On Thu, Jan 22, 2026 at 02:53:16PM +0000, Stuart Henderson wrote:
> On 2026/01/22 14:04, Stuart Henderson wrote:
> > On 2026/01/22 14:15, Stefan Sperling wrote:
> > > On Thu, Jan 22, 2026 at 12:56:21PM +0000, Stuart Henderson wrote:
> > > > An AP which is configured to broadcast an SSID with WPA3 (only)
> > > > Enterprise shows like this in ifconfig scan:
> > > > 
> > > > nwid some_ssid chan 1 bssid 76:ac:b9:yy:yy:yy 29%
> > > > HT-MCS15 privacy,wpa2,802.1x !wpaproto
> > > > nwid some_ssid chan 149 bssid 76:ac:b9:xx:xx:xx 23%
> > > > HT-MCS31 privacy,spectrum_mgmt,wpa2,802.1x !wpaproto
> > > > 
> > > > which makes it hard to spot why it's not possible to associate
> > > > (i.e. no WPA3 on client).
> > > > 
> > > > debug looks like
> > > > 
> > > > iwx0: - 76:ac:b9:xx:xx:xx 149 +16 54M ess privacy rsn!
> > > > "some_ssid"!
> > > > iwx0: - 76:ac:b9:yy:yy:yy 1 +20 54M ess privacy rsn!
> > > > "some_ssid"!
> > > > 
> > > > beacons look like
> > > > 
> > > > 802.11 flags=0<>: beacon, timestamp 424490087208, interval 100,
> > > > caps=21<ESS,PRIVACY>, ssid (some_ssid), rates 18M 36M 54M, ds (chan 1),
> > > > xrates 12M 24M 48M, country 'GB ', channels 1-13 limit 20dB, tim
> > > > 0x00010000, rsn=<version 1,groupcipher ccmp,cipher ccmp,akm
> > > > SHA256-802.1x,rsncap 0xc0>, erp 0x04,
> > > > htcaps=<20MHz,SGI@20MHz,TXSTBC,RXSTBC 1 stream,A-MSDU 3839,A-MPDU max
> > > > 65535,A-MPDU spacing 4.00us,RxMCS 0xffff0000000000000000>, htop=<20MHz
> > > > chan 1,STA chanw 20MHz,htprot non-HT-mixed,non-greenfield STA,basic MCS
> > > > set 0x0000000000000000>, 127:8 0x0000080000000000, vendor
> > > > 0x0050f2020101000003a4000027a4000042435e0062322f00, 6 stations, 4%
> > > > utilization, admission capacity 976us/s, vendor 0x000c4303000000,
> > > > vendor
> > > > 0x00156d00010100010220ec810674acb915ede5892438366432346265332d383833662d343732382d623265312d366235343536343561653661,
> > > > <radiotap v0, tsf 78924676, 0Mbit/s, chan 1, 11n, sig 18dBm, noise
> > > > -127dBm>
> > > > 
> > > Unfortunately, there is no WPA version number anywhere. The peers
> > > negotiate a suitable AKM, and each version of WPA supports a different
> > > subset of AKMs.
> > > 
> > > In order to identify wpa3-capable access points, ifconfig looks for AKM
> > > SAE, which is only used with WPA3 Personal, but not with WPA3 Enterprise /
> > > 802.1x.
> > > 
> > > As far as I understand, AKM SHA256-802.1x could be used in Enterprise
> > > mode with either WPA2 or WPA3. There doesn't seem to be a way to reliably
> > > detect this particular AP configuration as WPA3-only.
> > > Am I missing something?
> > > 
> > 
> > Aruba utilities does distinguish between them in the AP list
> > (WPA3e vs WPA3et) so it looks like there is a way.
> > 
> > If I switch between 2/3 and 3-only I get this difference in rsn:
> > 
> > 2/3 transition rsn=<version 1,groupcipher ccmp,cipher ccmp,akms 802.1x
> > SHA256-802.1x,rsncap 0x80>
> > WPA3 only rsn=<version 1,groupcipher ccmp,cipher ccmp,akm
> > SHA256-802.1x,rsncap 0xc0>,
> > 
> > does that help?
> > 
> 
> Oh I see what you're saying now. Hmm. So listing wpa2 in the output
> isn't really right either there, but listing AKMs is probably going to
> be too confusing.
> 
> Any idea if WPA2 with AKM5 is at all common?
> 
> I found
> https://arubanetworking.hpe.com/techdocs/aos/wifi-design-deploy/security/modes/
> which has this:
> 
> " The Wi-Fi Alliance WPA3 specification defines the following:
> "
> " WPA3-Personal (AKM:8, Wi-Fi 7 uses AKM:24)
> " WPA3-Personal Transition (AKM:2 + AKM:8)
> " WPA3-Enterprise Only (AKM:5)
> " WPA3-Enterprise Transition Mode (AKM:1 + AKM:5)
> " WPA3-Enterprise 192-bit mode (AKM:12)
> 
> though obviously that doesn't go into the possibility of AKM5 with
> WPA2...
Indeed, there is ambiguity with AKM 5.

See the "802.1X Security Mode" table here, for example:
https://arista.my.site.com/AristaCommunity/s/article/AKM-Suites-and-Ciphers
Your case falls into the row which just shows 5 (WPA_1x) for WPA2 and WPA3.

So far I could only find a reference in German which states it explicitly
(translated): "802.1X can be either WPA2 or WPA3, so it is impossible for the
WLC or the AP to determine which WPA version the client is using when these
AKMs are in use."
https://www.cisco.com/c/de_de/support/docs/wireless/catalyst-9800-series-wireless-controllers/220712-configure-and-verify-wi-fi-6e-wlan-layer.html

Maybe we could use the PMF-required bit as an additional indicator.
This bit is only set by default with WPA3. Even though a smart person might
set this bit with WPA2+802.1x, they would likely be using non-default AP
settings and maybe even lock some clients out.
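The heuristic discussed in this thread, written out as a small RSN element decoder. This is an added example and not OpenBSD ifconfig code: it parses the RSN IE body (version, group cipher, pairwise and AKM suite lists, RSN Capabilities) following the IEEE 802.11 layout, then classifies the AP the way the mails suggest. SAE and Suite B AKMs identify WPA3 directly; AKM 5 alone is ambiguous between WPA2 and WPA3 Enterprise, so the MFPR (PMF required) bit of rsncap is used as the tiebreaker, and AKM 1 + AKM 5 is reported as transition mode. The three RSN IEs are constructed byte strings: the first two reproduce the "WPA3 only" (akm SHA256-802.1x, rsncap 0xc0) and "2/3 transition" (akms 802.1x SHA256-802.1x, rsncap 0x80) dumps quoted above, the third is the ambiguous AKM-5-without-MFPR case the thread worries about. The label strings and the parser's handling of truncated elements are this example's own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AKM suite selector types under OUI 00:0f:ac (IEEE 802.11) */
#define AKM_8021X          1   /* ifconfig: 802.1x */
#define AKM_PSK            2
#define AKM_8021X_SHA256   5   /* ifconfig: SHA256-802.1x */
#define AKM_PSK_SHA256     6
#define AKM_SAE            8
#define AKM_8021X_SUITEB   12  /* WPA3-Enterprise 192-bit */
#define AKM_SAE_EXT_KEY    24  /* the Wi-Fi 7 SAE variant named in the Aruba list */

/* RSN Capabilities field bits */
#define RSNCAP_MFPR 0x0040  /* management frame protection required */
#define RSNCAP_MFPC 0x0080  /* management frame protection capable */

struct rsn_info {
    uint16_t version;
    uint8_t  group_cipher;   /* suite type, 0 if vendor/unknown OUI */
    int      npairwise;
    uint8_t  pairwise[4];
    int      nakm;
    uint8_t  akm[8];
    int      has_rsncap;     /* RSN Capabilities field was present */
    uint16_t rsncap;
};

static const uint8_t IEEE_OUI[3] = { 0x00, 0x0f, 0xac };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Suite selector = 3-byte OUI + 1-byte type; returns the type for 00:0f:ac, else 0. */
static uint8_t suite_type(const uint8_t *p)
{
    return memcmp(p, IEEE_OUI, 3) == 0 ? p[3] : 0;
}

/*
 * Parse an RSN element body (bytes after the ID/length header). Fields after
 * the version are optional and may be absent from the end of the element; a
 * suite count whose list does not fit in the remaining bytes is malformed (-1).
 */
static int rsn_parse(const uint8_t *ie, size_t len, struct rsn_info *r)
{
    size_t off = 0, i;
    uint16_t n;

    memset(r, 0, sizeof(*r));
    if (len < 2) return -1;
    r->version = le16(ie); off += 2;
    if (r->version != 1) return -1;

    if (len - off < 4) return 0;
    r->group_cipher = suite_type(ie + off); off += 4;

    if (len - off < 2) return 0;
    n = le16(ie + off); off += 2;
    if (len - off < (size_t)n * 4) return -1;
    for (i = 0; i < n; i++, off += 4)
        if (r->npairwise < 4) r->pairwise[r->npairwise++] = suite_type(ie + off);

    if (len - off < 2) return 0;
    n = le16(ie + off); off += 2;
    if (len - off < (size_t)n * 4) return -1;
    for (i = 0; i < n; i++, off += 4)
        if (r->nakm < 8) r->akm[r->nakm++] = suite_type(ie + off);

    if (len - off < 2) return 0;
    r->rsncap = le16(ie + off); r->has_rsncap = 1;
    return 0;
}

static int has_akm(const struct rsn_info *r, uint8_t t)
{
    int i;
    for (i = 0; i < r->nakm; i++) if (r->akm[i] == t) return 1;
    return 0;
}

/* SAE / Suite B are unambiguous; AKM 5 alone falls back to the MFPR bit. */
static const char *rsn_classify(const struct rsn_info *r)
{
    int pmf_required = r->has_rsncap && (r->rsncap & RSNCAP_MFPR);

    if (has_akm(r, AKM_SAE) || has_akm(r, AKM_SAE_EXT_KEY))
        return has_akm(r, AKM_PSK) ? "wpa3-personal transition" : "wpa3-personal";
    if (has_akm(r, AKM_8021X_SUITEB))
        return "wpa3-enterprise 192-bit";
    if (has_akm(r, AKM_8021X_SHA256)) {
        if (has_akm(r, AKM_8021X))
            return "wpa3-enterprise transition (wpa2+wpa3)";
        return pmf_required ? "wpa3-enterprise (AKM 5, PMF required)"
                            : "wpa2/wpa3-enterprise ambiguous (AKM 5, PMF optional)";
    }
    if (has_akm(r, AKM_8021X))
        return "wpa2-enterprise";
    if (has_akm(r, AKM_PSK) || has_akm(r, AKM_PSK_SHA256))
        return "wpa2-personal";
    return "unknown";
}

const char *classify_rsn_ie(const uint8_t *ie, size_t len)
{
    struct rsn_info r;
    if (rsn_parse(ie, len, &r) < 0) return "malformed";
    return rsn_classify(&r);
}

/* Constructed RSN IE bodies; the first two mirror the rsn=<...> dumps in the thread. */
const uint8_t RSN_WPA3_ONLY[] = {
    0x01, 0x00,                          /* version 1 */
    0x00, 0x0f, 0xac, 0x04,              /* group cipher CCMP */
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,  /* 1 pairwise: CCMP */
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x05,  /* 1 AKM: 802.1X-SHA256 */
    0xc0, 0x00                           /* rsncap 0x00c0: MFPC|MFPR */
};
const uint8_t RSN_TRANSITION[] = {
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,
    0x02, 0x00, 0x00, 0x0f, 0xac, 0x01, 0x00, 0x0f, 0xac, 0x05,  /* 802.1X + 802.1X-SHA256 */
    0x80, 0x00                           /* rsncap 0x0080: MFPC only */
};
const uint8_t RSN_AKM5_PMF_OPTIONAL[] = {  /* constructed: AKM 5 without MFPR */
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x05,
    0x80, 0x00
};

int main(void)
{
    printf("wpa3-only AP:  %s\n", classify_rsn_ie(RSN_WPA3_ONLY, sizeof RSN_WPA3_ONLY));
    printf("transition AP: %s\n", classify_rsn_ie(RSN_TRANSITION, sizeof RSN_TRANSITION));
    printf("akm5, no MFPR: %s\n", classify_rsn_ie(RSN_AKM5_PMF_OPTIONAL, sizeof RSN_AKM5_PMF_OPTIONAL));
    return 0;
}
```

The parser deliberately accepts an element that ends early (the standard lets trailing fields default) but rejects a suite count that overruns the element, since beacon IEs are attacker-controlled input and the count must never drive a read past the buffer. The ambiguous label for AKM 5 without MFPR is the honest answer for the case the thread cannot resolve from the beacon alone.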
