WPA3-Transition
How it works
WPA3-Transition runs two authentication methods under a single SSID so a mixed fleet keeps working while a site migrates to WPA3. WPA3-capable clients negotiate SAE (Simultaneous Authentication of Equals, the password-authenticated key exchange defined in IEEE 802.11-2020), which gives forward secrecy and resists offline dictionary attacks. Older clients fall back to the legacy WPA2-PSK four-way handshake on the same network, using the same passphrase. The access point's RSN information element lists both AKM suites, SAE (00-0F-AC:8) and PSK (00-0F-AC:2), in its beacons and probe responses, alongside an RSN Extension element (RSNXE) that carries the SAE hash-to-element capability when that is enabled; a client compares the AKM list against what it supports and picks the strongest method it understands.
The catch is that one shared secret backs both paths. SAE never transmits anything an attacker can grind, but the WPA2-PSK side of the network derives its Pairwise Master Key from the same passphrase and exposes it through a crackable handshake. The two methods are only as strong as their weakest member, and the weakest member is WPA2.
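The following is an added example, not code from the Tala WTE page or project. It parses the RSN element and RSNXE out of a beacon's tagged parameters, reports which mode the AP is actually offering and whether PMF is required, optional or absent, and models the client-side choice that makes the downgrade in the Attacks section work: SAE when it is offered, PSK otherwise, unless the profile has been marked transition-disabled. Element layouts follow IEEE 802.11-2020 (RSNE is element ID 48, RSNXE is element ID 244); the three beacons at the bottom are constructed byte strings, not captures, and the SSID is a placeholder.

```python
"""Classify what a beacon's RSNE / RSNXE actually offer, and what a client does with it.

Added example, not code from the Tala WTE page or project. Element layouts follow
IEEE 802.11-2020 (RSNE = element ID 48, RSNXE = element ID 244); the three beacons
at the bottom are constructed byte strings, not captures.
"""
import struct

RSN_IE_ID, RSNXE_ID = 48, 244
OUI = b"\x00\x0f\xac"                       # IEEE 802.11 cipher/AKM suite OUI
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
PSK_AKMS, SAE_AKMS = {2, 4, 6}, {8, 9}
MFPR, MFPC = 0x0040, 0x0080                 # RSN Capabilities bits 6 and 7
RSNXE_H2E, RSNXE_SAE_PK = 1 << 5, 1 << 6    # first RSNXE octet, bits 5 and 6


def iter_elements(ies):
    """Yield (element_id, body) from a beacon's tagged-parameter blob."""
    off = 0
    while off + 2 <= len(ies):
        eid, ln = ies[off], ies[off + 1]
        body = ies[off + 2:off + 2 + ln]
        if len(body) != ln:
            raise ValueError("truncated element")
        yield eid, body
        off += 2 + ln


def _suite_list(body, off):
    """Read a 2-byte count followed by 4-byte suite selectors; return (types, new_off)."""
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    types = []
    for _ in range(count):
        types.append(body[off + 3] if body[off:off + 3] == OUI else None)
        off += 4
    return types, off


def parse_rsn(body):
    """version | group suite | pairwise list | AKM list | capabilities (optional)."""
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unknown RSN version")
    pairwise, off = _suite_list(body, 6)
    akms, off = _suite_list(body, off)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"pairwise": pairwise, "akms": akms, "caps": caps}


def classify(ies):
    """Summarise the security mode a beacon actually offers."""
    rsn, rsnxe_flags = None, 0
    for eid, body in iter_elements(ies):
        if eid == RSN_IE_ID:
            rsn = parse_rsn(body)
        elif eid == RSNXE_ID:
            rsnxe_flags = body[0]          # low nibble = length-1, high bits = flags
    if rsn is None:
        return {"mode": "no RSN", "pmf": "none", "akms": [], "h2e": False,
                "crackable_handshake": False}
    akms = set(rsn["akms"])
    has_psk, has_sae = bool(akms & PSK_AKMS), bool(akms & SAE_AKMS)
    mode = ("WPA3-Transition" if has_psk and has_sae else "WPA3-Personal" if has_sae
            else "WPA2-Personal" if has_psk else "other")
    pmf = "required" if rsn["caps"] & MFPR else "optional" if rsn["caps"] & MFPC else "disabled"
    return {"mode": mode, "pmf": pmf,
            "akms": sorted(AKM_NAMES.get(a, str(a)) for a in akms),
            "h2e": bool(rsnxe_flags & RSNXE_H2E),
            "crackable_handshake": has_psk}   # any PSK AKM exposes PBKDF2(passphrase)


def client_picks(ies, supports_sae=True, transition_disabled=False):
    """AKM a transition-profile client would use: SAE if offered, PSK only while the
    profile has not been marked transition-disabled, else refuse to associate."""
    akms = set(classify(ies)["akms"])
    if supports_sae and akms & {"SAE", "FT-SAE"}:
        return "SAE"
    if akms & {"PSK", "FT-PSK", "PSK-SHA256"} and not transition_disabled:
        return "PSK"
    return None


# --- constructed beacons (not captures) -------------------------------------
def build_rsn(akms, caps, pairwise=(4,), group=4):      # 4 = CCMP-128
    body = struct.pack("<H", 1) + OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)
    return bytes([RSN_IE_ID, len(body)]) + body


def build_rsnxe(flags):
    return bytes([RSNXE_ID, 1, flags])                   # one capability octet


SSID_IE = bytes([0, 4]) + b"Tala"                        # placeholder SSID
TRANSITION_AP = SSID_IE + build_rsn((2, 8), MFPC) + build_rsnxe(RSNXE_H2E)   # Tala WTE style
ROGUE_DOWNGRADE = SSID_IE + build_rsn((2,), 0)           # same SSID, PSK only, no RSNXE
HARDENED_WPA3 = SSID_IE + build_rsn((8,), MFPC | MFPR) + build_rsnxe(RSNXE_H2E)

if __name__ == "__main__":
    for name, ies in [("transition", TRANSITION_AP), ("rogue", ROGUE_DOWNGRADE),
                      ("wpa3-only", HARDENED_WPA3)]:
        print(name, classify(ies), "client ->", client_picks(ies),
              "| after transition-disable ->", client_picks(ies, transition_disabled=True))
```

Running it shows the asymmetry the page is about: the transition beacon and the rogue beacon lead a never-disabled client to SAE and PSK respectively, while a client whose profile has been transition-disabled refuses the rogue beacon outright, and a legacy client that cannot do SAE takes the PSK path on the real AP without any trickery at all.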
Configuring it in Tala WTE
WPA3-Transition has no weakness toggle in the form; the weakness is baked into the mode. Tala WTE writes the one passphrase to both the SAE and the WPA2-PSK paths, keeps both key-management suites live, leaves PMF optional, and sets the transition-disable indication off, which is exactly what keeps the WPA2 downgrade reachable. A hardened deployment would assert transition-disable to lock SAE-capable clients out of the PSK fallback once they have seen WPA3; here it stays open. For a teaching network, pick a passphrase a wordlist will contain (for example Summer2026!) so the downgrade lands on something students can actually crack.
For the full New-Network walkthrough, see Networks.
Attacks
WPA2 downgrade
The headline attack ignores SAE entirely. Hide the WPA3 offer so a transition-capable client believes only WPA2-PSK is available, then capture its four-way handshake and crack it offline. A rogue AP with the same SSID (and the same BSSID, so the capture filter below still matches) whose RSN element lists only the PSK AKM and carries no RSNXE, paired with a deauthentication burst against the real AP, pushes the client onto the PSK path. The rogue does not need the passphrase: the client's handshake message 2 carries a MIC keyed from it, and a message 1/2 pair is enough for hashcat:
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w cap wlan0mon
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
hcxpcapngtool -o cap.hc22000 cap-01.cap
hashcat -m 22000 cap.hc22000 wordlist.txt
Judgment: this is the defining weakness of transition mode - the strong half of the network is bypassed and the weak half is cracked.
Inherited WPA2-PSK handshake crack
Any client that was always WPA2-only never needed downgrading; it joins via PSK because it can do nothing else. Capture its handshake the ordinary way (airodump-ng writes psk-01.cap, which hcxpcapngtool converts for hashcat) and recover the passphrase, which is also the SAE password:
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w psk wlan0mon
aireplay-ng -0 3 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
hcxpcapngtool -o psk.hc22000 psk-01.cap
hashcat -m 22000 psk.hc22000 wordlist.txt
Judgment: transition mode inherits every WPA2-Personal weakness wholesale - see WPA2-Personal for the full handshake and PMKID treatment.
Deauthentication without PMF
Because PMF is only optional, any client that did not negotiate it at association still honors unprotected 802.11 deauthentication frames, and legacy PSK clients generally do not negotiate it. That is what makes the forced reconnect above reliable; the same primitive also lets you knock those clients off at will to harvest fresh handshakes (add -c <client MAC> to hit one station instead of broadcasting):
aireplay-ng -0 0 -a AA:BB:CC:DD:EE:FF wlan0mon
Judgment: optional PMF leaves the legacy management-frame attack surface open for every station that did not negotiate it; a station that did (a WPA3-compliant SAE association) silently drops the frames, so aim the deauthentication at the PSK clients.
What you find in the field
Transition mode is the common default on consumer and small-business gear that shipped after WPA3 certification arrived in 2018, precisely so a new router does not strand old phones and IoT devices. The result is a network that looks like WPA3 in the client's status bar but answers WPA2 to anything that asks. The presence of even one legacy device guarantees a PSK path exists, and the same passphrase protects both methods, so an attacker only ever needs to beat WPA2. Most deployments also leave transition_disable unset, so even a fully WPA3-capable client can be coaxed back down. The practical lesson is that a transition SSID is a WPA2 network wearing a WPA3 badge until the legacy clients are gone and transition-disable is asserted.
Defending against it
There is no PSK-side fix; the defense is to leave transition mode. Once the legacy fleet is retired, switch the SSID to WPA3-Personal so SAE is the only method and the crackable handshake disappears. While you must run mixed clients, assert the transition-disable indication so SAE-capable devices refuse the PSK fallback after their first WPA3 association; note that the indication is delivered to the client inside the four-way handshake that follows a successful SAE exchange with the real AP, so a client that has never completed one legitimate WPA3 connection (or whose saved profile was recreated) is still downgradable. Require PMF where every client supports it to cut the deauthentication primitive, and choose a long high-entropy passphrase so the inevitable WPA2 capture is computationally hopeless rather than a wordlist hit. In Tala WTE this network is intentionally configured the soft way (transition_disable=0, PMF optional) so the downgrade is demonstrable; production gear should do the opposite.
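The fragments below are an added example of the three states just described expressed as hostapd.conf settings; they are not the configuration Tala WTE generates (the page does not show that), and the interface, channel, SSID and passphrases are placeholders. Option names are hostapd's: ieee80211w selects PMF (0 off, 1 optional, 2 required), transition_disable carries the Transition Disable bitmap sent to clients (bit 0 is WPA3-Personal), sae_require_mfp forces PMF on SAE associations, and sae_pwe chooses the PWE derivation (0 hunting-and-pecking, 1 hash-to-element, 2 both).

```ini
# Added example: hostapd.conf fragments, not Tala WTE's generated config.

# --- state 1: transition mode the soft way, as the teaching network runs it ---
interface=wlan0
ssid=Tala-Transition
hw_mode=g
channel=6
wpa=2
# both AKMs live under one SSID; the PSK side is what gets cracked
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
# one secret backs SAE and the crackable PSK four-way handshake
wpa_passphrase=Summer2026!
# PMF optional: clients that do not negotiate it still honor deauth
ieee80211w=1
# hunting-and-pecking or hash-to-element (RSNXE advertised)
sae_pwe=2
# transition_disable deliberately left unset: SAE clients may still take PSK

# --- state 2: still mixed, but the downgrade is closed for SAE clients -------
wpa_key_mgmt=WPA-PSK SAE
ieee80211w=1
# every SAE association must negotiate PMF
sae_require_mfp=1
# bit 0 = WPA3-Personal: clients drop PSK from their profile after first SAE join
transition_disable=0x01
# a PSK capture remains possible, so make the passphrase hopeless to grind
wpa_passphrase=<long random passphrase>

# --- state 3: legacy fleet gone, WPA3-Personal only --------------------------
wpa_key_mgmt=SAE
# PMF required: deauthentication frames are dropped by every client
ieee80211w=2
# hash-to-element only
sae_pwe=1
sae_password=<long random passphrase>
```

State 2 keeps the PSK path alive for the legacy devices that need it, which is why the passphrase strength still matters there; only state 3 removes the crackable handshake entirely. Clients that cannot do hash-to-element will not join with sae_pwe=1, so confirm the fleet supports it before moving past state 1.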
References
- IEEE 802.11-2020 - the consolidated standard defining SAE, the RSNXE, transition mode, and the transition-disable indication.
- IEEE 802.11w-2009 - Protected Management Frames, optional in transition mode and the reason deauthentication still works.
- RFC 7664 - Dragonfly Key Exchange, the cryptographic basis of SAE.
- CVE-2019-9494 - SAE timing side-channel in PWE derivation (Dragonblood class), relevant to the SAE half of the network.
- CVE-2019-9496 - missing state validation when processing an SAE Confirm message in AP mode, crashing the daemon (a denial of service) in affected implementations.