Correct settings for WPA3 Enterprise transition mode?

Robert Senger robert.senger at
Fri May 26 05:16:38 PDT 2023


I am giving up on this. 

Maybe I misunderstand how "WPA3 Enterprise transition" mode exactly is
defined or I am doing wrong something else, I don't know.

Made some more tests, and in my understanding, it turns out that it's
impossible to create an AP that runs in (what I think is) "WPA 3
Enterprise transition" mode and allows both older machines to connect
with WPA2 Enterprise, and newer machines to connect with WPA3
Enterprise. At least, not with Windows clients...

(However, with PMF set to optional on the AP side, iPhone 7 running iOS
15 is able to connect, most likely using WPA2 Enterprise with PMF
disabled. Linux machines are able to connect using WPA2 Enterprise,
with PMF disabled, and using WPA3 Enterprise, also with PMF disabled
(little client side hack due to hardware limitations...)).

As far as I understand, Windows 10 and Windows 11 machines both insist
on using PMF with both WPA2 (where they use AES-128-CMAC) and WPA3
(where they use BIP-GMAC-256), and fail to connect if group_mgmt_cipher
is set to the wrong cipher on the AP side.

But it's not possible to set more than one group_mgmt_cipher in
hostapd.conf, and decide which one to use, if at all, on the client's

Correct me if I'm wrong... Thanks!


Am Donnerstag, dem 25.05.2023 um 01:19 +0200 schrieb Robert Senger:
> Hi all,
> I wonder, what exactly WPA3 Enterprise transition mode is and how it
> is
> expected to behave and to be be configured on the AP.
> As far as I understood, WPA3 Enterprise transition mode should allow
> WPA3 Enterprise capable client machines to connect using WPA3
> Enterprise, and also allow not WPA3 capable client machines to
> connect
> using WPA2 Enterprise.
> But I can't get this to work.
> Equipment:
>         Access Point: Debian 11, hostapd 2.10
>         Client 1: Windows 11, WPA3 compatible
>         Client 2: Windows 10, not WPA3 compatible (hardware
> limitation, no PMF)
>         Client 3: Debian 11, not WPA3 compatible (hardware
> linitation, no PMF)
> Configuration:
>         ieee8021x=1
>         ieee80211w=1
>         wpa_key_mgmt=WPA-EAP-SUITE-B-192 WPA-EAP-SHA256
>         rsn_pairwise=GCMP-256 CCMP
>         group_mgmt_cipher=BIP-GMAC-256
> This allows only the Windows 11 machine to connect. Not WPA3
> compatible
> machines cannot connect. Changing to default group_mgmt_cipher=AES-
> 128_CMAC (or removing the option from config), allows the Windows 10
> and Debian machines to connect using WPA2 Enterprise. But then, the
> Windows 11 machine can't connect anymore.
> What am I doing wrong? And, what is the exact difference between
> "WPA3
> Enterprise only", "WPA3 Enterprise transition" and "WPA3 Enterprise
> 192-bit"? I am a bit confused about that...
> Thank you for help!
> Robert

Robert Senger

More information about the Hostap mailing list