Mixed WPA2/WPA3 encryption

Hello,

I activate mixed WPA2/WPA3 encryption in my APs, I have problems with some devices, they can not connect.

Is there any way to check the encryption that the device choose to connect? I didn't find it in the web interface.

How does the mixed work in the client side, is the client who choose the encryption to use?

Thanks for your help.

Best regards.

Very dependent on device and operating system.

Android shows encryption but doesn’t even have WPA3 support on my device so it only sees and connect to wpa2 wifi’s.
iOS connect to WPA3 but it is impossible in iOS to see what encryption it use.
Ubuntu runs wpa3 and you can see it in wifi settings.

Do they work with only wpa2?

Do the devices even see the ssid name in the list?

But I would say wpa3 is many years away before being a working hardware standard with working AP drivers as wpa2 is today.

Thanks @flygarn12,

But I want to check in the AP side, is it possible to see with a command which encryption is using each connected devices?

Yes, I think I will change to WPA2.

Regards.

I haven’t found any way to see this but I haven’t played with wifi and OpenWRT that long so it might be some package out there doing this job?

Did you leave encrypted management frames as optional?

It is possible. But requires manual interpretation of the long output of a console command.

See "AKMSuiteSelector" of each device

Edit:

Definitions

#define WLAN_AKM_SUITE_8021X			SUITE(0x000FAC, 1)
#define WLAN_AKM_SUITE_PSK			SUITE(0x000FAC, 2)
#define WLAN_AKM_SUITE_FT_8021X			SUITE(0x000FAC, 3)
#define WLAN_AKM_SUITE_FT_PSK			SUITE(0x000FAC, 4)
#define WLAN_AKM_SUITE_8021X_SHA256		SUITE(0x000FAC, 5)
#define WLAN_AKM_SUITE_PSK_SHA256		SUITE(0x000FAC, 6)
#define WLAN_AKM_SUITE_TDLS			SUITE(0x000FAC, 7)
#define WLAN_AKM_SUITE_SAE			SUITE(0x000FAC, 8)
#define WLAN_AKM_SUITE_FT_OVER_SAE		SUITE(0x000FAC, 9)
#define WLAN_AKM_SUITE_AP_PEER_KEY		SUITE(0x000FAC, 10)
#define WLAN_AKM_SUITE_8021X_SUITE_B		SUITE(0x000FAC, 11)
#define WLAN_AKM_SUITE_8021X_SUITE_B_192	SUITE(0x000FAC, 12)
#define WLAN_AKM_SUITE_FT_8021X_SHA384		SUITE(0x000FAC, 13)
#define WLAN_AKM_SUITE_FILS_SHA256		SUITE(0x000FAC, 14)
#define WLAN_AKM_SUITE_FILS_SHA384		SUITE(0x000FAC, 15)
#define WLAN_AKM_SUITE_FT_FILS_SHA256		SUITE(0x000FAC, 16)
#define WLAN_AKM_SUITE_FT_FILS_SHA384		SUITE(0x000FAC, 17)
#define WLAN_AKM_SUITE_OWE			SUITE(0x000FAC, 18)
#define WLAN_AKM_SUITE_FT_PSK_SHA384		SUITE(0x000FAC, 19)
#define WLAN_AKM_SUITE_PSK_SHA384		SUITE(0x000FAC, 20)

I've had good luck with SAE-Mixed mode on ath10k devices. It all comes down to 802.11w support on your devices. It needs to be supported and impeccable.

Out of about 20~devices I have, two refuse to work when 802.11w is set to optional. And it doesn't matter what the encryption is set to (WPA/WPA2/SAE/SAE-Mixed). One device is a french phone with bugged support in firmware, the other is an old Intel WiFi card that never supported it.

I have two SSIDs for my 2,4GHz and 5GHz networks. One for 802.11w compatible devices set to SAE-Mixed, and the other one for the misfits with WPA2 set.