Correct settings for WPA3 Enterprise transition mode?

Robert Senger robert.senger at
Wed May 24 16:19:27 PDT 2023

Hi all,

I wonder, what exactly WPA3 Enterprise transition mode is and how it is
expected to behave and to be be configured on the AP.

As far as I understood, WPA3 Enterprise transition mode should allow
WPA3 Enterprise capable client machines to connect using WPA3
Enterprise, and also allow not WPA3 capable client machines to connect
using WPA2 Enterprise.

But I can't get this to work.


	Access Point: Debian 11, hostapd 2.10
	Client 1: Windows 11, WPA3 compatible
	Client 2: Windows 10, not WPA3 compatible (hardware limitation, no PMF)
	Client 3: Debian 11, not WPA3 compatible (hardware linitation, no PMF)

	wpa_key_mgmt=WPA-EAP-SUITE-B-192 WPA-EAP-SHA256
	rsn_pairwise=GCMP-256 CCMP

This allows only the Windows 11 machine to connect. Not WPA3 compatible
machines cannot connect. Changing to default group_mgmt_cipher=AES-
128_CMAC (or removing the option from config), allows the Windows 10
and Debian machines to connect using WPA2 Enterprise. But then, the
Windows 11 machine can't connect anymore.

What am I doing wrong? And, what is the exact difference between "WPA3
Enterprise only", "WPA3 Enterprise transition" and "WPA3 Enterprise
192-bit"? I am a bit confused about that...

Thank you for help!


Robert Senger

More information about the Hostap mailing list