/nm-wifi-utils.c b/src/core/devices/wifi/nm-wifi-utils.c
index 4764f40ee8..aed236ccaa 100644
--- a/src/core/devices/wifi/nm-wifi-utils.c
+++ b/src/core/devices/wifi/nm-wifi-utils.c
@@ -932,7 +932,9 @@ nm_wifi_connection_get_iwd_ssid_and_security(NMConnection * connection,
 if (NM_IN_STRSET(key_mgmt, "none", "ieee8021x"))
 NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_WEP);
- else if (nm_streq(key_mgmt, "wpa-psk"))
+ else if (nm_streq(key_mgmt, "owe"))
+ NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_OPEN);
+ else if (NM_IN_STRSET(key_mgmt, "wpa-psk", "sae"))
 NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_PSK);
 else if (nm_streq(key_mgmt, "wpa-eap"))
 NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_8021X);
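Review bot: The new OWE message in the @@ -2335 hunk of act_stage2_config is logged with `_LOGI`, yet what it reports is that a profile which asked for encryption may end up on an unencrypted network with no indication to the user, which is a security-relevant downgrade rather than informational progress; `_LOGW(LOGD_WIFI,` would make it stand out in the journal and be caught by anyone filtering on warnings. The same ambiguity applies to `key-mgmt=sae` profiles that may land on WPA2-PSK (the commit message says so), but no corresponding log line is added, so a reader of the log gets asymmetric coverage — either log both cases or add a comment above the new `if` saying why only OWE is called out. act_stage2_config begins and ends outside the hunks.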
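Review bot: The new mapping in nm_wifi_connection_get_iwd_ssid_and_security (@@ -932) folds `"owe"` into NM_IWD_NETWORK_SECURITY_OPEN and `"sae"` into NM_IWD_NETWORK_SECURITY_PSK, deliberately losing a distinction that check_connection_compatible in nm-device-iwd.c then has to recover by re-reading key_mgmt, and nothing at this site says so. A comment above the new `else if` lines, e.g. `/* IWD treats open/OWE and WPA2-PSK/SAE alike, so both pairs map to one value; callers that must exclude OWE or SAE (AP, ad-hoc modes) re-check key_mgmt themselves. */`, would stop the next reader from assuming OPEN means unencrypted or PSK means WPA2 only. The function starts outside the hunk.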