WPA3 Security

Aruba Instant supports WPA3 security improvements that include:

Simultaneous Authentication of Equals (SAE)—Replaces WPA2 Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES.-PSK Pre-shared key. A unique shared secret that was previously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access. with password-based authentication that is resistant to dictionary attacks.

WPA3-Enterprise 192-Bit Mode—Brings Suite-B 192-bit security suite that is aligned with Commercial National Security Algorithm (CNSA) for enterprise network. SAE-based keys are not based on PSK Pre-shared key. A unique shared secret that was previously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access. and are therefore pairwise and unique between clients and the AP. Suite B restricts the deployment to one of two options:

128-bit security

192-bit security without the ability to mix-and-match ciphers, Diffie-Hellman groups, hash functions, and signature modes

SAE

SAE replaces the less-secure WPA2 Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES.-PSK Pre-shared key. A unique shared secret that was previously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access. authentication. Instead of using the PSK Pre-shared key. A unique shared secret that was previously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access. as the PMK Pairwise Master Key. PMK is a shared secret key that is generated after PSK or 802.1X authentication. , SAE arrives at a PMK Pairwise Master Key. PMK is a shared secret key that is generated after PSK or 802.1X authentication. , by mapping the PSK Pre-shared key. A unique shared secret that was previously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access. to an element of a finite cyclic group, PassWord Element (PWE), doing FCG operations on it, and exchanging it with the peer.

Aruba Instant supports:

SAE without PMK Pairwise Master Key. PMK is a shared secret key that is generated after PSK or 802.1X authentication.  caching

SAE with PMK Pairwise Master Key. PMK is a shared secret key that is generated after PSK or 802.1X authentication.  caching

SAE or WPA2 Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES.-PSK Pre-shared key. A unique shared secret that was previously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access. mixed mode

SAE Without PMK Caching

Instant advertises support for SAE by using an AKM suite selector for SAE in all beacons and probe response frames. Besides, PMF is set to required (MFPR=1).

A client that wishes to perform SAE sends an 802.11 802.11 is an evolving family of specifications for wireless LANs developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). 802.11 standards use the Ethernet protocol and Carrier Sense Multiple Access with collision avoidance (CSMA/CA) for path sharing. authentication request with authentication algorithm set to value 3 (SAE). This frame contains a well-formed commit message, that is, authentication transaction sequence set to 1, an FCG, commit-scalar, and commit-element.

Instant supports group 19, a 256-bit Elliptic Curve group. Instant responds with an 802.11 802.11 is an evolving family of specifications for wireless LANs developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). 802.11 standards use the Ethernet protocol and Carrier Sense Multiple Access with collision avoidance (CSMA/CA) for path sharing. authentication containing its own commit message.

Instant and the client compute the PMK Pairwise Master Key. PMK is a shared secret key that is generated after PSK or 802.1X authentication. and send the confirm message to each other using an authentication frame with authentication transaction sequence set to 2.

The client sends an association request with the AKM suite set to SAE and Instant sends an association response.

Instant initiates a 4-way key handshake with the client to derive the PTK.

SAE With PMK Caching

If SAE has been established earlier, a client that wishes to perform SAE with PMK Pairwise Master Key. PMK is a shared secret key that is generated after PSK or 802.1X authentication. caching sends an authentication frame with authentication algorithm set to open. Instant sends an authentication response and the client sends a reassociation request with AKM set to SAE and includes the previously derived PMKID.

Instant checks if the PMKID is valid and sends an association response with the status code success.

Instant initiates a 4-way key handshake with the client to derive the PTK.

SAE or WPA2-PSK Mixed Mode

SAE or WPA2 Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES.-PSK Pre-shared key. A unique shared secret that was previously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access. mixed mode allows both SAE clients and clients that can only perform WPA2 Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES.-PSK Pre-shared key. A unique shared secret that was previously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access. to connect to the same BSSID Basic Service Set Identifier. The BSSID identifies a particular BSS within an area. In infrastructure BSS networks, the BSSID is the MAC address of the AP. In independent BSS or ad hoc networks, the BSSID is generated randomly.. In this mode, the beacon or probe responses contain a AKM list which contains both PSK Pre-shared key. A unique shared secret that was previously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access. (00-0F-AC Access Category. As per the IEEE 802.11e standards, AC refers to various levels of traffic prioritization in Enhanced Distributed Channel Access (EDCA) operation mode. The WLAN applications prioritize traffic based on the Background, Best Effort, Video, and Voice access categories. AC can also refer to Alternating Current, a form of electric energy that flows when the appliances are plugged to a wall socket.:2) and SAE (00-0F-AC Access Category. As per the IEEE 802.11e standards, AC refers to various levels of traffic prioritization in Enhanced Distributed Channel Access (EDCA) operation mode. The WLAN applications prioritize traffic based on the Background, Best Effort, Video, and Voice access categories. AC can also refer to Alternating Current, a form of electric energy that flows when the appliances are plugged to a wall socket.:8). Clients that support SAE send an authentication frame with SAE payload and connect to the BSSID Basic Service Set Identifier. The BSSID identifies a particular BSS within an area. In infrastructure BSS networks, the BSSID is the MAC address of the AP. In independent BSS or ad hoc networks, the BSSID is generated randomly..

Clients that support only WPA2 Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES.-PSK Pre-shared key. A unique shared secret that was previously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access. send an authentication frame with authentication algorithm set to open.

Instant initiates a 4-way key handshake similar to WPA2 Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES..

WPA3-Enterprise

WPA3-Enterprise enforces top secret security standards for an enterprise Wi-Fi Wi-Fi is a technology that allows electronic devices to connect to a WLAN network, mainly using the 2.4 GHz and 5 GHz radio bands. Wi-Fi can apply to products that use any 802.11 standard. in comparison to secret security standards. Top secret security standards includes:

Deriving at least 384-bit PMK Pairwise Master Key. PMK is a shared secret key that is generated after PSK or 802.1X authentication. /MSK using Suite B compatible EAP-TLS EAP–Transport Layer Security. EAP-TLS is a certificate-based authentication method supporting mutual authentication, integrity-protected ciphersuite negotiation and key exchange between two endpoints. See RFC 5216..

Securing pairwise data between STA and authenticator using AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.-GCM-256.

Securing group addressed data between STA and authenticator using AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.-GCM-256.

Securing group addressed management frames using BIP-GMAC-256

 

WPA3-Enterprise compatible 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication occurs between STA and CPPM.

WPA3-Enterprise 192-bit Mode requires a compatible EAP Extensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.  server (such as Aruba ClearPass Policy Manager ClearPass Policy Manager is a baseline platform for policy management, AAA, profiling, network access control, and reporting. With ClearPass Policy Manager, the network administrators can configure and manage secure network access that accommodates requirements across multiple locations and multivendor networks, regardless of device ownership and connection method. 6.8+) and requires EAP-TLS EAP–Transport Layer Security. EAP-TLS is a certificate-based authentication method supporting mutual authentication, integrity-protected ciphersuite negotiation and key exchange between two endpoints. See RFC 5216..

WPA3-Enterprise advertises or negotiates the following capabilities in beacons, probes response, or 802.11 802.11 is an evolving family of specifications for wireless LANs developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). 802.11 standards use the Ethernet protocol and Carrier Sense Multiple Access with collision avoidance (CSMA/CA) for path sharing. association:

AKM Suite Selector as 00-0F-AC Access Category. As per the IEEE 802.11e standards, AC refers to various levels of traffic prioritization in Enhanced Distributed Channel Access (EDCA) operation mode. The WLAN applications prioritize traffic based on the Background, Best Effort, Video, and Voice access categories. AC can also refer to Alternating Current, a form of electric energy that flows when the appliances are plugged to a wall socket.:12

Pairwise Cipher Suite Selector as 00-0F-AC Access Category. As per the IEEE 802.11e standards, AC refers to various levels of traffic prioritization in Enhanced Distributed Channel Access (EDCA) operation mode. The WLAN applications prioritize traffic based on the Background, Best Effort, Video, and Voice access categories. AC can also refer to Alternating Current, a form of electric energy that flows when the appliances are plugged to a wall socket.:9

Group data cipher suite selector as 00-0F-AC Access Category. As per the IEEE 802.11e standards, AC refers to various levels of traffic prioritization in Enhanced Distributed Channel Access (EDCA) operation mode. The WLAN applications prioritize traffic based on the Background, Best Effort, Video, and Voice access categories. AC can also refer to Alternating Current, a form of electric energy that flows when the appliances are plugged to a wall socket.:9

Group management cipher suite (MFP) selector as 00-0F-AC Access Category. As per the IEEE 802.11e standards, AC refers to various levels of traffic prioritization in Enhanced Distributed Channel Access (EDCA) operation mode. The WLAN applications prioritize traffic based on the Background, Best Effort, Video, and Voice access categories. AC can also refer to Alternating Current, a form of electric energy that flows when the appliances are plugged to a wall socket.:12

If WPA3-Enterprise is enabled, STA is successfully associated only if it uses one of the four suite selectors for AKM selection, pairwise data protection, group data protection, and group management protection. If a STA mismatches any one of the four suite selectors, the STA association fails.

WPA3 Opmodes

Aruba Instant supports the WPA3-AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.-CCM-128, WPA3-CNSA, WPA3-AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.-CCM-256, and WPA3-SAE-AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. opmodes.

The WPA3 opmodes are effective only on the 300 Series, 303 Series, 310 Series, 320 Series, 330 Series, 340 Series, AP-365, AP-367, 370 Series, 510 Series, 530 Series, and 550 Series access points. Other access points will reject these opmodes.

Before using the WPA3-SAE-AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. opmode, disable opmode-transition and configure a WPA Wi-Fi Protected Access. WPA is an interoperable wireless security specification subset of the IEEE 802.11 standard. This standard provides authentication capabilities and uses TKIP for data encryption. hexkey or WPA Wi-Fi Protected Access. WPA is an interoperable wireless security specification subset of the IEEE 802.11 standard. This standard provides authentication capabilities and uses TKIP for data encryption. passphrase as a pre-shared key. Use the WPA3 with SAE and PSK Pre-shared key. A unique shared secret that was previously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access. mode for SAE mixed mode operation during transition. The opmode-transition is not applicable to WPA3-AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits.-CCM-128 and WPA3-CNSA opmodes.

WPA2 Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES.-PSK Pre-shared key. A unique shared secret that was previously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access. -AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. virtual APs will be not be automatically upgraded to WPA3-SAE-AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. virtual APs. Hence, WPA2 Wi-Fi Protected Access 2. WPA2 is a certification program maintained by IEEE that oversees standards for security over wireless networks. WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes advanced encryption mechanism using CCMP that is referred to as AES.-PSK Pre-shared key. A unique shared secret that was previously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access. -AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. virtual APs will not automatically work in mixed mode. Configure a WPA3-SAE-AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. virtual AP with opmode-transition for the virtual AP to operate in mixed mode.

Configuring WPA3

To support WPA3, configure the opmode and opmode-transition parameters under the wlan ssid-profile command.

The opmode-transition parameter is enabled by default and provides backward compatibility for authentication and WPA3-SAE-AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. opmode. Use the opmode-transition parameter as a fallback option if a client faces connectivity issues on the enhanced open authentication or WPA3-SAE-AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. transition mode virtual APs.

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands disable opmode transition:

(Instant AP)(config)# wlan ssid-profile <profile_name>

(Instant AP)(SSID Profile "<profile_name>")# opmode-transition-disable

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands enable opmode transition:

(Instant AP)(config)# wlan ssid-profile <profile_name>

(Instant AP)(SSID Profile "<profile_name>")# opmode-transition

The following procedure describes how to configure WPA3 for Enterprise with 192-bit mode using the New WebUI:

1. Navigate to the WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. wizard (To add a new profile, go to Configuration > Networks and click +. To modify an existing profile, go to Configuration > Networks , select a WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. from the list of networks to edit.

2. Click the Security tab.

3. Select Enterprise from the Security Level drop-down list. The authentication options applicable to the Enterprise network are displayed.

4. Select one of the following from the Key Management drop-down list:

a. WPA3-Enterprise (CNSA)—WPA3 with AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. GCM-256 encryption using CNSA (192 bit).

b. WPA3-Enterprise (CCM 128)—WPA3 with AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. CCM encryption and dynamic keys using 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority..

c. WPA3-Enterprise (CCM 256)—WPA3 with AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. GCM-256 encryption.

5. Click Next and the click Finish.

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure WPA3 opmode for Enterprise security:

(Instant AP)(config)# wlan ssid-profile wpa3_mode

(Instant AP)(SSID Profile "wpa3_mode")# opmode wpa3-aes-ccm-128

(Instant AP)(SSID Profile "wpa3_mode")# opmode wpa3-cnsa

The following procedure describes how to configure WPA3 opmode for Personal security using the New WebUI:

1. Navigate to the WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. wizard (To add a new profile, go to Configuration > Networks and click +. To modify an existing profile, go to Configuration > Networks, select a WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. from the list of networks to edit.

2. Click the Security tab.

3. Select Personal from the Security Level drop-down list. The authentication options applicable to the Personal network are displayed.

4. Select WPA3 Personal from the Key Management drop-down list.

5. Click Next and the click Finish.

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure WPA3 opmode for Personal security:

(Instant AP)(config)# wlan ssid-profile wpa3_mode

(Instant AP)(SSID Profile "wpa3_mode")# opmode wpa3-sae-aes

 

Using the WPA3-SAE-AES Advanced Encryption Standard. AES is an encryption standard used for encrypting and protecting electronic data. The AES encrypts and decrypts data in blocks of 128 bits (16 bytes), and can use keys of 128 bits, 192 bits, and 256 bits. opmode requires a pre-shared key. Configure either a WPA Wi-Fi Protected Access. WPA is an interoperable wireless security specification subset of the IEEE 802.11 standard. This standard provides authentication capabilities and uses TKIP for data encryption. hexkey or WPA Wi-Fi Protected Access. WPA is an interoperable wireless security specification subset of the IEEE 802.11 standard. This standard provides authentication capabilities and uses TKIP for data encryption. passphrase as a pre-shared key.

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands disable WPA3 opmode:

(Instant AP)(config)# wlan ssid-profile wpa3_mode

(Instant AP)(SSID Profile "wpa3_mode")# no opmode