Configuring access control for mixed WPA2-PSK and WPA3-SAE modes

Tomáš Vostřel tomas.vostrel at racom.eu
Thu Jan 2 00:42:02 PST 2025


Hello everyone,

I have a question about configuring access control and password usage in 
`hostapd` for mixed WPA2-PSK and WPA3-SAE modes.

I would expect the following AP behavior:

     WPA2-PSK clients
         Should connect using the WPA password (`wpa_passphrase`).
         Should not use the SAE password (even if specified in `sae_password_file`), as that would imply WPA3-SAE compatibility.

     WPA3-SAE clients
         Should connect using either the WPA password (`wpa_passphrase`) or the SAE password (if specified in `sae_password_file`).

I attempted to configure `hostapd` to achieve this, but I could not find 
any combination of settings that worked as described. Specifically:

If I specified the SAE password to allow a client to connect using 
WPA3-SAE only, the client would indeed need to use the SAE password. 
However, the same password could also be used to connect using WPA2-PSK, 
which bypasses the intended access control. I do not consider this 
behavior to be correct.

Could you confirm whether this is a limitation of `hostapd`, a 
misunderstanding or error in my configuration, or a potential bug?

Any response would be greatly appreciated.

Best regards,
Tomáš Vostřel


Configuration file
```
interface=wlan0
driver=nl80211
ctrl_interface=/var/run/wifi/hostapd
logger_syslog=0
ssid=Test Wi-Fi
country_code=US
ieee80211d=1
hw_mode=a
channel=36
ieee80211n=1
ieee80211ac=1
ht_capab=[SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]
macaddr_acl=1
accept_mac_file=/var/run/wifi/hostapd.acl
wpa=2
wpa_passphrase=0123456789
wpa_key_mgmt=WPA-PSK SAE
wpa_pairwise=CCMP
group_cipher=CCMP
ieee80211w=1
ocv=1
sae_password_file=/var/run/wifi/hostapd.sae
```

File /var/run/wifi/hostapd.acl
```
00:1A:2B:3C:4D:5E
```

File /var/run/wifi/hostapd.sae
```
9876543210|mac=00:1A:2B:3C:4D:5E
```
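
A configuration lint for the setup quoted above, added here as an example; it is not part of the original post and not hostapd code. It assumes that `sae_password_file` lines use the `password|mac=...` layout shown in the post and that in a mixed BSS the station chooses which advertised AKM to negotiate; the finding names are hypothetical labels.

```python
# Added example, not hostapd code; SAMPLE_* are constructed from the post's files.
SAMPLE_CONF = """\
wpa=2
wpa_passphrase=0123456789
wpa_key_mgmt=WPA-PSK SAE
ieee80211w=1
"""
SAMPLE_SAE = "9876543210|mac=00:1A:2B:3C:4D:5E\n"

PSK_AKMS = {"WPA-PSK", "WPA-PSK-SHA256", "FT-PSK"}
SAE_AKMS = {"SAE", "FT-SAE"}

def parse_conf(text):
    """key -> value for one BSS section; comments and blank lines skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def parse_sae_entries(text):
    """Parse 'password|mac=..|id=..' lines into attribute dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        password, *attrs = line.rstrip("\n").split("|")
        entry = {"password": password}
        for attr in attrs:
            name, _, value = attr.partition("=")
            entry[name] = value.lower()
        entries.append(entry)
    return entries

def audit(conf_text, sae_text):
    """Return (finding, detail) tuples for a PSK+SAE transition-mode BSS."""
    conf = parse_conf(conf_text)
    akms = set(conf.get("wpa_key_mgmt", "WPA-PSK").split())
    if not (akms & PSK_AKMS and akms & SAE_AKMS):
        return []  # single-AKM BSS: nothing to cross-check
    # A MAC-bound SAE entry does not stop that MAC from choosing a PSK AKM.
    findings = [("sae-entry-not-exclusive", e["mac"])
                for e in parse_sae_entries(sae_text) if "mac" in e]
    # With optional MFP, SAE stations may associate without it unless forced.
    if conf.get("ieee80211w") == "1" and conf.get("sae_require_mfp") != "1":
        findings.append(("sae-mfp-not-required", "ieee80211w=1"))
    return findings
```

An empty result means the BSS advertises only one AKM family, which is the case when PSK and SAE stations are served from separate `bss=` sections.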


