[PATCH] AP: Reject WPA-PSK AKM when PMF is required
Jouni Malinen
j at w1.fi
Wed May 20 01:36:12 PDT 2026
On Fri, May 15, 2026 at 11:09:01AM +0800, Jason Huang wrote:
> PMF required mode (ieee80211w=2) must not be combined with WPA-PSK AKM.

Why? That combination is what the PMF program was initially launched
with and I see no reason to suddenly start disallowing it.

> That configuration is internally inconsistent and should be rejected during
> configuration validation instead of being accepted at startup.

What do you mean by being "internally inconsistent"?

> Add a config-time check to fail when PMF is required and the selected AKM
> set includes WPA-PSK. Use a bitmask-based test so this also catches mixed
> AKM sets (for example, WPA-PSK + SAE), not only one specific AKM
> combination.
>
> This makes hostapd fail fast with a clear error for invalid security policy
> selection and prevents deployment of unsupported PMF-required PSK setups.

This would disallow configurations that are valid and as such, I don't
think this is going to be an acceptable change.

--
Jouni Malinen PGP id EFC895FA
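
The difference between an equality test and the bitmask test described in the quoted commit message, as an added example (not code from the patch or from hostapd). The AKM bit values and function names are assumptions for illustration; as the reply notes, the combination being matched is a valid configuration, so this shows only how the two tests differ on a mixed AKM set.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative AKM bits; values are assumptions, not copied from hostapd. */
#define AKM_WPA_PSK        (1u << 0)
#define AKM_WPA_PSK_SHA256 (1u << 1)
#define AKM_SAE            (1u << 2)

/* Parse a wpa_key_mgmt-style space-separated list into a bitmask.
 * Returns 0 if the value is too long or any token is unknown. */
unsigned parse_akm_list(const char *value)
{
    char buf[128];
    unsigned mask = 0;

    if (strlen(value) >= sizeof(buf))
        return 0;
    strcpy(buf, value);
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (strcmp(tok, "WPA-PSK") == 0)
            mask |= AKM_WPA_PSK;
        else if (strcmp(tok, "WPA-PSK-SHA256") == 0)
            mask |= AKM_WPA_PSK_SHA256;
        else if (strcmp(tok, "SAE") == 0)
            mask |= AKM_SAE;
        else
            return 0;
    }
    return mask;
}

/* Equality test: matches only when WPA-PSK is the sole AKM. */
int psk_only_with_pmf_required(int ieee80211w, unsigned akm)
{
    return ieee80211w == 2 && akm == AKM_WPA_PSK;
}

/* Bitmask test: matches whenever WPA-PSK is anywhere in the set. */
int psk_present_with_pmf_required(int ieee80211w, unsigned akm)
{
    return ieee80211w == 2 && (akm & AKM_WPA_PSK) != 0;
}

int main(void)
{
    unsigned mixed = parse_akm_list("WPA-PSK SAE"); /* constructed input */
    printf("equality=%d bitmask=%d\n",
           psk_only_with_pmf_required(2, mixed),
           psk_present_with_pmf_required(2, mixed));
    return 0;
}
```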