WPA3 compatibility as a STA

Alex Gavin alex.gavin at candelatech.com
Wed Jun 18 16:00:42 PDT 2025 

Pablo MG:

Apologies for not replying in the thread. Having difficulty getting my email client to import the 
email to reply.

Based on a quick look, it doesn't seem like NetworkManager explicitly supports RSN overriding (in 
fairness, the feature was only recently introduced to WPA3 late last year). I'm also not familiar 
with how NetworkManager may be used with a pre-existing wpa_supplicant configuration file while 
wpa_supplicant uses its DBus interface, so I cannot provide much input there.

That said, I wanted to share a couple example configuration files that may help should you still be 
looking to setup WPA3 Compatibility Mode for your client.

Attached are two config files. One is a hostapd config which will configure an AP to advertise WPA3 
RSN Override and RSN Override 2 IEs while also advertising WPA2 in the regular RSN IE. The other 
file is a wpa_supplicant config which will support connecting to the configured AP in three 
different authentication configurations.

The first is uses SAE-EXT-KEY and GCMP-256 with RSN overriding (WPA3, AP RSN Override 2 IE), the 
second SAE and CCMP with RSN overriding (WPA3, AP RSN Override IE), and the third standard PSK and 
CCMP without RSN overriding (WPA2, RSN IE).

Example usage for hostapd is in the example config [1]. The wpa_supplicant example config [2] 
details the 'rsn_overriding' configurable, but you may be better served by referencing the 
wpa_supplicant hwsim test logic [3].

Hope this helps!

[1] https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
[2] https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
[3] https://w1.fi/cgit/hostap/tree/tests/hwsim/test_rsn_override.py#n374

-- 
Alex Gavin
Candela Technologies, USA (PST/GMT-8)
-------------- next part --------------
hw_mode=a
channel=36
country_code=US
ieee80211n=1
ieee80211ac=1
ieee80211ax=1
#ieee80211be=1

ssid=testssid

wpa=2
wpa_passphrase=password
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP

sae_pwe=2
ieee80211w=0

rsn_override_key_mgmt=SAE
rsn_override_pairwise=CCMP
rsn_override_mfp=2

rsn_override_key_mgmt_2=SAE-EXT-KEY
rsn_override_pairwise_2=GCMP-256
rsn_override_mfp_2=2
-------------- next part --------------
# WPA3 Compatibility Mode (SAE GROUP-DEPEND, GCMP-256)
network={
    ssid="testssid"
    sae_password="password"

    rsn_overriding=1

    pairwise=GCMP-256
    key_mgmt=SAE-EXT-KEY
    ieee80211w=2
}

# WPA3 Compatibility Mode (SAE, CCMP)
network={
    ssid="testssid"
    sae_password="password"

    rsn_overriding=1

    pairwise=CCMP
    key_mgmt=SAE
    ieee80211w=2
}

# WPA2 (PSK, CCMP)
network={
    ssid="testssid"
    #psk="password"
    psk=f5c5597eaf6f2374fd24bd4914981750c119ff97ba9dd67988eac97533e5d02b

    pairwise=CCMP
    key_mgmt=WPA-PSK
    ieee80211w=0
}

More information about the Hostap mailing list