So I'd like to have three isolated WiFi networks on my openwrt router: Lan, guest, iot.
Using three different SSID names is going to waste some air time due to many control messages. So I wonder if there's an option to use one SSID with three different passwords one for each network time. I need openwrt to figure out according to the password which network to associate a client to. Some commercial routers support such functionality, is there something similar in openwrt?
The alternative would be to use wpa2 Enterprise but I wonder if any iot client will support it.
I've also seen that it's possible to use MAC addresses with a RADIUS server to assign different clients to different vlans but that does not seem very secure.
So I understand there is no option in hostapd to define multiple passwords for a single SSID and assign a vlan per password? Could have been useful to avoid the beacon pollution or the requirement to setup an Enterprise configuration.
You can also consider adding IOT devices on the guest Network. That's what I am using for my own network. Client isolation is enabled so clients cannot communicate with each other, and both type of devices are only able to connect to WAN IPs for internet access. That will bring your particular case down to 2 SSIDs per radio. Though honestly as already said before, even 3 SSIDs isn't bad at all in terms of beacon pollution.
... are not a feature of the 802.11 specs for "personal" authentication.
Three SSIDs on a radio generally isn't an issue. (I run five or more, separating out the IoT devices into multiple SSIDs/VLANs). For me, as IoT is on 2.4 GHz and my "important" clients connect on 5 GHz, it is even less of an issue.