How to connect Windows 10 with WPA3-Personal (SAE/PMF) to Stellar Wireless AP

Connecting with WPA3-Personal (SAE/PMF) wireless networks on Windows 10 is straight forward, given you run the Win10 May 2019 update (Build 1903) and a compatible Wireless card. On this page I'll document what needs to be done to get it to work.

Equipment & Access Point used:

Alcatel-Lucent Enterprise OmniAccess Stellar AP1201
AWOS v3.0.6.23
OmniVista 2500 v4.4R1 Build 39
Microsoft Windows 10 (Build 1903, May 2019 Update)
Intel Wireless-AC 9260 (Wi-Fi.org Certification) with 21.10.1.2 drivers (go to wireless card settings and trigger an update via online search)

If you'd like to know how to connect a Raspberry Pi Model 3 B+ via WPA3-Personal, you may want to review this article!

Connecting to SSID „ov44b39“ mandates MFP/PMF (as SAE-only), as you can tell from following Wifi Explorer screenshot.

PCAP Screenshot

Download of the PCAP (check e.g. #183): ch132_2019-06-06_15.35.14.pcap.zip

SSID Overview (get_wlan)

support@AP-1E:60:~$ ssudo wam_debug get_wlan
{
	[
		{
			"srvname": "ov44b39-portal",
			"ssid": "ov44b39-portal",
			"hide": "no",
			"ssid_enable": "enable",
			"band": "all",
			"seclevel": "psk",
			"encryptype": "wpa3_psk_sae_aes",
			"ifindex": "2g: ath02, 5g_1: ath12, 5g_2: ",
			"passphrase": "******",
			"prekey": "******",
			"AAAprofile": "ov44b39-portal",
			"macau_enable": "enable",
			"bypass_enable": "disable",
			"mac_eap_allow": "enable",
			"macpassrole": "",
			"classification_enable": "disable",
			"defaultrole": "__ov44b39-portal",
			"80211r_enable": "disable",
			"okc_enable": "disable",
			"l3_roaming": "disable",
			"bcrotation_enable": "disable",
			"bcrotation_inteval": 15,
			"mesh": "disable",
			"clientIsolation": "disable"
		},
		{
			"srvname": "ov44b39",
			"ssid": "ov44b39",
			"hide": "no",
			"ssid_enable": "enable",
			"band": "all",
			"seclevel": "psk",
			"encryptype": "wpa3_sae_aes",
			"ifindex": "2g: ath01, 5g_1: ath11, 5g_2: ",
			"passphrase": "******",
			"prekey": "******",
			"AAAprofile": "",
			"macau_enable": "disable",
			"bypass_enable": "disable",
			"mac_eap_allow": "enable",
			"macpassrole": "",
			"classification_enable": "disable",
			"defaultrole": "__ov44b39",
			"80211r_enable": "disable",
			"okc_enable": "disable",
			"l3_roaming": "disable",
			"bcrotation_enable": "disable",
			"bcrotation_inteval": 15,
			"mesh": "disable",
			"clientIsolation": "disable"
		}
	]
}

Client Overview (sta_list)

support@AP-1E:60:~$ ssudo wam_debug sta_list
{
	"status": "Success!!!",
	"wlanServiceData": [
		{
			"iface": "ath01",
			"ssid": "ov44b39",
			"freq": "2.4GHz",
			"security": "Personal(WPA3_SAE_AES)",
			"wlanService": "ov44b39"
		},
		{
			"iface": "ath11",
			"ssid": "ov44b39",
			"freq": "5GHz",
			"security": "Personal(WPA3_SAE_AES)",
			"wlanService": "ov44b39",
			"staData": [
				{
					"staMAC": "58:a0:23:25:b6:01",
					"staIP": "192.168.12.116",
					"staGlobalIPv6": "::",
					"staLocalIPv6": "fe80::b1f4:1058:dc9d:c780",
					"associationTime": 347,
					"mappingType": 0,
					"assignedVLAN": 12,
					"assignedAR": "__ov44b39",
					"assignedPL": "",
					"macAuthResult": "",
					"ARFromMACAuth": "",
					"PLFromMACAuth": "",
					"redirectURLFromMACAuth": "",
					"ARFrom8021xAuth": "",
					"PLFrom8021xAuth": "",
					"redirectURLFrom8021xAuth": "",
					"CPAuthResult": "FAILED",
					"ARFromCPAuth": "",
					"PLFromCPAuth": "",
					"ARFromRoaming": "",
					"PLFromRoaming": "",
					"redirectURLFromRoaming": "",
					"classificationMatched": "none"
				}
			]
		},
		{
			"iface": "ath02",
			"ssid": "ov44b39-portal",
			"freq": "2.4GHz",
			"security": "Personal(WPA3_PSK_SAE_AES)",
			"wlanService": "ov44b39-portal"
		},
		{
			"iface": "ath12",
			"ssid": "ov44b39-portal",
			"freq": "5GHz",
			"security": "Personal(WPA3_PSK_SAE_AES)",
			"wlanService": "ov44b39-portal"
		}
	]
}

Client Overview (wlanconfig ath11 list)

I still need to figure out a few things in this output.

support@AP-1E:60:~$ wlanconfig ath11 list
ADDR               AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE  TXSEQ  RXSEQ  CAPS XCAPS        ACAPS     ERP    STATE MAXRATE(DOT11) HTCAPS VHTCAPS ASSOCTIME    IEs   MODE                   PSMODE RXNSS TXNSS
58:a0:23:25:b6:01    1  132 130M     54M   39      36      48    0      0   65535   EPs  EBQO         0          b              0             APM           1gTRs 00:06:50  RSN WME IEEE80211_MODE_11AC_VHT20   0 2 2
 Minimum Tx Power		: 0
 Maximum Tx Power		: 12
 HT Capability			: Yes
 VHT Capability			: Yes
 MU capable			: Yes
 SNR				: 39
 Operating band			: 5GHz
 Current Operating class	: 0
 Supported Rates		: 12  18  24  36  48  72  96  108

OmniVista: Client RSSI history

Settings on Windows 10 device

Microsoft/Intel driver for Intel 9260 wireless card

Click on „Treiber aktualisieren“ (Update driver) to let Windows 10 search for the most recent driver online. The driver that comes originally with Windows 10 for this card doesn't support WPA3 (2018 vs. 2019 driver). Validate that you run the same or a newer version: 21.10.1.2

Output for "netsh wlan show wirelesscapabilities"

Output for command „netsh wlan show wirelesscapabilities“ needs to contain support „SAE-Authentication: Yes/True“

Output for "netsh wlan show drivers"

Output for command „netsh wlan show drivers“ needs to contain support for „802.11w Management Frame Protection: Yes/True“

Win10: Adding a new WPA3-Personal wireless network

New option for „WPA3-Personal AES“

Win10: Details on WPA3-Personal wireless network

Please note that Windows 10 now also reports Wi-Fi 5 (802.11ac) or Wi-Fi 6 (802.11ax) respectively.