Chapter 12. Configuring RHEL as a WPA2 or WPA3 Personal access point

download PDF

On a host with a wifi device, you can use NetworkManager to configure this host as an access point. Wi-Fi Protected Access 2 (WPA2) and Wi-Fi Protected Access 3 (WPA3) Personal provide secure authentication methods, and wireless clients can use a pre-shared key (PSK) to connect to the access point and use services on the RHEL host and in the network.

When you configure an access point, NetworkManager automatically:

  • Configures the dnsmasq service to provide DHCP and DNS services for clients
  • Enables IP forwarding
  • Adds nftables firewall rules to masquerade traffic from the wifi device and configures IP forwarding


  • The wifi device supports running in access point mode.
  • The wifi device is not in use.
  • The host has internet access.


  1. List the wifi devices to identify the one that should provide the access point:

    # nmcli device status | grep wifi
    wlp0s20f3    wifi   disconnected    --
  2. Verify that the device supports the access point mode:

    # nmcli -f WIFI-PROPERTIES.AP device show wlp0s20f3

    To use a wifi device as an access point, the device must support this feature.

  3. Install the dnsmasq and NetworkManager-wifi packages:

    # dnf install dnsmasq NetworkManager-wifi

    NetworkManager uses the dnsmasq service to provide DHCP and DNS services to clients of the access point.

  4. Create the initial access point configuration:

    # nmcli device wifi hotspot ifname wlp0s20f3 con-name Example-Hotspot ssid Example-Hotspot password "password"

    This command creates a connection profile for an access point on the wlp0s20f3 device that provides WPA2 and WPA3 Personal authentication. The name of the wireless network, the Service Set Identifier (SSID), is Example-Hotspot and uses the pre-shared key password.

  5. Optional: Configure the access point to support only WPA3:

    # nmcli connection modify Example-Hotspot 802-11-wireless-security.key-mgmt sae
  6. By default, NetworkManager uses the IP address for the wifi device and assigns IP addresses from the remaining subnet to clients. To configure a different subnet and IP address, enter:

    # nmcli connection modify Example-Hotspot ipv4.addresses

    The IP address you set, in this case, is the one that NetworkManager assigns to the wifi device. Clients will use this IP address as default gateway and DNS server.

  7. Activate the connection profile:

    # nmcli connection up Example-Hotspot


  1. On the server:

    1. Verify that NetworkManager started the dnsmasq service and that the service listens on port 67 (DHCP) and 53 (DNS):

      # ss -tulpn | egrep ":53|:67"
      udp   UNCONN 0  0*    users:(("dnsmasq",pid=55905,fd=6))
      udp   UNCONN 0  0*    users:(("dnsmasq",pid=55905,fd=4))
      tcp   LISTEN 0  32*    users:(("dnsmasq",pid=55905,fd=7))
    2. Display the nftables rule set to ensure that NetworkManager enabled forwarding and masquerading for traffic from the subnet:

      # nft list ruleset
      table ip nm-shared-wlp0s20f3 {
          chain nat_postrouting {
              type nat hook postrouting priority srcnat; policy accept;
              ip saddr ip daddr != masquerade
          chain filter_forward {
              type filter hook forward priority filter; policy accept;
              ip daddr oifname "wlp0s20f3" ct state { established, related } accept
              ip saddr iifname "wlp0s20f3" accept
              iifname "wlp0s20f3" oifname "wlp0s20f3" accept
              iifname "wlp0s20f3" reject
              oifname "wlp0s20f3" reject
  2. On a client with a wifi adapter:

    1. Display the list of available networks:

      # nmcli device wifi
      IN-USE  BSSID              SSID             MODE   CHAN  RATE      SIGNAL  BARS  SECURITY
              00:53:00:88:29:04  Example-Hotspot  Infra  11    130 Mbit/s  62      ▂▄▆_  WPA3
    2. Connect to the Example-Hotspot wireless network. See Managing Wi-Fi connections.
    3. Ping a host on the remote network or the internet to verify that the connection works:

      # ping -c 3

Additional resources

  • nm-settings(5) man page
Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.