Individual per-passphrase Wifi VLANs using wpa_psk_file (no RADIUS required)

Fantastic thread overall. I've read the whole thing from start to finish and am a little unclear on a few questions:

  • Is there a full How-to document for this functionality posted somewhere on the Wiki yet?

  • Is it still necessary to replace wpad-basic-wolfssl with the full wpad-wolfssl, or has this been rendered unecessary by later OpenWRT versions?

  • Is it true/correct that basically this feature won't work with WPA3 / SAE, and that there's not likely to be a fix for that due to the way SAE itself works?

(Fwiw: my setup is a single Unifi UAP-AC-LITE running OpenWRT 23.05.2, configured as a pure WAP AP with 3 VLANs, routing handled upstream by a separate Opnsense router/firewall/gateway.)
(ath79/generic, kernel 5.15.137)

No.

Yes.

To answer your third question:

As I have understood the rumors, no, wpa3 and dynamic VLAN does not play well together.