[closed] Can I disable sha256 handshake in wpa2/wpa3 mixed?

Installing and Using OpenWrt Network and Wireless Configuration
1

I’m trying to maximize roaming with an older (non-openwrt AP). I already wrote a static neighbor script to “hint” to the older AP as well, but the handshake methods seem problematic:
According to android wifi analyzer the non-openwrt AP allows "WPA2-PSK-CCMP", "RSN-PSK+SAE-CCMP", "ESS", "MFPC" and "PSK SAE". On the openwrt AP as well, but shows "RSN-PSK+PSK-SHA256-CCMP+SAE-CCMP" instead of "RSN-PSK+SAE-CCMP". How can I disable the sha256 option? I tried many things, all failed.
The /etc/config/wireless section:

config wifi-iface 'wifinet7'
        option device 'radio6'
        option mode 'ap'
        option ssid 'xxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option encryption 'sae-mixed'
        option key 'xxxxxxxxxxxxxxxxxxxxxxxxxx'
        option network 'lan'
        option ieee80211k '1'
        option ieee80211v '1'
        option ieee80211w '1'
        option wnm_sleep_mode '1'
        option bss_transition '1'
        option wpa_psk_sha256 '0'
        option ocv '0'

… I guess wpa_psk_sha256 isn’t the option I need, but is there anything I could use to disable sha256? I tried to comment out ieee80211w as well, but that did not help.

2

start by not using sae-mixed ?

3

unlikely KVR helps there, make as generic compatible options as possible.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Screenshot 2025-10-20 at 8.14.14 PM

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/wireless
4

never mind, I tried hackiing myself into the older AP (Fritz!box), cross-compiled a hostapd_cli command, pushed it into the fritz!box and could activate PSK/SHA256 after all (visible in iw dev wlan0 scan), so topic closed, openwrt can keep using PSK/SHA256. The only thing I could not do is force neighbor registration down there, but hey, if the authentication methods are the same, it will be a leap forward for roaming :slight_smile: topic closed

5

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.