ESP-5.5.1 breaks WPA3 Personal and Enterprise on Micropython (IDFGH-16860)

[h-milz]

Answers checklist.

• I have read the documentation ESP-IDF Programming Guide and the issue is not addressed there.
• I have updated my IDF branch (master or release) to the latest version and checked that the issue is present there.
• I have searched the issue tracker for a similar issue and not found a similar issue.

IDF version.

v5.5.1

Espressif SoC revision.

ESP32-C6FH4 (QFN32) (revision v0.0)

Operating System used.

Linux

How did you build your project?

Command line with idf.py

If you are using Windows, please specify command line type.

None

Development Kit.

DfRobot Firebeetle ESP32-C6 v1.0

Power Supply used.

USB

What is the expected behavior?

When using

    wifi_sta_config.sta.threshold.authmode = WIFI_AUTH_WPA2_WPA3_PSK;

or

    wifi_sta_config.sta.threshold.authmode = WIFI_AUTH_WPA3_PSK;

board should connect using WPA3 with an AP supporting it.

What is the actual behavior?

I wrote a WPA2 Enterprise extension for Micropython on ESP32, which is about to be merged in v1.27 coming soon. Basically, I used the ESP-IDF functions and built a wrapper around it. The code can be seen using the https://github.com/micropython/micropython/milestone/11 list, and my last commit shows that I deleted all changes related to WPA3. The reason is, when I first built this extension earlier this year using ESP-IDF 5.4.0 or 5.5-beta I think, WPA2/WPA3 transition mode and WPA3 personal seemed to work fine. With ESP-IDF 5.5.1, though, things seem to break.

Testing, my private WiFi AP is set to WPA2/WPA3 transition mode, and my Android phone connects reporting "WPA3 Personal". wpa_cli on my Linux box in turn reports "key_mgmt=SAE" so my AP clearly works with WPA3-SAE.

However, when I try connecting with a generic ESP32-C6 board running Micropython with my patches involving

wifi_sta_config.sta.threshold.authmode = WIFI_AUTH_WPA2_WPA3_PSK;

all I get is

...I (9934) wifi: STA_DISCONNECTED, reason:211:no AP with authmode within threshold found

and the same happens when I try to connect to my uni eduroam using EAP-{PWD,PEAP,TTLS} with any authmode that contains WPA3. Pure WPA2 Enterprise works. When I tried this earlier this year, a connection set to WPA2/WPA3 defaulted to WPA2 but it did connect without any errors.

So far I was unable to figure out what might have changed since, but maybe someone could look into this? I would really like to provide the remaining patches for WPA3 Personal and Enterprise for MPY 1.28.

Steps to reproduce.

1. use the updated Micropython code about to be merged in v1.27
2. build normally
3. connect using wpa_connect(SSID, password) on the MPY console

Debug Logs.

I (7334) pp: pp rom version: 5b8dcfa
I (7334) net80211: net80211 rom version: 5b8dcfa
I (7344) wifi:wifi driver task: 408291c4, prio:23, stack:6144, core=0
I (7344) wifi:wifi firmware version: 14da9b7
I (7344) wifi:wifi certification version: v7.0
I (7344) wifi:config NVS flash: enabled
I (7344) wifi:config nano formatting: enabled
I (7354) wifi:mac_version:HAL_MAC_ESP32AX_761,ut_version:N, band mode:0x1
I (7354) wifi:Init data frame dynamic rx buffer num: 32
I (7364) wifi:Init static rx mgmt buffer num: 5
I (7364) wifi:Init management short buffer num: 32
I (7374) wifi:Init dynamic tx buffer num: 32
I (7374) wifi:Init static tx FG buffer num: 2
I (7384) wifi:Init static rx buffer size: 1700 (rxctrl:92, csi:512)
I (7384) wifi:Init static rx buffer num: 10
I (7394) wifi:Init dynamic rx buffer num: 32
I (7394) wifi_init: rx ba win: 6
I (7394) wifi_init: accept mbox: 6
I (7404) wifi_init: tcpip mbox: 32
I (7404) wifi_init: udp mbox: 6
I (7404) wifi_init: tcp mbox: 6
I (7414) wifi_init: tcp tx win: 5760
I (7414) wifi_init: tcp rx win: 5760
I (7414) wifi_init: tcp mss: 1440
I (7424) phy_init: phy_version 341,a6c8fe6,Jul 30 2025,18:34:11
W (7474) wifi:ACK_TAB0   :0x   90a0b, QAM16:0x9 (24Mbps), QPSK:0xa (12Mbps), BPSK:0xb (6Mbps)
W (7474) wifi:CTS_TAB0   :0x   90a0b, QAM16:0x9 (24Mbps), QPSK:0xa (12Mbps), BPSK:0xb (6Mbps)
W (7474) wifi:(agc)0x600a7128:0xd200d9f2, min.avgNF:0xce->0xd2(dB), RCalCount:0xd, min.RRssi:0x9f2(-96.88)
I (7484) wifi:11ax coex: WDEVAX_PTI0(0x55777555), WDEVAX_PTI1(0x00003377).

I (7494) wifi:mode : sta (54:32:04:0b:58:bc)
I (7494) wifi:enable tsf
I (7504) wifi: STA_START
Script executed with arguments: ()
W (7514) wifi:(itwt)itwt_stop_process!
I (7514) wpa: EAP: already disabled
...I (9934) wifi: STA_DISCONNECTED, reason:211:no AP with authmode within threshold found
>>> I (12344) wifi: STA_DISCONNECTED, reason:211:no AP with authmode within threshold found
I (14754) wifi: STA_DISCONNECTED, reason:211:no AP with authmode within threshold found
I (17164) wifi: STA_DISCONNECTED, reason:211:no AP with authmode within threshold found
I (19574) wifi: STA_DISCONNECTED, reason:211:no AP with authmode within threshold found
I (21984) wifi: STA_DISCONNECTED, reason:211:no AP with authmode within threshold found
I (24394) wifi: STA_DISCONNECTED, reason:211:no AP with authmode within threshold found

Diagnostic report archive.

idf-diag-84f82ee3-486a-4648-802e-7c12ae20568a.zip

More Information.

No response

[kapilkedawat]

@h-milz is it possible for you to share a wireless sniffer capture of AP's beacon? Also please share how we can reproduce this issue locally.