ArubaOS 8.6.0.0 Help Center

Enhanced Open Security

Enhanced open replaces open, unencrypted wireless networks, thereby mitigating the exposure of user data to passive traffic sniffing. With enhanced open, the client and the WLAN perform a Diffie-Hellman key exchange during the access procedure and use the resulting pairwise key in a 4-way handshake. ArubaOS supports the following modes:

Enhanced Open without PMK Caching

In enhanced open without PMK caching, the 802.11 beacon, probe response, and authentication request and response frames are generic. However, the 802.11 association request and response are specific to enhanced open without PMK caching.

ArubaOS advertises support for enhanced open by including the enhanced open AKM suite selector in all beacon and probe response frames. In addition, PMF is set to required (MFPR=1). The authentication request and response use open authentication.

A client that wishes to encrypt its data on an open Wi-Fi network using enhanced open indicates the enhanced open AKM in its 802.11 association request, with PMF required (MFPR=1). The Diffie-Hellman Parameter Element (DHPE) in the request contains the group and the client's Diffie-Hellman public key. ArubaOS supports Diffie-Hellman group 19, a 256-bit elliptic curve group.

After agreeing to enhanced open with PMF required (MFPR=1), ArubaOS includes the enhanced open AKM and a DHPE in the 802.11 association response. This DHPE contains the group and the Diffie-Hellman public key of ArubaOS. If ArubaOS does not support the group indicated in the received 802.11 association request, it responds with an 802.11 association response carrying status code 77, which indicates an unsupported finite cyclic group.

After the 802.11 association completes, the PMK and its associated PMKID are derived. ArubaOS then initiates a 4-way handshake with the client using the generated PMK. The 4-way handshake yields the encryption keys that protect unicast and broadcast data between the client and ArubaOS.

Enhanced Open with PMK Caching

If enhanced open was established earlier, a client that wishes to perform enhanced open with PMK caching includes a PMKID in its 802.11 association request, in addition to the enhanced open AKM, the DHPE, and PMF required (MFPR=1). If ArubaOS has cached the PMK identified by that PMKID, it includes the PMKID in its 802.11 association response but omits the DHPE. If ArubaOS has not cached the PMK identified by that PMKID, it ignores the PMKID and proceeds with a normal enhanced open association, including a DHPE. The 4-way handshake follows in either case.
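The key derivation behind both modes above (without PMK caching and with PMK caching), as an added worked example that is not part of this help page and is not ArubaOS code. It implements the Enhanced Open (OWE, RFC 8110) derivation for group 19 in pure Python: a P-256 exchange from the x-coordinates carried in the DHPE, the PMK and PMKID, and a minimal AP model that answers an unsupported group with status code 77, echoes a cached PMKID without a DHPE, and otherwise performs a fresh exchange. Names such as OweAp, owe_derive and client_associate are this example's own; the little-endian encoding of the group number in the HKDF salt follows hostapd/wpa_supplicant and is an assumption to verify against RFC 8110. The curve arithmetic is not constant time and is for illustration only; the 4-way handshake is not modelled.

```python
import hashlib
import hmac
import secrets

# NIST P-256 = IANA finite cyclic group 19 (FIPS 186-4 domain parameters).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
GROUP = 19
SUPPORTED_GROUPS = {GROUP}
STATUS_UNSUPPORTED_GROUP = 77      # 802.11 status code named in the text

def _add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, point):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result

def _point_from_x(x):
    """The DHPE carries only the x-coordinate for ECC groups; recover a y. Either
    sign of y gives the same x-coordinate for the DH result, so the choice is free."""
    rhs = (pow(x, 3, P) + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)       # square root, valid because P = 3 mod 4
    if y * y % P != rhs:
        raise ValueError("x-coordinate is not on the curve")
    return x, y

def keygen():
    """Return (private scalar, public x-coordinate as 32 bytes)."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, _mul(priv, G)[0].to_bytes(32, "big")

def owe_derive(priv, peer_pub, client_pub, ap_pub, group=GROUP):
    """RFC 8110 section 4.4 for group 19 (SHA-256, n = 32 bytes):
       z     = x-coordinate of DH(priv, peer public point)
       prk   = HKDF-extract(salt = C | A | group, ikm = z)
       PMK   = HKDF-expand(prk, "OWE Key Generation", 32)
       PMKID = Truncate-128(SHA-256(C | A))"""
    z = _mul(priv, _point_from_x(int.from_bytes(peer_pub, "big")))[0].to_bytes(32, "big")
    # Assumption: the 2-octet group number is little-endian, as in hostapd/wpa_supplicant.
    salt = client_pub + ap_pub + group.to_bytes(2, "little")
    prk = hmac.new(salt, z, hashlib.sha256).digest()
    pmk = hmac.new(prk, b"OWE Key Generation" + b"\x01", hashlib.sha256).digest()
    pmkid = hashlib.sha256(client_pub + ap_pub).digest()[:16]
    return pmk, pmkid

class OweAp:
    """AP-side association decisions from the text; the 4-way handshake is not modelled."""
    def __init__(self):
        self.pmk_cache = {}            # PMKID -> PMK

    def process_assoc_req(self, group, client_pub, pmkid=None):
        """Return (status code, response fields). 'pmk' is kept in the response only so
        the example can compare both sides; it is never sent over the air."""
        if group not in SUPPORTED_GROUPS:
            return STATUS_UNSUPPORTED_GROUP, {}
        if pmkid is not None and pmkid in self.pmk_cache:      # PMK caching hit: no DHPE
            return 0, {"pmkid": pmkid, "dhpe": None, "pmk": self.pmk_cache[pmkid]}
        priv, ap_pub = keygen()                                 # cache miss or no PMKID: fresh DH
        pmk, new_pmkid = owe_derive(priv, client_pub, client_pub, ap_pub)
        self.pmk_cache[new_pmkid] = pmk
        return 0, {"pmkid": new_pmkid, "dhpe": (group, ap_pub), "pmk": pmk}

def client_associate(ap, cached=None):
    """Client side: offer a DHPE (plus a PMKID if it holds a cached (PMKID, PMK) pair),
    then derive the PMK from the response. Returns (status, pmk, pmkid)."""
    priv, client_pub = keygen()
    status, resp = ap.process_assoc_req(GROUP, client_pub, cached[0] if cached else None)
    if status != 0:
        return status, None, None
    if resp["dhpe"] is None:           # AP accepted the cached PMK; reuse it
        return 0, cached[1], resp["pmkid"]
    pmk, pmkid = owe_derive(priv, resp["dhpe"][1], client_pub, resp["dhpe"][1])
    return 0, pmk, pmkid
```

Running client_associate twice against the same OweAp, the second time with the (PMKID, PMK) pair from the first, exercises the caching path: the AP echoes the PMKID and sends no DHPE, and both sides keep the old PMK. Passing an unknown PMKID shows the miss path, where the PMKID is ignored and a fresh DHPE exchange produces a new PMK, exactly as the text describes.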

Enhanced Open Transition Mode

Enhanced open transition mode enables a seamless migration from open, unencrypted WLAN connections without adversely affecting the end-user experience. It allows both enhanced open and non-enhanced open clients to connect to the same open system virtual AP.

Two different SSIDs are created for each configured 802.11 open system virtual AP: one for enhanced open and another for the open network. The two SSIDs may operate on the same band and channel or on different ones (the enhanced open transition mode information element carries the band and channel of the partner SSID). ArubaOS always uses the same band and channel for both.

The 802.11 beacon and probe response frames of the open BSS include an enhanced open transition mode information element that carries the BSSID and SSID of the enhanced open BSS.

The 802.11 beacon and probe response frames of the enhanced open BSS include an enhanced open transition mode information element that carries the BSSID and SSID of the open BSS. In addition, the beacon frame of the enhanced open BSS has a zero-length SSID and indicates enhanced open in its robust security network element (RSNE).

In enhanced open transition mode, ArubaOS uses more virtual APs than are configured. The number of virtual APs pushed depends on the MultiZone parameters, if configured (maximum SSIDs per zone). Depending on the available VAP slots, ArubaOS pushes either both the open and the enhanced open virtual APs or only the enhanced open virtual APs. Other configured virtual APs are not affected. An additional enhanced open virtual AP is pushed to an AP only if that AP has a spare slot.

If several virtual APs have enhanced open transition enabled, the AP either transitions all of them or configures all of them as enhanced open-only virtual APs, depending on slot availability. For example, with 2 enhanced open virtual APs and 4 available slots, the AP creates 2 enhanced open-only virtual APs and 2 open virtual APs. With only 3 available slots, it creates 2 enhanced open-only virtual APs and no open virtual APs.
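The transition-mode beacon contents described above, as an added example that is neither from this page nor from ArubaOS. It builds and parses the enhanced open transition mode information element (the Wi-Fi Alliance vendor-specific element with OUI 50-6F-9A and type 0x1C, carrying the partner BSSID and SSID plus optional band and channel; this field layout comes from the WFA OWE specification, not from this page), reads the AKM list and the MFPR bit out of the RSNE, and runs the consistency checks a wireless monitoring tool would apply to an open/enhanced open pair: each BSS points at the other, the enhanced open beacon hides its SSID, and its RSNE advertises the OWE AKM (00-0F-AC:18) with PMF required. The beacons are constructed inline, the BSSIDs are locally administered placeholders, and the band and channel values are placeholders whose encoding the example does not interpret.

```python
import struct

WFA_OUI = bytes.fromhex("506f9a")
OWE_TRANSITION_OUI_TYPE = 0x1C          # WFA vendor-specific type for the OWE transition element
AKM_OWE = bytes.fromhex("000fac12")     # AKM suite selector 00-0F-AC:18 (OWE)
MFPR_BIT, MFPC_BIT = 1 << 6, 1 << 7     # RSN capabilities: MFPR is bit 6, MFPC is bit 7
ELEM_SSID, ELEM_RSNE, ELEM_VENDOR = 0, 48, 221

def build_owe_transition_ie(bssid, ssid, band=None, channel=None):
    """Element pointing at the partner BSS. Field layout follows the WFA OWE transition
    element: OUI(3) type(1) BSSID(6) SSID-len(1) SSID [band(1) channel(1)]."""
    body = WFA_OUI + bytes([OWE_TRANSITION_OUI_TYPE]) + bssid + bytes([len(ssid)]) + ssid
    if band is not None:
        body += bytes([band, channel])
    return bytes([ELEM_VENDOR, len(body)]) + body

def parse_elements(buf):
    """Split a tagged-parameter blob into (id, payload) pairs, rejecting truncated elements."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated element header")
        eid, elen = buf[i], buf[i + 1]
        if i + 2 + elen > len(buf):
            raise ValueError("element length exceeds buffer")
        out.append((eid, buf[i + 2:i + 2 + elen]))
        i += 2 + elen
    return out

def parse_owe_transition_ie(payload):
    """Return {bssid, ssid, band, channel} for an OWE transition element, else None."""
    if len(payload) < 11 or payload[:3] != WFA_OUI or payload[3] != OWE_TRANSITION_OUI_TYPE:
        return None
    bssid, slen = payload[4:10], payload[10]
    ssid, rest = payload[11:11 + slen], payload[11 + slen:]
    if len(ssid) != slen:
        raise ValueError("SSID length exceeds element")
    band, channel = (rest[0], rest[1]) if len(rest) >= 2 else (None, None)
    return {"bssid": bssid, "ssid": ssid, "band": band, "channel": channel}

def parse_rsne(payload):
    """Read the AKM suite list and the RSN capabilities field from an RSN element."""
    if len(payload) < 8 or struct.unpack_from("<H", payload)[0] != 1:
        raise ValueError("bad RSNE version")
    pos = 6                                                    # version(2) + group cipher suite(4)
    pos += 2 + 4 * struct.unpack_from("<H", payload, pos)[0]   # skip the pairwise cipher list
    n_akm = struct.unpack_from("<H", payload, pos)[0]
    pos += 2
    if pos + 4 * n_akm > len(payload):
        raise ValueError("truncated AKM list")
    akms = [payload[pos + 4 * k:pos + 4 * k + 4] for k in range(n_akm)]
    pos += 4 * n_akm
    caps = struct.unpack_from("<H", payload, pos)[0] if pos + 2 <= len(payload) else 0
    return akms, caps

def find_transition_ie(elements):
    """First OWE transition element among the vendor-specific elements, or None."""
    for eid, body in elements:
        if eid == ELEM_VENDOR:
            parsed = parse_owe_transition_ie(body)
            if parsed is not None:
                return parsed
    return None

def check_transition_pair(open_elems, owe_elems, open_bssid, owe_bssid):
    """Consistency checks for a transition-mode pair; returns a list of problems (empty = OK)."""
    problems = []
    open_t, owe_t = find_transition_ie(open_elems), find_transition_ie(owe_elems)
    if open_t is None or open_t["bssid"] != owe_bssid:
        problems.append("open BSS does not point at the OWE BSS")
    if owe_t is None or owe_t["bssid"] != open_bssid:
        problems.append("OWE BSS does not point back at the open BSS")
    owe_by_id = dict(owe_elems)
    if owe_by_id.get(ELEM_SSID) != b"":
        problems.append("OWE beacon SSID is not zero length")
    if ELEM_RSNE not in owe_by_id:
        problems.append("OWE beacon carries no RSNE")
    else:
        akms, caps = parse_rsne(owe_by_id[ELEM_RSNE])
        if AKM_OWE not in akms:
            problems.append("RSNE does not advertise the OWE AKM")
        if not caps & MFPR_BIT:
            problems.append("RSNE does not require PMF (MFPR=0)")
    return problems

# Constructed sample (not captured traffic): open BSS "guest" and its hidden OWE partner.
# BSSIDs are locally administered placeholders; band 2 / channel 36 are placeholder values.
OPEN_BSSID, OWE_BSSID = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
OWE_RSNE = (struct.pack("<H", 1) + bytes.fromhex("000fac04")       # version 1, group cipher CCMP
            + struct.pack("<H", 1) + bytes.fromhex("000fac04")     # one pairwise cipher: CCMP
            + struct.pack("<H", 1) + AKM_OWE                        # one AKM: OWE
            + struct.pack("<H", MFPR_BIT | MFPC_BIT))               # PMF capable and required
OPEN_BEACON = parse_elements(bytes([ELEM_SSID, 5]) + b"guest"
                             + build_owe_transition_ie(OWE_BSSID, b"guest-owe", 2, 36))
OWE_BEACON = parse_elements(bytes([ELEM_SSID, 0]) + bytes([ELEM_RSNE, len(OWE_RSNE)]) + OWE_RSNE
                            + build_owe_transition_ie(OPEN_BSSID, b"guest", 2, 36))
```

check_transition_pair(OPEN_BEACON, OWE_BEACON, OPEN_BSSID, OWE_BSSID) returns an empty list for the constructed pair; rebuilding the OWE beacon with an RSNE that sets only MFPC reports that PMF is not required, which is the misconfiguration a monitoring check should flag since the text requires MFPR=1 for enhanced open.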

Configuring Enhanced Open

The following CLI commands enable enhanced open:

(host) [mynode] #configure terminal

(host) [mynode] (config) #wlan ssid-profile enhanced_open_mode

(host) [mynode] (SSID Profile "enhanced_open_mode") #opmode enhanced-open

The following procedure describes how to enable enhanced open:

1. In the Managed Network node hierarchy, navigate to the Configuration > System > Profiles tab.

2. From the All Profiles list, select Wireless LAN > SSID.

3. To create a new SSID profile, click + and enter a name for the new SSID profile in Profile name.

4. Configure your SSID settings. The configuration parameters are described in WLAN SSID Profiles.

5. In Encryption, select enhanced-open.

6. Click Submit.

7. Click Pending Changes.

8. In the Pending Changes window, select the check box and click Deploy Changes.

The following CLI commands disable enhanced open:

(host) [mynode] #configure terminal

(host) [mynode] (config) #wlan ssid-profile enhanced_open_mode

(host) [mynode] (SSID Profile "enhanced_open_mode") #no opmode

The following procedure describes how to disable enhanced open:

1. In the Managed Network node hierarchy, navigate to the Configuration > System > Profiles tab.

2. From the All Profiles list, select Wireless LAN > SSID.

3. To create a new SSID profile, click + and enter a name for the new SSID profile in Profile name.

4. Configure your SSID settings. The configuration parameters are described in WLAN SSID Profiles.

5. In Encryption, unselect enhanced-open.

6. Click Submit.

7. Click Pending Changes.

8. In the Pending Changes window, select the check box and click Deploy Changes.

The following CLI commands enable opmode transition:

(host) [mynode] #configure terminal

(host) [mynode] (config) #wlan ssid-profile enhanced_open_mode

(host) [mynode] (SSID Profile "enhanced_open_mode") #opmode-transition

The following procedure describes how to enable opmode transition:

1. In the Managed Network node hierarchy, navigate to the Configuration > System > Profiles tab.

2. From the All Profiles list, select Wireless LAN > SSID.

3. To create a new SSID profile, click + and enter a name for the new SSID profile in Profile name.

4. Configure your SSID settings. The configuration parameters are described in WLAN SSID Profiles.

5. Select Opmode transition.

6. Click Submit.

7. Click Pending Changes.

8. In the Pending Changes window, select the check box and click Deploy Changes.

The following CLI commands disable opmode transition:

(host) [mynode] #configure terminal

(host) [mynode] (config) #wlan ssid-profile enhanced_open_mode

(host) [mynode] (SSID Profile "enhanced_open_mode") #no opmode-transition

The following procedure describes how to disable opmode transition:

1. In the Managed Network node hierarchy, navigate to the Configuration > System > Profiles tab.

2. From the All Profiles list, select Wireless LAN > SSID.

3. To create a new SSID profile, click + and enter a name for the new SSID profile in Profile name.

4. Configure your SSID settings. The configuration parameters are described in WLAN SSID Profiles.

5. Unselect Opmode transition.

6. Click Submit.

7. Click Pending Changes.

8. In the Pending Changes window, select the check box and click Deploy Changes.

The following CLI commands display the enhanced open transition mode virtual APs:

(host) [mynode] #show ap owe-tm-wins ap-name <ap-name>

(host) [mynode] #show ap owe-tm-wins ip-addr <ip-addr>

(host) [mynode] #show ap owe-tm-wins ip6-addr <ip6-addr>

(host) [mynode] #show ap owe-tm-wins wired-mac <wired-mac>

The following CLI commands display the virtual APs that are rejected during enhanced open transition:

(host) [mynode] #show ap details advanced ap-name <ap-name>

(host) [mynode] #show ap details advanced ip-addr <ip-addr>

(host) [mynode] #show ap details advanced ip6-addr <ip6-addr>

(host) [mynode] #show ap details advanced wired-mac <wired-mac>

Enhanced Open in Decrypt-Tunnel Mode

ArubaOS supports enhanced open in decrypt-tunnel mode.

The following CLI commands configure enhanced open in decrypt-tunnel mode:

(host) [mynode] #configure terminal

(host) [mynode] (config) #wlan virtual-ap enhanced_open_mode

(host) [mynode] (Virtual AP profile "enhanced_open_mode") #forward-mode decrypt-tunnel

(host) [mynode] (Virtual AP profile "enhanced_open_mode") #wlan ssid-profile enhanced_open_test

(host) [mynode] (SSID Profile "enhanced_open_test") #opmode enhanced-open
