On 2026/01/22 14:15, Stefan Sperling wrote:
> On Thu, Jan 22, 2026 at 12:56:21PM +0000, Stuart Henderson wrote:
> > An AP which is configured to broadcast an SSID with WPA3 (only)
> > Enterprise shows like this in ifconfig scan:
> >
> > nwid some_ssid chan 1 bssid 76:ac:b9:yy:yy:yy 29% HT-MCS15
> > privacy,wpa2,802.1x !wpaproto
> > nwid some_ssid chan 149 bssid 76:ac:b9:xx:xx:xx 23%
> > HT-MCS31 privacy,spectrum_mgmt,wpa2,802.1x !wpaproto
> >
> > which makes it hard to spot why it's not possible to associate
> > (i.e. no WPA3 on client).
> >
> > debug looks like
> >
> > iwx0: - 76:ac:b9:xx:xx:xx 149 +16 54M ess privacy rsn! "some_ssid"!
> > iwx0: - 76:ac:b9:yy:yy:yy 1 +20 54M ess privacy rsn! "some_ssid"!
> >
> > beacons look like
> >
> > 802.11 flags=0<>: beacon, timestamp 424490087208, interval 100,
> > caps=21<ESS,PRIVACY>, ssid (some_ssid), rates 18M 36M 54M, ds (chan 1),
> > xrates 12M 24M 48M, country 'GB ', channels 1-13 limit 20dB, tim
> > 0x00010000, rsn=<version 1,groupcipher ccmp,cipher ccmp,akm
> > SHA256-802.1x,rsncap 0xc0>, erp 0x04, htcaps=<20MHz,SGI@20MHz,TXSTBC,RXSTBC
> > 1 stream,A-MSDU 3839,A-MPDU max 65535,A-MPDU spacing 4.00us,RxMCS
> > 0xffff0000000000000000>, htop=<20MHz chan 1,STA chanw 20MHz,htprot
> > non-HT-mixed,non-greenfield STA,basic MCS set 0x0000000000000000>, 127:8
> > 0x0000080000000000, vendor
> > 0x0050f2020101000003a4000027a4000042435e0062322f00, 6 stations, 4%
> > utilization, admission capacity 976us/s, vendor 0x000c4303000000, vendor
> > 0x00156d00010100010220ec810674acb915ede5892438366432346265332d383833662d343732382d623265312d366235343536343561653661,
> > <radiotap v0, tsf 78924676, 0Mbit/s, chan 1, 11n, sig 18dBm, noise -127dBm>
> >
>
> Unfortunately, there is no WPA version number anywhere. The peers negotiate
> a suitable AKM, and each version of WPA supports a different subset of AKMs.
>
> In order to identify wpa3-capable access points, ifconfig looks for AKM SAE,
> which is only used with WPA3 Personal, but not with WPA3 Enterprise / 802.1x.
>
> As far as I understand, AKM SHA256-802.1x could be used in Enterprise
> mode with either WPA2 or WPA3. There doesn't seem to be a way to reliably
> detect this particular AP configuration as WPA3-only.
> Am I missing something?
>

Aruba utilities does distinguish between them in the AP list (WPA3e vs
WPA3et) so it looks like there is a way. If I switch between 2/3 and
3-only I get this difference in rsn:

2/3 transition
rsn=<version 1,groupcipher ccmp,cipher ccmp,akms 802.1x SHA256-802.1x,rsncap 0x80>

WPA3 only
rsn=<version 1,groupcipher ccmp,cipher ccmp,akm SHA256-802.1x,rsncap 0xc0>,

does that help?
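
Added example, not part of the message above and not code from OpenBSD's ifconfig: a C sketch that parses an RSN element body and separates the two beacons quoted in this thread by their AKM list and the 802.11 RSN capability bits 0x0080 (management frame protection capable) and 0x0040 (management frame protection required). The classification rule is an assumption drawn only from those two rsn outputs; `rsn_classify`, the enum names and the sample byte arrays are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RSN_CAP_MFPR 0x0040	/* management frame protection required */
#define RSN_CAP_MFPC 0x0080	/* management frame protection capable */
enum rsn_mode { RSN_INVALID, RSN_OTHER, RSN_EAP_TRANSITION, RSN_EAP_PMF_ONLY };
/* Constructed RSN element bodies mirroring the two rsn=<...> lines above. */
static const uint8_t rsn_transition[] = {
	1, 0, 0x00, 0x0f, 0xac, 4, 1, 0, 0x00, 0x0f, 0xac, 4,
	2, 0, 0x00, 0x0f, 0xac, 1, 0x00, 0x0f, 0xac, 5, 0x80, 0x00 };
static const uint8_t rsn_wpa3_only[] = {
	1, 0, 0x00, 0x0f, 0xac, 4, 1, 0, 0x00, 0x0f, 0xac, 4,
	1, 0, 0x00, 0x0f, 0xac, 5, 0xc0, 0x00 };
static unsigned le16(const uint8_t *p) { return p[0] | (unsigned)p[1] << 8; }

/* Heuristic (an assumption): b is the element body after ID and length. */
enum rsn_mode rsn_classify(const uint8_t *b, size_t len)
{
	static const uint8_t oui[3] = { 0x00, 0x0f, 0xac };
	size_t off = 6, n, i;		/* skip version and group cipher */
	unsigned caps, eap = 0, eap256 = 0, other = 0;

	if (len < off + 2 || le16(b) != 1)
		return RSN_INVALID;
	n = le16(b + off);		/* pairwise cipher suite count */
	off += 2 + 4 * n;
	if (len < off + 2)
		return RSN_INVALID;
	n = le16(b + off);		/* AKM suite count */
	off += 2;
	if (len < off + 4 * n + 2)	/* AKM list plus capabilities field */
		return RSN_INVALID;
	for (i = 0; i < n; i++, off += 4) {
		int std = memcmp(b + off, oui, 3) == 0;
		if (std && b[off + 3] == 1)
			eap = 1;		/* 802.1x */
		else if (std && b[off + 3] == 5)
			eap256 = 1;		/* SHA256-802.1x */
		else
			other = 1;
	}
	caps = le16(b + off);
	if (eap256 && !eap && !other && (caps & RSN_CAP_MFPR))
		return RSN_EAP_PMF_ONLY;	/* as in the "WPA3 only" beacon */
	if (eap && eap256 && (caps & RSN_CAP_MFPC) && !(caps & RSN_CAP_MFPR))
		return RSN_EAP_TRANSITION;	/* as in the "2/3 transition" beacon */
	return RSN_OTHER;
}
```

An element whose capabilities field is absent or cut short is reported as `RSN_INVALID` here, which keeps the sketch from reading past the buffer.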
