On Thu, Jan 22, 2026 at 09:37:51PM +0100, Stefan Sperling wrote:
> So far I could only find a reference in German which states it explicitly:
>
> "802.1X can be either WPA2 or WPA3, so it is impossible for the WLC or the
> AP to determine which WPA version the client is using when these AKMs are
> used."
> https://www.cisco.com/c/de_de/support/docs/wireless/catalyst-9800-series-wireless-controllers/220712-configure-and-verify-wi-fi-6e-wlan-layer.html
>
> Maybe we could use the PMF-required bit as an additional indicator.
> This bit is only set by default with WPA3.
> Even though a smart person might set this bit with WPA2+802.1x, they would
> likely be using non-default AP settings and maybe even lock some clients out.

Actually, reading this closer, Cisco seems to be treating 802.1x-SHA256 as WPA3-only, at least "nowadays". The sentence I quoted flags the older 802.1x SHA1 variant as ambiguous. However, I suppose we still cannot assume that 802.1x-SHA256 won't ever be used with WPA2.
