Switching your Ubuntu system’s Wi-Fi security to WPA3 blocks password-guessing attacks and protects your data with stronger encryption. WPA3, now standard on modern routers and devices, uses Simultaneous Authentication of Equals (SAE) to make brute-force attacks far less effective. On Ubuntu, configuring WPA3 requires both compatible hardware and the right network configuration steps.

Check Hardware and Software Compatibility

WPA3 security only works if both your Wi-Fi router and your Ubuntu device’s wireless adapter support it. For routers, look for WPA3 options in the admin interface or check the manufacturer’s website for firmware updates that add WPA3 support. On Ubuntu, most laptops with Wi-Fi 6 (802.11ax) adapters support WPA3, but you should confirm by searching your adapter model in the Wi-Fi Alliance Product Finder or your device’s documentation.

On the software side, Ubuntu 20.04 and later include NetworkManager with WPA3 support, but some advanced WPA3 features may require a recent version of wpa_supplicant (2.9 or newer). If you’re connecting to Wi-Fi 6E networks (6 GHz band), you may need to manually upgrade wpa_supplicant to version 2.10 or later.

Setting WPA3 via NetworkManager’s command-line tool nmcli is the most reliable method, especially if the graphical interface keeps reverting to WPA2 or mixed mode. This approach directly sets the key management method to SAE, which is required for WPA3-Personal.

Step 1: List your existing Wi-Fi connections to identify the UUID or name of the one you wish to modify.

nmcli connection show

This command displays all configured connections. Note the UUID or NAME for your Wi-Fi network.

Step 2: Edit the connection to set WPA3 as the key management protocol.

nmcli connection edit <UUID-or-NAME>
nmcli> set wifi-sec.key-mgmt sae
nmcli> save persistent
nmcli> quit

This updates the connection to use SAE (Simultaneous Authentication of Equals), which is the WPA3-Personal authentication method. Saving as persistent ensures changes remain after reboot.

Step 3: Restart your network connection or toggle Wi-Fi off and on to apply the new settings. In some cases, a full reboot may be required for the change to take effect.

After reconnecting, verify on your router’s admin interface or via the connection details that your device is using WPA3.

Configure WPA3 Using the Connection File (Alternative Method)

Directly editing the NetworkManager connection file is another way to set WPA3 if you prefer not to use nmcli. This method involves changing the key management line from wpa-psk to sae in your network’s configuration file.

Step 1: Locate your connection file, typically found in /etc/NetworkManager/system-connections/. The file name matches your connection’s name and ends with .nmconnection.

Step 2: Replace wpa-psk with sae for the key management option.

sudo sed -i -e '/key-mgmt=/s,wpa-psk,sae,' /etc/NetworkManager/system-connections/<your-connection-file>

This command updates the file in-place. Double-check your changes, then restart NetworkManager or your computer.

Set Up WPA3 Wi-Fi from Scratch Using nmcli

If you need to create a new connection profile for a WPA3 network, use the following command. Replace YOUR_SSID and YOURPASSWORD with your network’s details.

nmcli c add type wifi con-name SYMBOLIC_NETWORK_NAME ssid YOUR_SSID wifi-sec.key-mgmt sae wifi-sec.psk YOURPASSWORD

This creates a new connection using SAE for WPA3-Personal. Activate the connection with:

nmcli connection up SYMBOLIC_NETWORK_NAME

Advanced: WPA3 with Netplan and wpa_supplicant

For custom setups (e.g., Ubuntu Server or Wi-Fi 6E/6 GHz bands), you may need to use Netplan with the NetworkManager backend or manually edit wpa_supplicant.conf and start the wpa_supplicant service.

Step 1: Ensure you have an up-to-date wpa_supplicant (2.10+ for 6 GHz support). If not, download and build the latest version from the official hostap repository.

Step 2: Create or edit /etc/wpa_supplicant/wpa_supplicant.conf with WPA3 parameters:

pmf=2
sae_pwe=1
network={
    scan_ssid=1
    ssid="YOUR_SSID"
    key_mgmt=SAE
    proto=RSN
    ieee80211w=2
    sae_password="YOURPASSWORD"
    pairwise=CCMP
    group=CCMP
}

This configuration enforces WPA3 with management frame protection and the correct encryption.

Step 3: Start wpa_supplicant in the background, specifying your Wi-Fi interface:

wpa_supplicant -B -c /etc/wpa_supplicant/wpa_supplicant.conf -i INTERFACE_NAME

Obtain an IP address with dhclient INTERFACE_NAME as needed.

Troubleshooting WPA3 Connections on Ubuntu

Some devices and drivers may default to WPA2 even if WPA3 is available, especially if the router is running in mixed WPA2/WPA3 mode. If your Ubuntu system keeps connecting using WPA2, delete and recreate the Wi-Fi connection profile, or use nmcli to enforce SAE as shown above. Editing connection settings through the graphical interface may reset the security mode to WPA2/WPA3 mixed, so always verify your configuration after making changes.

If you change any settings via the Wi-Fi Settings GUI (such as enabling "Connect automatically"), you may need to reapply the WPA3 configuration with nmcli or by editing the connection file again.

Router-Side Configuration Tips

On your router, select WPA3-Personal if all devices support it, or WPA2/WPA3-Personal mixed mode to allow older devices to connect. Some routers only offer mixed mode, which lets WPA3-capable devices use stronger security, while others fall back to WPA2. Always use a strong, unique Wi-Fi password and keep router firmware up to date for the best security.

Switching your Ubuntu Wi-Fi to WPA3 security blocks common attack methods and keeps your data safer on modern wireless networks. Regularly check for updates to both your router and Ubuntu system to maintain strong security over time.