Below is a proof-of-concept script providing this output:
root@router1:/etc# ./wifi_suite.sh
Associated wifi stations' AKM suites:
wlan0: AKM suite of e0:c3:77:ae:0a:30 is 00-0f-ac-8 (WPA3-SAE)
wlan0: AKM suite of ac:57:75:56:c1:e0 is 00-0f-ac-6 (WPA-PSK-SHA256)
wlan1: AKM suite of 30:cd:a7:b3:33:5d is 00-0f-ac-2 (WPA-PSK)
Script:
#!/bin/sh
# Copyright 2021-2023 Hannu Nyman
# SPDX-License-Identifier: GPL-2.0-only
echo "Associated wifi stations' AKM suites:"
cd /var/run/hostapd
for socket in *; do
[ -S "$socket" ] || continue
[ "$socket" = "global" ] && continue
for assoc in $(hostapd_cli -i "$socket" list_sta); do
suite=$(hostapd_cli -i "$socket" sta "$assoc" | grep "AKMSuiteSelector" | cut -f 2 -d"=")
case "$suite" in
00-0f-ac-1) akm=802.1x ;;
00-0f-ac-2) akm=WPA-PSK ;;
00-0f-ac-3) akm=FT-802.1x ;;
00-0f-ac-4) akm=WPA-PSK-FT ;;
00-0f-ac-5) akm=802.1x-SHA256 ;;
00-0f-ac-6) akm=WPA-PSK-SHA256 ;;
00-0f-ac-7) akm=TDLS ;;
00-0f-ac-8) akm=WPA3-SAE ;;
00-0f-ac-9) akm=FT-SAE ;;
00-0f-ac-10) akm=AP-PEER-KEY ;;
00-0f-ac-11) akm=802.1x-suite-B ;;
00-0f-ac-12) akm=802.1x-suite-B-192 ;;
00-0f-ac-13) akm=FT-802.1x-SHA384 ;;
00-0f-ac-14) akm=FILS-SHA256 ;;
00-0f-ac-15) akm=FILS-SHA384 ;;
00-0f-ac-16) akm=FT-FILS-SHA256 ;;
00-0f-ac-17) akm=FT-FILS-SHA384 ;;
00-0f-ac-18) akm=OWE ;;
00-0f-ac-19) akm=FT-WPA2-PSK-SHA384 ;;
00-0f-ac-20) akm=WPA2-PSK-SHA384 ;;
*) akm="undefined" ;;
esac
echo "$socket: AKM suite of $assoc is $suite ($akm)"
done
done
Ps. Based on hostapd sources, it looks like the deciding byte is handled as decimal, although the preceding bytes are hex.