Enhanced Open Security
Enhanced open (the Wi-Fi Alliance certification of Opportunistic Wireless Encryption, OWE, RFC 8110) replaces open, unencrypted wireless networks and thereby mitigates exposure of user data to passive traffic sniffing. With enhanced open, the client and the WLAN perform a Diffie-Hellman key exchange during the access procedure and use the resulting pairwise key in a 4-way handshake. Note that neither side authenticates the other: enhanced open protects against passive eavesdropping, not against an active attacker who operates a rogue AP with the same SSID. ArubaOS supports:
Enhanced Open without PMK Caching
In enhanced open without PMK caching, the 802.11 beacon, probe response frame, and authentication request and response frames are generic. However, the 802.11 association request and response are specific to enhanced open without PMK caching.
ArubaOS advertises support for enhanced open by including the enhanced open AKM suite selector in all beacons and probe response frames. In addition, PMF is set to required (MFPR=1). The authentication request and response use open system authentication.
A client that wishes to perform data encryption in an open Wi-Fi network using enhanced open indicates the enhanced open AKM in the 802.11 association request, with PMF required (MFPR=1), and includes a Diffie-Hellman Parameter Element (DHPE). The DHPE contains the finite cyclic group and the client's Diffie-Hellman public key. ArubaOS supports Diffie-Hellman groups 19, 20, and 21 (the NIST P-256, P-384, and P-521 elliptic curves).
ArubaOS includes the enhanced open AKM and a DHPE in the 802.11 association response after agreeing to enhanced open with PMF required (MFPR=1). This DHPE contains the group and the Diffie-Hellman public key of ArubaOS. If ArubaOS does not support the group indicated in the received 802.11 association request, it responds with an 802.11 association response carrying status code 77, which indicates an unsupported finite cyclic group.
After completing the 802.11 association, the PMK and its associated PMKID are derived from the Diffie-Hellman shared secret. ArubaOS then initiates a 4-way handshake with the client using the generated PMK. The result of the 4-way handshake is the encryption key that protects bulk unicast and broadcast data between the client and ArubaOS.
Enhanced Open with PMK Caching
If enhanced open has been established earlier, a client that wishes to perform enhanced open with PMK caching includes a PMKID in its 802.11 association request in addition to the enhanced open AKM, the DHPE, and PMF required (MFPR=1). If ArubaOS has cached the PMK identified by that PMKID, it includes the PMKID in its 802.11 association response but does not include a DHPE, and the cached PMK is reused. If ArubaOS has not cached the PMK identified by that PMKID, it ignores the PMKID and proceeds with a full enhanced open association by including a DHPE. The 4-way handshake is initiated subsequently in both cases.
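The association exchange described in the two subsections above, as an added example that is not part of the ArubaOS documentation or code. It simulates both the client and the AP in pure Python: the client sends its group and x-only public element in a DHPE, the AP answers with status code 77 for a group it does not support, with the PMKID and no DHPE when it has that PMK cached, or with its own DHPE otherwise, and both sides derive the PMK and PMKID as in RFC 8110 section 4.4. Only group 19 (P-256 with SHA-256) is implemented; groups 20 and 21 follow the same steps with P-384/SHA-384 and P-521/SHA-521. The point arithmetic is toy code (not constant time), the request and response "frames" are plain dictionaries rather than 802.11 element encodings, and the 4-way handshake that follows is standard 802.11 and is not shown.

```python
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (IANA finite cyclic group 19).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
OWE_GROUP = 19
STATUS_SUCCESS = 0
STATUS_UNSUPPORTED_FINITE_CYCLIC_GROUP = 77   # 802.11 status code quoted on the page


def _add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point):
    """Double-and-add scalar multiplication (toy code, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, point)
        point = _add(point, point)
        k >>= 1
    return acc


def decompress_x(x):
    """Rebuild a point from the x-only DHPE element, or return None if x is not
    on the curve. Either square root gives the same ECDH result because
    x(k*Q) == x(k*(-Q)); an off-curve x must be rejected, never used."""
    if not 0 <= x < P:
        return None
    rhs = (x * x * x + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)            # P = 3 (mod 4): a square root if one exists
    return (x, y) if y * y % P == rhs else None


def keypair():
    """Private scalar plus the x-coordinate that is carried in the DHPE."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, _mul(priv, G)[0]


def derive_pmk(client_x, ap_x, shared_x):
    """RFC 8110 section 4.4, group 19: prk = HKDF-extract(salt=C|A, ikm=z);
    PMK = HKDF-expand(prk, "OWE Key Generation", 256 bits), which for SHA-256
    is the single block HMAC(prk, info|0x01); PMKID = Truncate-128(SHA-256(C|A))."""
    c, a = client_x.to_bytes(32, "big"), ap_x.to_bytes(32, "big")
    prk = hmac.new(c + a, shared_x.to_bytes(32, "big"), hashlib.sha256).digest()
    pmk = hmac.new(prk, b"OWE Key Generation" + b"\x01", hashlib.sha256).digest()
    return pmk, hashlib.sha256(c + a).digest()[:16]


class AccessPoint:
    """Responder: requires the OWE AKM with MFPR=1 and caches PMKs by PMKID."""

    def __init__(self):
        self.pmk_cache = {}

    def associate(self, req):
        if req["akm"] != "OWE" or req["mfpr"] != 1:
            raise ValueError("enhanced open needs the OWE AKM and PMF required")
        if req.get("pmkid") in self.pmk_cache:   # PMK caching: reply without a DHPE
            return {"status": STATUS_SUCCESS, "pmkid": req["pmkid"]}
        if req["group"] != OWE_GROUP:           # an unknown PMKID is simply ignored
            return {"status": STATUS_UNSUPPORTED_FINITE_CYCLIC_GROUP}
        peer = decompress_x(req["pub"])
        if peer is None:
            raise ValueError("client DHPE element is not on the curve")
        priv, ap_x = keypair()
        pmk, pmkid = derive_pmk(req["pub"], ap_x, _mul(priv, peer)[0])
        self.pmk_cache[pmkid] = pmk              # this PMK feeds the 4-way handshake
        return {"status": STATUS_SUCCESS, "group": OWE_GROUP, "pub": ap_x}


def client_associate(ap, group=OWE_GROUP, cached=None):
    """Client side; cached is (pmkid, pmk) from an earlier association or None.
    Returns (status, pmk, pmkid, response)."""
    priv, client_x = keypair()
    req = {"akm": "OWE", "mfpr": 1, "group": group, "pub": client_x,
           "pmkid": cached[0] if cached else None}
    resp = ap.associate(req)
    if resp["status"] != STATUS_SUCCESS:
        return resp["status"], None, None, resp
    if "pub" not in resp:                        # AP accepted the cached PMK
        return STATUS_SUCCESS, cached[1], cached[0], resp
    peer = decompress_x(resp["pub"])
    if peer is None:
        raise ValueError("AP DHPE element is not on the curve")
    pmk, pmkid = derive_pmk(client_x, resp["pub"], _mul(priv, peer)[0])
    return STATUS_SUCCESS, pmk, pmkid, resp
```

Running `client_associate(AccessPoint())` performs a full exchange; passing the returned `(pmkid, pmk)` as `cached` on a second call exercises the PMK caching path, and `group=14` reproduces the status code 77 rejection. The on-curve check in `decompress_x` is the validation step a real implementation must not skip: a peer element that is not a curve point must be refused rather than multiplied.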
Enhanced Open Transition Mode
The enhanced open transition mode enables a seamless transition from open, unencrypted WLAN connections without adversely impacting the end user experience. It allows both enhanced open clients and clients that do not support enhanced open to connect to the same open system virtual AP.
Two different SSIDs are created for each configured 802.11 open system virtual AP, one for enhanced open and another for the open network. The two SSIDs can operate on the same band and channel or on different ones (the enhanced open transition mode information element carries the band and channel of the peer SSID). ArubaOS always uses the same band and channel for both.
802.11 beacon and probe response frames of the open BSS include an enhanced open transition mode information element that carries the BSSID and SSID of the enhanced open BSS.
802.11 beacon and probe response frames of the enhanced open BSS include an enhanced open transition mode information element that carries the BSSID and SSID of the open BSS. In addition, the beacon frame of the enhanced open BSS has a zero-length (hidden) SSID and indicates enhanced open in its robust security network element.
In enhanced open transition mode, ArubaOS uses more virtual APs than are configured. The number of virtual APs pushed depends on the MultiZone parameters, if configured (maximum SSIDs per zone). During enhanced open transition mode, depending on the available VAP slots, ArubaOS pushes either both the open and the enhanced open virtual AP or only the enhanced open virtual AP. Other configured virtual APs are not affected. An additional enhanced open virtual AP is pushed to an AP only if that AP has a free slot for it.
During transition, if several enhanced open enabled virtual APs are configured, the AP decides based on the number of free slots whether to create both virtual APs for every enhanced open virtual AP or to create only enhanced open-only virtual APs. For example, with 2 enhanced open virtual APs and 4 free slots, the AP creates 2 enhanced open-only virtual APs and 2 open virtual APs. With only 3 free slots, the AP creates 2 enhanced open-only virtual APs and no open virtual APs, so clients that do not support enhanced open cannot connect to those SSIDs until slots become available.
Configuring Enhanced Open
The following CLI commands enable enhanced open:
(host) [mynode] #configure terminal
(host) [mynode] (config) #wlan ssid-profile enhanced_open_mode
(host) [mynode] (SSID Profile "enhanced_open_mode") #opmode enhanced-open
The following procedure describes how to enable enhanced open:
- In the node hierarchy, navigate to the tab.
- From the list, select .
- To create a new SSID profile, click and enter a name for the new SSID profile in .
- Configure your SSID settings. The configuration parameters are described in WLAN SSID Profiles.
- In , select .
- Click .
- Click .
- In the window, select the check box and click .
The following CLI commands disable enhanced open:
(host) [mynode] #configure terminal
(host) [mynode] (config) #wlan ssid-profile enhanced_open_mode
(host) [mynode] (SSID Profile "enhanced_open_mode") #no opmode
The following procedure describes how to disable enhanced open:
- In the node hierarchy, navigate to the tab.
- From the list, select .
- To create a new SSID profile, click and enter a name for the new SSID profile in .
- Configure your SSID settings. The configuration parameters are described in WLAN SSID Profiles.
- In , unselect .
- Click .
- Click .
- In the window, select the check box and click .
The following CLI commands enable opmode transition:
(host) [mynode] #configure terminal
(host) [mynode] (config) #wlan ssid-profile enhanced_open_mode
(host) [mynode] (SSID Profile "enhanced_open_mode") #opmode-transition
The following procedure describes how to enable opmode transition:
- In the node hierarchy, navigate to the tab.
- From the list, select .
- To create a new SSID profile, click and enter a name for the new SSID profile in .
- Configure your SSID settings. The configuration parameters are described in WLAN SSID Profiles.
- Select .
- Click .
- Click .
- In the window, select the check box and click .
The following CLI commands disable opmode transition:
(host) [mynode] #configure terminal
(host) [mynode] (config) #wlan ssid-profile enhanced_open_mode
(host) [mynode] (SSID Profile "enhanced_open_mode") #no opmode-transition
The following procedure describes how to disable opmode transition:
- In the node hierarchy, navigate to the tab.
- From the list, select .
- To create a new SSID profile, click and enter a name for the new SSID profile in .
- Configure your SSID settings. The configuration parameters are described in WLAN SSID Profiles.
- Unselect .
- Click .
- Click .
- In the window, select the check box and click .
The following CLI commands display the enhanced open transition mode virtual APs:
(host) [mynode] #show ap owe-tm-wins ap-name <ap-name>
(host) [mynode] #show ap owe-tm-wins ip-addr <ip-addr>
(host) [mynode] #show ap owe-tm-wins ip6-addr <ip6-addr>
(host) [mynode] #show ap owe-tm-wins wired-mac <wired-mac>
The following CLI commands display the virtual APs that are rejected during enhanced open transition:
(host) [mynode] #show ap details advanced ap-name <ap-name>
(host) [mynode] #show ap details advanced ip-addr <ip-addr>
(host) [mynode] #show ap details advanced ip6-addr <ip6-addr>
(host) [mynode] #show ap details advanced wired-mac <wired-mac>
Enhanced Open in Decrypt-Tunnel Mode
ArubaOS supports enhanced open in decrypt-tunnel mode.
The following CLI commands configure enhanced open in decrypt-tunnel mode:
(host) [mynode] #configure terminal
(host) [mynode] (config) #wlan virtual-ap enhanced_open_mode
(host) [mynode] (Virtual AP profile "enhanced_open_mode") #forward-mode decrypt-tunnel
(host) [mynode] (Virtual AP profile "enhanced_open_mode") #wlan ssid-profile enhanced_open_test
(host) [mynode] (SSID Profile "enhanced_open_test") #opmode enhanced-open