Can't get WPA3 to work...

Robert Senger robert.senger at lists.microscopium.de
Thu May 18 13:23:44 PDT 2023


Thanks. No, I was not aware that WPA3-EAP only supports certificate
based authentication. So I keep this for later and concentrate on
WPA3-PSK for now.

Well, even WPA3-PSK does not work, at least not as intended. 

I managed to set up a working WPA3-PSK connection by running
wpa_supplicant and dhclient in a terminal on the client machine, and by
setting wpa_passphrase=<secretpassword> in hostapd.conf on the AP.

But NetworkManager failed locally on the client when trying to connect.
It turned out that this was caused by the Intel wifi driver, which does
not support PMF. But NetworkManager insists on ieee80211w=2 (required).
So I patched NetworkManager to set ieee80211w=1 (optional) in
wpa_supplicant configuration, now NetworkManager can connect to the
WPA3-PSK AP. This is not the best solution, of course...

The other problem is on the AP side. Only setting a single
wpa_passphrase=<somepassword> in hostapd.conf works. Connection fails
with "authentication denied" message on the client side when I try to
use a file, e.g. wpa_psk_file=/etc/hostapd/hostapd.psk, or when I try
to use the freeradius server for authentication. Both file and radius
work fine with WPA2-PSK.

So, WPA3-PSK works basically. I will start a new thread about the
question why hostapd fails to obtain passwords from a file or from the
radius server for WPA3-PSK, while it succeeds for WPA2-PSK.

Thanks for now!

Robert 


On Wednesday, 17.05.2023 at 20:36 +0300, rany wrote:
> You have to keep in mind that WPA3-EAP only supports certificate based
> authentication.
> 
> If your RADIUS setup uses username/password it will not work in WPA3-EAP
> only mode, you need to keep WPA2-EAP support.
> 
> At any rate I don't think WPA2-EAP is insecure, I think it is still fine
> for the most part with no real security vulnerabilities; unlike WPA2-PSK.
> 
> You just need to enable KRACK and KRACK-like mitigations on the AP end
> if you aren't sure if the clients are updated.
> 
> On 5/17/23 19:55, Robert Senger wrote:
> > Hi all,
> > 
> > I am trying to set up APs with WPA3, but can't get it to work. WPA2
> > has worked fine on the same hardware and software for more than 10
> > years. This is my third try with WPA3 in the past 3 years...
> > 
> > This is my setup:
> > 
> > __access_points__
> > 
> > Debian 11 Bullseye
> > hostapd 2.9.0 (or 2.10 from backports)
> > Qualcomm Atheros AR922X Wireless Network Adapter
> > 
> > __client_machines__
> > 
> > Debian 11 Bullseye
> > wpasupplicant 2.9.0 (or 2.10 from backports)
> > NetworkManager 1.30.6 (or 1.42.4 from backports)
> > Intel Centrino Advanced-N 6205 Wireless Network Adapter
> > 
> > Neither SAE nor WPA-EAP-SUITE-B-192 work, that means, either
> > connection attempts fail (without useful logs), or the SSID is greyed
> > out on the client machine. I will post configuration and logs, but
> > first of all, if you take a look at the software versions and the
> > hardware above, is there a "no-go" somewhere?
> > 
> > Thanks,
> > 
> > Robert
> > 
> 

-- 
Robert Senger
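
As an added example (not part of the original message, and not hostapd or NetworkManager code), the following Python script checks hostapd.conf text for the two settings this thread turns on: the PMF level (ieee80211w) on an SAE network, and where the password comes from. The function names and both sample configs are constructed; a single BSS is assumed, and the wpa_psk_file finding encodes the behaviour reported in the message above, not a documented hostapd rule.

```python
# Added example: lint hostapd.conf text for the SAE settings discussed in this thread.
# Function names and both sample configs are constructed for illustration.

def parse_conf(text):
    """Parse hostapd.conf-style key=value lines; '#' starts a comment line."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def lint_sae(text):
    """Return finding codes for an SAE-enabled BSS (empty list if none apply)."""
    conf = parse_conf(text)
    akms = conf.get("wpa_key_mgmt", "WPA-PSK").split()  # hostapd default AKM
    if "SAE" not in akms:
        return []  # WPA2-only network: nothing to check here
    findings = []
    pmf = conf.get("ieee80211w", "0")  # 0 = disabled, 1 = optional, 2 = required
    sae_only = all(a in ("SAE", "FT-SAE") for a in akms)
    if pmf == "0":
        findings.append("pmf-disabled")       # WPA3-Personal needs PMF
    elif sae_only and pmf != "2":
        findings.append("pmf-not-required")   # SAE-only mode expects ieee80211w=2
    has_inline = "wpa_passphrase" in conf or "sae_password" in conf
    if not has_inline and "wpa_psk_file" in conf:
        # Assumption taken from the message: a password supplied only through
        # wpa_psk_file worked for WPA2-PSK but not for SAE.
        findings.append("password-only-in-psk-file")
    elif not has_inline:
        findings.append("no-password")
    return findings

# Constructed sample: the variant the message reports as working.
WORKING = """wpa=2
wpa_key_mgmt=SAE
ieee80211w=2
wpa_passphrase=constructed-passphrase
"""
# Constructed sample: PMF optional and password only in the PSK file.
REPORTED = """wpa=2
wpa_key_mgmt=SAE
ieee80211w=1
wpa_psk_file=/etc/hostapd/hostapd.psk
"""

if __name__ == "__main__":
    for name, cfg in (("WORKING", WORKING), ("REPORTED", REPORTED)):
        print(name, lint_sae(cfg))
```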
