by mattbee 897 days ago
You can already do this with hostapd under WPA3 or WPA2 - The password alone can identify each client, and activate different configs for each one.

Some commercial APs support this under different names but it's hard to make it work with RADIUS, which is usually necessary on larger installations.

But without preloaded certificates, the clients don't know that they're not connecting to a rogue access point.

Hotspot 2.0 was going to solve that part, but kind of died last year as the WiFi Alliance let their last KPI partnership die off.

1 comments

> The password alone can identify each client, and activate different configs for each one.

That's interesting, first time I hear this. How would that be represented in the hostapd config file? Would it be WPA enterprise using a radius server, or would it actually use WPA-PSK?

Check the wpa_psk_file option in the main config file [1] which lets you specify a file full of PSKs [2], each with its own options like vlanid=X and keyid=X:

[1] https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf

[2] https://w1.fi/cgit/hostap/plain/hostapd/hostapd.wpa_psk

Works with WPA2 or WPA3-Personal modes, but (if you didn't know) an attacker that sniffs a WPA2-Personal association can learn the password they're using.
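An added example, not part of the thread or of hostapd itself: a small audit of a wpa_psk_file for the per-password setup discussed above, flagging entries where the password alone can no longer identify one client. It assumes the line format of the sample file linked as [2] (optional keyid=/vlanid=/wps= prefixes, then a MAC address, then the PSK); the function name and sample contents are made up for illustration.

```python
import re
from collections import defaultdict

WILDCARD = "00:00:00:00:00:00"   # MAC meaning "any station" in the PSK file
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")
HEX_PSK_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed sample contents, not taken from any real deployment.
SAMPLE = """\
# per-user and per-device PSKs
keyid=alice vlanid=10 00:00:00:00:00:00 correct horse battery
keyid=printer vlanid=20 02:11:22:33:44:55 toner-toner-toner
vlanid=30 00:00:00:00:00:00 guest-network-pass
keyid=bob vlanid=40 00:00:00:00:00:00 correct horse battery
keyid=tv vlanid=20 00:00:00:00:00:00 short
"""

def audit_psk_file(text):
    """Parse wpa_psk_file contents; return (entries, findings sorted by line)."""
    entries, findings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        opts = {}
        while True:  # leading key=value prefixes (keyid=, vlanid=, wps=)
            tok, _, rest = line.partition(" ")
            if "=" not in tok:
                break
            key, _, val = tok.partition("=")
            opts[key], line = val, rest
        mac, _, psk = line.partition(" ")
        if not MAC_RE.match(mac):
            findings.append((n, "bad MAC address"))
        elif not (HEX_PSK_RE.match(psk) or 8 <= len(psk) <= 63):
            findings.append((n, "PSK must be 8..63 chars or 64 hex digits"))
        else:
            entries.append({**opts, "line": n, "mac": mac.lower(), "psk": psk})
    by_psk = defaultdict(list)
    for e in entries:
        if e["mac"] == WILDCARD:
            by_psk[e["psk"]].append(e)
            if "keyid" not in e:  # nothing to attribute this client by
                findings.append((e["line"], "wildcard PSK without keyid"))
    for group in by_psk.values():
        for dup in group[1:]:  # same password cannot select a single entry
            findings.append((dup["line"], f"same PSK as line {group[0]['line']}"))
    return entries, sorted(findings)

if __name__ == "__main__":
    for line_no, msg in audit_psk_file(SAMPLE)[1]:
        print(f"line {line_no}: {msg}")
```
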