Wpa3 support in OpenWrt?

I'm not sure, because WPA3 works with Apple clients and LANCOM devices for example (i tried it myself).

So maybe it's a configuration issue or we need an additional hostapd option?

1 Like

Could be that they transfer pmkid in a different way and hostapd doesn't support it? Or openwrt doesn't support it.

confirmed. only wpa3-eap seems to be supported by ios 13.1.2 (no psk)

While settings in MacOS Catalina says "personal WPA3", connecting doesn't work either.

iOS 12 connected fine to a mixed access point (WPA2/WPA3) but iOS 13 doesn't. I think Apple have tried to implement WPA3 but got something wrong which prevents it from falling back to WPA2. See https://www.reddit.com/r/ios/comments/df7mop/ios_13_wont_connect_to_wpa3_networks/.

I'm running an OpenWrt snapshot on my router in sae-mixed mode, and a MacBook running MacOS Catalina and some iOS devices running iOS 13 are all able to successfully connect. The MacBook reports that it is connecting via WPA3 Personal, but I can't find any info from the iOS devices as to which WPA version they're using. All the devices were updated with the network credentials already in place - I haven't tested trying to connect a fresh Catalina/iOS 13 device.

This is a shot in the dark, but the only change from the default in my wifi interface configuration (apart from setting the ssid, key, and encryption mode) is that I enable PMKSA caching (via the 'auth_cache' uci setting). Considering the error message regarding an invalid PMKID, this might be worth a try?

That's supposed to only be relevant for enterprise type encryption... But worth a try I guess.

I'll confirm that option auth_cache '1' does fix Apple devices connecting.
I wonder why? I still think it sounds like an error in the implementation from Apple?

Does anyone closer to the source have a comment?
Also i think this option disables the cache, not enables it? Looking at hostapd conf it looks like it is enabled by default.

1 Like
        I read below from repo of openwrt ,it is used to fix a secure problem
        # You don't really want to enable this unless you are doing
  	# some corner case testing or are using OpenWrt as a work around
  	# for some systematic issues.
  	config_get_bool auth_cache "$vif" auth_cache 0
  	config_get rsn_preauth "$vif" rsn_preauth
  	[ "$auth_cache" -gt 0 ] || [[ "$rsn_preauth" = 1 ]] || append "$var" "disable_pmksa_caching=1" "$N"
  	[ "$auth_cache" -gt 0 ] || [[ "$rsn_preauth" = 1 ]] || append "$var" "okc=0" "$N"


Can confirm option auth_cache '1' worked for me, my iPhone XR running iOS 13.1.3 connected.

it may not be apparent due to the "||", but setting auth_cache=1 will actually ensure that nothing is done here...?!

yes it does nothing so pmksa caching won't be disabled...which makes 802.1x not safe. But WPA3-Personal should be ok.

I am very happy that OpenWRT 19.07 rc has now been released. Thanks a lot!
During my tests, I found, that one part is missing for me. The feature "WPA3 Enterprise" and "WPA3/WPA2 Enterprise" (mixed) should be available:
I can't see it on luci. I have the same dropdown menu as shown in Wpa3 support in OpenWrt? Post #58 by Camis.
Is it possible to add these two menu items, please?
By the way: "WPA2-PSK/WPA3-SAE Mixed Mode" seems to work with my WPA2 only mobile phone using the package wpad-wolfssl.

It seems like wpad-openssl is working in general better then wpad-wolfssl: https://bugs.openwrt.org/index.php?do=details&task_id=2571

I can confirm that WPA3 works when using openssl.
Commands to enable WPA3:
opkg update && opkg remove wpad-basic && opkg install wpad-openssl

ImageBuilder command for generating custom image for MR24 with luci and WPA3 (replace meraki_mr24 with your device):
make image PROFILE=meraki_mr24 PACKAGES="wpad-openssl luci -wpad-basic"


Does the full wpad package support wpa3, or will either wpad-openssl or wpad-wolfssl need to be installed? If so, what's the difference between the full wpad packages and the specific SSL packages? The full wpad package has the largest size, so apparently it has something those specific packages do not have.

Also, has anyone made a performance comparison between using openssl vs wolfssl?

As mentioned earlier in this thread.

wpad-full is not sufficient.


The full package is larger than either wpad-openssl and wpad-wolfssl though. What does it have that the other two packages do not? ie, am I giving anything up by moving from wpad-full to wpad-openssl or wpad-wolfssl?

I think the way it used to work is that the full variant baked in the required SSL functions, and therefore had no external library required, but had the biggest size.

Looking now, it looks as though FULL is the parent variant, and then you select either OPENSSL or WOLFSSL as the child variants. Either of those will enable things like SAE and OWE (many reports of better success on openssl rather than wolfssl).

This is just my guess based on the makefile, which is a little hard to read given how many variants there are.


SSL has always been a separate library package.

Earlier it was a dependency hell and plain wpad could require either openssl, mdedtls or wolfssl, depending on the compile time options used. That was clarified by declaring the SSL dependency already in the package name. Thus there is now wpad-openssl etc.

Functional wise it is also wpad, wpad-basic (without eap/radius), wpad-mini (without 80211r and w, thus no wpa3, without eap radius).

1 Like