[PATCH] SME: Omit RSNXE for WPA2 connections

Arowa Suliman arowa at chromium.org
Tue Mar 3 12:26:37 PST 2026 

The Robust Security Network eXtended Element (RSNXE) is specific to
WPA3.

Including it in WPA2 handshakes causes authentication failures with some
Access Points, as they do not handle its presence correctly in a WPA2
context.

Known impacted routers: TP-Link EAP320 and TP-Link Archer VR400 and

Test: PASN enabled connect Intel WiFi AX211 to WPA2-PSK network with TP-Link EAP320 router

Signed-off-by: Arowa Suliman <arowa at chromium.org>
---
 ...-SME-Omit-RSNXE-for-WPA2-connections.patch | 40 +++++++++++++++++++
 wpa_supplicant/sme.c                          |  4 ++
 2 files changed, 44 insertions(+)
 create mode 100644 0001-SME-Omit-RSNXE-for-WPA2-connections.patch

diff --git a/0001-SME-Omit-RSNXE-for-WPA2-connections.patch b/0001-SME-Omit-RSNXE-for-WPA2-connections.patch
new file mode 100644
index 000000000..ae58350a0
--- /dev/null
+++ b/0001-SME-Omit-RSNXE-for-WPA2-connections.patch
@@ -0,0 +1,40 @@
+From 643869d24a74ec70c2cab223006dd17957d9a18b Mon Sep 17 00:00:00 2001
+From: Arowa Suliman <arowa at google.com>
+Date: Fri, 27 Feb 2026 23:17:25 +0000
+Subject: [PATCH] SME: Omit RSNXE for WPA2 connections
+
+The Robust Security Network eXtended Element (RSNXE) is specific to
+WPA3.
+
+Including it in WPA2 handshakes causes authentication failures with some
+Access Points, as they do not handle its presence correctly in a WPA2
+context.
+
+Known impacted routers: TP-Link EAP320 and TP-Link Archer VR400 and
+
+Test: Connect to WPA2-PSK network with TP-Link EAP320 router
+
+Signed-off-by: Arowa Suliman <arowa at chromium.org>
+---
+ wpa_supplicant/sme.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
+index a14ff784c..0843c43c8 100644
+--- a/wpa_supplicant/sme.c
++++ b/wpa_supplicant/sme.c
+@@ -1049,6 +1049,11 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
+ 		}
+ 	}
+ 
++	// Omit RSNXE for WPA2 connections.
++	if (wpa_key_mgmt_wpa_psk_no_sae(ssid->key_mgmt)) {
++		omit_rsnxe = 1;
++	}
++
+ #ifdef CONFIG_IEEE80211R
+ 	ie = wpa_bss_get_ie(bss, WLAN_EID_MOBILITY_DOMAIN);
+ 	if (ie && ie[1] >= MOBILITY_DOMAIN_ID_LEN)
+-- 
+2.53.0.473.g4a7958ca14-goog
+
diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index a14ff784c..c821a944b 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -1047,6 +1047,10 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
 			wpas_connect_work_done(wpa_s);
 			return;
 		}
+	} else if (wpa_s->wpa_proto == WPA_PROTO_RSN &&
+		   wpa_key_mgmt_wpa_psk_no_sae(wpa_s->key_mgmt)) {
+		// Omit RSNXE for WPA2-PSK connections to avoid AP compatibility issues.
+		omit_rsnxe = 1;
 	}
 
 #ifdef CONFIG_IEEE80211R
-- 
2.53.0.473.g4a7958ca14-goog

More information about the Hostap mailing list