ArubaOS 8.6.0.0 Help Center

Support for WPA3

ArubaOS supports new WPA3 security improvements with the following features:

SAE

SAE replaces the less-secure WPA2-PSK authentication. Instead of using the PSK as the PMK, SAE arrives at a PMK by mapping the PSK to an element of a finite cyclic group, the PassWord Element (PWE), performing FCG operations on it, and exchanging it with the peer. ArubaOS supports:

SAE Without PMK Caching

ArubaOS advertises support for SAE by using an AKM suite selector for SAE in all beacons and probe response frames. In addition, PMF is set to required (MFPR=1).

A client that wishes to perform SAE sends an 802.11 authentication request with the authentication algorithm set to 3 (SAE). This frame contains a well-formed commit message, that is, an authentication transaction sequence number of 1, an FCG, a commit-scalar, and a commit-element.

ArubaOS responds with an 802.11 authentication frame containing its own commit message.

ArubaOS and the client compute the PMK and send the confirm message to each other using an authentication frame with the authentication transaction sequence set to 2.

The client sends an association request with the AKM suite set to SAE and ArubaOS sends an association response.

ArubaOS initiates a 4-way key handshake with the client to derive the PTK.

SAE With PMK Caching

If SAE has been established earlier, a client that wishes to perform SAE with PMK caching sends an authentication frame with the authentication algorithm set to open. ArubaOS sends an authentication response and the client sends a reassociation request with the AKM set to SAE, including the previously derived PMKID.

ArubaOS checks if the PMKID is valid and sends an association response with the status code success.

ArubaOS initiates a 4-way key handshake with the client to derive the PTK.

SAE or WPA2-PSK Mixed Mode

SAE or WPA2-PSK mixed mode allows both SAE clients and clients that can only perform WPA2-PSK to connect to the same BSSID. In this mode, the beacon or probe responses contain an AKM list that includes both PSK (00-0F-AC:2) and SAE (00-0F-AC:8). Clients that support SAE send an authentication frame with an SAE payload and connect to the BSSID.

Clients that support only WPA2-PSK send an authentication frame with the authentication algorithm set to open.

ArubaOS initiates a 4-way key handshake similar to WPA2.
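An operator can confirm what a BSS actually advertises (SAE-only with MFPR=1, or the mixed-mode AKM list of PSK and SAE described above) by decoding the RSN information element from a captured beacon or probe response. The parser below is an added example, not ArubaOS code; the function names are the author's own, and the three RSN IEs are constructed by hand from the page's description rather than captured from a real AP.

```python
"""Decode an RSN IE (element ID 48) and report its AKM suites and PMF bits."""
import struct

IEEE_OUI = bytes.fromhex("000fac")          # suite selector OUI 00-0F-AC
CIPHERS = {4: "CCMP-128", 6: "BIP-CMAC-128", 9: "GCMP-256", 12: "BIP-GMAC-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 8: "SAE", 9: "FT-SAE",
        12: "802.1X-SuiteB-192"}
MFPR_BIT, MFPC_BIT = 0x0040, 0x0080         # RSN Capabilities bits 6 and 7


def _suite(body: bytes, off: int) -> int:
    """Suite type of the 4-byte selector at body[off] (OUI must be 00-0F-AC)."""
    if body[off:off + 3] != IEEE_OUI:
        raise ValueError("vendor-specific suite selector not handled")
    return body[off + 3]

def _suite_list(body: bytes, off: int):
    """Parse a 2-byte little-endian count followed by that many selectors."""
    count, = struct.unpack_from("<H", body, off)
    return [_suite(body, off + 2 + 4 * i) for i in range(count)], off + 2 + 4 * count

def parse_rsn_ie(ie: bytes) -> dict:
    """Parse ID, length and body of an RSN IE into suite lists and PMF flags."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) != 2 + ie[1]:
        raise ValueError("not a complete RSN IE")
    body = ie[2:]
    version, = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = _suite(body, 2)                  # group data cipher follows the version
    pairwise, off = _suite_list(body, 6)
    akm, off = _suite_list(body, off)
    caps, = struct.unpack_from("<H", body, off)
    off += 2
    group_mgmt = None
    if off < len(body):                      # optional PMKID list, then group mgmt cipher
        pmkid_count, = struct.unpack_from("<H", body, off)
        off += 2 + 16 * pmkid_count
        if off + 4 <= len(body):
            group_mgmt = _suite(body, off)
    return {"group": CIPHERS.get(group, group),
            "pairwise": [CIPHERS.get(c, c) for c in pairwise],
            "akm": [AKMS.get(a, a) for a in akm],
            "mfpc": bool(caps & MFPC_BIT), "mfpr": bool(caps & MFPR_BIT),
            "group_mgmt": CIPHERS.get(group_mgmt, group_mgmt)}

def classify(info: dict) -> str:
    """Name the WPA3-Personal profile from the advertised AKM list."""
    akm = set(info["akm"])
    if akm == {"SAE"}:
        return "WPA3-SAE"
    if {"SAE", "PSK"} <= akm:
        return "SAE/WPA2-PSK mixed mode"
    return "WPA2-PSK" if akm == {"PSK"} else "other"

def pmf_findings(info: dict) -> list:
    """Flag PMF bits that do not match what an SAE BSS is expected to advertise."""
    findings = []
    if "SAE" in info["akm"] and not info["mfpc"]:
        findings.append("SAE advertised but MFPC=0: PMF not offered")
    if set(info["akm"]) == {"SAE"} and not info["mfpr"]:
        findings.append("SAE-only BSS should advertise MFPR=1")
    return findings

# Constructed sample IEs (hex), not captures from an ArubaOS AP.
SAE_ONLY_IE = bytes.fromhex("30 1a 0100 000fac04 0100 000fac04 0100 000fac08 c000 0000 000fac06")
MIXED_MODE_IE = bytes.fromhex("30 18 0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000")
WPA2_PSK_IE = bytes.fromhex("30 14 0100 000fac04 0100 000fac04 0100 000fac02 0000")

if __name__ == "__main__":
    for name, ie in (("sae", SAE_ONLY_IE), ("mixed", MIXED_MODE_IE), ("psk", WPA2_PSK_IE)):
        info = parse_rsn_ie(ie)
        print(name, classify(info), info["akm"], info["mfpc"], info["mfpr"], pmf_findings(info))
```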

WPA3-Enterprise

WPA3-Enterprise enforces top secret security standards for an enterprise Wi-Fi in comparison to secret security standards. Top secret security standards include:

ArubaOS supports WPA3-Enterprise only in non-termination 802.1X, tunnel-forward, and decrypt-tunnel modes. WPA3-Enterprise compatible 802.1X authentication occurs between the STA and CPPM.

WPA3-Enterprise advertises or negotiates the following capabilities in beacons, probe responses, or 802.11 association:

If WPA3-Enterprise is enabled, STA is successfully associated only if it uses one of the four suite selectors for AKM selection, pairwise data protection, group data protection, and group management protection. If a STA mismatches any one of the four suite selectors, the STA association fails.

WPA3 Opmodes

ArubaOS supports the WPA3-AES-CCM-128, WPA3-AES-GCM-256, WPA3-CNSA, and WPA3-SAE-AES opmodes. These opmodes work in tunnel and decrypt-tunnel modes, and opmode transition is not applicable to the WPA3-AES-CCM-128 and WPA3-CNSA opmodes.

The WPA3 opmodes are effective only on the 300 Series, 310 Series, 320 Series, 330 Series, 340 Series, 360 Series, 370 Series, 510 Series, 530 Series, and 550 Series access points. Other access points will reject these opmodes.

If your network topology includes a Mobility Master that runs ArubaOS 8.4.0.0 and managed devices that run ArubaOS 8.3.0.0 or an earlier version, the WPA3 opmodes will be converted to their corresponding WPA2 versions (for example, the WPA3-SAE-AES opmode will be converted to WPA2-PSK-AES).

Before using the WPA3-SAE-AES opmode, disable opmode-transition and configure a WPA hexkey or WPA passphrase as a pre-shared key. Use the WPA3 with SAE and PSK mode for SAE mixed mode operation during transition. The opmode-transition is not applicable to the WPA3-AES-CCM-128 and WPA3-CNSA opmodes.

WPA2-PSK-AES virtual APs will not be automatically upgraded to WPA3-SAE-AES virtual APs. Hence, WPA2-PSK-AES virtual APs will not automatically work in mixed mode. Configure a WPA3-SAE-AES virtual AP with opmode-transition for the virtual AP to operate in mixed mode.

Management Frame Protection in WPA3

Management frame protection is supported only in tunnel mode in WPA3 opmodes and it is enabled by default. The mfp-capable and mfp-required parameters do not take effect when any WPA3 opmode is enabled.

Configuring WPA3

To configure WPA3, configure the opmode and opmode-transition parameters under the wlan ssid-profile command.

The opmode-transition parameter is enabled by default and provides backward compatibility for authentication and the WPA3-SAE-AES opmode. Use the opmode-transition parameter as a fallback option if a client faces connectivity issues on enhanced open authentication or WPA3-SAE-AES transition mode virtual APs.

The following CLI commands configure WPA3 opmode:

(host) [mynode] #configure terminal

(host) [mynode] (config) #wlan ssid-profile wpa3_mode

(host) [mynode] (SSID Profile "wpa3_mode") #opmode wpa3-aes-ccm-128

(host) [mynode] (SSID Profile "wpa3_mode") #opmode wpa3-aes-gcm-256

(host) [mynode] (SSID Profile "wpa3_mode") #opmode wpa3-cnsa

(host) [mynode] (SSID Profile "wpa3_mode") #opmode wpa3-sae-aes

The following procedure describes how to configure WPA3 opmode:

  1. In the Managed Network node hierarchy, navigate to the Configuration > System > Profiles tab.
  2. From the All Profiles list, select Wireless LAN > SSID.
  3. To create a new SSID profile, click + and enter a name for the new SSID profile in Profile name.
  4. Configure your SSID settings. The configuration parameters are described in WLAN SSID Profiles.
  5. In Encryption, select wpa3-aes-ccm-128, wpa3-aes-gcm-256, wpa3-cnsa, or wpa3-sae-aes.
  6. Click Submit.
  7. Click Pending Changes.
  8. In the Pending Changes window, select the check box and click Deploy Changes.

The following CLI commands disable WPA3 opmode:

(host) [mynode] #configure terminal

(host) [mynode] (config) #wlan ssid-profile wpa3_mode

(host) [mynode] (SSID Profile "wpa3_mode") #no opmode

The following procedure describes how to disable WPA3 opmode:

  1. In the Managed Network node hierarchy, navigate to the Configuration > System > Profiles tab.
  2. From the All Profiles list, select Wireless LAN > SSID.
  3. To create a new SSID profile, click + and enter a name for the new SSID profile in Profile name.
  4. Configure your SSID settings. The configuration parameters are described in WLAN SSID Profiles.
  5. In Encryption, unselect wpa3-aes-ccm-128, wpa3-aes-gcm-256, wpa3-cnsa, or wpa3-sae-aes.
  6. Click Submit.
  7. Click Pending Changes.
  8. In the Pending Changes window, select the check box and click Deploy Changes.

The following CLI commands enable opmode transition:

(host) [mynode] #configure terminal

(host) [mynode] (config) #wlan ssid-profile wpa3_opmode

(host) [mynode] (SSID Profile "wpa3_opmode") #opmode-transition

The following procedure describes how to enable opmode transition:

  1. In the Managed Network node hierarchy, navigate to the Configuration > System > Profiles tab.
  2. From the All Profiles list, select Wireless LAN > SSID.
  3. To create a new SSID profile, click + and enter a name for the new SSID profile in Profile name.
  4. Configure your SSID settings. The configuration parameters are described in WLAN SSID Profiles.
  5. Select Opmode transition.
  6. Click Submit.
  7. Click Pending Changes.
  8. In the Pending Changes window, select the check box and click Deploy Changes.

The following CLI commands disable opmode transition:

(host) [mynode] #configure terminal

(host) [mynode] (config) #wlan ssid-profile wpa3_opmode

(host) [mynode] (SSID Profile "wpa3_opmode") #no opmode-transition

The following procedure describes how to disable opmode transition:

  1. In the Managed Network node hierarchy, navigate to the Configuration > System > Profiles tab.
  2. From the All Profiles list, select Wireless LAN > SSID.
  3. To create a new SSID profile, click + and enter a name for the new SSID profile in Profile name.
  4. Configure your SSID settings. The configuration parameters are described in WLAN SSID Profiles.
  5. Unselect Opmode transition.
  6. Click Submit.
  7. Click Pending Changes.
  8. In the Pending Changes window, select the check box and click Deploy Changes.

WPA3 in Decrypt-Tunnel Mode

ArubaOS supports WPA3-Enterprise and WPA3-Personal in decrypt-tunnel mode.

On 200 Series, 210 Series, 220 Series, and 270 Series access points, the wpa3-aes-gcm-256 and wpa3-cnsa decrypt-tunnel modes are not supported. Only the wpa3-sae-aes and wpa3-aes-ccm-128 decrypt-tunnel modes are supported.

The following CLI commands configure WPA3 in decrypt-tunnel mode:

(host) [mynode] #configure terminal

(host) [mynode] (config) #wlan virtual-ap wpa3_dtunnel_mode

(host) [mynode] (Virtual AP profile "wpa3_dtunnel_mode") #forward-mode decrypt-tunnel

(host) [mynode] (Virtual AP profile "wpa3_dtunnel_mode") #wlan ssid-profile wpa3_dtunnel_test

(host) [mynode] (SSID Profile "wpa3_dtunnel_test") #opmode wpa3-sae-aes

Fast BSS Transition Support for WPA3

ArubaOS supports Fast BSS Transition (802.11r) for the following WPA3 modes in both tunnel-forwarding and decrypt-tunnel modes for all APs that support WPA3:

WPA3-Personal – SAE

WPA3-Personal – SAE/WPA2-PSK mixed mode

WPA3-Enterprise Basic option

WPA3-Enterprise non-CNSA mode with GCMP-256 Cipher Suite
