On Thu, Jan 22, 2026 at 12:56:21PM +0000, Stuart Henderson wrote: > An AP which is configured to broadcast an SSID with WPA3 (only) > Enterprise shows like this in ifconfig scan: > > nwid some_ssid chan 1 bssid 76:ac:b9:yy:yy:yy 29% HT-MCS15 > privacy,wpa2,802.1x !wpaproto > nwid some_ssid chan 149 bssid 76:ac:b9:xx:xx:xx 23% HT-MCS31 > privacy,spectrum_mgmt,wpa2,802.1x !wpaproto > > which makes it hard to spot why it's not possible to associate > (i.e. no WPA3 on client). > > debug looks like > > iwx0: - 76:ac:b9:xx:xx:xx 149 +16 54M ess privacy rsn! "some_ssid"! > iwx0: - 76:ac:b9:yy:yy:yy 1 +20 54M ess privacy rsn! "some_ssid"! > > beacons look like > > 802.11 flags=0<>: beacon, timestamp 424490087208, interval 100, > caps=21<ESS,PRIVACY>, ssid (some_ssid), rates 18M 36M 54M, ds (chan 1), > xrates 12M 24M 48M, country 'GB ', channels 1-13 limit 20dB, tim 0x00010000, > rsn=<version 1,groupcipher ccmp,cipher ccmp,akm SHA256-802.1x,rsncap 0xc0>, > erp 0x04, htcaps=<20MHz,SGI@20MHz,TXSTBC,RXSTBC 1 stream,A-MSDU 3839,A-MPDU > max 65535,A-MPDU spacing 4.00us,RxMCS 0xffff0000000000000000>, htop=<20MHz > chan 1,STA chanw 20MHz,htprot non-HT-mixed,non-greenfield STA,basic MCS set > 0x0000000000000000>, 127:8 0x0000080000000000, vendor > 0x0050f2020101000003a4000027a4000042435e0062322f00, 6 stations, 4% > utilization, admission capacity 976us/s, vendor 0x000c4303000000, vendor > 0x00156d00010100010220ec810674acb915ede5892438366432346265332d383833662d343732382d623265312d366235343536343561653661, > <radiotap v0, tsf 78924676, 0Mbit/s, chan 1, 11n, sig 18dBm, noise -127dBm> >
Unfortunately, there is no WPA version number anywhere. The peers negotiate a suitable AKM, and each version of WPA supports a different subset of AKMs. In order to identify wpa3-capable access points. ifconfig looks for AKM SAE, which is only used with WPA3 Personal, but not with WPA3 Enterprise / 802.1x. As far as I understand, AKM SHA256-802.1x could be used in Enterprise mode with either WPA2 or WPA3. There doesn't seem to be a way to reliably detect this particular AP configuration as WPA3-only. Am I missing something?
