How to choose the encryption method for my IoT devices on an ISP-Customized Wi-Fi7 Router

04-16-2026
1745
VB433v V1, NE211-Outdoor V1, NE210-Outdoor V1, VB433v (AU) V1, NE225-Outdoor V1, VB400v V1, NX620v V2, VX800v V1, EB810v V1, VX420-G2h V2, HB810 V1, HB810 (EU) V1, VX420-G2h V3, HB710 V1, HB710 (EU) V1, HB615 V1, HB610 (EU) V2, HB610 V2, HB410 (EU) V1, HB210 Pro V1, HB210 Pro (EU) V1, Deco X53-DSL V1, HB210 V1, Deco BE28 V1, EB831v V1, XGB830v V1, VX231v V1, HX716 Pro V1, EB831v V1.60, XGB430v Pro V1, HX710 Pro V1, VX230v V1, XGB430v V1, XB430v V1, EB610v V1, VX220-G2v V1, EB431v V1, XX532v V1, VC321-G2v V1, XX530v V1, HX710 V1, XX530v V2, Archer VR1210v V1, XX530 V2, Archer VR1210v V2, VC221-G3v V1, HX510-PoE V1, HX510-Outdoor V1, EB200v Pro V1, HX510 V2, HX510 V1, Archer VR1600v V1, HX520 V1, HX521 V1, XX231v V1, HX220 V1, EB210 Pro V1, VC220-F3v V1, HX141 V1, VN020-F3 V1, XX230v V1, HC220-G5 V1, EB210 V1, TD-W8961N V1, XC220-G3v V2.30, XC220-G3 V1, XN020-G3v V1, NX520v V1, NX510v V1, NX511v V1, XN020-G3 V3, XN020-G3 V2, EX920 V1, MX110v V1, MX515v V1, EX820v V1, Deco X58-4G V1, EX710 Pro V1, EX710 V1, EX510 Pro V1, EX510 V1, EX511 V2, EX520 V1, EX520v V1, EX521 V1, EX530v V1, Archer MR600 V2, Archer MR600 V1, EX220 V1, Archer MR400 V3, Archer MR400 V2, Archer MR400 V4, EX222 V1, Archer MR200 V4, XGZ030v V2, Archer MR200 V3, Archer MR200 V5, XGZ030 V1, EX230v V1, XGZ030 V2, XGZ032v V1, TL-MR6500v V1, XGZ032 V1, TL-MR6400 V5, TL-MR6400 V4, XZ005-G6 V1, TL-MR100 V1, EX141 V1, XZ000-G6v V1, XZ000-G6 V1, XZ001-G7 V1, EC225-G5 V1, XZ001-G6 V1, EC223-G5 V1, EC220-G5 V2, EC220-G5 V3, XZ000-G7 V1, XZ000-G7 (UPC) V1, EC220-F5 V1, DS-P8000-X7 V1, TL-WR850N V1, DS-P8000-X2 V1, DS-LGPA-16 V1, DS-LGPA-08 V1, DS-P7500-16 V1, DS-P7501-08 V1, DS-P7500-08 V1, DS-P7001-16 V1, DS-P7001-08 V1, DS-P7001-04 V1, DS-P7001-01 V1, DS-ETPA-1U V1, PSM150-AC V3, PSM150-DC V1, TL-SM7110-SR V1, DS-PMA-C++ V2, DS-PMA-Combo C+ V1, DS-PMA-C+ V2, DS-PMA-C+ V1, XGM80A V1, XM60A V1

Introduction

This FAQ article aims to show the difference between WAP2-PSK/WPA3-Personal and WPA2-PSK encryption methods. And guide users to choose the appropriate encryption method for a WiFi 7 router to connect IoT devices.

  • WPA2-PSK: Second-generation Wi-Fi security protocol launched in 2004, PSK means Pre-shared key.
  • WPA3-SAE: Third-generation Wi-Fi security protocol launched in 2018, SAE means Simultaneous Authentication of Equals, it is based on passwords with greatly enhanced security.

Compared with WPA2-PSK, WPA3-SAE has advantages such as being difficult to crack, management frame protection, and support for Forward Secrecy. However, some older client models cannot support WPA3-SAE. Therefore, a hybrid encryption method that supports both WPA2-PSK and WPA3-SAE was introduced as a transitional measure. Devices that only support WPA2-PSK are allowed to connect to the SSID.

It shows a hybrid encryption method that supports both WPA2-PSK and WPA3-SAE in the WebGUI of Wi-Fi7 Aginet models.

ISP-Customized Wi-Fi 7 Router uses WPA2-PSK + WPA3-Personal encryption by default. It can accommodate clients that only support WPA2-PSK connections and also ensure Wi-Fi 7 clients negotiate 11be rates with the AP (under the Wi-Fi 7 protocol, the AP needs to use WPA3 encryption to negotiate 11be rates).

Under this encryption method, most clients experience no issues. However, the Wi-Fi Alliance finds that some older devices (especially certain IoT devices) cannot associate properly when faced with two encryption options because they cannot interpret the encryption correctly. To address the issue, it needs to temporarily adjust the encryption method to WPA2-PSK only.

Configuration

Scenario 1. Via the Web Management Page

Step 1. Log in to the router's web interface. Ensure your device is connected to the router via Wi-Fi or an Ethernet port. Open a web browser and enter one of these addresses in the browser bar to access the web interface:

For models starting with E/H: http://tplinkwifi.net

For models starting with V/N/M: http://tplinkmodem.net

Step 2. Go to Advanced > Wireless > Wireless Settings. For the 2.4/5GHz Band, change the Security type from the default WPA2-PSK[AES]+WPA3-Personal to WPA2-PSK[AES]. If your IoT devices only support 2.4 GHz Wi-Fi, you should disable Band Steering and set the Security type to WPA2-PSK[AES] for 2.4 GHz.

Change the Security type to WPA2-PSK[AES] for 2.4/5 GHz in WebGUI.

Disable the Band Steering and change the Security type to WPA2-PSK[AES] for 2.4 GHz.

Scenario 2. Via Aginet App

Step 1. In your mobile devices, log in to the Aginet app to open the router’s network.

Step 2. Go to More > WiFi Settings > 2.4 GHz & 5 GHz Network > Security, for 2.4/5GHz Band, change the Security type from WPA2/WPA3 in the default to WPA2. Likely, if your IoT devices only support connecting to the 2.4G WiFi, you should disable the Band Steering and change the Security type to WPA2 for 2.4 GHz.

Change the Security type to WPA2 for 2.4/5 GHz in Aginet APP.

Please note that adjusting the AP encryption method to WPA2-PSK can resolve client association issues, but some Wi-Fi 7 clients may be unable to negotiate to 11be rates.