On 2026/01/22 14:04, Stuart Henderson wrote:
> On 2026/01/22 14:15, Stefan Sperling wrote:
> > On Thu, Jan 22, 2026 at 12:56:21PM +0000, Stuart Henderson wrote:
> > > An AP which is configured to broadcast an SSID with WPA3 (only)
> > > Enterprise shows like this in ifconfig scan:
> > >
> > > nwid some_ssid chan 1 bssid 76:ac:b9:yy:yy:yy 29%
> > > HT-MCS15 privacy,wpa2,802.1x !wpaproto
> > > nwid some_ssid chan 149 bssid 76:ac:b9:xx:xx:xx 23%
> > > HT-MCS31 privacy,spectrum_mgmt,wpa2,802.1x !wpaproto
> > >
> > > which makes it hard to spot why it's not possible to associate
> > > (i.e. no WPA3 on client).
> > >
> > > debug looks like
> > >
> > > iwx0: - 76:ac:b9:xx:xx:xx 149 +16 54M ess privacy rsn!
> > > "some_ssid"!
> > > iwx0: - 76:ac:b9:yy:yy:yy 1 +20 54M ess privacy rsn!
> > > "some_ssid"!
> > >
> > > beacons look like
> > >
> > > 802.11 flags=0<>: beacon, timestamp 424490087208, interval 100,
> > > caps=21<ESS,PRIVACY>, ssid (some_ssid), rates 18M 36M 54M, ds (chan 1),
> > > xrates 12M 24M 48M, country 'GB ', channels 1-13 limit 20dB, tim
> > > 0x00010000, rsn=<version 1,groupcipher ccmp,cipher ccmp,akm
> > > SHA256-802.1x,rsncap 0xc0>, erp 0x04,
> > > htcaps=<20MHz,SGI@20MHz,TXSTBC,RXSTBC 1 stream,A-MSDU 3839,A-MPDU max
> > > 65535,A-MPDU spacing 4.00us,RxMCS 0xffff0000000000000000>, htop=<20MHz
> > > chan 1,STA chanw 20MHz,htprot non-HT-mixed,non-greenfield STA,basic MCS
> > > set 0x0000000000000000>, 127:8 0x0000080000000000, vendor
> > > 0x0050f2020101000003a4000027a4000042435e0062322f00, 6 stations, 4%
> > > utilization, admission capacity 976us/s, vendor 0x000c4303000000, vendor
> > > 0x00156d00010100010220ec810674acb915ede5892438366432346265332d383833662d343732382d623265312d366235343536343561653661,
> > > <radiotap v0, tsf 78924676, 0Mbit/s, chan 1, 11n, sig 18dBm, noise
> > > -127dBm>
> > >
> >
> > Unfortunately, there is no WPA version number anywhere. The peers negotiate
> > a suitable AKM, and each version of WPA supports a different subset of AKMs.
> >
> > In order to identify wpa3-capable access points, ifconfig looks for AKM SAE,
> > which is only used with WPA3 Personal, but not with WPA3 Enterprise /
> > 802.1x.
> >
> > As far as I understand, AKM SHA256-802.1x could be used in Enterprise
> > mode with either WPA2 or WPA3. There doesn't seem to be a way to reliably
> > detect this particular AP configuration as WPA3-only.
> > Am I missing something?
> >
>
> Aruba utilities does distinguish between them in the AP list
> (WPA3e vs WPA3et) so it looks like there is a way.
>
> If I switch between 2/3 and 3-only I get this difference in rsn:
>
> 2/3 transition rsn=<version 1,groupcipher ccmp,cipher ccmp,akms 802.1x
> SHA256-802.1x,rsncap 0x80>
> WPA3 only rsn=<version 1,groupcipher ccmp,cipher ccmp,akm
> SHA256-802.1x,rsncap 0xc0>,
>
> does that help?
>

Oh I see what you're saying now. Hmm. So listing wpa2 in the output
isn't really right either there, but listing AKMs is probably going
to be too confusing. Any idea if WPA2 with AKM5 is at all common?

I found
https://arubanetworking.hpe.com/techdocs/aos/wifi-design-deploy/security/modes/
which has this;

" The Wi-Fi Alliance WPA3 specification defines the following:
"
" WPA3-Personal (AKM:8, Wi-Fi 7 uses AKM:24)
" WPA3-Personal Transition (AKM:2 + AKM:8)
" WPA3-Enterprise Only (AKM:5)
" WPA3-Enterprise Transition Mode (AKM:1 + AKM:5)
" WPA3-Enterprise 192-bit mode (AKM:12)

though obviously that doesn't go into the possibility of AKM5 with
WPA2...
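
The following is an added example, not code from this thread or from OpenBSD: it parses an RSN element body, collects the AKM suite numbers and the capability word, and names the AKM set using the Aruba list quoted above. The function, struct and array names are assumptions of this example, the sample bytes are constructed from the two rsn=<...> lines in the thread, and the MFPR/MFPC bit values are the IEEE 802.11 RSN capability bits rather than something stated in the thread.

```c
#include <stdint.h>
#include <string.h>

#define RSNCAP_MFPR 0x0040	/* management frame protection required */
#define RSNCAP_MFPC 0x0080	/* management frame protection capable */

struct rsn_info { uint32_t akms; uint16_t caps; };	/* akms: bit n = AKM:n */

/* Constructed RSN element bodies matching the two rsn=<...> lines above. */
const uint8_t rsn_wpa3_only[] = { 1,0, 0,0x0f,0xac,4, 1,0, 0,0x0f,0xac,4,
    1,0, 0,0x0f,0xac,5, 0xc0,0 };
const uint8_t rsn_transition[] = { 1,0, 0,0x0f,0xac,4, 1,0, 0,0x0f,0xac,4,
    2,0, 0,0x0f,0xac,1, 0,0x0f,0xac,5, 0x80,0 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Parse an RSN element body (after the ID and length bytes); 0 on success. */
int rsn_parse(const uint8_t *p, size_t len, struct rsn_info *ri)
{
	static const uint8_t oui[3] = { 0x00, 0x0f, 0xac };
	size_t off = 8, n;	/* version(2) + group cipher(4) + pairwise count(2) */
	memset(ri, 0, sizeof(*ri));
	if (len < off || le16(p) != 1 || (n = le16(p + 6)) > (len - off) / 4)
		return -1;
	off += 4 * n;		/* skip the pairwise cipher list */
	if (len - off < 2 || (n = le16(p + off)) > (len - off - 2) / 4)
		return -1;
	for (off += 2; n > 0; n--, off += 4)	/* AKM suite selectors */
		if (memcmp(p + off, oui, 3) == 0 && p[off + 3] < 32)
			ri->akms |= 1u << p[off + 3];
	if (len - off >= 2)	/* the capabilities field is optional */
		ri->caps = le16(p + off);
	return 0;
}

/* Name the AKM set per the Aruba list quoted above (AKM:5 with WPA2 not covered). */
const char *rsn_mode(const struct rsn_info *ri)
{
	switch (ri->akms) {
	case 1u << 8: case 1u << 24:	return "WPA3-Personal";
	case (1u << 2) | (1u << 8):	return "WPA3-Personal Transition";
	case 1u << 5:			return "WPA3-Enterprise Only";
	case (1u << 1) | (1u << 5):	return "WPA3-Enterprise Transition Mode";
	case 1u << 12:			return "WPA3-Enterprise 192-bit mode";
	default:			return "not in list";
	}
}
```

On the two samples, rsncap 0xc0 has both RSNCAP_MFPC and RSNCAP_MFPR set, while rsncap 0x80 has only RSNCAP_MFPC.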
