It seems that h/w crypto support of these draft-N ath9k chipsets doesn't work with WPA3SAE. Once you disable it and use nl80211's softmac implementation instead, WPA3SAE works just fine (yes, doing this comes at a performance penalty).
Change /etc/modules.d/ath9k
to say (so add nohwcrypt=1
):
ath9k nohwcrypt=1
Router:
# dmesg | grep -e AR9 -e machine
[ 0.000000] MIPS: machine is TP-Link TL-WR1043ND v1
[ 0.000000] SoC: Atheros AR9132 rev 2
[ 23.454604] ieee80211 phy0: Atheros AR9100 MAC/BB Rev:7 AR2133 RF Rev:a2 mem=0xb80c0000, irq=2
# iwinfo
wlan0 ESSID: "XXX"
Access Point: 00:27:19:XX:XX:XX
Mode: Master Channel: 6 (2.437 GHz)
Tx-Power: 20 dBm Link Quality: 70/70
Signal: -24 dBm Noise: -95 dBm
Bit Rate: 54.0 MBit/s
Encryption: WPA3 SAE (CCMP)
Type: nl80211 HW Mode(s): 802.11bgn
Hardware: unknown [Generic MAC80211]
TX power offset: unknown
Frequency offset: unknown
Supports VAPs: yes PHY name: phy0
# hostapd_cli -i wlan0 get_config
bssid=00:27:19:XX:XX:XX
ssid=XXX
wps_state=disabled
wpa=2
key_mgmt=SAE
group_cipher=CCMP
rsn_pairwise_cipher=CCMP
# hostapd_cli -i wlan0 status
state=ENABLED
phy=phy0
freq=2437
num_sta_non_erp=0
num_sta_no_short_slot_time=0
num_sta_no_short_preamble=0
olbc=0
num_sta_ht_no_gf=0
num_sta_no_ht=1
num_sta_ht_20_mhz=0
num_sta_ht40_intolerant=0
olbc_ht=1
ht_op_mode=0x13
cac_time_seconds=0
cac_time_left_seconds=N/A
channel=6
secondary_channel=0
ieee80211n=1
ieee80211ac=0
ieee80211ax=0
beacon_int=100
dtim_period=2
ht_caps_info=104e
supported_rates=02 04 0b 16 0c 12 18 24 30 48 60 6c
max_txpower=20
bss[0]=wlan0
bssid[0]=00:27:19:XX:XX:XX
ssid[0]=XXX
num_sta[0]=1
chan_util_avg=26
Client:
# wpa_cli -i wlp3s0 status
bssid=00:27:19:XX:XX:XX
freq=2437
ssid=XXX
id=3
id_str=tl-wr1043nd
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=SAE
pmf=2
mgmt_group_cipher=BIP
sae_group=19
wpa_state=COMPLETED
ip_address=192.168.2.154
address=00:22:68:XX:XX:XX
uuid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
These draft-N chipsets have a lot of problems, both in terms of stability and plain bugs. If you can, scheduling a replacement with a newer chipset (ath9k, ath10k, maybe ath11k in the future) is a good idea, before even thinking about the RAM constraints and the low-end CPU performance (e.g. luci is effectively unusable).