// writing · security · wpa3 · pcap

Status=126 is not a failure — it's the AP protecting itself

 Shankar K.·June 2026·security · wpa3 · sae · pcap·6 min read 

"Status=126 means the network is working correctly. The dashboard just does not tell you that."

Not because the outcome matters less. But Status=126 in a WPA3 handshake is not a failure. Engineers who see it in a capture and start troubleshooting the wrong thing lose an hour they will not get back.

What Status=126 actually is

WPA3 uses SAE — Simultaneous Authentication of Equals — a Dragonfly key exchange that replaces the WPA2 pre-shared key handshake. The client sends a Commit frame to start the exchange. The AP responds. Both sides derive a shared key without ever transmitting it. The problem is that the Commit frame is computationally expensive to process. A flood of forged Commit frames from different source MACs can exhaust AP CPU before any legitimate client gets through. That is the attack SAE was designed to resist — and the reason the spec includes anti-clogging token protection.

When the AP decides the network is under potential load, it responds to the client's Commit with Status=126. That is not a rejection. It is the AP saying: prove you are a real device before I spend CPU on your handshake. It issues a token. The client includes the token in a new Commit frame. The AP processes it. The exchange completes.

Two SAE rounds instead of one. By design.

What the capture shows

Captured from a Wiz smart bulb. WPA3-SAE, PMF Required, Wi-Fi 7 AP. The sequence:

 t=0.0s   Probe Request
 t=2.3s   SAE Commit Seq=1 → AP responds Status=126 (token issued)
 t=4.2s   SAE Commit Seq=1 with token → AP responds Status=126 (second round)
 t=4.5s   SAE Confirm → Status=0 → Association complete → AID=1

4.5 seconds from probe to associated. The anti-clogging retry accounts for 1.9 seconds of that.

Your controller dashboard shows one thing: associated. It does not show how many SAE rounds the client needed. It does not show the token exchange. It does not show the 1.9 second cost. The PCAP shows all of it.

The filters

wlan.fc.type == 0 && wlan.fc.subtype == 11

All Authentication frames. Expected: 9 frames. Shows the full SAE exchange including both rounds.

wlan.fc.type == 0 && wlan.fc.subtype == 11 && wlan.fixed.status_code == 126

Status=126 frames only. Expected: 4 frames. Two rounds, both directions. This is the anti-clogging token exchange.

Why this matters

If you are seeing slow WPA3 associations and assuming a misconfiguration — check the SAE round count before you change anything. If you are comparing WPA3 association time to WPA2 and wondering why WPA3 is slower — this is likely why. The retry round is not a bug. It is the AP doing exactly what the spec requires.

Status=126 means the network is working correctly. The dashboard just does not tell you that.

// sample pcap

wiz_assoc_sae.pcap — 1,001 frames trimmed to the relevant window. Probe through association success. WPA3-SAE with two anti-clogging token rounds visible. Open in Wireshark.

Download wiz_assoc_sae.pcap

// related reference

Wi-Fi 8 → Reference → Wi-Fi 7 →

← all writing