Possible to disable SAE and force WPA2-PSK-AES on wpa_supplicant v2.10?

Theron Spiegl theron at nnter.net
Thu Mar 16 17:15:02 PDT 2023

Hi, I'm using a Qualcomm Atheros QCA6174 with wpa_supplicant v2.10. When I start a hotspot with the commands below, it can be joined by most devices (Linux, Windows, iOS) but not an M1 MacBook Pro. I've determined that this is because of SAE/WPA3 support: if I run macOS's `airport` CLI utility, I see that the wpa_supplicant 2.10 hotspot offers `WPA(PSK/AES/AES) RSN(PSK,PSK-SHA256,SAE/AES/AES)` in the Security column. When I use wpa_supplicant 2.9, it offers `WPA(PSK/AES/AES) RSN(PSK,PSK-SHA256/AES/AES)`, and the MacBook can join.

Is there a way to disable SAE and force the use of WPA2-PSK with AES on wpa_supplicant 2.10? (Whether through nmcli or wpa_cli or something else?)

Sample hotspot commands:
nmcli con add type wifi ifname wlp2s0 con-name test_ssid autoconnect yes ssid test_ssid
nmcli con modify test_ssid 802-11-wireless.mode ap ipv4.method shared
nmcli con modify test_ssid wifi-sec.key-mgmt wpa-psk
nmcli con modify test_ssid wifi-sec.pairwise ccmp
nmcli con modify test_ssid wifi-sec.group ccmp
nmcli con modify test_ssid wifi-sec.psk testpassword
nmcli con up test_ssid

Unimportant side notes: specifying `wifi-sec.proto rsn` works on 2.9 but prevents any devices from joining on 2.10. And if I try to just opt into WPA3 with `wifi-sec.key-mgmt sae` on 2.10, standing up the network times out with error "802.1X supplicant took too long to authenticate". I'm not sure if that's because my card is too old but `iw list` includes "Device supports SAE with AUTHENTICATE command".


More information about the Hostap mailing list