WPA3 Configuration and Compatibility
WPA3 is the current WiFi security standard, providing stronger protection than WPA2 through Simultaneous Authentication of Equals (SAE), Opportunistic Wireless Encryption (OWE), and mandatory Protected Management Frames (PMF). RouterOS 7.x with the wifi package supports WPA3 natively.
:::info RouterOS Requirement
WPA3 requires RouterOS 7.x with the wifi (wifiwave2) package. RouterOS 6.x is limited to WPA2. Upgrade to 7.3.1 or later — earlier 7.x versions had WPA2/WPA3 disconnection bugs.
:::
WPA3 Variants
| Variant | Use Case | Key Feature |
|---|---|---|
| WPA3-Personal (SAE) | Home and small office | Replaces PSK with SAE handshake |
| WPA3-Enterprise | Corporate/RADIUS environments | 192-bit security, mandatory PMF |
| OWE | Open/guest networks | Encryption without password |
| WPA2/WPA3 Transition | Mixed device environments | Supports both old and new clients |
WPA3-Personal (SAE)
SAE (Simultaneous Authentication of Equals) replaces the PSK handshake used in WPA2. It eliminates offline dictionary attacks — an attacker who captures the handshake cannot brute-force the passphrase offline.
Basic Configuration
```
/interface wifi security
add name="wpa3-home" \
    authentication-types=wpa3-psk \
    pmf=required \
    passphrase="YourSecurePassphrase"
```
With Custom SAE Parameters
```
/interface wifi security
add name="wpa3-tuned" \
    authentication-types=wpa3-psk \
    pmf=required \
    passphrase="YourSecurePassphrase" \
    sae-anti-clogging-threshold=5 \
    sae-max-failure-rate=40
```
Tip: If clients report SAE handshake failures, adjusting sae-anti-clogging-threshold (default 5) and sae-max-failure-rate (default 40) can resolve intermittent connection issues.
WPA3-Enterprise
WPA3-Enterprise requires a RADIUS server and provides 192-bit security with mandatory GCMP-256 encryption.
```
/interface wifi security
add name="wpa3-corp" \
    authentication-types=wpa3-eap \
    pmf=required \
    eap-methods=eap-tls \
    eap-tls-certificate=server-cert \
    encryption=gcmp-256
```
OWE (Opportunistic Wireless Encryption)
OWE encrypts open network traffic without requiring a password. Clients connect as they would to an open network, but traffic is encrypted end-to-end.
Basic OWE
```
/interface wifi security
add name="owe-guest" \
    authentication-types=owe \
    pmf=required
```
OWE Transition Mode (Recommended for Guest Networks)
Transition mode broadcasts both an open SSID (for older devices) and an OWE-encrypted SSID simultaneously. Modern clients automatically use OWE.
```
# Create the OWE interface
/interface wifi
add name="guest-owe" ssid="GuestNetwork" security=owe-guest

# Create the open fallback (hidden)
/interface wifi
add name="guest-open" ssid="GuestNetwork" security=owe-open disabled=no

# Link them
/interface wifi security
set [find name=owe-guest] owe-transition-interface=guest-open
```
PMF (Protected Management Frames)
PMF (802.11w) protects deauthentication and disassociation frames against spoofing attacks. WPA3 requires PMF.
| PMF Setting | Behavior | Use When |
|---|---|---|
| disabled | No PMF — WPA2 only | Legacy-only networks |
| optional | Clients choose — WPA2 and WPA3 work | Mixed environments |
| required | Only PMF-capable clients connect | WPA3-only networks |
```
# Check current PMF setting
/interface wifi security print

# Set PMF mode
/interface wifi security set [find name=my-profile] pmf=optional
```
:::warning IoT Device Compatibility
Most IoT devices manufactured before 2019 do not support PMF. Setting pmf=required on an SSID shared with older smart home devices, cameras, or industrial sensors will prevent them from connecting. Use a separate SSID with pmf=optional or pmf=disabled for IoT devices.
:::
WPA2/WPA3 Transition Mode
Transition mode is the recommended deployment strategy for most environments. WPA3-capable clients use SAE; legacy clients fall back to WPA2-PSK.
```
/interface wifi security
add name="wpa2-wpa3-mixed" \
    authentication-types=wpa2-psk,wpa3-psk \
    pmf=optional \
    passphrase="YourPassphrase"
```
Enterprise Transition Mode
```
/interface wifi security
add name="wpa2-wpa3-enterprise" \
    authentication-types=wpa2-eap,wpa3-eap \
    pmf=optional
```
Client Compatibility
WPA3 has real-world compatibility issues. Test all device types before production deployment.
Devices with Known Problems
| Device Category | Reported Issue | Workaround |
|---|---|---|
| Samsung (various) | Disconnections in transition mode | Use WPA3-only or WPA2-only |
| Apple iPhone (some) | Won’t reconnect automatically after roaming | Disable WPA3 if using 802.11r |
| Older Android | SAE not supported or broken | WPA2/WPA3 transition mode |
| Most Android | Roaming failures with WPA3 | Use WPA2-only if 802.11r required |
| Pre-2019 IoT devices | No PMF support — cannot connect | Separate WPA2 SSID |
Devices with Good WPA3 Support
| Device Category | Notes |
|---|---|
| Linux laptops (ThinkPad, etc.) | Generally reliable |
| Google Pixel 4A, 6A, 7A | No reported issues |
| Xiaomi Mi 9 SE | Works well |
| Modern Windows laptops | Generally good, varies by driver |
WPA3 and Fast Roaming (802.11r)
WPA3 is incompatible with 802.11r fast roaming on most Android devices. If seamless roaming is a requirement, use WPA2-only:
```
# Roaming-optimized profile — WPA2 only
/interface wifi security
add name="roaming-profile" \
    authentication-types=wpa2-psk \
    pmf=optional \
    ft=yes \
    ft-over-ds=yes \
    passphrase="YourPassphrase"
```
See the Fast Roaming guide for full 802.11r configuration.
Configuration Strategies by Environment
Home Network (Mixed Devices)
```
# WPA2/WPA3 transition — covers everything
/interface wifi security
add name="home" \
    authentication-types=wpa2-psk,wpa3-psk \
    pmf=optional \
    passphrase="HomePassphrase"
```
Modern Office (New Devices Only)
```
# WPA3 only — maximum security
/interface wifi security
add name="office-wpa3" \
    authentication-types=wpa3-psk \
    pmf=required \
    passphrase="OfficePassphrase"
```
IoT-Heavy Network
```
# WPA2 only for IoT SSID
/interface wifi security
add name="iot-ssid" \
    authentication-types=wpa2-psk \
    pmf=disabled \
    passphrase="IoTPassphrase"

# WPA3 for main SSID on separate VLAN
/interface wifi security
add name="main-ssid" \
    authentication-types=wpa2-psk,wpa3-psk \
    pmf=optional \
    passphrase="MainPassphrase"
```
Guest Network (OWE + Open Fallback)
Use OWE transition mode (see OWE section above) to encrypt guest traffic without requiring a password.
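The PMF and roaming rules above can be checked mechanically before a profile goes live. The following is an added example, not part of the original guide or of RouterOS: a small linter for security profile commands written the way this page writes them. It assumes the property names used on this page (authentication-types, pmf, ft); the sample export is constructed for illustration.

```python
import shlex

# Constructed sample export; property names follow the profiles on this page.
SAMPLE_EXPORT = r'''
/interface wifi security
add name="office-wpa3" authentication-types=wpa3-psk \
    pmf=optional passphrase="example-only"
add name="mixed" authentication-types=wpa2-psk,wpa3-psk pmf=required
add name="iot-ssid" authentication-types=wpa2-psk pmf=disabled
add name="roam" authentication-types=wpa2-psk,wpa3-psk pmf=optional ft=yes
add name="home" authentication-types=wpa2-psk,wpa3-psk pmf=optional
'''

def parse_profiles(export):
    """Return one {property: value} dict per 'add' under the security menu."""
    profiles, menu = [], ""
    for line in export.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
        elif menu == "/interface wifi security" and line.startswith("add "):
            tokens = shlex.split(line)[1:]
            profiles.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return profiles

def lint(profile):
    """Check one profile against the PMF and roaming rules stated on this page."""
    auth = set(filter(None, profile.get("authentication-types", "").split(",")))
    modern = {a for a in auth if a.startswith("wpa3") or a == "owe"}
    legacy = auth - modern
    pmf = profile.get("pmf")
    findings = []
    if modern and pmf == "disabled":
        findings.append("pmf=disabled on a profile that offers WPA3/OWE")
    elif modern and not legacy and pmf != "required":
        findings.append("WPA3-only profile does not set pmf=required")
    elif modern and legacy and pmf == "required":
        findings.append("transition profile with pmf=required excludes non-PMF clients")
    if modern and profile.get("ft") == "yes":
        findings.append("802.11r enabled with WPA3: Android roaming failures reported")
    return findings

def audit(export):
    """Map profile name -> list of findings."""
    return {p.get("name", "?"): lint(p) for p in parse_profiles(export)}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_EXPORT).items():
        print(name, "->", findings or "ok")
```
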
Troubleshooting
Common Failure Modes
| Symptom | Likely Cause | Fix |
|---|---|---|
| Client won’t connect to WPA3 | Device doesn’t support SAE or PMF | Use transition mode or WPA2-only |
| Constant disconnections | RouterOS < 7.3.1 bug | Upgrade RouterOS |
| No roaming (stays on weak AP) | Android + WPA3 incompatibility | Switch to WPA2-only |
| IoT device can’t connect | PMF required, device doesn’t support it | Set pmf=optional or separate SSID |
| SAE handshake failure | Anti-clogging threshold too low | Increase sae-anti-clogging-threshold |
| WPA3-Enterprise 192-bit failures | Supplicant lacks GCMP-256 support | Use WPA2/WPA3-Enterprise transition |
Diagnostic Commands
```
# View security profiles
/interface wifi security print detail

# Check connected client authentication type
/interface wifi registration-table print

# View WiFi-related log entries
/log print where topics~"wireless"

# Check if client supports WPA3
/interface wifi registration-table print where interface=wlan1
# Look for "auth-type" in the output
```
RouterOS Version Notes
| Version | WPA3 Status |
|---|---|
| 6.x | Not supported — WPA2 only |
| 7.0–7.3.0 | WPA3 available but has disconnection bugs |
| 7.3.1+ | Recommended — disconnection issues fixed |
| 7.x latest | Best compatibility and stability |
Related Resources
- Security Profiles — Full reference for all security configuration options
- Fast Roaming (802.11r/k/v) — Seamless AP transitions (note WPA3 limitations)
- CAPsMAN Configuration — Multi-AP managed deployments
- Dense WiFi Deployment — High-density environments